unable to boot instance from encrypted volume created from a glance image of an encrypted volume

Bug #1895696 reported by Brian Rosmaita
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Cinder | New | Undecided | Unassigned |
OpenStack Compute (nova) | Fix Released | High | Lee Yarwood |
Ussuri | Fix Released | Undecided | Unassigned |

Bug Description

Description
===========
What the title says, plus see "steps to reproduce" below.
This is a regression caused by the fix for https://bugs.launchpad.net/nova/+bug/1852106

Steps to Reproduce
==================
1. Let Image-1 be a "regular" (non-encrypted, bootable) image in Glance (like the cirros image).
2. Create volume V-1 in Cinder from Image-1 specifying encrypted volume-type T-1.
3. Boot an instance from V-1 (make sure delete-on-terminate is false). Works fine. Delete the instance to free up the volume.
4. Call cinder upload-to-image on V-1 to create Image-2.
5. Create volume V-2 in Cinder specifying encrypted volume-type T-1 from Image-2.
6. Boot an instance from V-2.

Expected result
===============
Working instance booted from volume.

Actual result
=============
ERROR (BadRequest): Image None is unacceptable: Direct booting of an image uploaded from an encrypted volume is unsupported. (HTTP 400)

Note:
If we bypass the check at https://review.opendev.org/#/c/707738/3/nova/compute/api.py@894, the instance goes 'active' and is operable (you can ssh into it). (Of course, we don't want to bypass the check, it just needs to be made aware that we are booting from a volume, not trying to boot from an image.)

Tags: volumes
Changed in nova:
assignee: nobody → Brian Rosmaita (brian-rosmaita)
Lee Yarwood (lyarwood)
Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
Changed in nova:
assignee: Brian Rosmaita (brian-rosmaita) → nobody
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/752090

Changed in nova:
assignee: nobody → Lee Yarwood (lyarwood)
status: Confirmed → In Progress
Lee Yarwood (lyarwood) wrote :

FWIW I also think c-api needs to start dropping this image property when creating a volume as it doesn't make sense being persisted in the volume_image_metadata once it is rotated out IMHO.

Lee Yarwood (lyarwood) wrote :

and it would be super nice if someone from the cinder team could write actual integration tests for this so we could start finding issues like this earlier.

Changed in nova:
importance: Medium → High
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/752485

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/752486

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/752487

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/752489

OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.opendev.org/752247
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=e76cccddd3ac64d8cc3e7e63e1772d5d23f20669
Submitter: Zuul
Branch: master

commit e76cccddd3ac64d8cc3e7e63e1772d5d23f20669
Author: Lee Yarwood <email address hidden>
Date: Wed Sep 16 13:28:36 2020 +0100

    Add regression test for bug #1895696

    Related-Bug: #1895696
    Change-Id: I15271fb0b8de7f1184acddd607d605837e2eb7d4

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/752090
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f9b67893acf94c06fd41be36b80b99788dc77e48
Submitter: Zuul
Branch: master

commit f9b67893acf94c06fd41be36b80b99788dc77e48
Author: Lee Yarwood <email address hidden>
Date: Tue Sep 15 18:17:04 2020 +0100

    compute: Skip cinder_encryption_key_id check when booting from volume

    Idf84ccff254d26fa13473fe9741ddac21cbcf321 added this check in order for
    Nova to avoid booting encrypted images created by Cinder as there is
    currently no support for using such images (rotating keys etc).

    The check however missed the slightly convoluted use case where this
    image property is found against a volume after the volume in question is
    created using an encrypted image created by cinder from an encrypted
    volume. In other words:

    - Cinder creates an encrypted volume A
    - Glance creates an encrypted image A from volume A
    - Cinder creates an encrypted volume B from image A
    - Nova attempts to boot an instance using volume B

    Note that Nova may request the creation of volume B or a user could also
    do this directly through Cinder.

    As such this change simply ensures that the instance isn't booting from
    a volume when performing the check as it is only valid when booting from
    an image.

    Closes-Bug: #1895696
    Change-Id: Ic92cab7362fa25050e5bbef5c3e360108365b5c7
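
The flow from the commit message above, as a simplified model added here (not nova or cinder code). Function names and the key id value are hypothetical; only the `cinder_encryption_key_id` property name and the error text come from this report.

```python
# Simplified model of the check discussed above; not nova or cinder code.
# Function names and the key id value are hypothetical. Only the property
# name and the error text are taken from the bug report.
ENC_KEY_PROP = "cinder_encryption_key_id"
ERR = ("Direct booting of an image uploaded from an encrypted volume "
       "is unsupported.")


class ImageUnacceptable(Exception):
    pass


def create_volume(image, encrypted):
    """Cinder persists the source image's properties on the new volume."""
    return {"encrypted": encrypted,
            "volume_image_metadata": dict(image["properties"])}


def upload_to_image(volume):
    """An image uploaded from an encrypted volume carries the key id."""
    props = {ENC_KEY_PROP: "constructed-key-id"} if volume["encrypted"] else {}
    return {"properties": props}


def check_before_fix(image_meta, boot_from_volume):
    # Regressed behaviour: the property alone triggers the rejection.
    if ENC_KEY_PROP in image_meta:
        raise ImageUnacceptable(ERR)


def check_after_fix(image_meta, boot_from_volume):
    # Fixed behaviour: the check only applies when booting from an image.
    if not boot_from_volume and ENC_KEY_PROP in image_meta:
        raise ImageUnacceptable(ERR)


def boot_allowed(check, image_meta, boot_from_volume):
    try:
        check(image_meta, boot_from_volume)
    except ImageUnacceptable:
        return False
    return True


def reproduce():
    """Steps 1-5 of the report: Image-1 -> V-1 -> Image-2 -> V-2."""
    v1 = create_volume({"properties": {}}, encrypted=True)
    image_2 = upload_to_image(v1)
    return v1, image_2, create_volume(image_2, encrypted=True)
```

Booting from V-2 fails under `check_before_fix` and succeeds under `check_after_fix`, while a direct boot from Image-2 is still rejected.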

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 21.1.2

This issue was fixed in the openstack/nova 21.1.2 release.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/train)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/nova/+/752487
Reason: stable/train branch of nova projects' have been tagged as End of Life. All open patches have to be abandoned in order to be able to delete the branch.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/nova/+/752489
Reason: stable/train branch of nova projects' have been tagged as End of Life. All open patches have to be abandoned in order to be able to delete the branch.
