Merge "Fix multipath iSCSI encrypted volume attach failure"

This commit is contained in:
Jenkins 2016-07-05 22:37:04 +00:00 committed by Gerrit Code Review
commit a59834a515
2 changed files with 76 additions and 3 deletions

View File

@ -15,6 +15,7 @@
import binascii import binascii
import copy
from castellan.common.objects import symmetric_key as key from castellan.common.objects import symmetric_key as key
import mock import mock
@ -33,14 +34,15 @@ def fake__get_key(context):
class CryptsetupEncryptorTestCase(test_base.VolumeEncryptorTestCase): class CryptsetupEncryptorTestCase(test_base.VolumeEncryptorTestCase):
def _create(self, connection_info): @mock.patch('os.path.exists', return_value=False)
def _create(self, connection_info, mock_exists):
return cryptsetup.CryptsetupEncryptor(connection_info) return cryptsetup.CryptsetupEncryptor(connection_info)
def setUp(self): def setUp(self):
super(CryptsetupEncryptorTestCase, self).setUp() super(CryptsetupEncryptorTestCase, self).setUp()
self.dev_path = self.connection_info['data']['device_path'] self.dev_path = self.connection_info['data']['device_path']
self.dev_name = self.dev_path.split('/')[-1] self.dev_name = 'crypt-%s' % self.dev_path.split('/')[-1]
self.symlink_path = self.dev_path self.symlink_path = self.dev_path
@ -102,3 +104,37 @@ class CryptsetupEncryptorTestCase(test_base.VolumeEncryptorTestCase):
cryptsetup.CryptsetupEncryptor, cryptsetup.CryptsetupEncryptor,
connection_info) connection_info)
self.assertIn(type, six.text_type(exc)) self.assertIn(type, six.text_type(exc))
@mock.patch('os.path.exists', return_value=True)
@mock.patch('nova.utils.execute')
def test_init_volume_encryption_with_old_name(self, mock_execute,
mock_exists):
# If an old name crypt device exists, dev_path should be the old name.
old_dev_name = self.dev_path.split('/')[-1]
encryptor = cryptsetup.CryptsetupEncryptor(self.connection_info)
self.assertFalse(encryptor.dev_name.startswith('crypt-'))
self.assertEqual(old_dev_name, encryptor.dev_name)
self.assertEqual(self.dev_path, encryptor.dev_path)
self.assertEqual(self.symlink_path, encryptor.symlink_path)
mock_exists.assert_called_once_with('/dev/mapper/%s' % old_dev_name)
mock_execute.assert_called_once_with(
'cryptsetup', 'status', old_dev_name, run_as_root=True)
@mock.patch('os.path.exists', side_effect=[False, True])
@mock.patch('nova.utils.execute')
def test_init_volume_encryption_with_wwn(self, mock_execute, mock_exists):
# If an wwn name crypt device exists, dev_path should be based on wwn.
old_dev_name = self.dev_path.split('/')[-1]
wwn = 'fake_wwn'
connection_info = copy.deepcopy(self.connection_info)
connection_info['data']['multipath_id'] = wwn
encryptor = cryptsetup.CryptsetupEncryptor(connection_info)
self.assertFalse(encryptor.dev_name.startswith('crypt-'))
self.assertEqual(wwn, encryptor.dev_name)
self.assertEqual(self.dev_path, encryptor.dev_path)
self.assertEqual(self.symlink_path, encryptor.symlink_path)
mock_exists.assert_has_calls([
mock.call('/dev/mapper/%s' % old_dev_name),
mock.call('/dev/mapper/%s' % wwn)])
mock_execute.assert_called_once_with(
'cryptsetup', 'status', wwn, run_as_root=True)

View File

@ -17,9 +17,11 @@
import binascii import binascii
import os import os
from oslo_concurrency import processutils
from oslo_log import log as logging from oslo_log import log as logging
from nova import exception from nova import exception
from nova.i18n import _LW
from nova import utils from nova import utils
from nova.volume.encryptors import base from nova.volume.encryptors import base
@ -49,10 +51,45 @@ class CryptsetupEncryptor(base.VolumeEncryptor):
self.symlink_path = connection_info['data']['device_path'] self.symlink_path = connection_info['data']['device_path']
# a unique name for the volume -- e.g., the iSCSI participant name # a unique name for the volume -- e.g., the iSCSI participant name
self.dev_name = self.symlink_path.split('/')[-1] self.dev_name = 'crypt-%s' % self.symlink_path.split('/')[-1]
# NOTE(tsekiyama): In older version of nova, dev_name was the same
# as the symlink name. Now it has 'crypt-' prefix to avoid conflict
# with multipath device symlink. To enable rolling update, we use the
# old name when the encrypted volume already exists.
old_dev_name = self.symlink_path.split('/')[-1]
wwn = data.get('multipath_id')
if self._is_crypt_device_available(old_dev_name):
self.dev_name = old_dev_name
LOG.debug("Using old encrypted volume name: %s", self.dev_name)
elif wwn and wwn != old_dev_name:
# FibreChannel device could be named '/dev/mapper/<WWN>'.
if self._is_crypt_device_available(wwn):
self.dev_name = wwn
LOG.debug("Using encrypted volume name from wwn: %s",
self.dev_name)
# the device's actual path on the compute host -- e.g., /dev/sd_ # the device's actual path on the compute host -- e.g., /dev/sd_
self.dev_path = os.path.realpath(self.symlink_path) self.dev_path = os.path.realpath(self.symlink_path)
def _is_crypt_device_available(self, dev_name):
if not os.path.exists('/dev/mapper/%s' % dev_name):
return False
try:
utils.execute('cryptsetup', 'status', dev_name, run_as_root=True)
except processutils.ProcessExecutionError as e:
# If /dev/mapper/<dev_name> is a non-crypt block device (such as a
# normal disk or multipath device), exit_code will be 1. In the
# case, we will omit the warning message.
if e.exit_code != 1:
LOG.warning(_LW('cryptsetup status %(dev_name) exited '
'abnormally (status %(exit_code)s): %(err)s'),
{"dev_name": dev_name, "exit_code": e.exit_code,
"err": e.stderr})
return False
return True
def _get_passphrase(self, key): def _get_passphrase(self, key):
"""Convert raw key to string.""" """Convert raw key to string."""
return binascii.hexlify(key).decode('utf-8') return binascii.hexlify(key).decode('utf-8')