[openstack-dev] [nova] Native QEMU LUKS decryption review overview ahead of FF

Corey Bryant corey.bryant at canonical.com
Tue Jan 23 21:52:30 UTC 2018


On Tue, Jan 23, 2018 at 8:44 AM, Lee Yarwood <lyarwood at redhat.com> wrote:

> A brief progress update in-line below.
>
> On 22-01-18 14:22:12, Lee Yarwood wrote:
> > Hello,
> >
> > With M3 and FF rapidly approaching this week I wanted to post a brief
> > overview of the QEMU native LUKS series.
> >
> > The full series is available on the following topic, I'll go into more
> > detail on each of the changes below:
> >
> > https://review.openstack.org/#/q/topic:bp/libvirt-qemu-native-luks+status:open
> >
> > libvirt: Collocate encryptor and volume driver calls
> > https://review.openstack.org/#/c/460243/ (Missing final +2 and +W)
> >
> > This refactor of the Libvirt driver connect and disconnect volume code
> > has the added benefit of also correcting a number of bugs around the
> > attaching and detaching of os-brick encryptors. IMHO this would be
> > useful in Queens even if the rest of the series doesn't land.
> >
> > libvirt: Introduce disk encryption config classes
> > https://review.openstack.org/#/c/464008/ (Missing final +2 and +W)
> >
> > This is the most straightforward change of the series and simply
> > introduces the required config classes to wire up native LUKS decryption
> > within the domain XML of an instance. Hopefully nothing controversial.
>
> Both of these have landed, my thanks to jaypipes for his reviews!
>
> > libvirt: QEMU native LUKS decryption for encrypted volumes
> > https://review.openstack.org/#/c/523958/ (Missing both +2s and +W)
> >
> > This change carries the bulk of the implementation, wiring up encrypted
> > volumes during their initial attachment. The commit message has a
> > detailed run down of the various upgrade and LM corner cases we attempt
> > to handle here, such as LM from a P to Q compute, detaching a P attached
> > encrypted volume after upgrading to Q etc.
>
> Thanks to melwitt and mdbooth for your reviews! I've respun to address
> the various nits and typos pointed out in this change. Ready and waiting
> to respin again if any others crop up.
>
> > Upgrade and LM testing is enabled by the following changes:
> >
> > fixed_key: Use a single hardcoded key across devstack deployments
> > https://review.openstack.org/#/c/536343/
> >
> > compute: Introduce an encrypted volume LM test
> > https://review.openstack.org/#/c/536177/
> >
> > This is being tested by tempest-dsvm-multinode-live-migration and
> > grenade-dsvm-neutron-multinode-live-migration in the following DNM Nova
> > change, enabling volume backed LM tests:
> >
> > DNM: Test LM with encrypted volumes
> > https://review.openstack.org/#/c/536350/
> >
> > Hopefully that covers everything but please feel free to ping if you
> > would like more detail, background etc. Thanks in advance,
>
> grenade-dsvm-neutron-multinode-live-migration is currently failing due
> to our use of the Ocata UCA on stable/pike leading to the following
> issue with the libvirt 2.5.0 build it provides:
>
> libvirt 2.5.0-3ubuntu5.6~cloud0 appears to be compiled without gnutls
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1744758
>
>
Hey Lee,

We have a new version of libvirt in ocata-proposed now that should fix your
issue and is ready for testing. Thanks for your work on this and for
opening the bug.

Corey

> I've cherry-picked the following devstack change back to stable/pike and
> pulled it into the test change above for Nova, hopefully working around
> these failures:
>
> Update to using pike cloud-archive
> https://review.openstack.org/#/c/536798/
>
> tempest-dsvm-multinode-live-migration is also failing but AFAICT they
> are unrelated to this overall series and appear to be more generic
> volume backed live migration failures.
>
> Thanks again!
>
> Lee
> --
> Lee Yarwood                 A5D1 9385 88CB 7E5F BE64  6618 BCA6 6E33 F672 2D76