libvirt: Block swapping to an encrypted volume when using QEMU to decrypt
The original check in Ibfa64f18bbd2fb70db7791330ed1a64fe61c1355 only blocked swap volume _from_ an encrypted LUKS volume while using native QEMU decryption. This change expands that check to also block swap volume when swapping _to_ an encrypted LUKS volume while using native QEMU decryption, regardless of the original volume being encrypted. Change-Id: I258127fdcd011ccec721d5ff62eb7f128f130336 Closes-bug: #1749418
parent
f577ecbdbe
commit
7ceccee056
|
@ -16133,10 +16133,23 @@ class LibvirtConnTestCase(test.NoDBTestCase,
|
|||
def test_swap_volume_native_luks_blocked(self, mock_use_native_luks,
|
||||
mock_get_encryption):
|
||||
drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI())
|
||||
mock_get_encryption.return_value = {'provider': 'luks'}
|
||||
mock_use_native_luks.return_value = True
|
||||
|
||||
# dest volume is encrypted
|
||||
mock_get_encryption.side_effect = [{}, {'provider': 'luks'}]
|
||||
self.assertRaises(NotImplementedError, drvr.swap_volume, self.context,
|
||||
{}, {}, None, None, None)
|
||||
{}, {}, None, None, None)
|
||||
|
||||
# src volume is encrypted
|
||||
mock_get_encryption.side_effect = [{'provider': 'luks'}, {}]
|
||||
self.assertRaises(NotImplementedError, drvr.swap_volume, self.context,
|
||||
{}, {}, None, None, None)
|
||||
|
||||
# both volumes are encrypted
|
||||
mock_get_encryption.side_effect = [{'provider': 'luks'},
|
||||
{'provider': 'luks'}]
|
||||
self.assertRaises(NotImplementedError, drvr.swap_volume, self.context,
|
||||
{}, {}, None, None, None)
|
||||
|
||||
@mock.patch('nova.virt.libvirt.guest.BlockDevice.is_job_complete',
|
||||
return_value=True)
|
||||
|
|
|
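Review bot: All three cases in test_swap_volume_native_luks_blocked pass `{}` for both the old and the new connection info, so the test cannot tell a lookup on the destination volume from a second lookup on the source. The `side_effect` lists only fix the order of the return values, not the arguments the driver passed. Using two distinguishable dicts and adding `mock_get_encryption.assert_has_calls([mock.call(self.context, old_info), mock.call(self.context, new_info)])` after each `assertRaises` would pin the destination-side check that this commit adds. A case where `mock_use_native_luks` returns False is not visible here and may exist elsewhere. The test's decorators are outside the hunk.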
@ -1547,8 +1547,10 @@ class LibvirtDriver(driver.ComputeDriver):
|
|||
new_connection_info, instance, mountpoint, resize_to):
|
||||
|
||||
# NOTE(lyarwood): https://bugzilla.redhat.com/show_bug.cgi?id=760547
|
||||
encryption = self._get_volume_encryption(context, old_connection_info)
|
||||
if encryption and self._use_native_luks(encryption):
|
||||
old_encrypt = self._get_volume_encryption(context, old_connection_info)
|
||||
new_encrypt = self._get_volume_encryption(context, new_connection_info)
|
||||
if ((old_encrypt and self._use_native_luks(old_encrypt)) or
|
||||
(new_encrypt and self._use_native_luks(new_encrypt))):
|
||||
raise NotImplementedError(_("Swap volume is not supported for "
|
||||
"encrypted volumes when native LUKS decryption is enabled."))
|
||||
|
||||
|
|
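Review bot: The NOTE above the check still carries only a Bugzilla URL, although the guard now rejects the swap in both directions; a reader has to follow the link to learn why. Something like `# NOTE(lyarwood): refuse swap_volume when either the old or the new volume is LUKS-encrypted and decrypted natively by QEMU, see https://bugzilla.redhat.com/show_bug.cgi?id=760547` would state the intent in place. The guard also depends on `_get_volume_encryption` returning truthy metadata for `new_connection_info`. Whether an empty result can also mean "lookup failed" is not visible in this hunk, so it is worth confirming that the check fails closed for an encrypted destination. The body of swap_volume starts before and continues after the hunk.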