Imaged encrypted volumes fail to deploy new volumes
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cinder |
Incomplete
|
Low
|
Unassigned |
Bug Description
We have a Stein environment, deployed with Kolla Ansible on CentOS 7, that generates an error when performing the following steps:
1) Create a volume on an encrypted backend
2) Create an image from this volume
3) Create a volume from this image on the encrypted backed (error occurs here)
The volume created in step 3 has a status of "error". The error was logged in the cinder-
The exact commands for reproducing the issue are, where gp1_encrypted is the encrypted Ceph backend:
openstack volume create \
--type gp1_encrypted \
--size 10 \
EricTestVolumeE
openstack image create \
--volume EricTestVolumeE
EricTestImageFr
openstack volume create \
--type gp1_encrypted \
--image EricTestImageFr
--size 10 \
EricTestVolumeF
I thought that Glance possibly was having issues connecting to Barbican, so I checked the glance-api.conf file, and sure enough, the [barbican] stanza was missing. Ussuri and later versions of Kolla Ansible include this stanza that includes the auth_endpoint. So, I created a patch for the file in Kolla Ansible to include this in this environment, re-deployed, the glance-api services restarted successfully, and I confirmed that the stanza was indeed added successfully to all of the glance-api containers.
However, the problem is still there.
I had read here:
https:/
that:
2.2. A user wants to create an encrypted image from a volume. The volume uses an encrypted volume type (LUKS-based). The target image is not to be re-encrypted but will instead reuse the LUKS encryption and key. This use case is already implemented as part of the default behavior of Cinder.
Maybe this is referring to a newer version of Cinder, and/or Glance, than Stein? It did not specify which version started to support this, so maybe we're in need of an upgrade?
Thanks!
Eric
Changed in cinder: | |
importance: | Undecided → Low |
tags: | added: deployment encryption volume |
The log file you attached shows that Cinder got an HTTPInternalSer verError (HTTP 500) from Glance when trying to download the image, so there should be an error related to that failure in the Glance logs. This will be needed to determine what the failure actually is.
Stein should be sufficient for the use case you are describing.