[SRU] nova rbd auth fallback uses cinder user with libvirt secret
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | | Medium | Corey Bryant |
Ocata | | Medium | Unassigned |
Pike | | Medium | Unassigned |
Queens | | Medium | Corey Bryant |
Rocky | | Medium | Corey Bryant |
Ubuntu Cloud Archive | | High | Unassigned |
Ocata | | High | Unassigned |
Pike | | High | Unassigned |
Queens | | High | Unassigned |
Rocky | | High | Unassigned |
Stein | | High | Unassigned |
nova (Ubuntu) | | High | Corey Bryant |
Bionic | | High | Unassigned |
Cosmic | | High | Unassigned |
Disco | | High | Corey Bryant |
Bug Description
[Impact]
From David Ames (thedac), originally posted to https:/
Updating this bug. We may decide to move this elsewhere at some point.
We have a deployment that was upgraded through to pike at which point it was noticed that nova instances with ceph backed volumes would not start.
The cinder key was manually added to the nova-compute nodes in /etc/ceph and with:
sudo virsh secret-define --file /tmp/cinder.secret
However, this did not resolve the problem. It appeared libvirt was trying to use a mixed pair of usernames and keys. It was using the cinder username but the nova-compute key.
Looking at nova's code it falls back to nova.conf when it does not have a secret_uuid from cinder but it was not setting the username correctly.
https:/
The following seems to mitigate this as a temporary fix on nova-compute until we can come up with a complete plan:
https:/
diff --git a/nova/
index cec43ce93b.
--- a/nova/
+++ b/nova/
@@ -71,6 +71,7 @@ class LibvirtNetVolum
else:
+ conf.auth_username = CONF.libvirt.
# secret_type is always hard-coded to 'ceph' in cinder
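Review bot: The `conf.auth_username` assignment added under `else:` has no comment explaining why the username is replaced at that point, unlike the `secret_type` line that follows it. A short comment stating that the user is taken from nova's config because the secret comes from there too would make the pairing explicit. The assignment is also unconditional, so it is worth confirming what happens when the nova.conf value is unset, and adding a unit test that exercises this branch.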
Apply to /usr/lib/
We still need a migration plan to get from the topology with nova-compute directly related to ceph to the topology with cinder-ceph related to nova-compute using ceph-access which would populate cinder's secret_uuid.
It is possible we will need to carry the patch for existing instances. It may be worth getting that upstream as master has the same problem.
[Test Case]
Upgrade a juju-deployed cloud with ceph backend for nova and cinder from pre-ocata to ocata or above. Ensure that nova instances with ceph backed volumes successfully start.
[Regression Potential]
The fix is minimal and will not be fixed in Ubuntu until it has been approved upstream.
Changed in nova (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Critical |
assignee: | nobody → Corey Bryant (corey.bryant) |
Changed in nova (Ubuntu Disco): | |
importance: | Critical → High |
Changed in nova (Ubuntu Cosmic): | |
importance: | Undecided → High |
status: | New → Triaged |
Changed in nova (Ubuntu Bionic): | |
status: | New → Triaged |
importance: | Undecided → High |
summary: |
- nova rbd auth fallback attempts to use cinder auth_username with libvirt - secret_uuid + nova rbd auth fallback attempts to use cinder user with libvirt secret |
Changed in nova: | |
assignee: | nobody → Corey Bryant (corey.bryant) |
status: | New → In Progress |
summary: |
- nova rbd auth fallback attempts to use cinder user with libvirt secret + [SRU] nova rbd auth fallback attempts to use cinder user with libvirt + secret |
summary: |
- [SRU] nova rbd auth fallback attempts to use cinder user with libvirt - secret + [SRU] nova rbd auth fallback uses cinder user with libvirt secret |
description: | updated |
tags: | added: ceph libvirt volumes |
Changed in nova: | |
importance: | Undecided → Medium |
Changed in nova: | |
assignee: | Corey Bryant (corey.bryant) → Matt Riedemann (mriedem) |
Changed in nova: | |
assignee: | Matt Riedemann (mriedem) → Corey Bryant (corey.bryant) |
tags: | added: canonical-bootstack |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 47b7c4f3cc582bf
Author: Corey Bryant <email address hidden>
Date: Fri Dec 21 08:23:32 2018 -0500
Ensure rbd auth fallback uses matching credentials
As of Ocata, cinder config is preferred for rbd auth values with a
fallback to nova values [1]. The fallback path, for the case when
rbd_user is configured in cinder.conf and rbd_secret_uuid is not
configured in cinder.conf, results in the mismatched use of cinder
rbd_user with nova rbd_secret_uuid.
This fixes that fallback path to use nova rbd_user from nova.conf
with rbd_secret_uuid from nova.conf.
[1] See commit f2d27f6a8afb628
Thanks to David Ames for this fix.
Change-Id: Ieba216275c07ab
Co-Authored-By: David Ames <email address hidden>
Closes-Bug: #1809454
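A small model of the fallback this commit message describes, as an added example (not nova's code): it shows which attachments end up with a cinder user paired with a nova secret before the fix, and with a matching nova pair after it. The property keys, the sample nova.conf, the volume ids, user names and UUIDs are constructed assumptions.

```python
import configparser
from typing import NamedTuple, Optional

# Constructed nova.conf fragment; user name and UUID are sample values.
NOVA_CONF = """\
[libvirt]
rbd_user = nova-compute
rbd_secret_uuid = 11111111-2222-3333-4444-555555555555
"""

# Constructed volume connection properties, keyed by a made-up volume id.
# "vol-old" models a pre-Ocata attachment: cinder sent a user but no secret.
VOLUMES = {
    "vol-new": {"auth_username": "cinder-ceph",
                "secret_uuid": "99999999-8888-7777-6666-555555555555"},
    "vol-old": {"auth_username": "cinder-ceph", "secret_uuid": None},
}


class RbdAuth(NamedTuple):
    username: Optional[str]
    secret_uuid: Optional[str]
    user_from: str      # "cinder" or "nova"
    secret_from: str    # "cinder" or "nova"


def load_nova_rbd(conf_text: str) -> dict:
    """Read rbd_user / rbd_secret_uuid from the [libvirt] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {k: cp.get("libvirt", k, fallback=None)
            for k in ("rbd_user", "rbd_secret_uuid")}


def resolve_rbd_auth(props: dict, nova: dict, fixed: bool = True) -> RbdAuth:
    """Model of the fallback; fixed=False reproduces the reported mismatch."""
    if props.get("secret_uuid"):
        # Cinder supplied both halves: use them as a pair.
        return RbdAuth(props["auth_username"], props["secret_uuid"],
                       "cinder", "cinder")
    if fixed:
        # Secret comes from nova.conf, so the user must come from there too.
        return RbdAuth(nova["rbd_user"], nova["rbd_secret_uuid"], "nova", "nova")
    return RbdAuth(props["auth_username"], nova["rbd_secret_uuid"],
                   "cinder", "nova")


def mismatched(volumes: dict, nova: dict, fixed: bool) -> list:
    """Volume ids whose user and secret come from different services,
    or whose fallback cannot be satisfied from nova.conf."""
    bad = []
    for vol_id, props in sorted(volumes.items()):
        auth = resolve_rbd_auth(props, nova, fixed)
        if (auth.user_from != auth.secret_from
                or not auth.username or not auth.secret_uuid):
            bad.append(vol_id)
    return bad
```

Running `mismatched` with `fixed=True` against an empty nova.conf still flags the old attachment, which is the case where the fallback has nothing to fall back to.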
Changed in nova: | |
status: | In Progress → Fix Released |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit f5d8ee1bfc3b7b9
Author: Corey Bryant <email address hidden>
Date: Fri Dec 21 08:23:32 2018 -0500
Ensure rbd auth fallback uses matching credentials
As of Ocata, cinder config is preferred for rbd auth values with a
fallback to nova values [1]. The fallback path, for the case when
rbd_user is configured in cinder.conf and rbd_secret_uuid is not
configured in cinder.conf, results in the mismatched use of cinder
rbd_user with nova rbd_secret_uuid.
This fixes that fallback path to use nova rbd_user from nova.conf
with rbd_secret_uuid from nova.conf.
[1] See commit f2d27f6a8afb628
Thanks to David Ames for this fix.
Change-Id: Ieba216275c07ab
Co-Authored-By: David Ames <email address hidden>
Closes-Bug: #1809454
(cherry picked from commit 47b7c4f3cc582bf
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit accef50f9648dc4
Author: Corey Bryant <email address hidden>
Date: Fri Dec 21 08:23:32 2018 -0500
Ensure rbd auth fallback uses matching credentials
As of Ocata, cinder config is preferred for rbd auth values with a
fallback to nova values [1]. The fallback path, for the case when
rbd_user is configured in cinder.conf and rbd_secret_uuid is not
configured in cinder.conf, results in the mismatched use of cinder
rbd_user with nova rbd_secret_uuid.
This fixes that fallback path to use nova rbd_user from nova.conf
with rbd_secret_uuid from nova.conf.
[1] See commit f2d27f6a8afb628
Thanks to David Ames for this fix.
Change-Id: Ieba216275c07ab
Co-Authored-By: David Ames <email address hidden>
Closes-Bug: #1809454
(cherry picked from commit 47b7c4f3cc582bf
(cherry picked from commit f5d8ee1bfc3b7b9
Corey Bryant (corey.bryant) wrote : | #5 |
New packages have been uploaded to Ubuntu disco, cosmic and bionic with patches cherry-picked from upstream nova. cosmic and bionic are awaiting SRU review.
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package nova - 2:19.0.
---------------
nova (2:19.0.
* d/p/ensure-
picked from upstream to ensure ceph backend continues to work for upgrades
from pre-Ocata (LP: #1809454).
-- Corey Bryant <email address hidden> Fri, 21 Dec 2018 09:20:12 -0500
Changed in nova (Ubuntu Disco): | |
status: | Triaged → Fix Released |
Hello Corey, or anyone else affected,
Accepted nova into cosmic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in nova (Ubuntu Cosmic): | |
status: | Triaged → Fix Committed |
tags: | added: verification-needed verification-needed-cosmic |
Brian Murray (brian-murray) wrote : | #8 |
Hello Corey, or anyone else affected,
Accepted nova into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in nova (Ubuntu Bionic): | |
status: | Triaged → Fix Committed |
tags: | added: verification-needed-bionic |
Corey Bryant (corey.bryant) wrote : | #9 |
Hello Corey, or anyone else affected,
Accepted nova into rocky-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.
Please help us by testing this new package. To enable the -proposed repository:
sudo add-apt-repository cloud-archive:
sudo apt-get update
Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-
Further information regarding the verification process can be found at https:/
Changed in cloud-archive: | |
status: | Triaged → Fix Committed |
tags: | added: verification-rocky-needed |
Corey Bryant (corey.bryant) wrote : | #10 |
Hello Corey, or anyone else affected,
Accepted nova into pike-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.
Please help us by testing this new package. To enable the -proposed repository:
sudo add-apt-repository cloud-archive:
sudo apt-get update
Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-
Further information regarding the verification process can be found at https:/
Corey Bryant (corey.bryant) wrote : | #11 |
Hello Corey, or anyone else affected,
Accepted nova into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.
Please help us by testing this new package. To enable the -proposed repository:
sudo add-apt-repository cloud-archive:
sudo apt-get update
Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-
Further information regarding the verification process can be found at https:/
tags: | added: verification-pike-needed |
Corey Bryant (corey.bryant) wrote : | #12 |
Hello Corey, or anyone else affected,
Accepted nova into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.
Please help us by testing this new package. To enable the -proposed repository:
sudo add-apt-repository cloud-archive:
sudo apt-get update
Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-
Further information regarding the verification process can be found at https:/
tags: | added: verification-queens-needed |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/pike
commit a7e25aa3d2088e2
Author: Corey Bryant <email address hidden>
Date: Fri Dec 21 08:23:32 2018 -0500
Ensure rbd auth fallback uses matching credentials
As of Ocata, cinder config is preferred for rbd auth values with a
fallback to nova values [1]. The fallback path, for the case when
rbd_user is configured in cinder.conf and rbd_secret_uuid is not
configured in cinder.conf, results in the mismatched use of cinder
rbd_user with nova rbd_secret_uuid.
This fixes that fallback path to use nova rbd_user from nova.conf
with rbd_secret_uuid from nova.conf.
[1] See commit f2d27f6a8afb628
Thanks to David Ames for this fix.
Change-Id: Ieba216275c07ab
Co-Authored-By: David Ames <email address hidden>
Closes-Bug: #1809454
(cherry picked from commit 47b7c4f3cc582bf
(cherry picked from commit f5d8ee1bfc3b7b9
(cherry picked from commit accef50f9648dc4
Xav Paice (xavpaice) wrote : | #14 |
How do we go about getting this moving forward from cloud-archive:
David Ames (thedac) wrote : | #15 |
The newton-proposed, ocata-proposed, pike-proposed, queens-proposed, bionic-proposed and rocky-proposed packages have all been tested.
Newton to pike upgrades were performed. The bug no longer exists. The fix is verified in the packages.
tags: |
added: verification-done-bionic verification-newton-done verification-ocata-done verification-pike-done verification-queens-done verification-rocky-done removed: verification-needed verification-needed-bionic verification-pike-needed verification-queens-needed verification-rocky-needed |
David Ames (thedac) wrote : | #16 |
Verified on cosmic.
tags: |
added: verification-done-cosmic removed: verification-needed-cosmic |
David Ames (thedac) wrote : | #17 |
Adding a bit more context.
The original break only occurred with instances launched on Newton with a subsequent upgrade to Ocata.
The required fix needs to be in every Ubuntu/OpenStack combination we support from xenial-ocata to cosmic-rocky.
I tested the upgrade from xenial-newton to xenial-ocata.
I have also tested that no regressions occur with deployments from xenial-pike to cosmic-rocky.
Launchpad Janitor (janitor) wrote : | #18 |
This bug was fixed in the package nova - 2:18.0.3-0ubuntu2
---------------
nova (2:18.0.3-0ubuntu2) cosmic; urgency=medium
* d/p/ensure-
picked from upstream to ensure ceph backend continues to work for upgrades
from pre-Ocata (LP: #1809454).
-- Corey Bryant <email address hidden> Mon, 07 Jan 2019 14:49:48 -0500
Changed in nova (Ubuntu Cosmic): | |
status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Corey Bryant (corey.bryant) wrote : | #20 |
The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Corey Bryant (corey.bryant) wrote : | #21 |
This bug was fixed in the package nova - 2:18.0.
---------------
nova (2:18.0.
.
* New update for the Ubuntu Cloud Archive.
.
nova (2:18.0.3-0ubuntu2) cosmic; urgency=medium
.
* d/p/ensure-
picked from upstream to ensure ceph backend continues to work for upgrades
from pre-Ocata (LP: #1809454).
Launchpad Janitor (janitor) wrote : | #22 |
This bug was fixed in the package nova - 2:17.0.7-0ubuntu2
---------------
nova (2:17.0.7-0ubuntu2) bionic; urgency=medium
* d/p/ensure-
picked from upstream to ensure ceph backend continues to work for upgrades
from pre-Ocata (LP: #1809454).
-- Corey Bryant <email address hidden> Mon, 07 Jan 2019 14:54:42 -0500
Changed in nova (Ubuntu Bionic): | |
status: | Fix Committed → Fix Released |
Corey Bryant (corey.bryant) wrote : | #23 |
The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Corey Bryant (corey.bryant) wrote : | #24 |
This bug was fixed in the package nova - 2:17.0.
---------------
nova (2:17.0.
.
* New update for the Ubuntu Cloud Archive.
.
nova (2:17.0.7-0ubuntu2) bionic; urgency=medium
.
* d/p/ensure-
picked from upstream to ensure ceph backend continues to work for upgrades
from pre-Ocata (LP: #1809454).
Corey Bryant (corey.bryant) wrote : | #25 |
The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Corey Bryant (corey.bryant) wrote : | #26 |
This bug was fixed in the package nova - 2:16.1.
---------------
nova (2:16.1.
.
* d/p/ensure-
picked from upstream to ensure ceph backend continues to work for upgrades
from pre-Ocata (LP: #1809454).
Corey Bryant (corey.bryant) wrote : | #27 |
The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Corey Bryant (corey.bryant) wrote : | #28 |
This bug was fixed in the package nova - 2:15.1.
---------------
nova (2:15.1.
.
* d/p/ensure-
picked from upstream to ensure ceph backend continues to work for upgrades
from pre-Ocata (LP: #1809454).
This issue was fixed in the openstack/nova 19.0.0.0rc1 release candidate.
This issue was fixed in the openstack/nova 17.0.10 release.
This issue was fixed in the openstack/nova 18.2.0 release.
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/ocata
commit 779e58e97612d9f
Author: Corey Bryant <email address hidden>
Date: Fri Dec 21 08:23:32 2018 -0500
Ensure rbd auth fallback uses matching credentials
As of Ocata, cinder config is preferred for rbd auth values with a
fallback to nova values [1]. The fallback path, for the case when
rbd_user is configured in cinder.conf and rbd_secret_uuid is not
configured in cinder.conf, results in the mismatched use of cinder
rbd_user with nova rbd_secret_uuid.
This fixes that fallback path to use nova rbd_user from nova.conf
with rbd_secret_uuid from nova.conf.
[1] See commit f2d27f6a8afb628
Thanks to David Ames for this fix.
Change-Id: Ieba216275c07ab
Co-Authored-By: David Ames <email address hidden>
Closes-Bug: #1809454
(cherry picked from commit 47b7c4f3cc582bf
(cherry picked from commit f5d8ee1bfc3b7b9
(cherry picked from commit accef50f9648dc4
(cherry picked from commit a7e25aa3d2088e2
Lee Yarwood (lyarwood) wrote : | #33 |
Released in 17.0.10.
This issue was fixed in the openstack/nova 16.1.8 release.
Corey Bryant (corey.bryant) wrote : | #35 |
For some reason this wasn't automatically marked "Fix Released" for upstream stable/pike. It's available in the 16.1.8 release for nova. https:/
Corey Bryant (corey.bryant) wrote : | #36 |
This was fix-released in ocata via nova 2:15.1.
Fix proposed to branch: master
Review: https://review.openstack.org/626897