workarounds: Remove disable_native_luksv1
This was previously deprecated for removal during the Wallaby release. Change-Id: I6a57aff7c95fafef64ab65192ec4ec804658b31f
parent
7c1ca501ee
commit
9bd62eae6e
@ -270,40 +270,6 @@ Related options:
|
||||
|
||||
* ``compute_driver`` (libvirt)
|
||||
* ``[libvirt]/images_type`` (rbd)
|
||||
"""),
|
||||
cfg.BoolOpt(
|
||||
'disable_native_luksv1',
|
||||
default=False,
|
||||
deprecated_for_removal=True,
|
||||
deprecated_since='23.0.0',
|
||||
deprecated_reason="""
|
||||
The underlying performance regression within libgcrypt that prompted this
|
||||
workaround has been resolved as of 1.8.5
|
||||
""",
|
||||
help="""
|
||||
When attaching encrypted LUKSv1 Cinder volumes to instances the Libvirt driver
|
||||
configures the encrypted disks to be natively decrypted by QEMU.
|
||||
|
||||
A performance issue has been discovered in the libgcrypt library used by QEMU
|
||||
that serverly limits the I/O performance in this scenario.
|
||||
|
||||
For more information please refer to the following bug report:
|
||||
|
||||
RFE: hardware accelerated AES-XTS mode
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1762765
|
||||
|
||||
Enabling this workaround option will cause Nova to use the legacy dm-crypt
|
||||
based os-brick encryptor to decrypt the LUKSv1 volume.
|
||||
|
||||
Note that enabling this option while using volumes that do not provide a host
|
||||
block device such as Ceph will result in a failure to boot from or attach the
|
||||
volume to an instance. See the ``[workarounds]/rbd_block_device`` option for a
|
||||
way to avoid this for RBD.
|
||||
|
||||
Related options:
|
||||
|
||||
* ``compute_driver`` (libvirt)
|
||||
* ``rbd_block_device`` (workarounds)
|
||||
"""),
|
||||
cfg.BoolOpt(
|
||||
'rbd_volume_local_attach',
|
||||
|
@ -118,7 +118,6 @@ from nova.virt.libvirt.storage import dmcrypt
|
||||
from nova.virt.libvirt.storage import lvm
|
||||
from nova.virt.libvirt import utils as libvirt_utils
|
||||
from nova.virt.libvirt import vif as libvirt_vif
|
||||
from nova.virt.libvirt.volume import fs as fs_drivers
|
||||
from nova.virt.libvirt.volume import volume as volume_drivers
|
||||
|
||||
CONF = nova.conf.CONF
|
||||
@ -9039,68 +9038,6 @@ class LibvirtConnTestCase(test.NoDBTestCase,
|
||||
mock_encryptor._format_volume.assert_called_once_with(key,
|
||||
**encryption)
|
||||
|
||||
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryption')
|
||||
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryptor')
|
||||
def test_connect_volume_native_luks_workaround(self,
|
||||
mock_get_volume_encryptor, mock_get_volume_encryption):
|
||||
self.flags(disable_native_luksv1=True, group='workarounds')
|
||||
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
|
||||
connection_info = {'driver_volume_type': 'fake',
|
||||
'data': {'device_path': '/fake',
|
||||
'access_mode': 'rw',
|
||||
'volume_id': uuids.volume_id}}
|
||||
encryption = {'provider': encryptors.LUKS,
|
||||
'encryption_key_id': uuids.encryption_key_id}
|
||||
instance = mock.sentinel.instance
|
||||
mock_encryptor = mock.Mock()
|
||||
mock_get_volume_encryptor.return_value = mock_encryptor
|
||||
mock_get_volume_encryption.return_value = encryption
|
||||
|
||||
drvr._connect_volume(self.context, connection_info, instance,
|
||||
encryption=encryption)
|
||||
|
||||
# Assert that the os-brick encryptors are attached
|
||||
mock_encryptor.attach_volume.assert_called_once_with(
|
||||
self.context, **encryption)
|
||||
|
||||
def test_should_disconnect_target_multi_attach_filesystem_driver(self):
