Volume Encryption not supported by charm

Bug #1708768 reported by Drew Freiberger
This bug affects 3 people
Affects                       Status    Importance  Assigned to  Milestone
OpenStack Cinder Charm        Triaged   Wishlist    Unassigned
OpenStack Nova Compute Charm  Triaged   Wishlist    Unassigned

Bug Description

I've tried to configure an encrypted volume based on the process outlined here:

https://docs.openstack.org/liberty/config-reference/content/section_create-encrypted-volume-type.html (couldn't find equivalent link for mitaka)

It resulted in creating the volume within cinder (using a charmed ceph backend); however, when attempting to attach it to a nova-compute instance, I receive the following traceback, which shows that the keymgr API is not configured by the charm per this reference:

https://docs.openstack.org/mitaka/config-reference/block-storage/volume-encryption.html

nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] Traceback (most recent call last):
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/driver.py", line 1345, in attach_volume
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] encryption)
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/driver.py", line 1286, in _get_volume_encryptor
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] **encryption)
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/volume/encryptors/__init__.py", line 34, in get_volume_encryptor
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] encryptor = nop.NoOpEncryptor(connection_info, **kwargs)
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/volume/encryptors/nop.py", line 28, in __init__
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] super(NoOpEncryptor, self).__init__(connection_info, **kwargs)
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/volume/encryptors/base.py", line 35, in __init__
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] self._key_manager = keymgr.API()
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/keymgr/__init__.py", line 33, in API
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] return cls()
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/keymgr/conf_key_mgr.py", line 58, in __init__
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] raise ValueError(_('keymgr.fixed_key not defined'))
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] ValueError: keymgr.fixed_key not defined
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058]
nova-compute.log:2017-08-04 23:21:41.232 588061 ERROR nova.virt.block_device [req-15cb8edd-d101-4099-a776-569db18b3231 1d3dd7410c33419aac94508264038c89 1fa839daef4d4dac9dc0576ae9420453 - - -] [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] Driver failed to attach volume 31b44efe-ec93-43d3-9800-f658ec6dae23 at /dev/vdb

Running trusty/Mitaka bootstack cloud with:
cinder 2:8.1.1-0ubuntu3~cloud0
nova-compute 2:13.1.4-0ubuntu1~cloud0

recently updated to openstack-charms/17.02
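An added check, not part of the bug report or of either charm, that classifies the key-manager state of a nova.conf or cinder.conf body into the three situations discussed on this page: no key manager configured (the ValueError in the traceback), the ConfKeyManager `fixed_key` workaround, and a Barbican-backed key manager. The sample configs are constructed; the section names follow the linked docs ([keymgr] on Mitaka, [key_manager] on Newton) and the Barbican `api_class` value is an assumption.

```python
import configparser

# Constructed sample configs (not taken from the bug report). NO_KEYMGR is
# the state the traceback above implies; FIXED_KEY is the ConfKeyManager
# workaround; BARBICAN points at an external key manager. Section names
# follow the docs linked in the report ([keymgr] on Mitaka, [key_manager]
# on Newton); the api_class value is an assumption about the Newton layout.
NO_KEYMGR = "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
FIXED_KEY = NO_KEYMGR + "[keymgr]\nfixed_key = 00112233445566778899aabbccddeeff\n"
BARBICAN = NO_KEYMGR + (
    "[key_manager]\n"
    "api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager\n"
)


def check_key_manager(conf_text):
    """Classify the key-manager state of a nova.conf / cinder.conf body.

    Returns (level, message):
      'error' - attaching an encrypted volume fails with the ValueError in
                the traceback (no key manager section and no fixed_key)
      'warn'  - ConfKeyManager: one static key in a plain-text config file
                protects every encrypted volume on the node
      'ok'    - an external key manager (Barbican) is configured
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = next((s for s in ("key_manager", "keymgr") if cp.has_section(s)), None)
    if section is None:
        return ("error", "no [key_manager]/[keymgr] section: nova falls back to "
                         "ConfKeyManager and raises 'keymgr.fixed_key not defined'")
    api_class = cp.get(section, "api_class", fallback="")
    if "barbican" in api_class.lower():
        return ("ok", f"[{section}] api_class={api_class}")
    if cp.has_option(section, "fixed_key"):
        return ("warn", f"[{section}] fixed_key set: a single key in the config "
                        "file encrypts every volume; keep keys in Barbican instead")
    return ("error", f"[{section}] has neither a Barbican api_class nor fixed_key")


if __name__ == "__main__":
    for name, text in (("no-keymgr", NO_KEYMGR), ("fixed-key", FIXED_KEY),
                       ("barbican", BARBICAN)):
        level, msg = check_key_manager(text)
        print(f"{name:10} {level:5} {msg}")
```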

Matt Rae (mattrae) wrote:

Confirming that currently encrypted volumes are not supported by the cinder or barbican charms. Barbican is required but the Barbican charm currently doesn't support integrating with cinder.

Alex Kavanagh (ajkavanagh) wrote:

(I'm the author of the barbican charms)

It's not so much that the Barbican charm needs to support cinder, as cinder needs to be configurable to use Barbican: Please see here: (mitaka) https://docs.openstack.org/mitaka/config-reference/block-storage/volume-encryption.html and (newton) https://docs.openstack.org/newton/config-reference/block-storage/volume-encryption.html

i.e. cinder would need updating to provide a [key_manager] section.

A bigger issue is that the Barbican charm isn't 'production' yet, as there is no suitable HSM configuration defined for it. The 'out-of-the-box no hsm' configuration might be suitable, soft-hsm doesn't work due to a missing OpenSSL feature on Xenial (#1611393), and no hardware HSM has been identified as a solution to work against. Please see bug: #1615211 for more details.

So, from a Barbican perspective, it can work with just the built in secret system. However, there's no HA (tested) on the Barbican charm and there's probably a little work in getting it fully production level (which we want to do!) with just the built in system.

It boils down to the requirements of the user. i.e. with some work we would be able to support Barbican / internal secret store / encrypted volumes (with a change to the Cinder charm) if it's okay that those volume keys are stored in the database, rather than an HSM. If they have to be stored in an HSM, then the HSM needs selecting, and a configuration charm for it needs to be produced.

Hope that helps with some background.

Changed in charm-cinder:
status: New → Triaged
Changed in charm-nova-compute:
status: New → Triaged
Changed in charm-cinder:
importance: Undecided → Wishlist
Changed in charm-nova-compute:
importance: Undecided → Wishlist