Merge "libvirt: Avoid using os-brick encryptors when device_path isn't provided" into stable/queens
This commit is contained in:
commit
2c1596b78f
|
@ -7830,8 +7830,9 @@ class LibvirtConnTestCase(test.NoDBTestCase,
|
||||||
|
|
||||||
@mock.patch('os_brick.encryptors.get_encryption_metadata')
|
@mock.patch('os_brick.encryptors.get_encryption_metadata')
|
||||||
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
|
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
|
||||||
|
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
|
||||||
def test_detach_encryptor_encrypted_volume_meta_missing(self,
|
def test_detach_encryptor_encrypted_volume_meta_missing(self,
|
||||||
mock_get_encryptor, mock_get_metadata):
|
mock_use_native_luks, mock_get_encryptor, mock_get_metadata):
|
||||||
"""Assert that if missing the encryption metadata of an encrypted
|
"""Assert that if missing the encryption metadata of an encrypted
|
||||||
volume is fetched and then used to detach the encryptor for the volume.
|
volume is fetched and then used to detach the encryptor for the volume.
|
||||||
"""
|
"""
|
||||||
|
@ -7841,6 +7842,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
|
||||||
encryption = {'provider': 'luks', 'control_location': 'front-end'}
|
encryption = {'provider': 'luks', 'control_location': 'front-end'}
|
||||||
mock_get_metadata.return_value = encryption
|
mock_get_metadata.return_value = encryption
|
||||||
connection_info = {'data': {'volume_id': uuids.volume_id}}
|
connection_info = {'data': {'volume_id': uuids.volume_id}}
|
||||||
|
mock_use_native_luks.return_value = False
|
||||||
|
|
||||||
drvr._detach_encryptor(self.context, connection_info, None)
|
drvr._detach_encryptor(self.context, connection_info, None)
|
||||||
|
|
||||||
|
@ -7852,8 +7854,9 @@ class LibvirtConnTestCase(test.NoDBTestCase,
|
||||||
|
|
||||||
@mock.patch('os_brick.encryptors.get_encryption_metadata')
|
@mock.patch('os_brick.encryptors.get_encryption_metadata')
|
||||||
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
|
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
|
||||||
|
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
|
||||||
def test_detach_encryptor_encrypted_volume_meta_provided(self,
|
def test_detach_encryptor_encrypted_volume_meta_provided(self,
|
||||||
mock_get_encryptor, mock_get_metadata):
|
mock_use_native_luks, mock_get_encryptor, mock_get_metadata):
|
||||||
"""Assert that when provided there are no further attempts to fetch the
|
"""Assert that when provided there are no further attempts to fetch the
|
||||||
encryption metadata for the volume and that the provided metadata is
|
encryption metadata for the volume and that the provided metadata is
|
||||||
then used to detach the volume.
|
then used to detach the volume.
|
||||||
|
@ -7863,6 +7866,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
|
||||||
mock_get_encryptor.return_value = mock_encryptor
|
mock_get_encryptor.return_value = mock_encryptor
|
||||||
encryption = {'provider': 'luks', 'control_location': 'front-end'}
|
encryption = {'provider': 'luks', 'control_location': 'front-end'}
|
||||||
connection_info = {'data': {'volume_id': uuids.volume_id}}
|
connection_info = {'data': {'volume_id': uuids.volume_id}}
|
||||||
|
mock_use_native_luks.return_value = False
|
||||||
|
|
||||||
drvr._detach_encryptor(self.context, connection_info, encryption)
|
drvr._detach_encryptor(self.context, connection_info, encryption)
|
||||||
|
|
||||||
|
@ -7871,6 +7875,27 @@ class LibvirtConnTestCase(test.NoDBTestCase,
|
||||||
encryption)
|
encryption)
|
||||||
mock_encryptor.detach_volume.assert_called_once_with(**encryption)
|
mock_encryptor.detach_volume.assert_called_once_with(**encryption)
|
||||||
|
|
||||||
|
@mock.patch('nova.virt.libvirt.host.Host.find_secret')
|
||||||
|
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
|
||||||
|
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
|
||||||
|
def test_detach_encryptor_native_luks_device_path_secret_missing(self,
|
||||||
|
mock_get_encryptor, mock_use_native_luks, mock_find_secret):
|
||||||
|
"""Assert that the encryptor is not built when native LUKS is
|
||||||
|
available, the associated volume secret is missing and device_path is
|
||||||
|
also missing from the connection_info.
|
||||||
|
"""
|
||||||
|
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
|
||||||
|
encryption = {'provider': 'luks', 'control_location': 'front-end',
|
||||||
|
'encryption_key_id': uuids.encryption_key_id}
|
||||||
|
connection_info = {'data': {'volume_id': uuids.volume_id}}
|
||||||
|
mock_find_secret.return_value = False
|
||||||
|
mock_use_native_luks.return_value = True
|
||||||
|
|
||||||
|
drvr._detach_encryptor(self.context, connection_info, encryption)
|
||||||
|
|
||||||
|
mock_find_secret.assert_called_once_with('volume', uuids.volume_id)
|
||||||
|
mock_get_encryptor.assert_not_called()
|
||||||
|
|
||||||
@mock.patch.object(host.Host, "has_min_version")
|
@mock.patch.object(host.Host, "has_min_version")
|
||||||
def test_use_native_luks(self, mock_has_min_version):
|
def test_use_native_luks(self, mock_has_min_version):
|
||||||
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
|
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
|
||||||
|
|
|
@ -1412,6 +1412,14 @@ class LibvirtDriver(driver.ComputeDriver):
|
||||||
return self._host.delete_secret('volume', volume_id)
|
return self._host.delete_secret('volume', volume_id)
|
||||||
if encryption is None:
|
if encryption is None:
|
||||||
encryption = self._get_volume_encryption(context, connection_info)
|
encryption = self._get_volume_encryption(context, connection_info)
|
||||||
|
# NOTE(lyarwood): Handle bug #1821696 where volume secrets have been
|
||||||
|
# removed manually by returning if native LUKS decryption is available
|
||||||
|
# and device_path is not present in the connection_info. This avoids
|
||||||
|
# VolumeEncryptionNotSupported being thrown when we incorrectly build
|
||||||
|
# the encryptor below due to the secrets not being present above.
|
||||||
|
if (encryption and self._use_native_luks(encryption) and
|
||||||
|
not connection_info['data'].get('device_path')):
|
||||||
|
return
|
||||||
if encryption:
|
if encryption:
|
||||||
encryptor = self._get_volume_encryptor(connection_info,
|
encryptor = self._get_volume_encryptor(connection_info,
|
||||||
encryption)
|
encryption)
|
||||||
|
|
Loading…
Reference in New Issue