workarounds: Remove disable_native_luksv1

This was previously deprecated for removal during the Wallaby release.

Change-Id: I6a57aff7c95fafef64ab65192ec4ec804658b31f
Lee Yarwood 2021-08-23 14:39:48 +01:00
parent 7c1ca501ee
commit 9bd62eae6e
4 changed files with 6 additions and 112 deletions


@ -270,40 +270,6 @@ Related options:
* ``compute_driver`` (libvirt)
* ``[libvirt]/images_type`` (rbd)
"""),
cfg.BoolOpt(
'disable_native_luksv1',
default=False,
deprecated_for_removal=True,
deprecated_since='23.0.0',
deprecated_reason="""
The underlying performance regression within libgcrypt that prompted this
workaround has been resolved as of 1.8.5
""",
help="""
When attaching encrypted LUKSv1 Cinder volumes to instances the Libvirt driver
configures the encrypted disks to be natively decrypted by QEMU.
A performance issue has been discovered in the libgcrypt library used by QEMU
that serverly limits the I/O performance in this scenario.
For more information please refer to the following bug report:
RFE: hardware accelerated AES-XTS mode
https://bugzilla.redhat.com/show_bug.cgi?id=1762765
Enabling this workaround option will cause Nova to use the legacy dm-crypt
based os-brick encryptor to decrypt the LUKSv1 volume.
Note that enabling this option while using volumes that do not provide a host
block device such as Ceph will result in a failure to boot from or attach the
volume to an instance. See the ``[workarounds]/rbd_block_device`` option for a
way to avoid this for RBD.
Related options:
* ``compute_driver`` (libvirt)
* ``rbd_block_device`` (workarounds)
"""),
cfg.BoolOpt(
'rbd_volume_local_attach',


@ -118,7 +118,6 @@ from nova.virt.libvirt.storage import dmcrypt
from nova.virt.libvirt.storage import lvm
from nova.virt.libvirt import utils as libvirt_utils
from nova.virt.libvirt import vif as libvirt_vif
from nova.virt.libvirt.volume import fs as fs_drivers
from nova.virt.libvirt.volume import volume as volume_drivers
CONF = nova.conf.CONF
@ -9039,68 +9038,6 @@ class LibvirtConnTestCase(test.NoDBTestCase,
mock_encryptor._format_volume.assert_called_once_with(key,
**encryption)
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryption')
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryptor')
def test_connect_volume_native_luks_workaround(self,
mock_get_volume_encryptor, mock_get_volume_encryption):
self.flags(disable_native_luksv1=True, group='workarounds')
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
connection_info = {'driver_volume_type': 'fake',
'data': {'device_path': '/fake',
'access_mode': 'rw',
'volume_id': uuids.volume_id}}
encryption = {'provider': encryptors.LUKS,
'encryption_key_id': uuids.encryption_key_id}
instance = mock.sentinel.instance
mock_encryptor = mock.Mock()
mock_get_volume_encryptor.return_value = mock_encryptor
mock_get_volume_encryption.return_value = encryption
drvr._connect_volume(self.context, connection_info, instance,
encryption=encryption)
# Assert that the os-brick encryptors are attached
mock_encryptor.attach_volume.assert_called_once_with(
self.context, **encryption)
def test_should_disconnect_target_multi_attach_filesystem_driver(self):
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
volume_driver = mock.MagicMock(
spec=fs_drivers.LibvirtMountedFileSystemVolumeDriver)
self.assertTrue(drvr._should_disconnect_target(
self.context, None, True, volume_driver, None))
def test_should_disconnect_target_single_attach_filesystem_driver(self):
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
volume_driver = mock.MagicMock(
spec=fs_drivers.LibvirtMountedFileSystemVolumeDriver)
self.assertTrue(drvr._should_disconnect_target(
self.context, None, False, volume_driver, None))
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryption')
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryptor')
def test_disconnect_volume_native_luks_workaround(self,
mock_get_volume_encryptor, mock_get_volume_encryption):
self.flags(disable_native_luksv1=True, group='workarounds')
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
drvr._host = mock.Mock()
drvr._host.find_secret.return_value = None
connection_info = {'driver_volume_type': 'fake',
'data': {'device_path': '/fake',
'access_mode': 'rw',
'volume_id': uuids.volume_id}}
encryption = {'provider': encryptors.LUKS,
'encryption_key_id': uuids.encryption_key_id}
instance = mock.sentinel.instance
mock_encryptor = mock.Mock()
mock_get_volume_encryptor.return_value = mock_encryptor
mock_get_volume_encryption.return_value = encryption
drvr._disconnect_volume(self.context, connection_info, instance)
mock_encryptor.detach_volume.assert_called_once_with(
**encryption)
@mock.patch.object(libvirt_driver.LibvirtDriver, '_get_volume_encryptor')
def test_disconnect_volume_luks(self, mock_get_volume_encryptor):
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
@ -10309,15 +10246,6 @@ class LibvirtConnTestCase(test.NoDBTestCase,
self.assertTrue(drvr._allow_native_luksv1({
'provider': encryptors.LUKS}))
# Assert the disable_qemu_native_luksv workaround always returns False
self.flags(disable_native_luksv1=True, group='workarounds')
self.assertFalse(drvr._allow_native_luksv1({
'provider': 'nova.volume.encryptors.luks.LuksEncryptor'}))
self.assertFalse(drvr._allow_native_luksv1({
'provider': 'LuksEncryptor'}))
self.assertFalse(drvr._allow_native_luksv1({
'provider': encryptors.LUKS}))
def test_multi_nic(self):
network_info = _fake_network_info(self, 2)
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True)
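Review bot: The `-9039,68 +9038,6` hunk of this test file drops `test_should_disconnect_target_multi_attach_filesystem_driver` and `test_should_disconnect_target_single_attach_filesystem_driver` together with the two `*_native_luks_workaround` tests, yet neither of the former sets `disable_native_luksv1` or touches an encryptor. The one line removed by the `-118,7 +118,6` hunk is presumably `from nova.virt.libvirt.volume import fs as fs_drivers`, since those two tests are its only visible users. If `_should_disconnect_target` still special-cases `LibvirtMountedFileSystemVolumeDriver` (the driver code for it is not on this page), the change silently loses that coverage, which looks more like a rebase artefact than part of removing the workaround. I would keep both tests and the `fs_drivers` import, and limit the deletions here to the tests that call `self.flags(disable_native_luksv1=True, group='workarounds')`.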


@ -1884,12 +1884,6 @@ class LibvirtDriver(driver.ComputeDriver):
def _allow_native_luksv1(self, encryption=None):
"""Check if QEMU's native LUKSv1 decryption should be used.
"""
# NOTE(lyarwood): Native LUKSv1 decryption can be disabled via a
# workarounds configurable in order to aviod known performance issues
# with the libgcrypt lib.
if CONF.workarounds.disable_native_luksv1:
return False
# NOTE(lyarwood): Ensure the LUKSv1 provider is used.
provider = None
if encryption:


@ -0,0 +1,6 @@
---
upgrade:
- |
The ``[workarounds]disable_native_luksv1`` workaround configurable has been
removed after previously being deprecated during the Wallaby (23.0.0)
release.