ee34d925ff
The LUKS encryptor feature expects devices to have a symbolic link that
it can overwrite in order to enable transparent encryption/decryption
for instances [1]. This is generally the case for RBD volumes, as Ceph
uses udev rules [2] to create a '/dev/rbd/{pool}/{device}' ->
'/dev/rbdN' symlink. However, in an environment where udev daemon is not
present or configured correctly, this symlink will never be configured.
This causes things to crash and burn in a rather non-obvious manner when
locally attaching an encrypted RBD volume:
oslo_concurrency.processutils.ProcessExecutionError: Unexpected error while running command.
Command: cryptsetup luksOpen --key-file=- /dev/rbd/volumes/volume-foo crypt-volume-foo
Exit code: 4
Stdout: ''
Stderr: "Device /dev/rbd/volumes/foo doesn't exist or access denied.\n"
('foo' being a stand-in for a very long 'device-$UUID' name)
The long term fix here is to probably stop relying on the side effects
of these udev rules, i.e. the symlinks, but that is a far more involved
fix that would not be backportable. Instead, for now we simply leave a
breadcrumb for the user, informing them as to what's gone wrong and
encouraging them to look at the bug report for more information.
[1] https://github.com/openstack/os-brick/blob/3.1.0/os_brick/encryptors/luks.py#L191-L195
[2] https://github.com/ceph/ceph/blob/v14.0.0/udev/50-rbd.rules
Change-Id: I2775f55039695c7ec029106c0dafe4d46255b336
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Related-Bug: #1884114
|
||
|---|---|---|
| doc | ||
| etc/os-brick/rootwrap.d | ||
| os_brick | ||
| releasenotes | ||
| tools | ||
| .coveragerc | ||
| .gitignore | ||
| .gitreview | ||
| .mailmap | ||
| .stestr.conf | ||
| .zuul.yaml | ||
| CONTRIBUTING.rst | ||
| HACKING.rst | ||
| LICENSE | ||
| README.rst | ||
| bindep.txt | ||
| lower-constraints.txt | ||
| pylintrc | ||
| requirements.txt | ||
| setup.cfg | ||
| setup.py | ||
| test-requirements.txt | ||
| tox.ini | ||
README.rst
Team and repository tags
brick
OpenStack Cinder brick library for managing local volume attaches
Features
- Discovery of volumes being attached to a host for many transport protocols.
- Removal of volumes from a host.
Hacking
Hacking on brick requires python-gdbm (for Debian derived distributions), Python 2.7 and Python 3.4. A recent tox is required, as is a recent virtualenv (13.1.0 or newer).
If "tox -e py34" fails with the error "db type could not be determined", remove the .testrepository/ directory and then run "tox -e py34".
- For any other information, refer to the developer documents:
- OR refer to the parent project, Cinder:
- Release notes for the project can be found at:
- License: Apache License, Version 2.0
- Source: https://opendev.org/openstack/os-brick
- Bugs: https://bugs.launchpad.net/os-brick