Reviewed: https://review.opendev.org/748661
Committed: https://git.openstack.org/cgit/openstack/os-brick/commit/?id=9905455da6d7031eb04e209f8e2225880de01913
Submitter: Zuul
Branch: stable/train
commit 9905455da6d7031eb04e209f8e2225880de01913
Author: Stephen Finucane <email address hidden>
Date: Wed Jul 22 11:07:19 2020 +0100
rbd: Warn if ceph udev rules are not configured
The LUKS encryptor feature expects devices to have a symbolic link that
it can overwrite in order to enable transparent encryption/decryption
for instances [1]. This is generally the case for RBD volumes, as Ceph
uses udev rules [2] to create a '/dev/rbd/{pool}/{device}' ->
'/dev/rbdN' symlink. However, in an environment where udev daemon is not
present or configured correctly, this symlink will never be configured.
This causes things to crash and burn in a rather non-obvious manner when
locally attaching an encrypted RBD volume:
oslo_concurrency.processutils.ProcessExecutionError: Unexpected error while running command.
Command: cryptsetup luksOpen --key-file=- /dev/rbd/volumes/volume-foo crypt-volume-foo
Exit code: 4
Stdout: ''
Stderr: "Device /dev/rbd/volumes/foo doesn't exist or access denied.\n"
('foo' being a stand-in for a very long 'device-$UUID' name)
The long term fix here is to probably stop relying on the side effects
of these udev rules, i.e. the symlinks, but that is a far more involved
fix that would not be backportable. Instead, for now we simply leave a
breadcrumb for the user, informing them as to what's gone wrong and
encouraging them to look at the bug report for more information.
[1] https://github.com/openstack/os-brick/blob/3.1.0/os_brick/encryptors/luks.py#L191-L195
[2] https://github.com/ceph/ceph/blob/v14.0.0/udev/50-rbd.rules
Change-Id: I2775f55039695c7ec029106c0dafe4d46255b336
Signed-off-by: Stephen Finucane <email address hidden>
Related-Bug: #1884114
(cherry picked from commit ee34d925ff8a8a83345941b7876b09f2c0396864)
(cherry picked from commit 1eeffd986dd8d5a192c7af272fb5eefb0ce43da2)
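
A pre-attach check for the symlink the commit message above describes, as an added example that is not os-brick's code. The function name, the status strings and the `dev_root` parameter are assumptions made for the illustration, and the demo runs against a constructed directory tree instead of a real /dev.

```python
import os
import re
import tempfile

RBD_NODE = re.compile(r"^rbd\d+$")  # kernel block device name, e.g. rbd0


def check_rbd_symlink(pool, volume, dev_root="/dev"):
    """Classify the /dev/rbd/{pool}/{volume} symlink before luksOpen runs.

    Returns (status, message); status is 'ok', 'missing', 'dangling' or
    'unexpected'. This is a pre-attach check only: the encryptor later
    overwrites the link, so its target changes once the volume is attached.
    """
    link = os.path.join(dev_root, "rbd", pool, volume)
    if not os.path.islink(link):
        if os.path.exists(link):
            return "unexpected", f"{link} exists but is not a symlink"
        return "missing", (f"{link} not found: the ceph udev rules may not "
                           "be installed or udev may not be running")
    target = os.path.realpath(link)
    if not os.path.exists(target):
        return "dangling", f"{link} -> {target}, but the target does not exist"
    if not RBD_NODE.match(os.path.basename(target)):
        return "unexpected", f"{link} -> {target} is not a /dev/rbdN node"
    return "ok", f"{link} -> {target}"


def demo():
    """Run the check against a constructed device tree in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        os.makedirs(os.path.join(root, "rbd", "volumes"))
        open(os.path.join(root, "rbd0"), "w").close()  # stand-in for /dev/rbd0
        os.symlink(os.path.join(root, "rbd0"),
                   os.path.join(root, "rbd", "volumes", "volume-good"))
        os.symlink(os.path.join(root, "rbd7"),  # target never created
                   os.path.join(root, "rbd", "volumes", "volume-stale"))
        return {name: check_rbd_symlink("volumes", name, dev_root=root)[0]
                for name in ("volume-good", "volume-stale", "volume-foo")}


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```
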