Race condition when migrating encryption key with snapshot creation in flight

Bug #1756139 reported by Alan Bishop
Affects: Cinder
Importance: Undecided
Assigned to: Alan Bishop

Bug Description

Support was recently added for migrating encryption keys based on the ConfKeyManager's fixed_key into Barbican [1].

[1] https://review.openstack.org/524720

There is a race condition when a snapshot creation is in flight during the time when the volume's encryption key is being migrated. If a snapshot is created right before the volume's key is migrated, the snapshot will contain the all-zeros encryption key ID associated with the fixed_key.

The snapshot creation might not finish until after the volume's key is migrated, and if that happens the encryption_key_id in the snapshot DB will be out of sync with the volume's encryption_key_id.

The solution is to re-sync the encryption_key_id in the snapshot DB with the volume's encryption_key_id prior to making the final snapshot DB update.
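
The interleaving described in this report, replayed deterministically as an added example (not part of the original report and not Cinder's code). The in-memory `db` dict, the function names and the `vol-1`/`snap-1` IDs are hypothetical, and the migrated key ID is a constructed random UUID.

```python
import uuid

# All-zeros key ID that the report associates with the fixed_key.
FIXED_KEY_ID = "00000000-0000-0000-0000-000000000000"


def begin_snapshot(db, snap_id, vol_id):
    """Worker starts a snapshot: its in-memory object copies the volume's key ID."""
    return {"id": snap_id, "volume_id": vol_id, "status": "creating",
            "encryption_key_id": db["volumes"][vol_id]["encryption_key_id"]}


def migrate_key(db, vol_id):
    """Migration replaces the volume's fixed_key ID with a new (constructed) ID."""
    db["volumes"][vol_id]["encryption_key_id"] = str(uuid.uuid4())


def finish_snapshot(db, snap, resync):
    """Final snapshot DB update, optionally re-syncing the key ID first."""
    if resync:
        volume = db["volumes"][snap["volume_id"]]
        snap["encryption_key_id"] = volume["encryption_key_id"]
    snap["status"] = "available"
    db["snapshots"][snap["id"]] = dict(snap)


def out_of_sync_snapshots(db):
    """Audit: IDs of snapshots whose key ID differs from their volume's."""
    return sorted(
        sid for sid, s in db["snapshots"].items()
        if s["encryption_key_id"]
        != db["volumes"][s["volume_id"]]["encryption_key_id"])


def run(resync):
    """Replay the interleaving from the report: begin, migrate, finish."""
    db = {"volumes": {"vol-1": {"encryption_key_id": FIXED_KEY_ID}},
          "snapshots": {}}
    snap = begin_snapshot(db, "snap-1", "vol-1")
    migrate_key(db, "vol-1")  # happens while the snapshot is in flight
    finish_snapshot(db, snap, resync)
    return db


if __name__ == "__main__":
    print("without re-sync:", out_of_sync_snapshots(run(resync=False)))
    print("with re-sync:   ", out_of_sync_snapshots(run(resync=True)))
```

The same comparison used in `out_of_sync_snapshots` can serve as an audit on a deployment that ran the migration before picking up the fix: any snapshot still carrying the all-zeros ID while its volume does not is a leftover of this race.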

Changed in cinder:
assignee: nobody → Alan Bishop (alan-bishop)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/553495

Changed in cinder:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/553495
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=768c5235239c5207b1a3c6ca0605bbe5ed4a6a8e
Submitter: Zuul
Branch: master

commit 768c5235239c5207b1a3c6ca0605bbe5ed4a6a8e
Author: Alan Bishop <email address hidden>
Date: Thu Mar 15 13:04:46 2018 -0400

    Sync snapshot's encryption_key_id with volume's value

    Sync the snapshot's encryption_key_id with the volume's value just
    prior to updating the snapshot's DB entry. This ensures the snapshot
    DB entry isn't out of date in case the volume's encryption_key_id
    changed while the snapshot was in flight. The encryption_key_id will
    change when keys based on the ConfKeyManager are migrated to Barbican.

    Closes-Bug: #1756139
    Change-Id: I65abb8dd17de7633828b731d1cf1f2321a6f3e5b

Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/555909

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/queens)

Reviewed: https://review.openstack.org/555909
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=46c4ec1cbdaafd093a99302cf4cf39e8aa1c6715
Submitter: Zuul
Branch: stable/queens

commit 46c4ec1cbdaafd093a99302cf4cf39e8aa1c6715
Author: Alan Bishop <email address hidden>
Date: Thu Mar 15 13:04:46 2018 -0400

    Sync snapshot's encryption_key_id with volume's value

    Sync the snapshot's encryption_key_id with the volume's value just
    prior to updating the snapshot's DB entry. This ensures the snapshot
    DB entry isn't out of date in case the volume's encryption_key_id
    changed while the snapshot was in flight. The encryption_key_id will
    change when keys based on the ConfKeyManager are migrated to Barbican.

    Closes-Bug: #1756139
    Change-Id: I65abb8dd17de7633828b731d1cf1f2321a6f3e5b
    (cherry picked from commit 768c5235239c5207b1a3c6ca0605bbe5ed4a6a8e)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 13.0.0.0b1

This issue was fixed in the openstack/cinder 13.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 12.0.1

This issue was fixed in the openstack/cinder 12.0.1 release.
