On Tue, Jan 23, 2018 at 8:44 AM, Lee Yarwood <[email protected]> wrote:
> A brief progress update in-line below.
>
> On 22-01-18 14:22:12, Lee Yarwood wrote:
> > Hello,
> >
> > With M3 and FF rapidly approaching this week I wanted to post a brief
> > overview of the QEMU native LUKS series.
> >
> > The full series is available on the following topic, I'll go into more
> > detail on each of the changes below:
> >
> > https://review.openstack.org/#/q/topic:bp/libvirt-qemu-native-luks+status:open
> >
> > libvirt: Collocate encryptor and volume driver calls
> > https://review.openstack.org/#/c/460243/ (Missing final +2 and +W)
> >
> > This refactor of the Libvirt driver connect and disconnect volume code
> > has the added benefit of also correcting a number of bugs around the
> > attaching and detaching of os-brick encryptors. IMHO this would be
> > useful in Queens even if the rest of the series doesn't land.
> >
> > libvirt: Introduce disk encryption config classes
> > https://review.openstack.org/#/c/464008/ (Missing final +2 and +W)
> >
> > This is the most straightforward change of the series and simply
> > introduces the required config classes to wire up native LUKS decryption
> > within the domain XML of an instance. Hopefully nothing controversial.
>
> Both of these have landed, my thanks to jaypipes for his reviews!
>
> > libvirt: QEMU native LUKS decryption for encrypted volumes
> > https://review.openstack.org/#/c/523958/ (Missing both +2s and +W)
> >
> > This change carries the bulk of the implementation, wiring up encrypted
> > volumes during their initial attachment. The commit message has a
> > detailed rundown of the various upgrade and LM corner cases we attempt
> > to handle here, such as LM from a P to Q compute, detaching a P attached
> > encrypted volume after upgrading to Q etc.
>
> Thanks to melwitt and mdbooth for your reviews! I've respun to address
> the various nits and typos pointed out in this change. Ready and waiting
> to respin again if any others crop up.
>
> > Upgrade and LM testing is enabled by the following changes:
> >
> > fixed_key: Use a single hardcoded key across devstack deployments
> > https://review.openstack.org/#/c/536343/
> >
> > compute: Introduce an encrypted volume LM test
> > https://review.openstack.org/#/c/536177/
> >
> > This is being tested by tempest-dsvm-multinode-live-migration and
> > grenade-dsvm-neutron-multinode-live-migration in the following DNM Nova
> > change, enabling volume backed LM tests:
> >
> > DNM: Test LM with encrypted volumes
> > https://review.openstack.org/#/c/536350/
> >
> > Hopefully that covers everything but please feel free to ping if you
> > would like more detail, background etc. Thanks in advance,
>
> grenade-dsvm-neutron-multinode-live-migration is currently failing due
> to our use of the Ocata UCA on stable/pike leading to the following
> issue with the libvirt 2.5.0 build it provides:
>
> libvirt 2.5.0-3ubuntu5.6~cloud0 appears to be compiled without gnutls
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1744758
>

Hey Lee,

We have a new version of libvirt in ocata-proposed now that should fix your issue and is ready for testing. Thanks for your work on this and for opening the bug.

Corey

> I've cherry-picked the following devstack change back to stable/pike and
> pulled it into the test change above for Nova, hopefully working around
> these failures:
>
> Update to using pike cloud-archive
> https://review.openstack.org/#/c/536798/
>
> tempest-dsvm-multinode-live-migration is also failing but AFAICT they
> are unrelated to this overall series and appear to be more generic
> volume backed live migration failures.
>
> Thanks again!
>
> Lee
> --
> Lee Yarwood A5D1 9385 88CB 7E5F BE64 6618 BCA6 6E33 F672 2D76
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
