Merge "libvirt: Avoid using os-brick encryptors when device_path isn't provided" into stable/queens

Zuul 2019-07-03 02:06:58 +00:00 committed by Gerrit Code Review
commit 2c1596b78f
2 changed files with 35 additions and 2 deletions


@ -7830,8 +7830,9 @@ class LibvirtConnTestCase(test.NoDBTestCase,
@mock.patch('os_brick.encryptors.get_encryption_metadata') @mock.patch('os_brick.encryptors.get_encryption_metadata')
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor') @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
def test_detach_encryptor_encrypted_volume_meta_missing(self, def test_detach_encryptor_encrypted_volume_meta_missing(self,
mock_get_encryptor, mock_get_metadata): mock_use_native_luks, mock_get_encryptor, mock_get_metadata):
"""Assert that if missing the encryption metadata of an encrypted """Assert that if missing the encryption metadata of an encrypted
volume is fetched and then used to detach the encryptor for the volume. volume is fetched and then used to detach the encryptor for the volume.
""" """
@ -7841,6 +7842,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
encryption = {'provider': 'luks', 'control_location': 'front-end'} encryption = {'provider': 'luks', 'control_location': 'front-end'}
mock_get_metadata.return_value = encryption mock_get_metadata.return_value = encryption
connection_info = {'data': {'volume_id': uuids.volume_id}} connection_info = {'data': {'volume_id': uuids.volume_id}}
mock_use_native_luks.return_value = False
drvr._detach_encryptor(self.context, connection_info, None) drvr._detach_encryptor(self.context, connection_info, None)
@ -7852,8 +7854,9 @@ class LibvirtConnTestCase(test.NoDBTestCase,
@mock.patch('os_brick.encryptors.get_encryption_metadata') @mock.patch('os_brick.encryptors.get_encryption_metadata')
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor') @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
def test_detach_encryptor_encrypted_volume_meta_provided(self, def test_detach_encryptor_encrypted_volume_meta_provided(self,
mock_get_encryptor, mock_get_metadata): mock_use_native_luks, mock_get_encryptor, mock_get_metadata):
"""Assert that when provided there are no further attempts to fetch the """Assert that when provided there are no further attempts to fetch the
encryption metadata for the volume and that the provided metadata is encryption metadata for the volume and that the provided metadata is
then used to detach the volume. then used to detach the volume.
@ -7863,6 +7866,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
mock_get_encryptor.return_value = mock_encryptor mock_get_encryptor.return_value = mock_encryptor
encryption = {'provider': 'luks', 'control_location': 'front-end'} encryption = {'provider': 'luks', 'control_location': 'front-end'}
connection_info = {'data': {'volume_id': uuids.volume_id}} connection_info = {'data': {'volume_id': uuids.volume_id}}
mock_use_native_luks.return_value = False
drvr._detach_encryptor(self.context, connection_info, encryption) drvr._detach_encryptor(self.context, connection_info, encryption)
@ -7871,6 +7875,27 @@ class LibvirtConnTestCase(test.NoDBTestCase,
encryption) encryption)
mock_encryptor.detach_volume.assert_called_once_with(**encryption) mock_encryptor.detach_volume.assert_called_once_with(**encryption)
@mock.patch('nova.virt.libvirt.host.Host.find_secret')
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._use_native_luks')
@mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_volume_encryptor')
def test_detach_encryptor_native_luks_device_path_secret_missing(self,
mock_get_encryptor, mock_use_native_luks, mock_find_secret):
"""Assert that the encryptor is not built when native LUKS is
available, the associated volume secret is missing and device_path is
also missing from the connection_info.
"""
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
encryption = {'provider': 'luks', 'control_location': 'front-end',
'encryption_key_id': uuids.encryption_key_id}
connection_info = {'data': {'volume_id': uuids.volume_id}}
mock_find_secret.return_value = False
mock_use_native_luks.return_value = True
drvr._detach_encryptor(self.context, connection_info, encryption)
mock_find_secret.assert_called_once_with('volume', uuids.volume_id)
mock_get_encryptor.assert_not_called()
@mock.patch.object(host.Host, "has_min_version") @mock.patch.object(host.Host, "has_min_version")
def test_use_native_luks(self, mock_has_min_version): def test_use_native_luks(self, mock_has_min_version):
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False) drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
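Review bot: The new test_detach_encryptor_native_luks_device_path_secret_missing pins only the skip side of the added condition; nothing in this section checks that the os-brick encryptor is still built and detached when native LUKS is available, the secret is missing and device_path is present. The two existing tests now force `mock_use_native_luks.return_value = False`, so they never reach that combination. Without it, a later change that widens the early return would leave a host-side encryptor attached with every test still passing. A sibling test with `connection_info = {'data': {'volume_id': uuids.volume_id, 'device_path': '/dev/fake'}}` (path value constructed for illustration) and `mock_use_native_luks.return_value = True`, ending in `mock_get_encryptor.assert_called_once_with(connection_info, encryption)`, would cover it.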


@ -1412,6 +1412,14 @@ class LibvirtDriver(driver.ComputeDriver):
return self._host.delete_secret('volume', volume_id) return self._host.delete_secret('volume', volume_id)
if encryption is None: if encryption is None:
encryption = self._get_volume_encryption(context, connection_info) encryption = self._get_volume_encryption(context, connection_info)
# NOTE(lyarwood): Handle bug #1821696 where volume secrets have been
# removed manually by returning if native LUKS decryption is available
# and device_path is not present in the connection_info. This avoids
# VolumeEncryptionNotSupported being thrown when we incorrectly build
# the encryptor below due to the secrets not being present above.
if (encryption and self._use_native_luks(encryption) and
not connection_info['data'].get('device_path')):
return
if encryption: if encryption:
encryptor = self._get_volume_encryptor(connection_info, encryptor = self._get_volume_encryptor(connection_info,
encryption) encryption)
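Review bot: The early `return` added to the detach path is silent, so nothing records that encryptor teardown was skipped for an encrypted volume. The NOTE says this happens when volume secrets were removed manually (bug #1821696), and an operator would want to see that state in the compute log. Log before returning, for example `LOG.warning('Skipping encryptor detach for volume %s: no libvirt secret found and no device_path in connection_info', volume_id)`, assuming the module-level `LOG` and the `volume_id` used on the first context line are in scope at that point. The function's signature and the secret lookup lie above the hunk, so this should be checked against the full body.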