Reviewed:  https://review.opendev.org/c/openstack/nova/+/962007
Committed: https://opendev.org/openstack/nova/commit/787d2a130053bd369d35480d6534f01b07c2310d
Submitter: "Zuul (22348)"
Branch:    master

commit 787d2a130053bd369d35480d6534f01b07c2310d
Author: melanie witt <[email protected]>
Date:   Mon Sep 22 08:34:47 2025 -0700

    Move cleanup of vTPM secret from driver to compute

    Currently, vTPM secrets are deleted from Barbican any time instance
    disks are deleted when driver.destroy() is called. This is fine if the
    instance is also being deleted but if it's not, such as during a resize
    revert, it will fail with the following error:

      nova.exception.Invalid: Refusing to create an emulated TPM with no secret!

    which will bubble up to the API as a HTTP 500.

    This moves deletion of the vTPM secret from Barbican from the libvirt
    driver destroy() path to the compute manager _delete_instance() path so
    that the vTPM secret is deleted only if the instance is being deleted.

    Closes-Bug: #2125030

    Change-Id: I1a43dc0502e1e65b4ef0348610f5eddb43dbff02
    Signed-off-by: melanie witt <[email protected]>

** Changed in: nova
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2125030

Title:
  Revert resize of instance with vTPM to flavor also with vTPM fails
  with ERROR state when storage is not shared

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  I stumbled across this bug while working on vTPM live migration
  functional tests and was able to also reproduce the failure in a
  proposed whitebox tempest test patch [1].

  When attempting to revert a resize of an instance with vTPM to a
  flavor also with vTPM, the revert will fail with the following
  traceback [2]:

  ERROR nova.compute.manager [None req-009ffcaf-3dc4-4f22-b636-184cf2e0830a tempest-VTPMTest-1347189149 tempest-VTPMTest-1347189149-project-member] [instance: bd387843-0b5a-4340-859c-013f27e39e7a] Setting instance vm_state to ERROR: nova.exception.Invalid: Refusing to create an emulated TPM with no secret!
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] Traceback (most recent call last):
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] File "/opt/stack/nova/nova/compute/manager.py", line 11546, in _error_out_instance_on_exception
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] yield
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] File "/opt/stack/nova/nova/compute/manager.py", line 6046, in _finish_revert_resize
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] self.driver.finish_revert_migration(
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 12779, in finish_revert_migration
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] xml = self._get_guest_xml(context, instance, network_info, disk_info,
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 8047, in _get_guest_xml
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] conf = self._get_guest_config(instance, network_info, image_meta,
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 7571, in _get_guest_config
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] self._add_vtpm_device(guest, flavor, instance, image_meta)
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 6837, in _add_vtpm_device
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] raise exception.Invalid(
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] nova.exception.Invalid: Refusing to create an emulated TPM with no secret!

  The root cause appears to be the fact that the vTPM secret is always
  deleted from Barbican when driver.destroy() is called, and
  driver.destroy() is called as part of the revert resize code path [3].

  I don't yet know the best way to fix this but I will be working on it
  as part of the vTPM live migration effort.

  [1] https://review.opendev.org/c/openstack/whitebox-tempest-plugin/+/961558
  [2] https://zuul.opendev.org/t/openstack/build/091220ed15dc41dfab65b7ce6cb629de/log/compute-host/logs/screen-n-cpu.txt#91404
  [3] https://github.com/openstack/nova/blob/1d317f043e03e06dc3bc25acb750efb586551572/nova/compute/manager.py#L5947
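
The secret-lifetime problem described in this report, as a toy model added here for illustration; it is not nova code, and every class and method name in it (SecretStore, Driver, ComputeManager, define_guest, run) is hypothetical and only mirrors the roles the report names. It compares a driver whose destroy() also deletes the secret with one that leaves deletion to the instance-delete path.

```python
# Toy model only: all names are hypothetical stand-ins, not nova's API.

class Invalid(Exception):
    pass

class SecretStore:
    """Stand-in for the key manager (Barbican in the report)."""
    def __init__(self):
        self._secrets = {}
    def create(self, instance_id):
        self._secrets[instance_id] = "constructed-passphrase"
    def get(self, instance_id):
        return self._secrets.get(instance_id)
    def delete(self, instance_id):
        self._secrets.pop(instance_id, None)

class Driver:
    def __init__(self, store, destroy_deletes_secret):
        self.store = store
        self.destroy_deletes_secret = destroy_deletes_secret
    def destroy(self, instance_id):
        # Guest/disk teardown: runs on instance delete AND on resize revert.
        if self.destroy_deletes_secret:
            self.store.delete(instance_id)
    def define_guest(self, instance_id):
        # The vTPM device cannot be built without its secret.
        if self.store.get(instance_id) is None:
            raise Invalid("Refusing to create an emulated TPM with no secret!")
        return "guest-with-vtpm"

class ComputeManager:
    def __init__(self, store, driver):
        self.store, self.driver = store, driver
    def revert_resize(self, instance_id):
        self.driver.destroy(instance_id)          # teardown step of the revert
        return self.driver.define_guest(instance_id)  # guest is defined again
    def delete_instance(self, instance_id):
        self.driver.destroy(instance_id)
        self.store.delete(instance_id)  # secret is removed with the instance

def run(destroy_deletes_secret):
    """Revert a resize, then delete; return (revert outcome, leftover secret)."""
    store = SecretStore()
    store.create("inst-1")
    mgr = ComputeManager(store, Driver(store, destroy_deletes_secret))
    try:
        outcome = mgr.revert_resize("inst-1")
    except Invalid as exc:
        outcome = f"ERROR: {exc}"
    mgr.delete_instance("inst-1")
    return outcome, store.get("inst-1")
```

run(True) reproduces the failure mode from the traceback, while run(False) lets the revert succeed and still leaves no secret behind once the instance is deleted.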

