Volume manage to encrypted type issues

Bug #1944577 reported by Eric Harney
This bug affects 2 people
Affects: Cinder
Status: Fix Released
Importance: Critical
Assigned to: Eric Harney
Milestone: -

Bug Description

1. Create unencrypted volume
2. Unmanage it
3. Manage it to an encrypted type
4. Observe that volume is on an encrypted type but shows that it is not encrypted

Bigger picture: we should probably not allow managing to an encrypted type since there is no way to associate the volume w/ an encryption key.

$ cinder type-list
+--------------------------------------+-------------+---------------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+-------------+---------------------+-----------+
| 3b92c9c0-ce77-4d5b-b6af-4936ad1e073e | __DEFAULT__ | Default Volume Type | True |
| 4fb104db-1010-4fd7-9d12-b0ff63e8f82c | mytype | - | True |
| e0f55b07-b69d-4c82-b7da-2d1267e1ad67 | ceph | - | True |
+--------------------------------------+-------------+---------------------+-----------+

$ cinder encryption-type-list
+--------------------------------------+----------+-----------------+----------+------------------+
| Volume Type ID | Provider | Cipher | Key Size | Control Location |
+--------------------------------------+----------+-----------------+----------+------------------+
| e0f55b07-b69d-4c82-b7da-2d1267e1ad67 | luks | aes-xts-plain64 | 256 | front-end |
+--------------------------------------+----------+-----------------+----------+------------------+

$ cinder create 1 --volume-type 4fb104db-1010-4fd7-9d12-b0ff63e8f82c
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2021-09-22T14:53:57.000000 |
| description | None |
| encrypted | False |
| id | 4381d236-7731-48b0-b5ac-162df89f8b8b |
| metadata | {} |
| migration_status | None |
| multiattach | False |
| name | None |
| os-vol-host-attr:host | None |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | e39ce39b34b94c698b6c45cb95e5229f |
| replication_status | None |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| updated_at | None |
| user_id | 659af4d79fed47218240c4809023c5c8 |
| volume_type | mytype |
+--------------------------------+--------------------------------------+

$ cinder show 4381d236-7731-48b0-b5ac-162df89f8b8b
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attached_servers | [] |
| attachment_ids | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2021-09-22T14:53:57.000000 |
| description | None |
| encrypted | False |
| id | 4381d236-7731-48b0-b5ac-162df89f8b8b |
| metadata | |
| migration_status | None |
| multiattach | False |
| name | None |
| os-vol-host-attr:host | ubuntufocal4@ceph#ceph |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | e39ce39b34b94c698b6c45cb95e5229f |
| replication_status | None |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| updated_at | 2021-09-22T14:53:58.000000 |
| user_id | 659af4d79fed47218240c4809023c5c8 |
| volume_type | mytype |
+--------------------------------+--------------------------------------+

$ cinder unmanage 4381d236-7731-48b0-b5ac-162df89f8b8b

$ cinder list
+----+--------+------+------+-------------+----------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+----+--------+------+------+-------------+----------+-------------+
+----+--------+------+------+-------------+----------+-------------+

$ cinder manage --volume-type e0f55b07-b69d-4c82-b7da-2d1267e1ad67 ubuntufocal4@ceph 4381d236-7731-48b0-b5ac-162df89f8b8b
(oops, wrong specifier)

$ cinder delete ae10d5dd-7376-48e5-a4cc-98feb00d728c

$ cinder manage --volume-type e0f55b07-b69d-4c82-b7da-2d1267e1ad67 ubuntufocal4@ceph volume-4381d236-7731-48b0-b5ac-162df89f8b8b
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2021-09-22T14:57:37.000000 |
| description | None |
| encrypted | False |
| id | 77fef329-18da-4896-977f-48664a76dba1 |
| metadata | {} |
| migration_status | None |
| multiattach | False |
| name | None |
| os-vol-host-attr:host | ubuntufocal4@ceph |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | e39ce39b34b94c698b6c45cb95e5229f |
| replication_status | None |
| size | 0 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| updated_at | None |
| user_id | 659af4d79fed47218240c4809023c5c8 |
| volume_type | ceph |
+--------------------------------+--------------------------------------+

$ cinder show 77fef329-18da-4896-977f-48664a76dba1
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attached_servers | [] |
| attachment_ids | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2021-09-22T14:57:37.000000 |
| description | None |
| encrypted | False |
| id | 77fef329-18da-4896-977f-48664a76dba1 |
| metadata | |
| migration_status | None |
| multiattach | False |
| name | None |
| os-vol-host-attr:host | ubuntufocal4@ceph#ceph |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | e39ce39b34b94c698b6c45cb95e5229f |
| replication_status | None |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| updated_at | 2021-09-22T14:57:39.000000 |
| user_id | 659af4d79fed47218240c4809023c5c8 |
| volume_type | ceph |
+--------------------------------+--------------------------------------+

This last "show" shows a volume with encrypted: False on an encrypted volume type.
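
An audit for the end state shown above, as an added example that is not part of the original bug report or Cinder's code: it parses the text printed by `cinder type-list`, `cinder encryption-type-list` and `cinder show` and flags a volume whose type has an encryption spec while `encrypted` is not True. The function names are hypothetical, and the sample tables are rows from the report trimmed to the fields the check reads.

```python
# Added example: find volumes on an encrypted type that report encrypted=False.

def parse_table(text):
    """Parse a prettytable-style CLI table into a list of dict rows.
    Border lines ('+---+') are skipped; cells must not contain '|'."""
    rows = [[c.strip() for c in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def encrypted_type_names(type_list, encryption_type_list):
    """Names of volume types that have an encryption spec attached."""
    enc_ids = {r["Volume Type ID"] for r in parse_table(encryption_type_list)}
    return {r["Name"] for r in parse_table(type_list) if r["ID"] in enc_ids}

def is_mismatched(show_output, enc_names):
    """True when the volume's type is encrypted but 'encrypted' is not True."""
    vol = {r["Property"]: r["Value"] for r in parse_table(show_output)}
    return vol.get("volume_type") in enc_names and vol.get("encrypted") != "True"

# Sample input: rows taken from the report's CLI output, trimmed to the
# columns and properties the check reads.
TYPE_LIST = """
| ID | Name | Description | Is_Public |
| 4fb104db-1010-4fd7-9d12-b0ff63e8f82c | mytype | - | True |
| e0f55b07-b69d-4c82-b7da-2d1267e1ad67 | ceph | - | True |
"""
ENCRYPTION_TYPE_LIST = """
| Volume Type ID | Provider | Cipher | Key Size | Control Location |
| e0f55b07-b69d-4c82-b7da-2d1267e1ad67 | luks | aes-xts-plain64 | 256 | front-end |
"""
SHOW_ORIGINAL = """
| Property | Value |
| encrypted | False |
| volume_type | mytype |
"""
SHOW_MANAGED = """
| Property | Value |
| encrypted | False |
| volume_type | ceph |
"""

if __name__ == "__main__":
    names = encrypted_type_names(TYPE_LIST, ENCRYPTION_TYPE_LIST)
    for label, out in (("original", SHOW_ORIGINAL), ("managed", SHOW_MANAGED)):
        print(label, "MISMATCH" if is_mismatched(out, names) else "ok")
```
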

Eric Harney (eharney)
tags: added: encryption
Changed in cinder:
importance: Undecided → Medium
tags: added: manage type volumes
Brian Rosmaita (brian-rosmaita) wrote :

Let's try to get this into RC-2. Failing that, we can at least give operators a warning not to do this.

Changed in cinder:
status: New → Triaged
milestone: none → xena-rc2
importance: Medium → Critical
Changed in cinder:
status: Triaged → In Progress
xuanyandong (xuanyandong) wrote :
Changed in cinder:
milestone: xena-rc2 → yoga-rc2
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/768458
Committed: https://opendev.org/openstack/cinder/commit/8088dc9580356ca51581c56888c9022848f543b1
Submitter: "Zuul (22348)"
Branch: master

commit 8088dc9580356ca51581c56888c9022848f543b1
Author: Yadiel Xuan(轩艳东) <email address hidden>
Date: Thu Dec 24 17:20:42 2020 +0800

    Prohibit volume manage to an encrypted volume type

    Managing a volume to an encrypted volume type should not be allowed.
    One reason is that there is no way for an operator to specify an
    encryption key ID for the volume. Another is that we already don't
    allow a volume of an encrypted type to be un-managed, so this change
    will be symmetric.

    Also update and correct the api-ref for this call.

    Co-authored-by: Yadiel Xuan(轩艳东) <email address hidden>
    Co-authored-by: Brian Rosmaita <email address hidden>

    Change-Id: Ic2da41f3962c1108f974aca952bce3da6d6ac277
    Closes-bug: #1944577

Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/cinder/+/834478

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/834478
Committed: https://opendev.org/openstack/cinder/commit/9c1aa92b9578c1dc1d63d4d9124d873438d495eb
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 9c1aa92b9578c1dc1d63d4d9124d873438d495eb
Author: Yadiel Xuan(轩艳东) <email address hidden>
Date: Thu Dec 24 17:20:42 2020 +0800

    Prohibit volume manage to an encrypted volume type

    Managing a volume to an encrypted volume type should not be allowed.
    One reason is that there is no way for an operator to specify an
    encryption key ID for the volume. Another is that we already don't
    allow a volume of an encrypted type to be un-managed, so this change
    will be symmetric.

    Also update and correct the api-ref for this call.

    Co-authored-by: xuan <email address hidden>
    Co-authored-by: Brian Rosmaita <email address hidden>

    Change-Id: Ic2da41f3962c1108f974aca952bce3da6d6ac277
    Closes-bug: #1944577
    (cherry picked from commit 8088dc9580356ca51581c56888c9022848f543b1)
    change:
      cinder/tests/unit/api/contrib/test_volume_manage.py - used a
      feature of unittest.mock that was introduced in py38; rewritten to
      be compatible with py36

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 20.0.0.0rc2

This issue was fixed in the openstack/cinder 20.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/cinder/+/835140

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/835140
Committed: https://opendev.org/openstack/cinder/commit/dd12492f32c8c0796c79fec430912045fbee52bd
Submitter: "Zuul (22348)"
Branch: stable/xena

commit dd12492f32c8c0796c79fec430912045fbee52bd
Author: Yadiel Xuan(轩艳东) <email address hidden>
Date: Thu Dec 24 17:20:42 2020 +0800

    Prohibit volume manage to an encrypted volume type

    Managing a volume to an encrypted volume type should not be allowed.
    One reason is that there is no way for an operator to specify an
    encryption key ID for the volume. Another is that we already don't
    allow a volume of an encrypted type to be un-managed, so this change
    will be symmetric.

    Also update and correct the api-ref for this call.

    Co-authored-by: xuan <email address hidden>
    Co-authored-by: Brian Rosmaita <email address hidden>

    Change-Id: Ic2da41f3962c1108f974aca952bce3da6d6ac277
    Closes-bug: #1944577
    (cherry picked from commit 8088dc9580356ca51581c56888c9022848f543b1)
    change:
      cinder/tests/unit/api/contrib/test_volume_manage.py - used a
      feature of unittest.mock that was introduced in py38; rewritten to
      be compatible with py36
    (cherry picked from commit 9c1aa92b9578c1dc1d63d4d9124d873438d495eb)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/cinder/+/844605

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/844605
Committed: https://opendev.org/openstack/cinder/commit/ba947e6d7db678179b9c14638ac98bc861194b78
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit ba947e6d7db678179b9c14638ac98bc861194b78
Author: Yadiel Xuan(轩艳东) <email address hidden>
Date: Thu Dec 24 17:20:42 2020 +0800

    Prohibit volume manage to an encrypted volume type

    Managing a volume to an encrypted volume type should not be allowed.
    One reason is that there is no way for an operator to specify an
    encryption key ID for the volume. Another is that we already don't
    allow a volume of an encrypted type to be un-managed, so this change
    will be symmetric.

    Also update and correct the api-ref for this call.

    Co-authored-by: xuan <email address hidden>
    Co-authored-by: Brian Rosmaita <email address hidden>

    Change-Id: Ic2da41f3962c1108f974aca952bce3da6d6ac277
    Closes-bug: #1944577
    (cherry picked from commit 8088dc9580356ca51581c56888c9022848f543b1)
    change:
      cinder/tests/unit/api/contrib/test_volume_manage.py - used a
      feature of unittest.mock that was introduced in py38; rewritten to
      be compatible with py36
    (cherry picked from commit 9c1aa92b9578c1dc1d63d4d9124d873438d495eb)
    (cherry picked from commit dd12492f32c8c0796c79fec430912045fbee52bd)
    conflicts:
      cinder/tests/unit/api/contrib/test_volume_manage.py - restored a v2
      test that had been removed in xena
    added:
      api-ref/source/v2/volume-manage.inc

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 19.1.1

This issue was fixed in the openstack/cinder 19.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 21.0.0.0rc1

This issue was fixed in the openstack/cinder 21.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 18.2.1

This issue was fixed in the openstack/cinder 18.2.1 release.
