Comment 42 for bug 1821696

OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/650853
Committed: https://opendev.org/openstack/kolla-ansible/commit/1c63eb20d92febabbcb0dacbc35b0c89771d7202
Submitter: "Zuul (22348)"
Branch: master

commit 1c63eb20d92febabbcb0dacbc35b0c89771d7202
Author: Mark Goddard <email address hidden>
Date: Mon Apr 8 12:18:52 2019 +0100

    Persist nova libvirt secrets in a Docker volume

    Libvirt may reasonably expect that its secrets directory
    (/etc/libvirt/secrets) is persistent. However, the nova_libvirt
    container does not map the secrets directory to a volume, so it will not
    survive a recreation of the container. Furthermore, if Cinder or Nova
    Ceph RBD integration is enabled, nova_libvirt's config.json includes an
    entry for /etc/libvirt/secrets which will wipe out the directory on a
    restart of the container.

    Previously, this appeared to cause an issue with encrypted volumes,
    which could fail to attach in certain situations as described in bug
    1821696. Nova has since made a related change, and the issue can no
    longer be reproduced. However, making the secret store persistent seems
    like a sensible thing to do, and may prevent hitting other corner cases.

    This change maps /etc/libvirt/secrets to a Docker volume in the
    nova_libvirt container. We also modify config.json for the nova_libvirt
    container to merge the /etc/libvirt/secrets directory, to ensure that
    secrets added in the container during runtime are not overwritten when
    the container restarts.

    Change-Id: Ia7e923dddb77ff6db3c9160af931354a2b305e8d
    Related-Bug: #1821696
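The two conditions the commit message describes can be checked on a deployed host. The sketch below is an added example, not code from the kolla-ansible change: it audits parsed `docker inspect` output and a Kolla `config.json` for a secrets directory that is not backed by a mount, or that is copied without Kolla's `merge` option. All sample data is constructed, and the volume name and source paths are placeholders.

```python
import json

SECRETS_DIR = "/etc/libvirt/secrets"

# Constructed sample: trimmed `docker inspect nova_libvirt` output.
# The volume name and bind source are placeholders, not values from the commit.
INSPECT_PERSISTENT = json.loads("""
[{"Name": "/nova_libvirt",
  "Mounts": [
    {"Type": "bind", "Source": "/example/config", "Destination": "/var/lib/kolla/config_files"},
    {"Type": "volume", "Name": "example_secrets_volume", "Destination": "/etc/libvirt/secrets"}
  ]}]
""")
INSPECT_EPHEMERAL = [{"Name": "/nova_libvirt", "Mounts": []}]

# Constructed config.json fragments: with and without the merge flag.
_ENTRY = {"source": "/example/secrets", "dest": SECRETS_DIR,
          "owner": "root", "perm": "0600"}
CONFIG_MERGE = {"config_files": [dict(_ENTRY, merge=True)]}
CONFIG_WIPE = {"config_files": [dict(_ENTRY)]}


def secrets_mount(inspect):
    """Return the mount backing SECRETS_DIR, or None if it lives in the container layer."""
    for mount in inspect[0].get("Mounts", []):
        if mount.get("Destination", "").rstrip("/") == SECRETS_DIR:
            return mount
    return None


def overwriting_entries(config):
    """Entries that target SECRETS_DIR without merge, so the directory is replaced on start."""
    return [e for e in config.get("config_files", [])
            if e.get("dest", "").rstrip("/") == SECRETS_DIR
            and not e.get("merge", False)]


def audit(inspect, config):
    """Return a list of findings; an empty list means both conditions are satisfied."""
    findings = []
    if secrets_mount(inspect) is None:
        findings.append("not-persistent")   # lost when the container is recreated
    if overwriting_entries(config):
        findings.append("wiped-on-restart")  # runtime secrets overwritten on restart
    return findings


if __name__ == "__main__":
    print(audit(INSPECT_EPHEMERAL, CONFIG_WIPE))
    print(audit(INSPECT_PERSISTENT, CONFIG_MERGE))
```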