This change drops the encryptor classes and supporting code from the
codebase in favor of the classes provided by os-brick. This is made
possible by the following os-brick change that introduced new encryption
provider constants during Ocata:
Ic155bd29d46059832cce970bf60375e7e472eca6
Thanks to the following bugfix also released as part of 1.11.0 for Ocata
the constants present in os-brick also support the use of the deprecated
legacy class paths from Nova, for example
nova.volume.encryptors.luks.LuksEncryptor, while using the os-brick
provided classes:
I3ec6e3fe919bc03d158da04a18fb8b651002ed52
Implements: blueprint switch-to-os-brick-encryptor-classes
Change-Id: I37ffc90c0bd57029fced251b5cfd7cd4318a0292
Depends-On: Iae12605dc7d0607e78020a24b5b8801606c2f169
|
Use the new Cinder V3 attachment delete method
during detach if the BDM has an attachment_id in it.
This will only be present in the BDM if/when the
new attachment_create API is called. Otherwise, we
revert to the old calls.
Edge cases are handled in separate patches.
Partially Implements: blueprint cinder-new-attach-apis
Co-Authored-By: Steve Noyes <steve.noyes@oracle.com>
Change-Id: I91b9a60268354ffbed86b1e7d173906cfd7b97bd
|
Specify 'nova' as the name of the application for the flake8-import-order
plugin. That way it knows that imports of nova should come after external
libraries.
Fix issues discovered in ordering by this new check.
Change-Id: I822796ba3d750f93de813035aeee59e8ccb022a2
|
We removed support for cinder v1 in change
84f5c6165bc94690d299ed4d025e421a651d1bb5 but
missed this condition.
Change-Id: I610c9dcf73354d7b78958cf2a1b8dba088896c4d
|
Use the flake8 plugin flake8-import-order to check import ordering. It
can do it automatically and doesn't need reviewers to check it.
Change-Id: Ia3d81bbbb44b40804b3268c0e648276a36cb4805
|
This patch finishes removing the 'check_attach' call from Nova
completely. As Cinder already performs the required checks as part
of the 'reserve_volume' (os-reserve) call it is unnecessary to check the
state machine in Nova also and it can lead to race conditions.
The missing 'reserve_volume' call is added to the BFV flow. In case of
build failure the volume will be locked in 'attaching' state until the
instance in ERROR state is cleaned up.
We also check AZ for each volume attach operation which we haven't
done for unshelve. A release note is added to enable 'cross_az_attach'
in case the user does not care about AZ.
The compute service version had to be bumped as the old computes still
perform 'check_attach', which will fail when the API reserves the
volume and the volume state moves to 'attaching'. If the computes
are not new enough the old check will be called as opposed to
'reserve_volume'.
Closes-Bug: #1581230
Change-Id: I3a3caa4c566ecc132aa2699f8c7e5987bbcc863a
|
These constants detail the supported encryption formats and their
associated in tree encryption provider implementations.
The use of out of tree and direct use of these in tree implementations
is now deprecated and will be blocked in the 16.0.0 Pike release of
Nova.
Change-Id: Ic155bd29d46059832cce970bf60375e7e472eca6
Partial-bug: #1639293
|
Prior to Ib563b0ea the passphrase used by CryptsetupEncryptor and
LuksEncryptor had any leading zeros per hexadecimal digit removed, for
example 0x04 or 04 would turn into 0x4 or 4. As a result any volume
encrypted prior to the release of Newton used a modified passphrase that
was different to that stored by the key manager being used in the
environment.
To correct this for LuksEncryptor volumes permission denied errors are
now caught when attempting to open a volume. A second attempt to open
the volume is then made using a mangled passphrase. If successful the
correct passphrase is then added to the volume before the mangled
passphrase is finally removed. This workaround can be removed in a
future release once it is safe to assume that all LuksEncryptor volumes
have had any mangled passphrases replaced in this way.
This isn't possible for CryptsetupEncryptor volumes as the plain mode
used by cryptsetup does not provide a way for adding and removing keys.
As such on a permission denied error a second attempt is made to open
the volume using a mangled passphrase. Unlike the above workaround this
cannot be removed in a future release.
Change-Id: I7096463c5eba951dd6322ee6965435e877ca0371
Partial-bug: #1633518
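Added example, not code from Nova or os-brick: the passphrase mangling and the open, re-key, remove fallback described in the commit message above, run against a constructed in-memory stand-in for a LUKS header. FakeLuksVolume, PermissionDenied, attach and the sample keys are assumptions made for illustration.

```python
import binascii


class PermissionDenied(Exception):
    """Stand-in for the permission denied error on a wrong passphrase."""


def correct_passphrase(key: bytes) -> str:
    # Every byte becomes exactly two hex digits, as stored by the key manager.
    return binascii.hexlify(key).decode("ascii")


def mangled_passphrase(key: bytes) -> str:
    # Behaviour described above: each byte is rendered without zero
    # padding, so 0x04 becomes "4" instead of "04".
    return "".join(format(b, "x") for b in key)


class FakeLuksVolume:
    """Constructed model of a volume: a set of accepted passphrases."""

    def __init__(self, passphrases):
        self.slots = set(passphrases)

    def open(self, passphrase):
        if passphrase not in self.slots:
            raise PermissionDenied()

    def add_key(self, existing, new):
        self.open(existing)  # adding a key requires a valid existing one
        self.slots.add(new)

    def remove_key(self, passphrase):
        self.slots.discard(passphrase)


def attach(volume, key: bytes, rotate: bool = True) -> str:
    """Open the volume; fall back to the mangled passphrase when denied.

    rotate=True models the LUKS case (add the correct passphrase, then
    remove the mangled one). rotate=False models plain mode, which has no
    key slots, so the fallback has to stay.
    """
    good = correct_passphrase(key)
    try:
        volume.open(good)
        return "opened"
    except PermissionDenied:
        bad = mangled_passphrase(key)
        if bad == good:
            raise  # nothing was mangled, so the key really is wrong
        volume.open(bad)  # still raises PermissionDenied for a wrong key
        if not rotate:
            return "opened-mangled"
        volume.add_key(bad, good)
        volume.remove_key(bad)
        volume.open(good)  # confirm the repaired slot works
        return "repaired"
```

Because the padding is lost, distinct keys can produce the same mangled passphrase: the byte pairs 01 23 and 12 03 both give `123`.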
|
Replace mox with mock in test_cinder to complete one task
in the old blueprint. This patch also intends to partially
reduce possible race conditions as shown in the following
log file:
http://logs.openstack.org/58/335358/12/check/gate-nova-python34-db/404641d/console.html#_2016-08-08_19_47_57_286193
Further modifications are contained by the follow up patch
in the chain to add fixes to test_compute as well.
Implements: blueprint mox-to-mock-conversion
Change-Id: I5f27c65c405131768bb8d30b84c5cddb6ace1d27
|
This patch changes how Nova interacts with volumes at attach time.
Nova should rely upon Cinder's os-reserve to determine if the
state of the volume is in a good/valid state for attaching.
This fixes a race between when nova fetches the volume and calls
os-reserve.
This refactors the volume_api.check_attach a bit and adds a new
check_availability_zone, which is still done on the Nova side.
When Cinder's os-reserve supports passing in the availability
zone, then this check can also be removed.
This patch handles the volume attach API, which is not checked
again in the compute manager. Future patches will handle other
operations like boot from volume and swap volume.
Partial-Bug: #1581230
Change-Id: I5b069ba3480257c061541fc6c19e044c31417b5e
|
This test is really four tests, two of which don't make
any difference and one is a happy path test which is
redundant with the test_check_attach test that comes right
after it.
The two tests which don't make any difference are the ones
where the instance.host is set to None. This made a difference
before az.get_instance_availability_zone was mocked out but
it's not used anymore in this test.
There are some other cleanups in this change:
- move the mock to be a decorator
- use an instance object
- use a valid uuid for the volume id
- use self.flags so we don't have to reset the config override
Change-Id: I44f32f10d99f7cc6edce1d5ae4bc359c6d14fdf3
|
Call Cinder client's detach() with attachment_uuid only if the client
is v2.
Cinder client v2 supports passing volume_id and optionally
attachment_id to its volume manager's detach() method, but v1 does
not, only accepting volume_id. Change I3cdc4992 indiscriminately
passes both volume_id and attachment_id to the Cinder client
regardless of its version, prompting with v1:
TypeError: detach() takes exactly 2 arguments (3 given)
Change-Id: I2e8b5947521d659e930141b0b8e6a6353e9163bd
Closes-Bug: 1561056
|
Currently iSCSI volume attachment fails if iscsi_use_multipath is
set to True. This is because the encryptor requests cryptsetup
to create the symlink to the LUKS device with the same name of
the device-mapper multipath device. To avoid the name collision,
this patch adds the 'crypt-' prefix to the symlink.
Change-Id: I01a3104025a9c479e40933ca24024355df9dfb8b
Closes-Bug: #1439869
|
* test_cinder: set the code attribute of cinder client exceptions.
Otherwise ClientException.__str__() of cinderclient.exceptions
fails on self.code >= 100 with a TypeError (None cannot be
compared to int).
* Fix usage of six.reraise() in cinder _reraise(): pass the exception
object as exc_value, and use type(exc) for exc_type
* Use "except ... as exc:" syntax to get the current exception value
instead of using sys.exc_info(). Calling sys.exc_info() in
an exception handler can create reference cycles in Python 3.
* Replace six.text_type(exc) with exception_to_unicode(exc) of
oslo_utils.encodeutils. This function is safer and handles more
cases.
* tests-py3.txt: run cinder tests on Python 3
This change is partially based on the work of dims,
change Ibb4fa47cd71d697a4996425b1797ac2f8cc363cd.
Co-Authored-By: Davanum Srinivas <davanum@gmail.com>
Partially-Implements: blueprint nova-python3-newton
Change-Id: I5c252106c0e681b79033b47ebb3d457ff23ed624
|
Replace 'stubs.Set' with 'stub_out' in
nova/tests/unit/volume/encryptors/test_base.py
Change-Id: I6c671825062595444ab3331d648030546f8e791a
Implements: blueprint remove-mox-newton
|
Because key manager code is duplicated across several projects, a key
manager interface was moved into its own library. This patch goes back
to replace the old code with the new library.
Change-Id: Ib563b0ea4b8b4bc1833bf52bf49a68546c384996
Implements: blueprint use-castellan-key-manager
|
This change moves the cinder config options to a central
location "nova/conf/cinder.py".
Change-Id: I144abf6c92f499fa605307631121cf96e24fbd62
Partially-Implements: blueprint centralize-config-options-newton
|
Uses codecs module in order to decode hex.
Enables keymgr unit tests for gate-nova-python34.
Enables volume.encryptors unit tests for gate-nova-python34.
Partially Implements: blueprint nova-python3-newton
Change-Id: I43504da03c42c6b684da0ca1c3640c31a9843a45
|
In 'nova.volume.cinder.API.initialize_connection' method, all exceptions
thrown by 'terminate_connection' will be caught and logged. When logging
the exceptions, the code tries to record the 'code' attribute of the
exception since the code is expecting a CinderClientException or
NovaException [1]. But if some other exception (like TypeError) which
doesn't have a code on it is thrown, we will get an AttributeError.
This commit adds logic to check if the exception has a code on it before
trying to read it.
[1] https://github.com/openstack/nova/blob/13.0.0.0rc3/nova/volume/cinder.py#L437
Change-Id: I42fd2f2b77c41a60dfaf0cc882a344596d50daf5
Closes-Bug: #1564551
|
The cinder wrapper on all cinder API calls can check for the cinder
client returning OverLimit, so it can get correctly translated to
OverQuota. The OverQuota is different in volumes vs. snapshots, so they
need to be separated out into the different wrappers. But also, because
in snapshot creations, we need to catch a NotFound as a VolumeNotFound
and an OverLimit as an OverQuota for snapshots, we need to make a new
wrapper that mixes those two together for when we create snapshots.
Change-Id: Ia03f15232df71ca9a31ffbcca60f33949312a686
Partial-Bug: #1554631
|
In the generic Cinder wrapper that decorates all Cinder API calls, this
adds Forbidden to the list of exceptions to translate.
Change-Id: I5b893f5dae181d8e0a5539e064255225fd2a39a8
Partial-Bug: #1554631
|
Within the volume API, some functions are wrapped to translate either
volume exceptions or snapshot exceptions. Within both of those wrappers,
they check for a connection error and raise a nova
CinderConnectionFailed exception. This is now moved to a common wrapper,
which both the volume and snapshot translation wrappers use.
Change-Id: If2b948645c3678ed35074d61dbbb24428fcf570f
Related-Bug: #1554631
|
During evacuation a local connector is built. This is the
wrong connector to use for cinder terminate_connection.
In order to fix this, store the initial connector with
the BDM connection_info. Use the stored connector when
we detect that we have this wrong host situation.
This fix does not work for existing attachments
(made prior to this patch) because existing attachments
don't have the connector stashed in the bdm.connection_info.
In cases where the original connector was not saved, leave
the behavior as-is.
Change-Id: I793f2996fc0af1c321a240ad9348dc9bce816030
Partial-Bug: #1522496
|
Older Cinder blows up because of the extra parameter in the detach call
to Cinder. We need to find another way to pass the info.
This reverts commit d31bb4be8edbce6719258ae1cbbb583a2c3c3a28.
Closes-Bug: #1538620
Change-Id: I99335827ee6492d3f5629850be8e7cbe19371830
|
The lvm driver needs the host name information in order to be able to
provide detach properly. This patch adds the host information to the
attach call under virt/block_device and in volumer/cinder.
Partial-Bug: #1471278
Change-Id: I2c19f7a09299ceb266921f97f40354fb2ed76716
|
Cinder needs the attachment_id to properly identify which attachment
of a volume to detach. This patch adapts the Cinder driver to pass
the required information. The attachment_id is necessary for volumes
that enable multiple attachments in order to terminate the connection
properly. The attachment_id is retrieved in the API layer where
available and sent through RPC, the RPC version is bumped to 4.7.
Also the translation functions are modified to retrieve all necessary
information for the volume info coming from Cinder including the multiple
attachments. The Nova API returns the volume info in the same format
as earlier.
Co-Authored-By: Ildiko Vancsa <ildiko.vancsa@ericsson.com>
Partially-implements: blueprint multi-attach-volume
Change-Id: I3cdc49924acbdd21d1e6678a3bb4cf7de7f1db1a
|
Change-Id: I43df54ae57a80fce8608b507a874558e137a60d1
|
If an attached encrypted volume fails to detach from the instance
when deleting that instance, the user cannot delete that instance at all.
This patch adds 4 in check_exit_code when executing the `cryptsetup remove`
command to eat that exception.
PS: exit_code = 4 indicates an ENODEV error, which means no device (this
also includes the crypt device being inactive).
Closes-Bug: #1482066
Change-Id: I12e2a52068850528a4bd68486344b74eb9b82c88
|
During attach_volume operation, initialize_connection in Cinder
is called. If timeout happens during initialize_connection, the
Cinder API unreserve is called by the compute manager and the
volume state is changed back to available.
However, the volume could be already mapped to the host on the array.
This leaves the database and array out of sync. If rescan happens
on the host after this, the volume will be visible to the host.
Then if the so-called available volume is deleted, a faulty
device will remain in the host.
initialize_connection is also called in other cases such as post
live migration. The timeout exception during initialize_connection
should be handled and a rollback should be triggered by calling
terminate_connection in Cinder.
Co-Authored-By: xing-yang <xing.yang@emc.com>
Change-Id: I8c195b7cfc6e9b296fc3b8f5ce56bb5e130769e8
Closes-Bug: #1387807
|
This makes getting the availability zone of an instance use the same
code by placing it inside the helper get_instance_availability_zone().
Related-Bug: #1390033
Change-Id: I69b98eacbc8dc91e65611d6bf07272b517fe350d
|
Due to bug 1386232 Nova has forked get_volume_api_from_url method from
python-cinderclient. As the bug is fixed now this commit removes Nova's
version and replaces usages with cinderclient's one.
Depends-On: Idce26be00db8551d265fe668975a5843c772dd65
Change-Id: Ib0043786c808b470078d65db0d874720f99e583e
Closes-Bug: 1465627
|
When attaching a volume, after the connection is initialized to the
volume in Cinder, the nova.volume.encryptors.get_encryption_metadata
method is called to get encryption metadata for the volume. That call is
based on the 'encrypted' key in connection_info['data'] returned from
the os-initialize_connection Cinder API.
However, just because the volume has an encryption key in Cinder does
not mean that the corresponding volume driver in Nova supports
encrypting the volume, like in the case of RBD volumes.
Tempest has tests for encrypted volumes which succeed today in the Ceph
job but they are actually false positives since without Cinder change
I03f8cae05cc117e14f7482115de685fc9f3fa54a, the 'encrypted' key is not
set in the connection_info dict and Nova doesn't attempt encryption of
the volume during attach.
The Ceph job fails when encrypted=True is in connection_info because
cryptsetup (and luks which extends cryptsetup) requires the
'device_path' key in the connection_info dict, which is set when
connecting the volume during attach via the corresponding Nova volume
driver. In the case of RBD and libvirt, the LibvirtNetVolumeDriver is
used and the 'device_path' key isn't set, so a KeyError is raised when
trying to construct the CryptsetupEncryptor or LuksEncryptor objects.
This change adds a check in CryptsetupEncryptor such that if the
device_path is not in connection_info, a VolumeEncryptionNotSupported
error is raised rather than KeyError.
Note that this doesn't fix the encrypted volume tests in Tempest. Those
tests fail due to a timeout waiting for the volume status to be 'in-use'
which doesn't happen since the compute manager rolls back the
reservation on the volume when the error occurs. The Tempest tests will
have to be skipped in the Ceph job until volume encryption is supported
for RBD in Nova, which will be a separate set of changes.
Related-Bug: #1463525
Change-Id: I8efc2628b09d4e9e59831353daa080b20e17ccde
|
Cinder change I03f8cae05cc117e14f7482115de685fc9f3fa54a is failing for
some volume driver third party CI like NetApp iSCSI because the device
is in use when formatting the device for LUKS.
This change adds a retry counter to the luksFormat command execution
like we did in commit eef97cdf4bb7f426d7feb394ef54510db8b1656b for
closing the volume and hitting intermittent in-use issues.
Closes-Bug: #1470562
Related-Bug: #1440227
Change-Id: I0cb32a6f9fbe68ae033ad00534512aa5d82a417b
|
This patch changes, where it's possible, tests-package
to use test.NoDBTestCase, saving test case running time.
Co-Authored-By: yuntongjin <yuntongjin@gmail.com>
Change-Id: I95945f0bf23c9ef963a4b8634ac4ed6236d97ac7
|
Create encrypted volume type with 'LuksEncryptor'
provider, and attach the encrypted volume to volume.
Then nova raises the exception "Empty module name".
The code should add the full module name automatically.
Change-Id: I641036fb5428154d73c2a1a0ed58171152b3900b
Closes-bug: #1384653
|
This change responds to reviewer comments on
https://review.openstack.org/#/c/124791/8
In particular, this change
1) removes an unnecessary method invocation in test_luks.py,
2) clarifies a comment in the is_luks function, and
3) adds a log warning with the cryptsetup exit code and standard
error when a device is not a LUKS device.
Change-Id: I8b8ef5f6751d1d6445732582ed571173745e704b
|
Determination of whether or not a device uses LUKS for encryption
is currently performed by parsing the output of the 'luksOpen'
command. This approach is brittle and does not handle non-English
locales.
This change replaces the existing approach with the 'isLuks' command
to determine if the device uses LUKS. In addition, test cases are
added to provide better coverage of the attach_volume operation
for encrypted volumes.
Closes-Bug: 1372108
Change-Id: I99f905f8f5c7d46ecc826fa0da5d36f54f1107dc
|
Log lines in unit tests won't ever be run in production, no reason to
translate them.
Change-Id: I610deb44f33a966de50296272ab0bfa35462eec9
|
Change-Id: Ic01956a0fc1ef641dd1b9a28caa40debdc8c114c
Closes-Bug: #1391748
|
This change updates the test cases for volume encryptors to use mocks
rather than stubs. The impetus for this change is comments on another
change (https://review.openstack.org/#/c/124791) that request new
tests to be written using mock. Mixing stubs and mocks would be
confusing so this change removes the existing stubs entirely.
Change-Id: I99ff78edcae5eaccabf4ea4caf04b8406ffa2f80
|
The removed functions aren't used anywhere except in unit tests, so just
remove them.
Change-Id: Id52e8837152fa8654131ca79e50582e03622b765