[openstack-dev] [nova] Encrypted Ephemeral Storage

Chris Buccella chris.buccella at antallagon.com
Mon Apr 25 15:07:10 UTC 2016


Thanks Joel. I was able to try this again and can confirm it works as you
describe. Cool.

Based on the comments to the RBD encryption change [1], it looks like there
will be a new direction for ephemeral disk encryption (embedding it in QEMU
directly). I assume LVM will work the same way when the time comes. Will
there be a migration path for the existing ephemeral disk encryption
support for LVM to the new model?


-Chris

[1] https://review.openstack.org/#/c/239798/



On Thu, Apr 14, 2016 at 12:56 PM, Coffman, Joel M. <Joel.Coffman at jhuapl.edu>
wrote:

> > Upon reading the source, I don't see "cryptsetup luksFormat" being
> called anywhere (nova/libvirt/storage/*).
> Check out imagebackend.py:Lvm.create_image
> <https://github.com/openstack/nova/blob/master/nova/virt/libvirt/imagebackend.py#L690>
> and dmcrypt.py:create_volume
> <https://github.com/openstack/nova/blob/master/nova/virt/libvirt/storage/dmcrypt.py#L48>.
>
> > How is this feature envisioned to work?
> The LVM volume with the '-dmcrypt' suffix is the *unencrypted* device
> that is passed to the VM. From a DevStack machine with an encrypted
> instance:
>
> $ sudo cryptsetup status /dev/mapper/065859b2-50d6-46d6-927a-2dfd07db3306_disk-dmcrypt
> /dev/mapper/065859b2-50d6-46d6-927a-2dfd07db3306_disk-dmcrypt is active and is in use.
>   type:    PLAIN
>   cipher:  aes-xts-plain64
>   keysize: 256 bits
>   device:  /dev/mapper/stack--volumes--default-065859b2--50d6--46d6--927a--2dfd07db3306_disk
>   offset:  0 sectors
>   size:    2097152 sectors
>   mode:    read/write
>
> $ sudo fuser -vam /dev/mapper/065859b2-50d6-46d6-927a-2dfd07db3306_disk-dmcrypt
>                      USER        PID ACCESS COMMAND
> /dev/dm-1:           libvirt-qemu   8429 F.... qemu-system-x86
>
> While information in the '*-dmcrypt' device is visible to a root user on
> the compute host, the underlying device (stack--volumes--default-* in the
> example above) is encrypted, and everything written to the underlying disk
> is also encrypted. Try searching for the text in the underlying device –
> you shouldn't be able to find it.
>
> Joel
>
>
> From: Chris Buccella <chris.buccella at verilume.com>
> Reply-To: "openstack-dev at lists.openstack.org" <
> openstack-dev at lists.openstack.org>
> Date: Monday, April 11, 2016 at 1:06 PM
> To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org
> >
> Subject: [openstack-dev] [nova] Encrypted Ephemeral Storage
>
> I've been looking into using encrypted ephemeral storage with LVM. With
> the [ephemeral_storage_encryption] and [keymgr] sections in nova.conf, I
> get an LVM volume with "-dmcrypt" appended to the volume name, but
> otherwise see no difference; I can still grep for text inside the volume.
>
> Upon reading the source, I don't see "cryptsetup luksFormat" being called
> anywhere (nova/libvirt/storage/*).
>
> I was expecting a new encrypted LVM volume when a new instance was
> created. Are my expectations misplaced? How is this feature envisioned to
> work?
>
>
> Thanks,
>
> -Chris
>
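Joel's explanation (the *-dmcrypt mapping is the plaintext side handed to QEMU, while the LVM volume underneath it holds only ciphertext) can be checked mechanically from `cryptsetup status`. This is an added example, not code from Nova or from anyone in the thread; the sample status text is the output quoted above, and the AES-XTS cipher and 256-bit minimum key size it expects are assumptions chosen for the check, not Nova policy.

```python
"""Audit a `cryptsetup status` listing for a Nova ephemeral disk mapping.

Added example (not Nova code). Checks that the mapping named in the status
output is the plaintext '-dmcrypt' view, that its backing device is a
different (raw, ciphertext-only) LVM volume, and that the cipher and key
size meet an assumed baseline.
"""
import re

# Constructed sample: the `cryptsetup status` output quoted in the thread.
SAMPLE_STATUS = """\
/dev/mapper/065859b2-50d6-46d6-927a-2dfd07db3306_disk-dmcrypt is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/mapper/stack--volumes--default-065859b2--50d6--46d6--927a--2dfd07db3306_disk
  offset:  0 sectors
  size:    2097152 sectors
  mode:    read/write
"""


def parse_status(text):
    """Return {'name': mapper path, 'active': bool, <field>: value, ...}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = re.match(r"(\S+) is (active|inactive)", lines[0])
    info = {"name": head.group(1), "active": head.group(2) == "active"}
    for ln in lines[1:]:
        key, _, value = ln.strip().partition(":")
        info[key.strip()] = value.strip()
    return info


def audit(info, min_keysize=256, cipher_re=r"^aes-xts-"):
    """Return a list of findings; an empty list means the mapping looks as expected."""
    findings = []
    if not info["active"]:
        findings.append("mapping is not active")
    if not info["name"].endswith("-dmcrypt"):
        findings.append("plaintext mapping lacks Nova's -dmcrypt suffix")
    backing = info.get("device", "")
    if backing == info["name"] or backing.endswith("-dmcrypt"):
        findings.append("backing device should be the raw LVM volume, not the mapping")
    if not re.match(cipher_re, info.get("cipher", "")):
        findings.append("cipher %r is not AES-XTS" % info.get("cipher"))
    bits = int(re.match(r"(\d+)", info.get("keysize", "0")).group(1))
    if bits < min_keysize:
        findings.append("keysize %d bits is below %d" % (bits, min_keysize))
    if info.get("type") not in ("PLAIN", "LUKS1", "LUKS2"):
        findings.append("unexpected dm-crypt type %r" % info.get("type"))
    return findings
```

Note that with type PLAIN there is no LUKS header on the backing volume, which is why no `cryptsetup luksFormat` appears in the Nova source; the key comes from the configured key manager when the mapping is created.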