Parse algorithm from cipher for ephemeral disk encryption

Nova's keymgr implementation used to have default values for the algorithm and bit length. Castellan does not have default values, and when Castellan replaced keymgr in Ib563b0ea4b8b4bc1833bf52bf49a68546c384996, the parameters to the create_key method were not updated. This change parses the algorithm from the cipher value and passes it to Castellan's key manager interface. Conflicts: nova/conf/ephemeral_storage.py NOTE(mriedem): The conflicts are due to not having Ic8ea9b0852d5b6f5d8a468fe0a03d21e220a8913 in newton, which was a refactor/cleanup change in ocata. It's just preserved here for readability. Closes-Bug: #1651887 Change-Id: Ib90bc7571aef59325be0efe123fcf12e86252b85 (cherry picked from commit 1d3acad111) (cherry picked from commit fcc931f401)
2017-03-10 18:09:49 -05:00 · 2017-03-10 18:09:49 -05:00 · c589b76e13
parent 0f2d87416e
commit c589b76e13
3 changed files with 43 additions and 4 deletions
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@ -1398,8 +1398,15 @@ class API(base.Base):
        instance.old_flavor = None
        instance.new_flavor = None
        if CONF.ephemeral_storage_encryption.enabled:
+            # NOTE(kfarr): dm-crypt expects the cipher in a
+            # hyphenated format: cipher-chainmode-ivmode
+            # (ex: aes-xts-plain64). The algorithm needs
+            # to be parsed out to pass to the key manager (ex: aes).
+            cipher = CONF.ephemeral_storage_encryption.cipher
+            algorithm = cipher.split('-')[0] if cipher else None
            instance.ephemeral_key_uuid = self.key_manager.create_key(
                context,
+                algorithm=algorithm,
                length=CONF.ephemeral_storage_encryption.key_size)
        else:
            instance.ephemeral_key_uuid = None
--- a/nova/conf/ephemeral_storage.py
+++ b/nova/conf/ephemeral_storage.py
@ -39,9 +39,10 @@ Enables/disables LVM ephemeral storage encryption.
               help="""
 Cipher-mode string to be used

-The cipher and mode to be used to encrypt ephemeral
-storage. The set of cipher-mode combinations available
-depends on kernel support.
+The cipher and mode to be used to encrypt ephemeral storage. The set of
+cipher-mode combinations available depends on kernel support. According
+to the dm-crypt documentation, the cipher is expected to be in the format:
+"<cipher>-<chainmode>-<ivmode>".

 Possible values:

--- a/nova/tests/unit/compute/test_compute.py
+++ b/nova/tests/unit/compute/test_compute.py
@ -19,13 +19,14 @@

 import base64
 import datetime
+from itertools import chain
 import operator
 import sys
 import time
 import traceback
 import uuid

-from itertools import chain
+from castellan import key_manager
 import mock
 from neutronclient.common import exceptions as neutron_exceptions
 from oslo_log import log as logging
@ -7890,6 +7891,36 @@ class ComputeAPITestCase(BaseTestCase):
                         instance['display_name'])
        self.assertIsNotNone(instance.get('uuid'))
        self.assertEqual([], instance.security_groups.objects)
+        self.assertIsNone(instance.ephemeral_key_uuid)
+
+    def test_populate_instance_for_create_encrypted(self, num_instances=1):
+        CONF.set_override('enabled', True,
+                          group='ephemeral_storage_encryption',
+                          enforce_type=True)
+        CONF.set_override('api_class',
+                          'castellan.tests.unit.key_manager.mock_key_manager.'
+                          'MockKeyManager',
+                          group='key_manager',
+                          enforce_type=True)
+        base_options = {'image_ref': self.fake_image['id'],
+                        'system_metadata': {'fake': 'value'},
+                        'display_name': 'foo',
+                        'uuid': uuids.instance}
+        instance = objects.Instance()
+        instance.update(base_options)
+        inst_type = flavors.get_flavor_by_name("m1.tiny")
+        self.compute_api.key_manager = key_manager.API()
+        index = 1
+        instance = self.compute_api._populate_instance_for_create(
+                                self.context,
+                                instance,
+                                self.fake_image,
+                                index,
+                                security_groups=objects.SecurityGroupList(),
+                                instance_type=inst_type,
+                                num_instances=num_instances,
+                                shutdown_terminate=False)
+        self.assertIsNotNone(instance.ephemeral_key_uuid)

    def test_default_hostname_generator(self):
        fake_uuids = [str(uuid.uuid4()) for x in range(4)]