OpenStack Compute (nova)

encrypted iSCSI volume attach fails when iscsi_use_multipath is enabled

Bug #1439869 reported by Anthony Lee on 2015-04-02

This bug affects 3 people

	Status	Importance	Assigned to
OpenStack Compute (nova)	Fix Released	Medium	Tomoki Sekiyama
Liberty	Fix Released	Undecided	Unassigned
Mitaka	Fix Released	Medium	Lee Yarwood
os-brick	Fix Released	Undecided	Lisa Li

Bug Description

When attempting to attach an encrypted iSCSI volume to an instance with iscsi_use_multipath set to True in nova.conf an error occurs in n-cpu.

The devstack system being used had the following nova version:

commit ab25f5f34b6ee37e495aa338aeb90b914f622b9d
Merge "instance termination with update_dns_entries set fails"

The following error occurs in n-cpu:

Stack Trace:

2015-04-02 13:46:22.641 ERROR nova.virt.block_device [req-61f49ff8-b814-42c0-8cf8-ffe7b6a3561c admin admin] [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] Driver failed to attach volume 4778e71c-a1b5-4d
b5-b677-1d8191468e87 at /dev/vdb
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] Traceback (most recent call last):
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] File "/opt/stack/nova/nova/virt/block_device.py", line 251, in attach
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] device_type=self['device_type'], encryption=encryption)
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 1064, in attach_volume
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] self._disconnect_volume(connection_info, disk_dev)
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 85, in __exit__
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] six.reraise(self.type_, self.value, self.tb)
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 1051, in attach_volume
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] encryptor.attach_volume(context, **encryption)
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] File "/opt/stack/nova/nova/volume/encryptors/cryptsetup.py", line 93, in attach_volume
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] self._open_volume(passphrase, **kwargs)
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] File "/opt/stack/nova/nova/volume/encryptors/cryptsetup.py", line 78, in _open_volume
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] check_exit_code=True, run_as_root=True)
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] File "/opt/stack/nova/nova/utils.py", line 206, in execute
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] return processutils.execute(*cmd, **kwargs)
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] File "/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py", line 233, in execute
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] cmd=sanitized_cmd)
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] ProcessExecutionError: Unexpected error while running command.
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] Command: sudo nova-rootwrap /etc/nova/rootwrap.conf cryptsetup create --key-file=- 36000eb37601bcf0200
0000000000036c /dev/mapper/36000eb37601bcf02000000000000036c
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] Exit code: 1
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] Stdout: u''
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5] Stderr: u''
2015-04-02 13:46:22.641 TRACE nova.virt.block_device [instance: 41d0c192-a1ce-45eb-a5ff-bcb96ec0d8e5]

multipath-tools was installed
iscsi_use_multipath = True was set under the [libvirt] entry in nova.conf

To reproduce:

install multipath-tools
set iscsi_use_multipath to True in nova.conf under the [libvirt] section.
create an encrypted iSCSI volume and attempt to attach it to an instance (I was using CryptsetupEncryptor).

The above error will occur in n-cpu.

Possibly related bug: https://bugs.launchpad.net/nova/+bug/1439855

See original description

Tags:

Anthony Lee (anthony-mic-lee) on 2015-04-02

description:	updated
description:	updated
description:	updated

Anthony Lee (anthony-mic-lee) on 2015-04-02

description:

updated

Revision history for this message

Sean Dague (sdague) wrote on 2015-04-03:

It appears that the local device name is completely bonkers in this case.

sudo nova-rootwrap /etc/nova/rootwrap.conf cryptsetup create --key-file=- 36000eb37601bcf0200
0000000000036c /dev/mapper/36000eb37601bcf02000000000000036c

Is just the wrong command entirely to be useful.

Changed in nova:
status:	New → Confirmed
importance:	Undecided → Medium
tags:	added: multipath volumes

ugvddm (271025598-9) on 2015-04-19

Changed in nova:
assignee:	nobody → ugvddm (271025598-9)

Revision history for this message

ugvddm (271025598-9) wrote on 2015-05-23:

Crypsetup returns 0 on success or non-zero on error.

       Error codes are: 1 wrong parameters, 2 no permission (bad passphrase),
       3 out of memory, 4 wrong device specified, 5 device already exists or
       device is busy.

http://manpages.ubuntu.com/manpages/precise/man8/cryptsetup.8.html

Tomoki Sekiyama (tsekiyama) on 2015-06-25

Changed in nova:
assignee:	ugvddm (271025598-9) → Tomoki Sekiyama (tsekiyama)

OpenStack Infra (hudson-openstack) on 2015-06-28

Changed in nova:
status:	Confirmed → In Progress

Revision history for this message

Richard Hedlind (richard-hedlind) wrote on 2015-09-03:

I have a possible fix for this issue. Is it ok if I assign the bug to myself and push up a proposed fix?

