[nova][ops] seeking input about local/ephemeral disk encryption feature naming

melanie witt melwittt at gmail.com
Wed Jul 13 23:16:58 UTC 2022

Hi everyone,

A potential issue regarding naming has come up during review of the 
ephemeral storage encryption feature [1][2] patch series [3] and we're 
looking for input before moving forward with any naming/terminology 
changes across the specs and the entire patch series.

The concern that has been raised is around use of the term "ephemeral" 
for the name of this feature including traits, extra specs, and image 
properties [4].

For context, the objective of this feature is to provide users with the 
ability to specify that all local disks for the instance be encrypted. 
This includes the root disk and any other local disks.

The initial concern is around use of the word "ephemeral" for the root disk.

My general interpretation of the word "ephemeral" for storage in nova 
has been that it means attached storage that only persists for the 
lifetime of the instance and is destroyed if and when the instance is 
destroyed. This is in contrast to attached cinder volumes which can 
persist after instance deletion.

But should "ephemeral" ever be used to describe a root disk? Is it 
incorrect and/or ambiguous to refer to it as such?

This is part of what is being discussed in [4].

During discussion, I also realized there is a separate gap in the above 
interpretation of "ephemeral" in nova. When cinder volumes are attached 
to an instance, their persistence after the instance is deleted depends 
on whether the 'delete_on_termination' attribute is set to true in the 
request payload when the instance is created [5] or when attaching a 
volume to the instance [6] or updating a volume attached to the instance 

This means that in the currently proposed patches, if a user specifies 
hw:ephemeral_encryption in the extra_specs, for example, and they also 
have a volume with delete_on_termination=True attached, only the root 
disk will be encrypted via the extra spec -- the volume would not be 
encrypted. Encryption of the volume has to be requested in cinder.

Could this mislead a user into thinking both the root disk and cinder 
volume are encrypted when only the root disk is?

Because of the above issues, we are considering whether we should change 
the terminology used in this feature at this stage. Some ideas include 
"local encryption", "local disk encryption", "disk encryption". IMHO 
"disk_encryption" is ambiguous in its own way because an attached cinder 
volume also has a disk.

Changing the naming will be a non-trivial amount of work, so we wanted 
to get additional input before going ahead with such a change.

Another thing noted in a comment on another patch in the series [8] is 
that the os-traits for this feature have already been merged [9]. If we 
decide to change the naming, should we go ahead and use these traits 
as-is and have them not match the naming in nova or should we deprecate 
them and add new traits that match the new name and use those?

I hope this makes sense and your input would be much appreciated.



More information about the openstack-discuss mailing list