Comment 7 for bug 1884114

OpenStack Infra (hudson-openstack) wrote : Related fix merged to os-brick (stable/train)

Reviewed: https://review.opendev.org/748661
Committed: https://git.openstack.org/cgit/openstack/os-brick/commit/?id=9905455da6d7031eb04e209f8e2225880de01913
Submitter: Zuul
Branch: stable/train

commit 9905455da6d7031eb04e209f8e2225880de01913
Author: Stephen Finucane <email address hidden>
Date: Wed Jul 22 11:07:19 2020 +0100

    rbd: Warn if ceph udev rules are not configured

    The LUKS encryptor feature expects devices to have a symbolic link that
    it can overwrite in order to enable transparent encryption/decryption
    for instances [1]. This is generally the case for RBD volumes, as Ceph
    uses udev rules [2] to create a '/dev/rbd/{pool}/{device}' ->
    '/dev/rbdN' symlink. However, in an environment where the udev daemon is not
    present or configured correctly, this symlink will never be configured.
    This causes things to crash and burn in a rather non-obvious manner when
    locally attaching an encrypted RBD volume:

      oslo_concurrency.processutils.ProcessExecutionError: Unexpected error while running command.
      Command: cryptsetup luksOpen --key-file=- /dev/rbd/volumes/volume-foo crypt-volume-foo
      Exit code: 4
      Stdout: ''
      Stderr: "Device /dev/rbd/volumes/foo doesn't exist or access denied.\n"

    ('foo' being a stand-in for a very long 'device-$UUID' name)

    The long term fix here is to probably stop relying on the side effects
    of these udev rules, i.e. the symlinks, but that is a far more involved
    fix that would not be backportable. Instead, for now we simply leave a
    breadcrumb for the user, informing them as to what's gone wrong and
    encouraging them to look at the bug report for more information.

    [1] https://github.com/openstack/os-brick/blob/3.1.0/os_brick/encryptors/luks.py#L191-L195
    [2] https://github.com/ceph/ceph/blob/v14.0.0/udev/50-rbd.rules

    Change-Id: I2775f55039695c7ec029106c0dafe4d46255b336
    Signed-off-by: Stephen Finucane <email address hidden>
    Related-Bug: #1884114
    (cherry picked from commit ee34d925ff8a8a83345941b7876b09f2c0396864)
    (cherry picked from commit 1eeffd986dd8d5a192c7af272fb5eefb0ce43da2)
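
A pre-attach check for the symlink the commit message describes, as an added example that is not os-brick's or Ceph's code. The function name, the `dev_root` parameter and the sample volume names are assumptions made for illustration, and the demo runs against a constructed directory tree rather than a real `/dev`.

```python
import os
import re
import tempfile

# Kernel RBD nodes are named rbdN (partitions: rbdNpM).
RBD_NODE = re.compile(r"^rbd\d+(p\d+)?$")


def check_rbd_symlink(pool, volume, dev_root="/dev"):
    """Return (ok, reason) for the /dev/rbd/{pool}/{volume} udev symlink.

    Intended to run before the encryptor attaches, i.e. while the link
    should still point at the raw rbdN node.
    """
    link = os.path.join(dev_root, "rbd", pool, volume)
    if not os.path.lexists(link):
        return False, f"{link} is missing: ceph udev rules not applied or udev not running"
    if not os.path.islink(link):
        return False, f"{link} exists but is not a symlink"
    target = os.path.realpath(link)
    if not os.path.exists(target):
        return False, f"{link} is a dangling symlink to {target}"
    if not RBD_NODE.match(os.path.basename(target)):
        return False, f"{link} resolves to {target}, not an rbdN node"
    return True, f"{link} -> {target}"


def demo():
    """Run the check against a constructed /dev tree in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        pool_dir = os.path.join(root, "rbd", "volumes")
        os.makedirs(pool_dir)
        # Constructed stand-in for the /dev/rbd0 device node.
        open(os.path.join(root, "rbd0"), "w").close()
        # Healthy link, as the udev rules would create it.
        os.symlink(os.path.join(root, "rbd0"), os.path.join(pool_dir, "volume-foo"))
        # Stale link whose rbdN node no longer exists.
        os.symlink(os.path.join(root, "rbd9"), os.path.join(pool_dir, "volume-stale"))
        names = ("volume-foo", "volume-stale", "volume-bar")
        return {n: check_rbd_symlink("volumes", n, dev_root=root) for n in names}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("OK  " if ok else "WARN", name, "-", reason)
```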