Revision history for this message

Tomoki Sekiyama (tsekiyama) wrote on 2015-09-03:

I've proposed for this fix:

https://review.openstack.org/#/c/196482/

I appreciate if you could review this.

Revision history for this message

Richard Hedlind (richard-hedlind) wrote on 2015-09-03:

Tomoki,
I just gave your fix a +1. Hopefully we can get some +2s on this. Such a small fix.

Not sure why launchpad hasn't updated this bug report with a link to your proposed fix?

Richard

Revision history for this message

Sivasathurappan Radhakrishnan (siva-radhakrishnan) wrote on 2016-06-02:

@Tomoki Sekiyama can you please let me know if you are still working on the patch that you proposes as it is in merge conflict right now ?

Revision history for this message

Tomoki Sekiyama (tsekiyama) wrote on 2016-06-03:

Sorry for this left in merge conflict. I have rebased the change to fix the conflict. Thanks.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-05: Fix merged to nova (master)

Reviewed: https://review.openstack.org/196482
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=89a61ab8f4602e018763afb173e1a862f151a222
Submitter: Jenkins
Branch: master

commit 89a61ab8f4602e018763afb173e1a862f151a222
Author: Tomoki Sekiyama <email address hidden>
Date: Thu Jun 25 17:41:47 2015 -0400

Fix multipath iSCSI encrypted volume attach failure

    Currently iSCSI volume attachment fails if iscsi_use_multipath is
    set to True. This is because the encryptor requests cryptsetup
    to create the symlink to the LUKS device with the same name of
    the device-mapper multipath device. To avoid the name collision,
    this patch adds the 'crypt-' prefix to the symlink.

Change-Id: I01a3104025a9c479e40933ca24024355df9dfb8b
Closes-Bug: #1439869

Changed in nova:
status:	In Progress → Fix Released

Revision history for this message

Lisa Li (lisali) wrote on 2016-07-06:

As Cinder will use encryptors, nova/encryptors is copied to os-brick. We also need to import this fix into os-brick.

Changed in os-brick:
assignee:	nobody → Lisa Li (lisali)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-06: Fix proposed to os-brick (master)

#10

Fix proposed to branch: master
Review: https://review.openstack.org/338017

Changed in os-brick:
status:	New → In Progress

Revision history for this message

Lisa Li (lisali) wrote on 2016-07-06:

#11

Tom, I introduced the fix to os-brick. Please help to review it: https://review.openstack.org/338017

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-07: Fix merged to os-brick (master)

#12

Reviewed: https://review.openstack.org/338017
Committed: https://git.openstack.org/cgit/openstack/os-brick/commit/?id=9d2bb5e15de92c72cc50bac2ee5d0b3b2704ed1e
Submitter: Jenkins
Branch: master

commit 9d2bb5e15de92c72cc50bac2ee5d0b3b2704ed1e
Author: lisali <email address hidden>
Date: Wed Jul 6 13:48:20 2016 +0800

Fix multipath iSCSI encrypted volume attach failure

This is to copy fix of bug 1439869 from Nova to os-brick.

Change-Id: Ia001204df9b14f635ab998590e8add119c1aec23
Closes-Bug: #1439869

Changed in os-brick:
status:	In Progress → Fix Released

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-07-14: Fix included in openstack/nova 14.0.0.0b2

#13

This issue was fixed in the openstack/nova 14.0.0.0b2 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-03: Change abandoned on nova (stable/liberty)

#14

Change abandoned by Lee Yarwood (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/349898

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-03: Fix merged to nova (stable/mitaka)

#15

Reviewed: https://review.openstack.org/349897
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=82190bdd283dda37f7517fd9a268b5e55183f06c
Submitter: Jenkins
Branch: stable/mitaka

commit 82190bdd283dda37f7517fd9a268b5e55183f06c
Author: Tomoki Sekiyama <email address hidden>
Date: Thu Jun 25 17:41:47 2015 -0400

Fix multipath iSCSI encrypted volume attach failure

    NOTE(lyarwood): The rootwrap.d portion of this change is dropped for
    stable/mitaka to avoid upgrade issues. The current wildcard based ln
    filter means that the remainder of the change will still correct this
    issue.

    Conflicts:
            etc/nova/rootwrap.d/compute.filters
            nova/tests/unit/volume/encryptors/test_cryptsetup.py

    Change-Id: I01a3104025a9c479e40933ca24024355df9dfb8b
    Closes-Bug: #1439869
    (cherry picked from commit 89a61ab8f4602e018763afb173e1a862f151a222)

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2016-08-04: Fix included in openstack/os-brick 1.5.0

#16

This issue was fixed in the openstack/os-brick 1.5.0 release.

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-08-09: Fix included in openstack/nova 13.1.1

#17

This issue was fixed in the openstack/nova 13.1.1 release.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.