Encryption key is not properly formatted before being passed to dmcrypt
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Jackie Truong |
Newton | Fix Committed | Medium | Lee Yarwood |
Ocata | Fix Committed | Medium | Lee Yarwood |
Bug Description
Description
===========
A TypeError occurs when using Nova to boot an instance with ephemeral storage encryption enabled.
When key management was moved from Nova to Castellan in the Newton release, the key retrieval return value was changed from being formatted as a list of unsigned ints (in the case of an octet stream) [1] to not being formatted at all [2]. Nova's dmcrypt still expects the retrieved key [3][4] to be formatted as an array of unsigned bytes [5].
References:
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
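The shape mismatch described above, as an added illustration that is not Nova's or Castellan's code: a model of the old formatter, which only accepts a list of unsigned ints, beside a normalising formatter that accepts a list, bytes, or a raw-octet string and also checks the key length against the configured key size. The key material and the 256-bit key size are constructed sample values.

```python
import binascii

KEY_SIZE_BITS = 256  # constructed: a 32-byte ephemeral volume key


def legacy_format_key(key):
    """Model of the pre-Castellan contract: the key must be a list of
    unsigned ints (0..255), one per byte, hex-encoded for cryptsetup's
    --key-file=-.  Any other element type fails at the '%02x' format."""
    return ''.join('%02x' % byte for byte in key)


def format_key_for_cryptsetup(key, key_size_bits=KEY_SIZE_BITS):
    """Normalise whatever the key manager returned to bytes before
    hex-encoding, and fail loudly if the length does not match key_size."""
    if isinstance(key, str):
        # Raw-octet string return value; assumed to carry one octet per char.
        key = key.encode('latin-1')
    elif isinstance(key, (list, tuple)):
        if not all(isinstance(b, int) and 0 <= b <= 255 for b in key):
            raise ValueError('key list must contain only unsigned bytes')
        key = bytes(key)
    elif not isinstance(key, (bytes, bytearray)):
        raise TypeError('unsupported key type: %s' % type(key).__name__)
    expected = key_size_bits // 8
    if len(key) != expected:
        raise ValueError('key is %d bytes, expected %d for key_size=%d'
                         % (len(key), expected, key_size_bits))
    return binascii.hexlify(bytes(key)).decode('ascii')


def legacy_rejects(key):
    """True if the legacy formatter raises TypeError for this key shape."""
    try:
        legacy_format_key(key)
    except TypeError:
        return True
    return False


if __name__ == '__main__':
    key_as_list = list(range(32))                      # constructed sample key
    key_as_str = ''.join(chr(b) for b in key_as_list)  # same key, unformatted
    print(legacy_format_key(key_as_list))              # old shape works
    print(legacy_rejects(key_as_str))                  # True: the reported TypeError
    print(format_key_for_cryptsetup(key_as_str))       # same hex for either shape
```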
Steps to reproduce
==================
1. Set up an LVM device:
Create a backing file:
$ truncate nova-lvm -s 2G
Mount the backing file on a loop device:
$ sudo losetup /dev/loop1 nova-lvm
Prepare the device for LVM:
$ sudo pvcreate /dev/loop1
Create the LVM group on the loop device:
$ sudo vgcreate nova-lvm /dev/loop1
2. Set up a devstack environment with ephemeral storage encryption enabled by adding the following lines to `lib/nova`:
iniset $NOVA_CONF ephemeral_
iniset $NOVA_CONF ephemeral_
iniset $NOVA_CONF ephemeral_
iniset $NOVA_CONF libvirt images_type "lvm"
iniset $NOVA_CONF libvirt images_volume_group "nova-lvm"
3. Stack:
$ ./stack
4. Use Nova to boot an instance:
$ nova boot --flavor 1 --image {image_id}
Expected result
===============
Ephemeral storage encryption succeeds and Nova successfully boots the instance.
Actual result
=============
Ephemeral storage encryption fails with a TypeError (similar results can be seen from Barbican Tempest gate failures [1]):
2017-05-04 11:51:23.531 TRACE nova.compute.
Nova fails to boot the instance.
Environment
===========
Latest `master` branch for all projects, except for Nova, which has patch [1] applied to work around the error that patch addresses. Even without this patch, traces of the TypeError can still be seen [2].
[1] https:/
[2] http://
Changed in nova:
importance: Undecided → Medium
Fix proposed to branch: master
Review: https://review.openstack.org/462674