author | Eric Harney <eharney@redhat.com> | 2018-05-11 11:56:27 -0400 |
---|---|---|
committer | Eric Harney <eharney@redhat.com> | 2018-05-17 21:35:44 +0000 |
commit | d8d9e1cce7e0fc0170b7b195ecc4ee09e10b0774 (patch) | |
tree | d29e1c44b40ad90ee0b5895299d18e3efbbbe27c | |
parent | 71284352ac1a8896d0850c769233288660e2deda (diff) | |
download | cinder-d8d9e1cce7e0fc0170b7b195ecc4ee09e10b0774.tar.gz |
Disallow multiattach for encrypted volumes12.0.2
We can't assume that the LUKS layer used for
volume encryption functions in a way that will
safely work with multiattach.
Closes-Bug: #1770689
Change-Id: I613b48a9e89270b2f0266bffc5aeeefad37ce8fb
(cherry picked from commit 18327971ca7231807294a6b1dbf3d80c23cb6796)
-rw-r--r-- | cinder/tests/unit/volume/test_volume.py | 32 | ||||
-rw-r--r-- | cinder/volume/flows/api/create_volume.py | 6 |
2 files changed, 38 insertions, 0 deletions
diff --git a/cinder/tests/unit/volume/test_volume.py b/cinder/tests/unit/volume/test_volume.py
index ab777fc15..ec34c0b50 100644
--- a/cinder/tests/unit/volume/test_volume.py
+++ b/cinder/tests/unit/volume/test_volume.py
@@ -681,6 +681,38 @@ class VolumeTestCase(base.BaseVolumeTestCase):
 'description', multiattach=True)
 @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api)
+ def test_create_volume_with_encrypted_volume_type_multiattach(self):
+ ctxt = context.get_admin_context()
+
+ cipher = 'aes-xts-plain64'
+ key_size = 256
+ control_location = 'front-end'
+
+ db.volume_type_create(ctxt,
+ {'id': '61298380-0c12-11e3-bfd6-4b48424183be',
+ 'name': 'LUKS',
+ 'extra_specs': {'multiattach': '<is> True'}})
+ db.volume_type_encryption_create(
+ ctxt,
+ '61298380-0c12-11e3-bfd6-4b48424183be',
+ {'control_location': control_location,
+ 'provider': ENCRYPTION_PROVIDER,
+ 'cipher': cipher,
+ 'key_size': key_size})
+
+ volume_api = cinder.volume.api.API()
+
+ db_vol_type = db.volume_type_get_by_name(ctxt, 'LUKS')
+
+ self.assertRaises(exception.InvalidVolume,
+ volume_api.create,
+ self.context,
+ 1,
+ 'name',
+ 'description',
+ volume_type=db_vol_type)
+
+ @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api)
 def test_create_volume_with_encrypted_volume_type_aes(self):
 ctxt = context.get_admin_context()
diff --git a/cinder/volume/flows/api/create_volume.py b/cinder/volume/flows/api/create_volume.py
index 91e000cf0..2e0b40edd 100644
--- a/cinder/volume/flows/api/create_volume.py
+++ b/cinder/volume/flows/api/create_volume.py
@@ -464,6 +464,12 @@ class ExtractVolumeRequestTask(flow_utils.CinderTask):
 source_volume, image_meta)
+ if encryption_key_id is not None and volume_type is not None:
+ extra_specs = volume_type.get('extra_specs', {})
+ if extra_specs.get('multiattach', '') == '<is> True':
+ msg = _('Multiattach cannot be used with encrypted volumes.')
+ raise exception.InvalidVolume(reason=msg)
+
 specs = {}
 if volume_type_id:
 qos_specs = volume_types.get_volume_type_qos_specs(volume_type_id) |
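Review bot: The new guard after the `encryption_key_id` assignment rejects multiattach only when the volume type's `extra_specs` hold the exact string `'<is> True'`, so an encrypted volume that is requested as multiattach by any other route would pass this check. The test file's context line still calls `volume_api.create` with `multiattach=True`, and whether that flag reaches this task is not visible in the hunk; if it does, the condition should cover it as well, so that the restriction does not depend on one spelling of the extra spec. A short comment above the check, for example `# LUKS is not known to be safe with concurrent attachments; see bug #1770689`, would keep the reason next to the code. The enclosing method of ExtractVolumeRequestTask starts and ends outside the hunk, so paths that assign an encrypted type to a volume after creation cannot be judged from here.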