OpenStack Compute (nova)

Bug #1739593
Comment #30

Comment 30 for bug 1739593

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-20: Fix merged to nova (stable/ocata)

#30

Reviewed: https://review.openstack.org/561604
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=0225a61fc4557c1257383a654f0741f7ef2ddeac
Submitter: Zuul
Branch: stable/ocata

commit 0225a61fc4557c1257383a654f0741f7ef2ddeac
Author: Lee Yarwood <email address hidden>
Date: Mon Feb 12 18:07:14 2018 +0000

libvirt: Block swap volume attempts with encrypted volumes prior to Queens

    Prior to Queens any attempt to swap between encrypted volumes would
    result in unencrypted data being written to the new volume. This
    unencrypted data would then be overwritten the next time the volume was
    attached to an instance as Nova no longer identified the volume as
    encrypted, resulting in the volume being reformatted.

    This stable only change uses limited parts of the following changes to
    block all swap_volume attempts with encrypted volumes prior to Queens
    where this was resolved by Ica323b87fa85a454fca9d46ada3677f18 and also
    blocked when using QEMU to decrypt LUKS volumes by
    Ibfa64f18bbd2fb70db7791330ed1a64fe61c1.

Ica323b87fa85a454fca9d46ada3677f18fe50022

The request context is provided to swap_volume in order to look up the
encryption metadata of a volume.

Ibfa64f18bbd2fb70db7791330ed1a64fe61c1355

Attempts to swap from an encrypted volume are blocked with a
NotImplementedError exception raised.

I258127fdcd011ccec721d5ff62eb7f128f130336

Attempts to swap from an unencrypted volume to an encrypted volume are
also blocked with a NotImplementedError exception raised.

Ie02d298cd92d5b5ebcbbcd2b0e8be01f197bfafb

The serial of a volume is used as the id if connection_info for the
volume doesn't contain the volume_id key. Required to avoid bug #1746609.

    Conflicts:
            nova/tests/unit/compute/test_compute_mgr.py
            nova/tests/unit/virt/libvirt/test_driver.py

    NOTE(lyarwood): Conflict due to cinderv3 support for swap_volume not
    being present in stable/ocata via
    I4b8bd01f1ffe2640fe7313213bf853d2e1bef9dd.

    Closes-bug: #1739593
    Change-Id: If12e7860baad2899380f06144a0270784a5466b8
    (cherry picked from commit 5b64a1936122eeb35f37a09f9d38159e1a224c58)

Reviewed:  https://review.openstack.org/561604
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=0225a61fc4557c1257383a654f0741f7ef2ddeac
Submitter: Zuul
Branch:    stable/ocata

commit 0225a61fc4557c1257383a654f0741f7ef2ddeac
Author: Lee Yarwood <lyarwood@redhat.com>
Date:   Mon Feb 12 18:07:14 2018 +0000

libvirt: Block swap volume attempts with encrypted volumes prior to Queens
    
    Prior to Queens any attempt to swap between encrypted volumes would
    result in unencrypted data being written to the new volume. This
    unencrypted data would then be overwritten the next time the volume was
    attached to an instance as Nova no longer identified the volume as
    encrypted, resulting in the volume being reformatted.
    
    This stable only change uses limited parts of the following changes to
    block all swap_volume attempts with encrypted volumes prior to Queens
    where this was resolved by Ica323b87fa85a454fca9d46ada3677f18 and also
    blocked when using QEMU to decrypt LUKS volumes by
    Ibfa64f18bbd2fb70db7791330ed1a64fe61c1.
    
    Ica323b87fa85a454fca9d46ada3677f18fe50022
    
    The request context is provided to swap_volume in order to look up the
    encryption metadata of a volume.
    
    Ibfa64f18bbd2fb70db7791330ed1a64fe61c1355
    
    Attempts to swap from an encrypted volume are blocked with a
    NotImplementedError exception raised.
    
    I258127fdcd011ccec721d5ff62eb7f128f130336
    
    Attempts to swap from an unencrypted volume to an encrypted volume are
    also blocked with a NotImplementedError exception raised.
    
    Ie02d298cd92d5b5ebcbbcd2b0e8be01f197bfafb
    
    The serial of a volume is used as the id if connection_info for the
    volume doesn't contain the volume_id key. Required to avoid bug #1746609.
    
    Conflicts:
            nova/tests/unit/compute/test_compute_mgr.py
            nova/tests/unit/virt/libvirt/test_driver.py
    
    NOTE(lyarwood): Conflict due to cinderv3 support for swap_volume not
    being present in stable/ocata via
    I4b8bd01f1ffe2640fe7313213bf853d2e1bef9dd.
    
    Closes-bug: #1739593
    Change-Id: If12e7860baad2899380f06144a0270784a5466b8
    (cherry picked from commit 5b64a1936122eeb35f37a09f9d38159e1a224c58)