[RBD] Creating an encrypted volume from an unencrypted image will corrupt the data
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Cinder |
In Progress
|
Medium
|
Sofia Enriquez | ||
Bug Description
Description of problem:
Introducing the LUKS header into the encrypted volume that this is
truncating the image data leaving an incomplete boot image.
Steps to Reproduce:
1. Upload unencrypted glance image specifying the image size
2. Create encrypted volume from that image specifying the volume size
equal to the image size
3. Attempt to boot the encrypted volume
Actual results:
Boot fails but Cinder doesn't show errors or warnings.
When creating an encrypted RBD volume from an image, the flow is
something like:
qemu-img create <encrypted file>
qemu-img convert <image> <encrypted file>
rbd import <encrypted file>
but, the create specifies a size based on the volume size, i.e. 1024MB
for a 1GB volume.
Then the convert from raw to LUKS assumes that a 1024MB image being
converted into that file would fit into that encrypted file -- but it
doesn't fit because capacity is lost due to the LUKS headers. qemu-img
convert here truncates data but doesn't fail when doing so.
rbd import then succeeds and the end of the image/volume is missing when
the volume is attached.
| Sofia Enriquez (lsofia-enriquez) wrote | #1 |
| Changed in cinder: | |
| assignee: | nobody → Sofia Enriquez (lsofia-enriquez) |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| tags: | added: image rbd |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to cinder (master) | #2 |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on cinder (master) | #3 |
| tags: | added: encryption glance |
| summary: |
- Create encrypt volume from unencrypted image will corrupt the data in - RBD. + [RBD] Creating an encrypted volume from an unencrypted image will + corrupt the data |
| tags: | added: drivers |
https:/