Encryptor connect_volume not changing the symlink
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
os-brick | Fix Released | High | Gorka Eguileor | |
Bug Description
There are systems where it has been confirmed that creating an encrypted volume (iSCSI or FC) from an image has resulted in the data being written unencrypted on the disk.
It is expected that this same issue could happen on the Nova side when connecting volumes to instances.
This not only results in an unusable volume (since it fails to attach on an instance), but also in a security risk, because the volume now has the image data unencrypted.
Cases where this frequently happened were when Linux was running in FIPS mode.
Upon investigation, this happens because after returning from the connect_volume call to the os-brick encryptor the symlink that should be pointing to the decrypted device mapper is pointing to the raw device instead.
Upon closer inspection it turns out that it's not that the os-brick encryptor code is not replacing the symlink, but that there is a race condition between the os-brick code and the system's udev rules that ends up replacing the symlink.
It all happens because when cryptsetup opens the device (already formatted or not) it generates a kernel uevent that udevd detects and ends up triggering the system udev rules.
Setting the debug mode on udev allows us to see this event:
systemd-
systemd-
. . .
systemd-
systemd-
systemd-
The claiming message is because the device already exists and it was pointing to the cryptsetup Device Mapper device, so it's overwriting it.
So this is the race condition that happens:
- cinder calls connect_volume => returns /dev/disk/
- cinder calls connect_volume on the encryptor
- os-brick calls cryptsetup
- cryptsetup triggers the udev rules
- os-brick makes /dev/disk/
- the udev rule claims the symlink and makes it point to /dev/sda again
- cinder writes data to the symlink
Since it's a race condition it doesn't happen every time, as it depends on the speed the udev rules run. If the udev rule checking the /dev/disk/
Changed in os-brick: | |
importance: | Undecided → Medium |
Changed in os-brick: | |
importance: | Medium → Critical |
Changed in os-brick: | |
importance: | Critical → High |
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/os-brick/+/836391
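A caller-side guard against the race described in the bug, as an added example that is not os-brick's code or the fix under review: open the symlink, then verify on the open descriptor that it is the decrypted device before writing, so a later re-pointing cannot redirect the data. The names `open_verified`, `UnexpectedDeviceError` and `simulate_race` are hypothetical, and regular files in a temporary directory stand in for `/dev/sda` and the device mapper node.

```python
import os
import stat
import tempfile


class UnexpectedDeviceError(RuntimeError):
    """The symlink does not lead to the device we intended to write to."""


def _identity(st):
    # Block devices are identified by their device number (st_rdev);
    # the regular files used as stand-ins below by (st_dev, st_ino).
    if stat.S_ISBLK(st.st_mode):
        return ("blk", st.st_rdev)
    return ("file", st.st_dev, st.st_ino)


def open_verified(symlink, expected_device, flags=os.O_WRONLY):
    """Open symlink; return the fd only if it really is expected_device."""
    # The comparison is made on the already-open descriptor, so there is
    # no window between the check and the write for udev to swap the link.
    expected = _identity(os.stat(expected_device))
    fd = os.open(symlink, flags)
    if _identity(os.fstat(fd)) != expected:
        os.close(fd)
        raise UnexpectedDeviceError(f"{symlink} is not {expected_device}")
    return fd


def simulate_race():
    """Replay the race on constructed stand-ins: 'sda' raw, 'dm-0' mapper."""
    with tempfile.TemporaryDirectory() as d:
        raw, mapper, link = (os.path.join(d, n) for n in ("sda", "dm-0", "link"))
        for path in (raw, mapper):
            open(path, "wb").close()
        os.symlink(raw, link)             # state after the udev rule won
        try:
            os.close(open_verified(link, mapper))
            blocked = False
        except UnexpectedDeviceError:
            blocked = True                # fail closed: nothing reaches 'sda'
        os.remove(link)
        os.symlink(mapper, link)          # link correct: the write goes through
        fd = open_verified(link, mapper)
        os.write(fd, b"image data")
        os.close(fd)
        return blocked, os.path.getsize(raw), os.path.getsize(mapper)
```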