<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 23, 2018 at 8:44 AM, Lee Yarwood <span dir="ltr"><<a href="mailto:lyarwood@redhat.com" target="_blank">lyarwood@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">A breif progress update in-line below.<br>
<span class=""><br>
On 22-01-18 14:22:12, Lee Yarwood wrote:<br>
> Hello,<br>
><br>
> With M3 and FF rapidly approaching this week I wanted to post a brief<br>
> overview of the QEMU native LUKS series.<br>
><br>
> The full series is available on the following topic, I'll go into more<br>
> detail on each of the changes below:<br>
><br>
> <a href="https://review.openstack.org/#/q/topic:bp/libvirt-qemu-native-luks+status:open" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/q/topic:bp/libvirt-qemu-<wbr>native-luks+status:open</a><br>
><br>
> libvirt: Collocate encryptor and volume driver calls<br>
> <a href="https://review.openstack.org/#/c/460243/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/460243/</a> (Missing final +2 and +W)<br>
><br>
> This refactor of the Libvirt driver connect and disconnect volume code<br>
> has the added benefit of also correcting a number of bugs around the<br>
> attaching and detaching of os-brick encryptors. IMHO this would be<br>
> useful in Queens even if the rest of the series doesn't land.<br>
><br>
> libvirt: Introduce disk encryption config classes<br>
> <a href="https://review.openstack.org/#/c/464008/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/464008/</a> (Missing final +2 and +W)<br>
><br>
> This is the most straight forward change of the series and simply<br>
> introduces the required config classes to wire up native LUKS decryption<br>
> within the domain XML of an instance. Hopefully nothing controversial.<br>
<br>
</span>Both of these have landed, my thanks to jaypipes for his reviews!<br>
<span class=""><br>
> libvirt: QEMU native LUKS decryption for encrypted volumes<br>
> <a href="https://review.openstack.org/#/c/523958/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/523958/</a> (Missing both +2s and +W)<br>
><br>
> This change carries the bulk of the implementation, wiring up encrypted<br>
> volumes during their initial attachment. The commit message has a<br>
> detailed run down of the various upgrade and LM corner cases we attempt<br>
> to handle here, such as LM from a P to Q compute, detaching a P attached<br>
> encrypted volume after upgrading to Q etc.<br>
<br>
</span>Thanks to melwitt and mdbooth for your reviews! I've respun to address<br>
the various nits and typos pointed out in this change. Ready and waiting<br>
to respin again if any others crop up.<br>
<span class=""><br>
> Upgrade and LM testing is enabled by the following changes:<br>
><br>
> fixed_key: Use a single hardcoded key across devstack deployments<br>
> <a href="https://review.openstack.org/#/c/536343/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/536343/</a><br>
><br>
> compute: Introduce an encrypted volume LM test<br>
> <a href="https://review.openstack.org/#/c/536177/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/536177/</a><br>
><br>
> This is being tested by tempest-dsvm-multinode-live-<wbr>migration and<br>
> grenade-dsvm-neutron-<wbr>multinode-live-migration in the following DNM Nova<br>
> change, enabling volume backed LM tests:<br>
><br>
> DNM: Test LM with encrypted volumes<br>
> <a href="https://review.openstack.org/#/c/536350/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/536350/</a><br>
><br>
> Hopefully that covers everything but please feel free to ping if you<br>
> would like more detail, background etc. Thanks in advance,<br>
<br>
</span>grenade-dsvm-neutron-<wbr>multinode-live-migration is currently failing due<br>
to our use of the Ocata UCA on stable/pike leading to the following<br>
issue with the libvirt 2.5.0 build it provides:<br>
<br>
libvirt 2.5.0-3ubuntu5.6~cloud0 appears to be compiled without gnutls<br>
<a href="https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1744758" rel="noreferrer" target="_blank">https://bugs.launchpad.net/<wbr>ubuntu/+source/libvirt/+bug/<wbr>1744758</a><br>
<br></blockquote><div><br></div><div>Hey Lee,</div><div><br></div><div>We have a new version of libvirt in ocata-proposed now that should fix your issue and is ready for testing. Thanks for your work on this and for opening the bug.</div><div><br></div><div>Corey</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I've cherry-picked the following devstack change back to stable/pike and<br>
pulled it into the test change above for Nova, hopefully working around<br>
these failures:<br>
<br>
Update to using pike cloud-archive<br>
<a href="https://review.openstack.org/#/c/536798/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/536798/</a><br>
<br>
tempest-dsvm-multinode-live-<wbr>migration is also failing but AFAICT they<br>
are unrelated to this overall series and appear to be more generic<br>
volume backed live migration failures.<br>
<br>
Thanks again!<br>
<div class="HOEnZb"><div class="h5"><br>
Lee<br>
--<br>
Lee Yarwood A5D1 9385 88CB 7E5F BE64 6618 BCA6 6E33 F672 2D76<br>
</div></div><br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br></blockquote></div><br></div></div>