[openstack-dev] [nova] Native QEMU LUKS decryption review overview ahead of FF
mriedemos at gmail.com
Wed Jan 24 22:57:29 UTC 2018
On 1/22/2018 8:22 AM, Lee Yarwood wrote:
> With M3 and FF rapidly approaching this week I wanted to post a brief
> overview of the QEMU native LUKS series.
> The full series is available on the following topic, I'll go into more
> detail on each of the changes below:
> libvirt: Collocate encryptor and volume driver calls
> https://review.openstack.org/#/c/460243/ (Missing final +2 and +W)
> This refactor of the Libvirt driver connect and disconnect volume code
> has the added benefit of also correcting a number of bugs around the
> attaching and detaching of os-brick encryptors. IMHO this would be
> useful in Queens even if the rest of the series doesn't land.
> libvirt: Introduce disk encryption config classes
> https://review.openstack.org/#/c/464008/ (Missing final +2 and +W)
> This is the most straight forward change of the series and simply
> introduces the required config classes to wire up native LUKS decryption
> within the domain XML of an instance. Hopefully nothing controversial.
> libvirt: QEMU native LUKS decryption for encrypted volumes
> https://review.openstack.org/#/c/523958/ (Missing both +2s and +W)
> This change carries the bulk of the implementation, wiring up encrypted
> volumes during their initial attachment. The commit message has a
> detailed run down of the various upgrade and LM corner cases we attempt
> to handle here, such as LM from a P to Q compute, detaching a P attached
> encrypted volume after upgrading to Q etc.
> Upgrade and LM testing is enabled by the following changes:
> fixed_key: Use a single hardcoded key across devstack deployments
> compute: Introduce an encrypted volume LM test
> This is being tested by tempest-dsvm-multinode-live-migration and
> grenade-dsvm-neutron-multinode-live-migration in the following DNM Nova
> change, enabling volume backed LM tests:
> DNM: Test LM with encrypted volumes
> Hopefully that covers everything but please feel free to ping if you
> would like more detail, background etc. Thanks in advance,
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
The patch is already approved, and I asked melwitt to write a release
note, at which point it was noted that swap volume will not work with
native luks encrypted volumes. That's a regression.
We need to at least report a nova bug for this so we can work on some
kind of fallback to the non-native decryption until there is a
libvirt/qemu fix upstream and we can put version conditionals in place
for when we can support swap volume with a native luks-encrypted volume.
More information about the OpenStack-dev