2013-09-11 12:15:43 -04:00
|
|
|
# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
|
|
|
|
|
# All Rights Reserved.
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
|
# not use this file except in compliance with the License. You may obtain
|
|
|
|
|
# a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
|
|
|
# License for the specific language governing permissions and limitations
|
|
|
|
|
# under the License.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
import os
|
|
|
|
|
|
2015-02-09 17:28:19 -05:00
|
|
|
from oslo_log import log as logging
|
|
|
|
|
|
Handle KeyError when volume encryption is not supported
When attaching a volume, after the connection is initialized to the
volume in Cinder, the nova.volume.encryptors.get_encryption_metadata
method is called to get encryption metadata for the volume. That call is
based on the 'encrypted' key in connection_info['data'] returned from
the os-initialize_connection Cinder API.
However, just because the volume has an encryption key in Cinder does
not mean that the corresponding volume driver in Nova supports
encrypting the volume, like in the case of RBD volumes.
Tempest has tests for encrypted volumes which succeed today in the Ceph
job but they are actually false positives since without Cinder change
I03f8cae05cc117e14f7482115de685fc9f3fa54a, the 'encrypted' key is not
set in the connection_info dict and Nova doesn't attempt encryption of
the volume during attach.
The Ceph job fails when encrypted=True is in connection_info because
cryptsetup (and luks which extends cryptsetup) requires the
'device_path' key in the connection_info dict, which is set when
connecting the volume during attach via the corresponding Nova volume
driver. In the case of RBD and libvirt, the LibvirtNetVolumeDriver is
used and the 'device_path' key isn't set, so a KeyError is raised when
trying to construct the CryptsetupEncryptor or LuksEncryptor objects.
This change adds a check in CryptsetupEncryptor such that if the
device_path is not in connection_info, a VolumeEcnryptionNotSupported
error is raised rather than KeyError.
Note that this doesn't fix the encrypted volume tests in Tempest. Those
tests fail due to a timeout waiting for the volume status to be 'in-use'
which doesn't happen since the compute manager rolls back the
reservation on the volume when the error occurs. The Tempest tests will
have to be skipped in the Ceph job until volume encryption is supported
for RBD in Nova, which will be a separate set of changes.
Related-Bug: #1463525
Change-Id: I8efc2628b09d4e9e59831353daa080b20e17ccde
2015-06-20 13:33:06 -07:00
|
|
|
from nova import exception
|
2013-09-11 12:15:43 -04:00
|
|
|
from nova import utils
|
|
|
|
|
from nova.volume.encryptors import base
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class CryptsetupEncryptor(base.VolumeEncryptor):
|
|
|
|
|
"""A VolumeEncryptor based on dm-crypt.
|
|
|
|
|
|
|
|
|
|
This VolumeEncryptor uses dm-crypt to encrypt the specified volume.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
def __init__(self, connection_info, **kwargs):
|
|
|
|
|
super(CryptsetupEncryptor, self).__init__(connection_info, **kwargs)
|
|
|
|
|
|
Handle KeyError when volume encryption is not supported
When attaching a volume, after the connection is initialized to the
volume in Cinder, the nova.volume.encryptors.get_encryption_metadata
method is called to get encryption metadata for the volume. That call is
based on the 'encrypted' key in connection_info['data'] returned from
the os-initialize_connection Cinder API.
However, just because the volume has an encryption key in Cinder does
not mean that the corresponding volume driver in Nova supports
encrypting the volume, like in the case of RBD volumes.
Tempest has tests for encrypted volumes which succeed today in the Ceph
job but they are actually false positives since without Cinder change
I03f8cae05cc117e14f7482115de685fc9f3fa54a, the 'encrypted' key is not
set in the connection_info dict and Nova doesn't attempt encryption of
the volume during attach.
The Ceph job fails when encrypted=True is in connection_info because
cryptsetup (and luks which extends cryptsetup) requires the
'device_path' key in the connection_info dict, which is set when
connecting the volume during attach via the corresponding Nova volume
driver. In the case of RBD and libvirt, the LibvirtNetVolumeDriver is
used and the 'device_path' key isn't set, so a KeyError is raised when
trying to construct the CryptsetupEncryptor or LuksEncryptor objects.
This change adds a check in CryptsetupEncryptor such that if the
device_path is not in connection_info, a VolumeEcnryptionNotSupported
error is raised rather than KeyError.
Note that this doesn't fix the encrypted volume tests in Tempest. Those
tests fail due to a timeout waiting for the volume status to be 'in-use'
which doesn't happen since the compute manager rolls back the
reservation on the volume when the error occurs. The Tempest tests will
have to be skipped in the Ceph job until volume encryption is supported
for RBD in Nova, which will be a separate set of changes.
