[openstack-dev] [nova][cinder] Addressing mangled LUKS passphrases (bug#1633518)
Sean McGinnis
sean.mcginnis at gmx.com
Sun Oct 23 08:48:13 UTC 2016
On Fri, Oct 21, 2016 at 12:07:08PM +0100, Lee Yarwood wrote:
> Hello,
>
> I documented bug#1633518 [1] last week in which volumes encrypted prior
> to Ib563b0ea [2] used a slightly mangled passphrase instead of the
> original passphrase provided by the configured key manager.
>
> My first attempt at resolving this [3] prompted an alternative
> suggestion from mdbooth of adding the correct passphrase to the LUKS
> device when we detect the use of a mangled passphrase.
>
> I'm slightly wary of this option given the changing of passphrases so
> I'd really appreciate input from the wider Nova and Cinder groups on
> your preference for resolving this:
>
> 1. Keep the mangled passphrase in place and attempt to use it after
> getting a permission denied error during luksOpen.
>
> 2. Add the correct passphrase and remove the mangled passphrase from the
> LUKS device with luksChangeKey when we detect the use of the mangled
> passphrase.
>
> 3. An alternative suggestion.

I get the wariness of changing the passphrases, but in this case I think
my preference would be to go with 2 if we know it has been mangled and
we can fix it.

>
> FYI, as os-brick has now copied the encryptor classes from Nova into
> their own tree any fix will be cherry-picked across shortly after
> landing in Nova. I'm also looking into dropping these classes from Nova
> for Ocata so we can avoid duplicating effort like this in future.

Awesome! Glad to see this being done.

>
> Thanks in advance,
>
> Lee
>
> [1] https://launchpad.net/bugs/1633518
> [2] https://review.openstack.org/#/c/309614/
> [3] https://review.openstack.org/#/c/386670/
> --
> Lee Yarwood
> Senior Software Engineer
> Red Hat
>
> PGP : A5D1 9385 88CB 7E5F BE64 6618 BCA6 6E33 F672 2D76
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
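Option 2 from the thread, sketched as an added example (not code from Nova, os-brick or either poster). It assumes the mangling dropped the leading zero of each hex digit pair, which this message does not spell out, and it uses a constructed in-memory FakeLuksDevice in place of cryptsetup's luksOpen and luksChangeKey.

```python
import binascii


def correct_passphrase(key: bytes) -> str:
    # Every key byte becomes exactly two hex digits.
    return binascii.hexlify(key).decode()


def mangled_passphrase(key: bytes) -> str:
    # ASSUMPTION (not stated in the thread): each byte was hex-encoded
    # without zero padding, so 0x0a became "a" instead of "0a".
    return "".join(format(b, "x") for b in key)


class FakeLuksDevice:
    """Constructed stand-in for the key slots of one LUKS device."""

    def __init__(self, passphrase: str):
        self.slots = {passphrase}

    def luks_open(self, passphrase: str) -> None:
        if passphrase not in self.slots:
            raise PermissionError("luksOpen: permission denied")

    def luks_change_key(self, old: str, new: str) -> None:
        # Like luksChangeKey, this only succeeds if `old` unlocks a slot.
        if old not in self.slots:
            raise PermissionError("luksChangeKey: permission denied")
        self.slots.remove(old)
        self.slots.add(new)


def attach(device: FakeLuksDevice, key: bytes) -> str:
    good, bad = correct_passphrase(key), mangled_passphrase(key)
    try:
        device.luks_open(good)
        return "opened"
    except PermissionError:
        if bad == good:
            raise  # no mangled form exists for this key: genuine failure
    # Swap the mangled passphrase for the correct one. If the mangled
    # passphrase is not in a slot either, this raises and nothing changes.
    device.luks_change_key(bad, good)
    device.luks_open(good)
    return "repaired"
```

Because the swap only runs after the correct passphrase has been rejected and only succeeds when the mangled one unlocks a slot, a volume with an unrelated passphrase is left untouched and the error still surfaces.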