Disallow multiattach for encrypted volumes

We can't assume that the LUKS layer used for volume encryption functions in a way that will safely work with multiattach. Closes-Bug: #1770689 Change-Id: I613b48a9e89270b2f0266bffc5aeeefad37ce8fb (cherry picked from commit 18327971ca)
2018-05-11 11:56:27 -04:00 · 2018-05-11 11:56:27 -04:00 · d8d9e1cce7
parent 71284352ac
commit d8d9e1cce7
2 changed files with 38 additions and 0 deletions
--- a/cinder/tests/unit/volume/test_volume.py
+++ b/cinder/tests/unit/volume/test_volume.py
@ -680,6 +680,38 @@ class VolumeTestCase(base.BaseVolumeTestCase):
                              volume_api.create, self.context, 1, 'name',
                              'description', multiattach=True)

+    @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api)
+    def test_create_volume_with_encrypted_volume_type_multiattach(self):
+        ctxt = context.get_admin_context()
+
+        cipher = 'aes-xts-plain64'
+        key_size = 256
+        control_location = 'front-end'
+
+        db.volume_type_create(ctxt,
+                              {'id': '61298380-0c12-11e3-bfd6-4b48424183be',
+                               'name': 'LUKS',
+                               'extra_specs': {'multiattach': '<is> True'}})
+        db.volume_type_encryption_create(
+            ctxt,
+            '61298380-0c12-11e3-bfd6-4b48424183be',
+            {'control_location': control_location,
+             'provider': ENCRYPTION_PROVIDER,
+             'cipher': cipher,
+             'key_size': key_size})
+
+        volume_api = cinder.volume.api.API()
+
+        db_vol_type = db.volume_type_get_by_name(ctxt, 'LUKS')
+
+        self.assertRaises(exception.InvalidVolume,
+                          volume_api.create,
+                          self.context,
+                          1,
+                          'name',
+                          'description',
+                          volume_type=db_vol_type)
+
    @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api)
    def test_create_volume_with_encrypted_volume_type_aes(self):
        ctxt = context.get_admin_context()
--- a/cinder/volume/flows/api/create_volume.py
+++ b/cinder/volume/flows/api/create_volume.py
@ -464,6 +464,12 @@ class ExtractVolumeRequestTask(flow_utils.CinderTask):
            source_volume,
            image_meta)

+        if encryption_key_id is not None and volume_type is not None:
+            extra_specs = volume_type.get('extra_specs', {})
+            if extra_specs.get('multiattach', '') == '<is> True':
+                msg = _('Multiattach cannot be used with encrypted volumes.')
+                raise exception.InvalidVolume(reason=msg)
+
        specs = {}
        if volume_type_id:
            qos_specs = volume_types.get_volume_type_qos_specs(volume_type_id)