
Merge "libvirt: Avoid using os-brick encryptors when device_path isn't provided" into stable/queens

tags/17.0.11
Zuul 2 months ago
parent
commit
2c1596b78f
2 changed files with 35 additions and 2 deletions
  1. 27
    2
      nova/tests/unit/virt/libvirt/test_driver.py
  2. 8
    0
      nova/virt/libvirt/driver.py

+ 27
- 2
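--- a/nova/tests/unit/virt/libvirt/test_driver.py
+++ b/nova/tests/unit/virt/libvirt/test_driver.py
@@ -7830,8 +7830,9 @@ class LibvirtConnTestCase(test.NoDBTestCase,
 
     @mock.patch('os_brick.encryptors.get_encryption_metadata')
     @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
+    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
     def test_detach_encryptor_encrypted_volume_meta_missing(self,
-            mock_get_encryptor, mock_get_metadata):
+            mock_use_native_luks, mock_get_encryptor, mock_get_metadata):
         """Assert that if missing the encryption metadata of an encrypted
         volume is fetched and then used to detach the encryptor for the volume.
         """
@@ -7841,6 +7842,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
         encryption = {'provider': 'luks', 'control_location': 'front-end'}
         mock_get_metadata.return_value = encryption
         connection_info = {'data': {'volume_id': uuids.volume_id}}
+        mock_use_native_luks.return_value = False
 
         drvr._detach_encryptor(self.context, connection_info, None)
 
@@ -7852,8 +7854,9 @@ class LibvirtConnTestCase(test.NoDBTestCase,
 
     @mock.patch('os_brick.encryptors.get_encryption_metadata')
     @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
+    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
     def test_detach_encryptor_encrypted_volume_meta_provided(self,
-            mock_get_encryptor, mock_get_metadata):
+            mock_use_native_luks, mock_get_encryptor, mock_get_metadata):
         """Assert that when provided there are no further attempts to fetch the
         encryption metadata for the volume and that the provided metadata is
         then used to detach the volume.
@@ -7863,6 +7866,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
         mock_get_encryptor.return_value = mock_encryptor
         encryption = {'provider': 'luks', 'control_location': 'front-end'}
         connection_info = {'data': {'volume_id': uuids.volume_id}}
+        mock_use_native_luks.return_value = False
 
         drvr._detach_encryptor(self.context, connection_info, encryption)
 
@@ -7871,6 +7875,27 @@ class LibvirtConnTestCase(test.NoDBTestCase,
                                                    encryption)
         mock_encryptor.detach_volume.assert_called_once_with(**encryption)
 
+    @mock.patch('nova.virt.libvirt.host.Host.find_secret')
+    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
+    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
+    def test_detach_encryptor_native_luks_device_path_secret_missing(self,
+            mock_get_encryptor, mock_use_native_luks, mock_find_secret):
+        """Assert that the encryptor is not built when native LUKS is
+        available, the associated volume secret is missing and device_path is
+        also missing from the connection_info.
+        """
+        drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
+        encryption = {'provider': 'luks', 'control_location': 'front-end',
+                      'encryption_key_id': uuids.encryption_key_id}
+        connection_info = {'data': {'volume_id': uuids.volume_id}}
+        mock_find_secret.return_value = False
+        mock_use_native_luks.return_value = True
+
+        drvr._detach_encryptor(self.context, connection_info, encryption)
+
+        mock_find_secret.assert_called_once_with('volume', uuids.volume_id)
+        mock_get_encryptor.assert_not_called()
+
     @mock.patch.object(host.Host, "has_min_version")
     def test_use_native_luks(self, mock_has_min_version):
         drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)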
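Review bot: The new test `test_detach_encryptor_native_luks_device_path_secret_missing` pins only the skip path (native LUKS available, secret missing, no `device_path`); nothing in this section covers the complementary case where `_use_native_luks` returns True and `device_path` is present, so a guard that skipped too broadly would still pass. A sibling test using `connection_info = {'data': {'volume_id': uuids.volume_id, 'device_path': '/dev/fake'}}` (the path is a constructed sample) and ending with `mock_encryptor.detach_volume.assert_called_once_with(**encryption)` would pin that an encryptor attached to a host device is still torn down. The two modified tests only set `mock_use_native_luks.return_value = False`, so they do not exercise that branch either.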

+ 8
- 0
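--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -1412,6 +1412,14 @@ class LibvirtDriver(driver.ComputeDriver):
             return self._host.delete_secret('volume', volume_id)
         if encryption is None:
             encryption = self._get_volume_encryption(context, connection_info)
+        # NOTE(lyarwood): Handle bug #1821696 where volume secrets have been
+        # removed manually by returning if native LUKS decryption is available
+        # and device_path is not present in the connection_info. This avoids
+        # VolumeEncryptionNotSupported being thrown when we incorrectly build
+        # the encryptor below due to the secrets not being present above.
+        if (encryption and self._use_native_luks(encryption) and
+            not connection_info['data'].get('device_path')):
+            return
         if encryption:
             encryptor = self._get_volume_encryptor(connection_info,
                                                    encryption)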
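Review bot: The new early `return` is silent: when an encrypted volume reaches this guard with no libvirt secret and no `device_path`, the detach completes without any record, even though the NOTE says this state arises when secrets were removed manually. A log line just before the `return`, for example `LOG.warning("Volume %s: libvirt secret not found and no device_path; skipping encryptor detach", volume_id)`, would let operators detect and audit out-of-band removal of volume secrets instead of having it masked. This assumes the module's usual `LOG` is in scope and that `volume_id` is the local seen in the first context line; the start of the enclosing method is outside the hunk, so both should be confirmed there.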
