Bug 1362512 - [9.0.z] Unable to attach multipath backed encrypted volumes to instances
Summary: [9.0.z] Unable to attach multipath backed encrypted volumes to instances
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 9.0 (Mitaka)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ga
Target Release: 9.0 (Mitaka)
Assignee: Lee Yarwood
QA Contact: Prasanth Anbalagan
URL:
Whiteboard:
Depends On:
Blocks: 1362514 1362515 1362518
Reported: 2016-08-02 12:17 UTC by Lee Yarwood
Modified: 2016-08-24 12:57 UTC (History)

Fixed In Version: openstack-nova-13.1.0-6.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the cryptsetup tool would attempt to reuse multi-path device names when creating a dm-crypt device. This would cause the tool to fail because the device would already exist in the host, which would cause the attachment of a multi-path backed encrypted volume to also fail. With this update, the cryptsetup tool now uses a unique device name, allowing it to create the dm-crypt device successfully, and the attachment of multi-path backed encrypted volumes to succeed.
Clone Of:
: 1362514 (view as bug list)
Environment:
Last Closed: 2016-08-24 12:57:34 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1758 normal SHIPPED_LIVE openstack-nova bug fix advisory 2016-08-24 16:50:11 UTC

Description Lee Yarwood 2016-08-02 12:17:55 UTC
Description of problem:

The following failure is seen when attempting to attach multipath backed encrypted volumes to an instance:

2016-08-01 18:27:32.081 13629 DEBUG nova.openstack.common.processutils [req-945b0e6f-b1ed-47b1-9fec-86058d8a2225 ] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf cryptsetup luksOpen --key-file=- /dev/dm-8 3600a098038303365763f476c63634758 execute /usr/lib/python2.7/site-packages/nova/openstack/common/processutils.py:171

This is due to a 3600a098038303365763f476c63634758 device already present and in-use on the host. The following change recently corrected this against master:

Fix multipath iSCSI encrypted volume attach failure
https://review.openstack.org/#/c/196482/

This is only present in OSP 6 and 7 with the following Cinder bugfix:

Cinder volume encryption with iSCSI backend doesn't work
https://bugzilla.redhat.com/show_bug.cgi?id=1359197


Version-Release number of selected component (if applicable):
OSP 6,7,8,9

How reproducible:
Always

Steps to Reproduce:
1. Attempt to attach a multipath backed encrypted volume to an instance.

Actual results:
`cryptsetup luksOpen` fails.

Expected results:
`cryptsetup luksOpen` succeeds and the volume is correctly attached.

Additional info:
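
The collision described in this report, as an added example that is not part of the original bug report or of Nova's code: it parses the `cryptsetup luksOpen` command from the log line above, compares the requested dm-crypt mapping name against the map names in `multipath -ll` output, and proposes a non-colliding name. The `multipath -ll` sample is constructed, and the `crypt-` prefix is an assumed naming scheme (the report only states that a unique name is used).

```python
import re
import shlex

# Command from the log line quoted in the report (log prefix and trailer trimmed).
LOG_LINE = ("Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf "
            "cryptsetup luksOpen --key-file=- /dev/dm-8 "
            "3600a098038303365763f476c63634758 execute")

# Constructed `multipath -ll` output for the failing host. Only the map name
# and dm-8 come from the report; vendor, product and paths are placeholders.
MULTIPATH_LL = """\
3600a098038303365763f476c63634758 dm-8 VENDOR  ,PRODUCT
size=1.0G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=1 status=active
  `- 26:0:0:0 sdb 8:16  active ready running
"""

# Map header line: "<name> dm-N ..." or "<alias> (<wwid>) dm-N ...".
MAP_RE = re.compile(r"^(\S+)(?: \(\S+\))? (dm-\d+) ", re.M)


def multipath_maps(text):
    """Return {map name: kernel device} parsed from `multipath -ll` output."""
    return {m.group(1): m.group(2) for m in MAP_RE.finditer(text)}


def parse_luks_open(line):
    """Return (device, mapping name) for a `cryptsetup luksOpen` command, else None."""
    argv = shlex.split(line)
    if "luksOpen" not in argv:
        return None
    rest = argv[argv.index("luksOpen") + 1:]
    positional = [a for a in rest if not a.startswith("-")]
    return tuple(positional[:2]) if len(positional) >= 2 else None


def check_attach(line, multipath_text, prefix="crypt-"):
    """Flag a luksOpen whose mapping name is already taken by a multipath map."""
    parsed = parse_luks_open(line)
    if parsed is None:
        return None
    device, name = parsed
    maps = multipath_maps(multipath_text)
    candidate = prefix + name  # assumed scheme; the report only says "unique"
    return {"device": device, "requested": name,
            "collides": name in maps, "existing_dev": maps.get(name),
            "suggested": candidate, "suggested_collides": candidate in maps}


if __name__ == "__main__":
    print(check_attach(LOG_LINE, MULTIPATH_LL))
```

Multipath maps and dm-crypt mappings share the device-mapper name space, which is why the requested name fails; this check only looks at multipath maps, not every existing device-mapper device.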

Comment 2 Prasanth Anbalagan 2016-08-15 18:25:50 UTC
Verified as follows - attached 5 encrypted volumes w/ multipath to an instance.

***********
VERSION
***********
[root@serverA]# yum list installed | grep openstack-nova
openstack-nova-api.noarch            1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-cert.noarch           1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-common.noarch         1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-compute.noarch        1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-conductor.noarch      1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-console.noarch        1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-novncproxy.noarch     1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-scheduler.noarch      1:13.1.1-1.el7ost       @rhelosp-9.0-puddle


*******
LOGS
*******
[root@serverA]# cinder encryption-type-list
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
|            Volume Type ID            |                  Provider                 |      Cipher     | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| a3c10847-cd23-4587-96ab-e8246dc3d2f0 | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 |   512    |    front-end     |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+


[root@serverA]# cinder show vol1 | grep encrypted
|           encrypted            |                 True                 |
[root@serverA]# cinder show vol2 | grep encrypted
|           encrypted            |                 True                 |
[root@serverA]# cinder show vol3 | grep encrypted
|           encrypted            |                 True                 |
[root@serverA]# cinder show vol4 | grep encrypted
|           encrypted            |                 True                 |
[root@serverA]# cinder show vol5 | grep encrypted
|           encrypted            |                 True                 |


[root@serverA]# nova list
+--------------------------------------+------+--------+------------+-------------+---------------------+
| ID                                   | Name | Status | Task State | Power State | Networks            |
+--------------------------------------+------+--------+------------+-------------+---------------------+
| 8d044b32-5dd2-4057-a6a2-8c48037c7566 | vm1  | ACTIVE | -          | Running     | public=172.24.4.238 |
+--------------------------------------+------+--------+------------+-------------+---------------------+
[root@serverA]# 


[root@serverA]# cinder list
+--------------------------------------+--------+------+------+-------------+----------+--------------------------------------+
|                  ID                  | Status | Name | Size | Volume Type | Bootable |             Attached to              |
+--------------------------------------+--------+------+------+-------------+----------+--------------------------------------+
| 3861519a-d05e-4e91-ae10-e1e5cfca2e51 | in-use | vol1 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
| 3fca2f93-5725-49bb-a137-ece57c8970d3 | in-use | vol4 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
| 50ce84bd-9883-46b5-bf65-529dffd44dda | in-use | vol3 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
| 8b1ac8db-19b5-4ddf-838e-2145ad1a5e92 | in-use | vol2 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
| d459d166-b85d-4b27-8263-146fe94c0d77 | in-use | vol5 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
+--------------------------------------+--------+------+------+-------------+----------+--------------------------------------+

[root@serverA]# multipath -ll
36001405648c3d7f5c60469f8d459dca4 dm-5 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 26:0:0:0 sdb 8:16  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 27:0:0:0 sdc 8:32  active ready running
360014052c49f4e3d72c4190be6fe54c6 dm-7 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 28:0:0:0 sdd 8:48  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 29:0:0:0 sde 8:64  active ready running
3600140559f26a031a304eaca65dc3992 dm-13 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 34:0:0:0 sdj 8:144 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 35:0:0:0 sdk 8:160 active ready running
3600140542339871e7a543148f79a3285 dm-9 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 30:0:0:0 sdf 8:80  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 31:0:0:0 sdg 8:96  active ready running
360014059ab72759d9d042d7849d6098f dm-11 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 32:0:0:0 sdh 8:112 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 33:0:0:0 sdi 8:128 active ready running
[root@seal56 ~(keystone_admin)]#

Comment 4 errata-xmlrpc 2016-08-24 12:57:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1758.html