Related-Bug: #1463525
Change-Id: I8efc2628b09d4e9e59831353daa080b20e17ccde
2015-06-20 13:33:06 -07:00
|
|
|
# Fail if no device_path was set when connecting the volume, e.g. in
|
|
|
|
|
# the case of libvirt network volume drivers.
|
|
|
|
|
data = connection_info['data']
|
|
|
|
|
if not data.get('device_path'):
|
|
|
|
|
volume_id = data.get('volume_id') or connection_info.get('serial')
|
|
|
|
|
raise exception.VolumeEncryptionNotSupported(
|
|
|
|
|
volume_id=volume_id,
|
|
|
|
|
volume_type=connection_info['driver_volume_type'])
|
|
|
|
|
|
2013-09-11 12:15:43 -04:00
|
|
|
# the device's path as given to libvirt -- e.g., /dev/disk/by-path/...
|
|
|
|
|
self.symlink_path = connection_info['data']['device_path']
|
|
|
|
|
|
|
|
|
|
# a unique name for the volume -- e.g., the iSCSI participant name
|
|
|
|
|
self.dev_name = self.symlink_path.split('/')[-1]
|
|
|
|
|
# the device's actual path on the compute host -- e.g., /dev/sd_
|
|
|
|
|
self.dev_path = os.path.realpath(self.symlink_path)
|
|
|
|
|
|
|
|
|
|
def _get_passphrase(self, key):
|
2015-09-14 17:53:56 -04:00
|
|
|
"""Convert raw key to string."""
|
2013-09-11 12:15:43 -04:00
|
|
|
return ''.join(hex(x).replace('0x', '') for x in key)
|
|
|
|
|
|
|
|
|
|
def _open_volume(self, passphrase, **kwargs):
|
|
|
|
|
"""Opens the LUKS partition on the volume using the specified
|
|
|
|
|
passphrase.
|
|
|
|
|
|
|
|
|
|
:param passphrase: the passphrase used to access the volume
|
|
|
|
|
"""
|
2014-04-25 01:03:05 -07:00
|
|
|
LOG.debug("opening encrypted volume %s", self.dev_path)
|
2013-09-11 12:15:43 -04:00
|
|
|
|
|
|
|
|
# NOTE(joel-coffman): cryptsetup will strip trailing newlines from
|
|
|
|
|
# input specified on stdin unless --key-file=- is specified.
|
|
|
|
|
cmd = ["cryptsetup", "create", "--key-file=-"]
|
|
|
|
|
|
|
|
|
|
cipher = kwargs.get("cipher", None)
|
|
|
|
|
if cipher is not None:
|
|
|
|
|
cmd.extend(["--cipher", cipher])
|
|
|
|
|
|
|
|
|
|
key_size = kwargs.get("key_size", None)
|
|
|
|
|
if key_size is not None:
|
|
|
|
|
cmd.extend(["--key-size", key_size])
|
|
|
|
|
|
|
|
|
|
cmd.extend([self.dev_name, self.dev_path])
|
|
|
|
|
|
|
|
|
|
utils.execute(*cmd, process_input=passphrase,
|
|
|
|
|
check_exit_code=True, run_as_root=True)
|
|
|
|
|
|
|
|
|
|
def attach_volume(self, context, **kwargs):
|
|
|
|
|
"""Shadows the device and passes an unencrypted version to the
|
|
|
|
|
instance.
|
|
|
|
|
|
|
|
|
|
Transparent disk encryption is achieved by mounting the volume via
|
|
|
|
|
dm-crypt and passing the resulting device to the instance. The
|
|
|
|
|
instance is unaware of the underlying encryption due to modifying the
|
|
|
|
|
original symbolic link to refer to the device mounted by dm-crypt.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
key = self._get_key(context).get_encoded()
|
|
|
|
|
passphrase = self._get_passphrase(key)
|
|
|
|
|
|
|
|
|
|
self._open_volume(passphrase, **kwargs)
|
|
|
|
|
|
|
|
|
|
# modify the original symbolic link to refer to the decrypted device
|
|
|
|
|
utils.execute('ln', '--symbolic', '--force',
|
|
|
|
|
'/dev/mapper/%s' % self.dev_name, self.symlink_path,
|
|
|
|
|
run_as_root=True, check_exit_code=True)
|
|
|
|
|
|
|
|
|
|
def _close_volume(self, **kwargs):
|
|
|
|
|
"""Closes the device (effectively removes the dm-crypt mapping)."""
|
2014-04-25 01:03:05 -07:00
|
|
|
LOG.debug("closing encrypted volume %s", self.dev_path)
|
2015-10-13 14:08:31 +08:00
|
|
|
# cryptsetup returns 4 when attempting to destroy a non-active
|
|
|
|
|
# dm-crypt device. We are going to ignore this error code to make
|
|
|
|
|
# nova deleting that instance successfully.
|
2013-09-11 12:15:43 -04:00
|
|
|
utils.execute('cryptsetup', 'remove', self.dev_name,
|
2015-10-13 14:08:31 +08:00
|
|
|
run_as_root=True, check_exit_code=[0, 4])
|
2013-09-11 12:15:43 -04:00
|
|
|
|
|
|
|
|
def detach_volume(self, **kwargs):
|
|
|
|
|
"""Removes the dm-crypt mapping for the device."""
|
|
|
|
|
self._close_volume(**kwargs)
|