[openstack-dev] [nova][cinder] Addressing mangled LUKS passphrases (bug#1633518)

2016-10-21 Thread Lee Yarwood
Hello,

I documented bug#1633518 [1] last week in which volumes encrypted prior
to Ib563b0ea [2] used a slightly mangled passphrase instead of the
original passphrase provided by the configured key manager.

My first attempt at resolving this [3] prompted an alternative
suggestion from mdbooth of adding the correct passphrase to the LUKS
device when we detect the use of a mangled passphrase.

I'm slightly wary of this option given the changing of passphrases so
I'd really appreciate input from the wider Nova and Cinder groups on
your preference for resolving this :

1. Keep the mangled passphrase in place and attempt to use it after
getting a permission denied error during luksOpen. 

2. Add the correct passphrase and remove the mangled passphrase from the
LUKS device with luksChangeKey when we detect the use of the mangled
passphrase.

3. An alternative suggestion.

FYI, as os-brick has now copied the encryptor classes from Nova into
their own tree any fix will be cherry-picked across shortly after
landing in Nova. I'm also looking into dropping these classes from Nova
for Ocata so we can avoid duplicating effort like this in future.

Thanks in advance,

Lee

[1] https://launchpad.net/bugs/1633518
[2] https://review.openstack.org/#/c/309614/
[3] https://review.openstack.org/#/c/386670/
-- 
Lee Yarwood
Senior Software Engineer
Red Hat

PGP : A5D1 9385 88CB 7E5F BE64  6618 BCA6 6E33 F672 2D76

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
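
Option 2 from the message above, sketched as an added example; it is not part of the original post and is not Nova's or os-brick's code. It assumes the caller already holds both the key manager's passphrase and its mangled form (how the mangled form is derived is not shown here), and `repair_passphrase`, `run_cryptsetup` and the injectable `run` parameter are hypothetical names.

```python
import os
import subprocess
import tempfile

BAD_PASSPHRASE = 2  # cryptsetup exit status for "no permission (bad passphrase)"


def run_cryptsetup(args):
    """Default runner: invoke the real cryptsetup and return its exit status."""
    return subprocess.run(["cryptsetup", *args]).returncode


def _keyfile(directory, name, passphrase):
    """Write a passphrase to a 0600 key file; cryptsetup reads it verbatim."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(passphrase)
    return path


def repair_passphrase(device, correct, mangled, run=run_cryptsetup):
    """Return 'ok' if the correct passphrase already unlocks the device,
    'rekeyed' if the mangled one did and was replaced; raise otherwise."""
    with tempfile.TemporaryDirectory() as d:  # directory is created mode 0700
        good = _keyfile(d, "good", correct)
        bad = _keyfile(d, "bad", mangled)
        # --test-passphrase verifies a key without activating a mapping.
        test = ["luksOpen", "--test-passphrase", device, "--key-file"]
        rc = run(test + [good])
        if rc == 0:
            return "ok"
        if rc != BAD_PASSPHRASE:
            raise RuntimeError("cryptsetup failed with status %d" % rc)
        # Rotate only once the mangled passphrase is proven to be the one in use.
        if run(test + [bad]) != 0:
            raise RuntimeError("neither passphrase unlocks %s" % device)
        # Swap the key slot holding the mangled passphrase for the correct one.
        if run(["luksChangeKey", device, "--key-file", bad, good]) != 0:
            raise RuntimeError("luksChangeKey failed on %s" % device)
        # Re-test so a change that did not take effect is not reported as fixed.
        if run(test + [good]) != 0:
            raise RuntimeError("rekey did not take effect on %s" % device)
        return "rekeyed"
```

Both passphrases sit in key files for the duration of the call, so on a real host the temporary directory belongs on tmpfs rather than persistent storage.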


Re: [openstack-dev] [nova][cinder] Addressing mangled LUKS passphrases (bug#1633518)

2016-10-23 Thread Sean McGinnis
On Fri, Oct 21, 2016 at 12:07:08PM +0100, Lee Yarwood wrote:
> Hello,
> 
> I documented bug#1633518 [1] last week in which volumes encrypted prior
> to Ib563b0ea [2] used a slightly mangled passphrase instead of the
> original passphrase provided by the configured key manager.
> 
> My first attempt at resolving this [3] prompted an alternative
> suggestion from mdbooth of adding the correct passphrase to the LUKS
> device when we detect the use of a mangled passphrase.
> 
> I'm slightly wary of this option given the changing of passphrases so
> I'd really appreciate input from the wider Nova and Cinder groups on
> your preference for resolving this :
> 
> 1. Keep the mangled passphrase in place and attempt to use it after
> getting a permission denied error during luksOpen. 
> 
> 2. Add the correct passphrase and remove the mangled passphrase from the
> LUKS device with luksChangeKey when we detect the use of the mangled
> passphrase.
> 
> 3. An alternative suggestion.

I get the wariness of changing the passphrases, but in this case I think
my preference would be to go with 2 if we know it has been mangled and
we can fix it.

> 
> FYI, as os-brick has now copied the encryptor classes from Nova into
> their own tree any fix will be cherry-picked across shortly after
> landing in Nova. I'm also looking into dropping these classes from Nova
> for Ocata so we can avoid duplicating effort like this in future.

Awesome! Glad to see this being done.

> 
> Thanks in advance,
> 
> Lee
> 
> [1] https://launchpad.net/bugs/1633518
> [2] https://review.openstack.org/#/c/309614/
> [3] https://review.openstack.org/#/c/386670/
> -- 
> Lee Yarwood
> Senior Software Engineer
> Red Hat
> 
> PGP : A5D1 9385 88CB 7E5F BE64  6618 BCA6 6E33 F672 2D76
> 


Re: [openstack-dev] [nova][cinder] Addressing mangled LUKS passphrases (bug#1633518)

2016-10-23 Thread Daniel P. Berrange
On Fri, Oct 21, 2016 at 12:07:08PM +0100, Lee Yarwood wrote:
> Hello,
> 
> I documented bug#1633518 [1] last week in which volumes encrypted prior
> to Ib563b0ea [2] used a slightly mangled passphrase instead of the
> original passphrase provided by the configured key manager.
> 
> My first attempt at resolving this [3] prompted an alternative
> suggestion from mdbooth of adding the correct passphrase to the LUKS
> device when we detect the use of a mangled passphrase.
> 
> I'm slightly wary of this option given the changing of passphrases so
> I'd really appreciate input from the wider Nova and Cinder groups on
> your preference for resolving this :
> 
> 1. Keep the mangled passphrase in place and attempt to use it after
> getting a permission denied error during luksOpen. 

This is going to be painful when we switch to using QEMU for LUKS,
because it is going to amount to starting QEMU, watching it fail
to open disks and then trying to start QEMU again. IMHO we need to
fix the broken passphrases globally asap.

> 2. Add the correct passphrase and remove the mangled passphrase from the
> LUKS device with luksChangeKey when we detect the use of the mangled
> passphrase.

Yes we should be doing this to fix up the broken devices.


Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://entangle-photo.org   -o-http://search.cpan.org/~danberr/ :|
