openstack/nova
Code Issues Proposed changes
f788cbe26c
nova/releasenotes/notes/workarounds-libvirt-disable-native-luks-a4eccca8019db243.yaml
Lee Yarwood dbb58e964a workarounds: Add option to disable native LUKSv1 decryption by QEMU 
Recently discovered performance issues with the libgcrypt library [1]
mean that operators may wish to avoid the now default native decryption
of LUKSv1 volumes as of I5a0de814f2868f1a4980a69b72b45ee829cedb94.

This change introduces a ``[workarounds]/disable_native_luksv1``
option to disable this native decryption by QEMU, allowing Nova to
fallback to the dm-crypt based os-brick encryptors.

This workaround is temporary and will be removed during the W release
once all impacted distributions have been able to update their
versions of the libgcrypt library.

The _is_luks_v1 method previously used to confirm if a LUKSv1 encryption
provider is being used has been renamed _allow_native_luksv1 and
repurposed to determine if native LUKSv1 decryption by QEMU is allowed.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1762765

Closes-Bug: #1869182
Change-Id: Ia500eb614cf575ab846f64f4b69c9068274c8c1f
2020-04-06 21:39:18 +01:00

27 lines
1.3 KiB
YAML
Raw Blame History

---
other:
- |
The ``[workarounds]/disable_native_luksv1`` configuration option has
been introduced. This can be used by operators to workaround recently
discovered performance issues found within the `libgcrypt library`__ used
by QEMU when natively decrypting LUKSv1 encrypted disks. Enabling this
option will result in the use of the legacy ``dm-crypt`` based os-brick
provided encryptors.
Operators should be aware that this workaround only applies when using the
libvirt compute driver with attached encrypted Cinder volumes using the
``luks`` encryption provider. The ``luks2`` encryption provider will
continue to use the ``dm-crypt`` based os-brick encryptors regardless of
what this configurable is set to.
This workaround is temporary and will be removed during the W release once
all impacted distributions have been able to update their versions of the
libgcrypt library.
.. warning:: Operators must ensure no instances are running on the compute
host before enabling this workaround. Any instances with encrypted LUKSv1
disks left running on the hosts will fail to migrate or stop after this
workaround has been enabled.
.. __: https://bugzilla.redhat.com/show_bug.cgi?id=1762765
View Git Blame Copy Permalink