Comment 0 for bug 2004173

Aymen Frikha (aym-frikha) wrote : CIS hardening breaks luks volumes created from images

Hello,

When we enable CIS hardening using cloud-init scripts: https://pastebin.canonical.com/p/92mhhW7DBf/

it breaks the creation of new volumes with LUKS when they need to be created from an image.

+--------------------------------+--------------------------------------+
| Field                          | Value                                |
+--------------------------------+--------------------------------------+
| attachments                    | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| consistencygroup_id            | None                                 |
| created_at                     | 2023-01-25T14:34:37.000000           |
| description                    | None                                 |
| encrypted                      | True                                 |
| id                             | 12474116-a517-4ad9-90b2-c864337a2cfc |
| migration_status               | None                                 |
| multiattach                    | False                                |
| name                           | test-vol                             |
| os-vol-host-attr:host          | cinder@cinder-ceph#cinder-ceph       |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 5e87742376a6410383a0df86cb6efa2d     |
| properties                     |                                      |
| replication_status             | None                                 |
| size                           | 5                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | error                                |
| type                           | __DEFAULT__                          |
| updated_at                     | 2023-01-25T14:35:29.000000           |
| user_id                        | 5e079b88678645c2b090aee6f53f9f96     |
| volume_image_metadata          | {'signature_verified': 'False'}      |
+--------------------------------+--------------------------------------+

Steps to test this:

openstack volume type create --encryption-provider nova.volume.encryptors.luks.LuksEncryptor --encryption-cipher aes-xts-plain64 --encryption-key-size 256 --encryption-control-location front-end LuksEncryptor-Template-256

openstack volume create --type LuksEncryptor-Template-256 test-vol-bionic-kvm-4 --size 5 --image bionic-kvm