Cinder do not encrypt volumes correctly(25% success ratio)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cinder |
Fix Released
|
High
|
Eric Harney |
Bug Description
[1. Description]
I faced an issue with encryption of glance image to the volume. When glance image is small(1GB size), I observed that around 25% of my tests fails, because created volume is not encrypted even if it should be. Inside cinder logs I do not see anything suspicious, only after manual mount I can see that volume is not encrypted as it should be.
[2. Test case scenario]
I created a test script for it to measure failure ratio:
#!/bin/bash
result=result-file
> $result
for i in $(seq 1 20)
do
openstack volume create --type LUKS --bootable --description "test-sda-volume" --size 2 --image my-image my-$i-test
sleep 80
openstack server create --flavor m8.c4 --network <my-net-id> --volume my-$i-test my-$i-test
sleep 150
openstack server show my-$i-test >> $result
sleep 5
openstack server delete my-$i-test
sleep 10
openstack volume delete my-$i-test
done
[3. Results from failure operation]
When problem occur I can see such error in nova-compute logs: https:/
[4. Logs]
Beside of nova-compute logs mentioned above: https:/
we can see such logs(with debug on) in cinder:
- from fail: https:/
- from correct operation: https:/
I can't see any significant differences between failure and correct operation inside cinder logs.
[5. Manual mount of 'encrypted' volume]
I manually mounted broken volume and I was able to see data there:
https:/
Similar operation for correctly encrypted volume was like that: https:/
[6. SW versions]
# dpkg -l | grep cinder
ii cinder-api 2:16.4.
ii cinder-backup 2:16.4.
ii cinder-common 2:16.4.
ii cinder-scheduler 2:16.4.
ii cinder-volume 2:16.4.
ii python3-cinder 2:16.4.
ii python3-
# dpkg -l | grep barbican
ii barbican-api 1:10.0.
ii barbican-common 1:10.0.
ii barbican-
ii barbican-worker 1:10.0.
ii python3-barbican 1:10.0.
ii python3-
# dpkg -l | grep nova
ii nova-api 2:20.6.
ii nova-common 2:20.6.
ii nova-conductor 2:20.6.
rc nova-consoleauth 2:19.3.
ii nova-novncproxy 2:20.6.
ii nova-scheduler 2:20.6.
ii python3-nova 2:20.6.
ii python3-novaclient 2:15.1.
In case anything else is needed, I'm ready to help
Changed in cinder: | |
importance: | Undecided → High |
tags: | added: encryption |
Thanks for the report. We have recently discovered this behavior elsewhere, it seems to be due to a race condition in device management from os-brick.
We believe that https:/ /review. opendev. org/c/openstack /os-brick/ +/836391 will fix this issue. (Being tracked in https:/ /bugs.launchpad .net/os- brick/+ bug/1967790 .)
If you could test that os-brick patch in your environment, it would be helpful to know if it fixes the issue fully for you.