[openstack-dev] [nova] Native QEMU LUKS decryption review overview ahead of FF

Lee Yarwood lyarwood at redhat.com
Tue Jan 23 13:44:49 UTC 2018


A brief progress update in-line below.

On 22-01-18 14:22:12, Lee Yarwood wrote:
> Hello,
> 
> With M3 and FF rapidly approaching this week I wanted to post a brief
> overview of the QEMU native LUKS series.
> 
> The full series is available on the following topic, I'll go into more
> detail on each of the changes below:
> 
> https://review.openstack.org/#/q/topic:bp/libvirt-qemu-native-luks+status:open
> 
> libvirt: Collocate encryptor and volume driver calls
> https://review.openstack.org/#/c/460243/ (Missing final +2 and +W)
> 
> This refactor of the Libvirt driver connect and disconnect volume code
> has the added benefit of also correcting a number of bugs around the
> attaching and detaching of os-brick encryptors. IMHO this would be
> useful in Queens even if the rest of the series doesn't land.
> 
> libvirt: Introduce disk encryption config classes
> https://review.openstack.org/#/c/464008/ (Missing final +2 and +W)
> 
> This is the most straight forward change of the series and simply
> introduces the required config classes to wire up native LUKS decryption
> within the domain XML of an instance. Hopefully nothing controversial.

Both of these have landed, my thanks to jaypipes for his reviews!

> libvirt: QEMU native LUKS decryption for encrypted volumes
> https://review.openstack.org/#/c/523958/ (Missing both +2s and +W)
> 
> This change carries the bulk of the implementation, wiring up encrypted
> volumes during their initial attachment. The commit message has a
> detailed run down of the various upgrade and LM corner cases we attempt
> to handle here, such as LM from a P to Q compute, detaching a P attached
> encrypted volume after upgrading to Q etc.

Thanks to melwitt and mdbooth for your reviews! I've respun to address
the various nits and typos pointed out in this change. Ready and waiting
to respin again if any others crop up.
 
> Upgrade and LM testing is enabled by the following changes:
> 
> fixed_key: Use a single hardcoded key across devstack deployments
> https://review.openstack.org/#/c/536343/
> 
> compute: Introduce an encrypted volume LM test
> https://review.openstack.org/#/c/536177/
> 
> This is being tested by tempest-dsvm-multinode-live-migration and
> grenade-dsvm-neutron-multinode-live-migration in the following DNM Nova
> change, enabling volume backed LM tests:
> 
> DNM: Test LM with encrypted volumes
> https://review.openstack.org/#/c/536350/
> 
> Hopefully that covers everything but please feel free to ping if you
> would like more detail, background etc. Thanks in advance,

grenade-dsvm-neutron-multinode-live-migration is currently failing due
to our use of the Ocata UCA on stable/pike leading to the following
issue with the libvirt 2.5.0 build it provides:

libvirt 2.5.0-3ubuntu5.6~cloud0 appears to be compiled without gnutls
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1744758

I've cherry-picked the following devstack change back to stable/pike and
pulled it into the test change above for Nova, hopefully working around
these failures:

Update to using pike cloud-archive
https://review.openstack.org/#/c/536798/

tempest-dsvm-multinode-live-migration is also failing but AFAICT the
failures are unrelated to this overall series and appear to be more
generic volume backed live migration failures.

Thanks again!

Lee
-- 
Lee Yarwood                 A5D1 9385 88CB 7E5F BE64  6618 BCA6 6E33 F672 2D76
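The domain XML that the "disk encryption config classes" change wires up, as an added example that is not code from the Nova series, from libvirt or from os-brick. It builds the two libvirt pieces QEMU-native LUKS decryption depends on: a libvirt secret that holds the passphrase (value set out of band, never in the domain XML) and the <encryption format='luks'> element on the <disk> that references that secret by UUID. Element and attribute names are libvirt's documented ones; the volume id, device path, secret UUID and key bytes are constructed test data, the hex-encoding of the key into a passphrase is assumed to match what os-brick's cryptsetup-based encryptors do, and the private/ephemeral flags and the error handling are this example's choices. Like the devstack fixed_key change in the thread, which hardcodes one key for test deployments, a key such as the constructed one below is only for testing.

```python
"""Added example, not code from the Nova change series discussed above.

Builds the two libvirt XML pieces that QEMU-native LUKS decryption relies
on: a libvirt secret holding the passphrase (its value is set out of band
and never appears in the domain XML) and the <encryption format='luks'>
element on the <disk> that references that secret by UUID. Element and
attribute names are libvirt's documented ones; the volume id, device path,
secret UUID and key bytes are constructed test data.
"""
import binascii
import uuid
import xml.etree.ElementTree as ET


def luks_passphrase(key: bytes) -> str:
    """Turn raw key-manager bytes into the passphrase handed to libvirt.

    Hex encoding gives a printable string with no NUL bytes. Assumption:
    this mirrors what os-brick's cryptsetup/LUKS encryptors derive, so a
    volume opened natively by QEMU and one opened by the older host-side
    encryptor use the same passphrase across an upgrade.
    """
    return binascii.hexlify(key).decode("utf-8")


def build_secret_xml(volume_id: str) -> str:
    """libvirt <secret> definition keyed on the volume id.

    private='yes': libvirt refuses to hand the value back over its API.
    ephemeral='no': the secret survives a libvirtd restart, so the domain
    can be restarted without re-fetching the key. Both flags are this
    example's choice. The passphrase itself is deliberately absent here;
    it is set with 'virsh secret-set-value' or the equivalent API call.
    """
    secret = ET.Element("secret", ephemeral="no", private="yes")
    usage = ET.SubElement(secret, "usage", type="volume")
    ET.SubElement(usage, "volume").text = volume_id
    return ET.tostring(secret, encoding="unicode")


def build_encrypted_disk_xml(source_dev: str, target_dev: str,
                             secret_uuid: str) -> str:
    """<disk> element with LUKS decryption delegated to QEMU.

    Without the <encryption> child libvirt would expose the raw LUKS
    container to the guest; with it, QEMU's luks block driver decrypts
    using the referenced secret and the guest sees plaintext.
    """
    uuid.UUID(secret_uuid)  # fail early on a malformed secret reference
    disk = ET.Element("disk", type="block", device="disk")
    ET.SubElement(disk, "driver", name="qemu", type="raw")
    ET.SubElement(disk, "source", dev=source_dev)
    ET.SubElement(disk, "target", dev=target_dev, bus="virtio")
    enc = ET.SubElement(disk, "encryption", format="luks")
    ET.SubElement(enc, "secret", type="passphrase", uuid=secret_uuid)
    return ET.tostring(disk, encoding="unicode")


def encryption_secret_uuid(disk_xml: str):
    """Return the secret UUID a <disk> references, or None when the disk
    carries no <encryption> element.

    The None case is the shape of the upgrade corner the thread mentions:
    a volume attached on a Pike compute has no native LUKS config in its
    XML, so a Queens compute detaching it has to recognise that and not
    look for a libvirt secret (the exact handling is the series', not
    this example's).
    """
    disk = ET.fromstring(disk_xml)
    enc = disk.find("encryption")
    if enc is None:
        return None
    if enc.get("format") != "luks":
        raise ValueError("unsupported encryption format %r" % enc.get("format"))
    sec = enc.find("secret")
    if sec is None or sec.get("type") != "passphrase":
        raise ValueError("luks encryption needs a passphrase secret")
    return str(uuid.UUID(sec.get("uuid")))


if __name__ == "__main__":
    vol = "1f7b4c2e-9a3d-4e5f-8b6c-0d1e2f3a4b5c"   # constructed volume id
    sec = "5f2f6e9a-1b3c-4d5e-8f90-0a1b2c3d4e5f"   # constructed secret uuid
    print(build_secret_xml(vol))
    print(luks_passphrase(b"\x00\x01\xfe\xff"))     # 0001feff
    xml = build_encrypted_disk_xml("/dev/disk/by-id/constructed", "vdb", sec)
    print(xml)
    print(encryption_secret_uuid(xml))
```

To try the output against a real libvirt, feed the secret XML to `virsh secret-define`, set its value with `virsh secret-set-value <uuid> --base64 <base64 of the passphrase>`, and put the disk XML into a domain definition; the passphrase only ever reaches libvirt through that second step, which is the point of keeping it out of the domain XML.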