libvirt: Block swapping to an encrypted volume when using QEMU to decrypt

The original check in Ibfa64f18bbd2fb70db7791330ed1a64fe61c1355 only blocked swap volume _from_ an encrypted LUKS volume while using native QEMU decryption. This change expands that check to also block swap volume when swapping _to_ an encrypted LUKS volume while using native QEMU decryption, regardless of the original volume being encrypted. Change-Id: I258127fdcd011ccec721d5ff62eb7f128f130336 Closes-bug: #1749418
2018-02-14 10:19:24 +00:00 · 2018-02-14 10:19:24 +00:00 · 7ceccee056
parent f577ecbdbe
commit 7ceccee056
2 changed files with 19 additions and 4 deletions
--- a/nova/tests/unit/virt/libvirt/test_driver.py
+++ b/nova/tests/unit/virt/libvirt/test_driver.py
@ -16133,10 +16133,23 @@ class LibvirtConnTestCase(test.NoDBTestCase,
    def test_swap_volume_native_luks_blocked(self, mock_use_native_luks,
                                             mock_get_encryption):
        drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI())
-        mock_get_encryption.return_value = {'provider': 'luks'}
        mock_use_native_luks.return_value = True
+
+        # dest volume is encrypted
+        mock_get_encryption.side_effect = [{}, {'provider': 'luks'}]
        self.assertRaises(NotImplementedError, drvr.swap_volume, self.context,
-                         {}, {}, None, None, None)
+                            {}, {}, None, None, None)
+
+        # src volume is encrypted
+        mock_get_encryption.side_effect = [{'provider': 'luks'}, {}]
+        self.assertRaises(NotImplementedError, drvr.swap_volume, self.context,
+                            {}, {}, None, None, None)
+
+        # both volumes are encrypted
+        mock_get_encryption.side_effect = [{'provider': 'luks'},
+                                           {'provider': 'luks'}]
+        self.assertRaises(NotImplementedError, drvr.swap_volume, self.context,
+                            {}, {}, None, None, None)

    @mock.patch('nova.virt.libvirt.guest.BlockDevice.is_job_complete',
                return_value=True)
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@ -1547,8 +1547,10 @@ class LibvirtDriver(driver.ComputeDriver):
                    new_connection_info, instance, mountpoint, resize_to):

        # NOTE(lyarwood): https://bugzilla.redhat.com/show_bug.cgi?id=760547
-        encryption = self._get_volume_encryption(context, old_connection_info)
-        if encryption and self._use_native_luks(encryption):
+        old_encrypt = self._get_volume_encryption(context, old_connection_info)
+        new_encrypt = self._get_volume_encryption(context, new_connection_info)
+        if ((old_encrypt and self._use_native_luks(old_encrypt)) or
+            (new_encrypt and self._use_native_luks(new_encrypt))):
            raise NotImplementedError(_("Swap volume is not supported for "
                "encrypted volumes when native LUKS decryption is enabled."))