Reviewed:  https://review.opendev.org/752090
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f9b67893acf94c06fd41be36b80b99788dc77e48
Submitter: Zuul
Branch:    master

commit f9b67893acf94c06fd41be36b80b99788dc77e48
Author: Lee Yarwood <[email protected]>
Date:   Tue Sep 15 18:17:04 2020 +0100

    compute: Skip cinder_encryption_key_id check when booting from volume
    
    Idf84ccff254d26fa13473fe9741ddac21cbcf321 added this check in order for
    Nova to avoid booting encrypted images created by Cinder as there is
    currently no support for using such images (rotating keys etc).
    
    The check however missed the slightly convoluted use case where this
    image property is found against a volume after the volume in question is
    created using an encrypted image created by cinder from an encrypted
    volume. In other words:
    
    - Cinder creates an encrypted volume A
    - Glance creates an encrypted image A from volume A
    - Cinder creates an encrypted volume B from image A
    - Nova attempts to boot an instance using volume B
    
    Note that Nova may request the creation of volume B or a user could also
    do this directly through Cinder.
    
    As such this change simply ensures that the instance isn't booting from
    a volume when performing the check as it is only valid when booting from
    an image.
    
    Closes-Bug: #1895696
    Change-Id: Ic92cab7362fa25050e5bbef5c3e360108365b5c7


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1895696

Title:
  unable to boot instance from encrypted volume created from a glance
  image of an encrypted volume

Status in Cinder:
  New
Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Description
  ===========
  What the title says, plus see "steps to reproduce" below.
  This is a regression caused by the fix for https://bugs.launchpad.net/nova/+bug/1852106

  Steps to Reproduce
  ==================
  1. Let Image-1 be a "regular" (non-encrypted, bootable) image in Glance (like the cirros image).
  2. Create volume V-1 in Cinder from Image-1 specifying encrypted volume-type T-1.
  3. Boot an instance from V-1 (make sure delete-on-terminate is false).  Works fine.  Delete the instance to free up the volume.
  4. Call cinder upload-to-image on V-1 to create Image-2.
  5. Create volume V-2 in Cinder specifying encrypted volume-type T-1 from Image-2.
  6. Boot an instance from V-2.

  Expected result
  ===============
  Working instance booted from volume.

  Actual result
  =============
  ERROR (BadRequest): Image None is unacceptable: Direct booting of an image uploaded from an encrypted volume is unsupported. (HTTP 400)

  
  Note:
  If we bypass the check at https://review.opendev.org/#/c/707738/3/nova/compute/api.py@894, the instance goes 'active' and is operable (you can ssh into it).  (Of course, we don't want to bypass the check, it just needs to be made aware that we are booting from a volume, not trying to boot from an image.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1895696/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
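
Added example (not part of the original notification and not Nova's or Cinder's code): a simplified model of the reproduction steps above, showing how the cinder_encryption_key_id image property ends up on volume V-2 and how the check behaves before and after it is skipped for boot-from-volume. All function names, dictionary layouts and key ids are hypothetical; only the property name and the error text come from the report.

```python
KEY_PROP = "cinder_encryption_key_id"  # image property named in the commit message


class BadRequest(Exception):
    """Stands in for the HTTP 400 quoted in the bug report."""


def volume_from_image(image, encrypted, key_id=None):
    # Assumption: a volume keeps a copy of its source image's properties.
    return {"encrypted": encrypted, "key_id": key_id,
            "image_meta": dict(image["properties"])}


def image_from_volume(volume):
    # Assumption: the uploaded image inherits the volume's image metadata,
    # and an encrypted volume also stamps its key id onto the image.
    props = dict(volume["image_meta"])
    if volume["encrypted"]:
        props[KEY_PROP] = volume["key_id"]
    return {"properties": props}


def check_boot(image_meta, boot_from_volume, skip_for_volumes):
    """skip_for_volumes=False models the check before the fix, True after."""
    if skip_for_volumes and boot_from_volume:
        return  # the property is only meaningful when booting from an image
    if image_meta.get(KEY_PROP):
        raise BadRequest("Direct booting of an image uploaded from an "
                         "encrypted volume is unsupported.")


def run_scenario(skip_for_volumes):
    image_1 = {"properties": {}}                                  # step 1
    v1 = volume_from_image(image_1, True, "constructed-key-1")    # step 2
    image_2 = image_from_volume(v1)                               # step 4
    v2 = volume_from_image(image_2, True, "constructed-key-2")    # step 5
    attempts = [("volume V-1", v1["image_meta"], True),           # step 3
                ("volume V-2", v2["image_meta"], True),           # step 6
                ("image Image-2", image_2["properties"], False)]  # direct boot
    results = {}
    for name, meta, from_volume in attempts:
        try:
            check_boot(meta, from_volume, skip_for_volumes)
            results[name] = "accepted"
        except BadRequest:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print("before fix:", run_scenario(skip_for_volumes=False))
    print("after fix: ", run_scenario(skip_for_volumes=True))
```

In this model the direct boot of Image-2 is rejected in both runs, so the protection the original check was added for is kept while V-2 becomes bootable.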