|
||||
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
|
||||
volume_driver = mock.MagicMock(
|
||||
spec=fs_drivers.LibvirtMountedFileSystemVolumeDriver)
|
||||
self.assertTrue(drvr._should_disconnect_target(
|
||||
self.context, None, True, volume_driver, None))
|
||||
|
||||
def test_should_disconnect_target_single_attach_filesystem_driver(self):
|
||||
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
|
||||
volume_driver = mock.MagicMock(
|
||||
spec=fs_drivers.LibvirtMountedFileSystemVolumeDriver)
|
||||
self.assertTrue(drvr._should_disconnect_target(
|
||||
self.context, None, False, volume_driver, None))
|
||||
|
||||
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryption')
|
||||
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryptor')
|
||||
def test_disconnect_volume_native_luks_workaround(self,
|
||||
mock_get_volume_encryptor, mock_get_volume_encryption):
|
||||
self.flags(disable_native_luksv1=True, group='workarounds')
|
||||
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
|
||||
drvr._host = mock.Mock()
|
||||
drvr._host.find_secret.return_value = None
|
||||
connection_info = {'driver_volume_type': 'fake',
|
||||
'data': {'device_path': '/fake',
|
||||
'access_mode': 'rw',
|
||||
'volume_id': uuids.volume_id}}
|
||||
encryption = {'provider': encryptors.LUKS,
|
||||
'encryption_key_id': uuids.encryption_key_id}
|
||||
instance = mock.sentinel.instance
|
||||
mock_encryptor = mock.Mock()
|
||||
mock_get_volume_encryptor.return_value = mock_encryptor
|
||||
mock_get_volume_encryption.return_value = encryption
|
||||
|
||||
drvr._disconnect_volume(self.context, connection_info, instance)
|
||||
|
||||
mock_encryptor.detach_volume.assert_called_once_with(
|
||||
**encryption)
|
||||
|
||||
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryptor')
|
||||
def test_disconnect_volume_luks(self, mock_get_volume_encryptor):
|
||||
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
|
||||
@ -10309,15 +10246,6 @@ class LibvirtConnTestCase(test.NoDBTestCase,
|
||||
self.assertTrue(drvr._allow_native_luksv1({
|
||||
'provider': encryptors.LUKS}))
|
||||
|
||||
# Assert the disable_qemu_native_luksv workaround always returns False
|
||||
self.flags(disable_native_luksv1=True, group='workarounds')
|
||||
self.assertFalse(drvr._allow_native_luksv1({
|
||||
'provider': 'nova.volume.encryptors.luks.LuksEncryptor'}))
|
||||
self.assertFalse(drvr._allow_native_luksv1({
|
||||
'provider': 'LuksEncryptor'}))
|
||||
self.assertFalse(drvr._allow_native_luksv1({
|
||||
'provider': encryptors.LUKS}))
|
||||
|
||||
def test_multi_nic(self):
|
||||
network_info = _fake_network_info(self, 2)
|
||||
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True)
|
||||
|
@ -1884,12 +1884,6 @@ class LibvirtDriver(driver.ComputeDriver):
|
||||
def _allow_native_luksv1(self, encryption=None):
|
||||
"""Check if QEMU's native LUKSv1 decryption should be used.
|
||||
"""
|
||||
# NOTE(lyarwood): Native LUKSv1 decryption can be disabled via a
|
||||
# workarounds configurable in order to aviod known performance issues
|
||||
# with the libgcrypt lib.
|
||||
if CONF.workarounds.disable_native_luksv1:
|
||||
return False
|
||||
|
||||
# NOTE(lyarwood): Ensure the LUKSv1 provider is used.
|
||||
provider = None
|
||||
if encryption:
|
||||
|
@ -0,0 +1,6 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
The ``[workarounds]disable_native_luksv1`` workaround configurable has been
|
||||
removed after previously being deprecated during the Wallaby (23.0.0)
|
||||
release.
|