diff --git a/nova/tests/unit/virt/libvirt/volume/test_net.py b/nova/tests/unit/virt/libvirt/volume/test_net.py
index cec1a834febd..49947d1fa470 100644
--- a/nova/tests/unit/virt/libvirt/volume/test_net.py
+++ b/nova/tests/unit/virt/libvirt/volume/test_net.py
@@ -139,6 +139,38 @@ class LibvirtNetVolumeDriverTestCase(
 self.assertEqual(self.uuid, tree.find('./auth/secret').get('uuid'))
 libvirt_driver.disconnect_volume(connection_info, "vde")
 
+ def test_libvirt_rbd_driver_auth_enabled_flags_secret_uuid_fallback(self):
+ """The values from the cinder connection_info take precedence over
+ nova.conf values, unless it's old connection data where the
+ secret_uuid wasn't set on the cinder side for the original connection
+ which is now persisted in the
+ nova.block_device_mappings.connection_info column and used here. In
+ this case we fallback to use the local config for secret_uuid.
+ """
+ libvirt_driver = net.LibvirtNetVolumeDriver(self.fake_host)
+ connection_info = self.rbd_connection(self.vol)
+ secret_type = 'ceph'
+ connection_info['data']['auth_enabled'] = True
+ connection_info['data']['auth_username'] = self.user
+ connection_info['data']['secret_type'] = secret_type
+ # Fake out cinder not setting the secret_uuid in the old connection.
+ connection_info['data']['secret_uuid'] = None
+
+ flags_uuid = '37152720-1785-11e2-a740-af0c1d8b8e4b'
+ flags_user = 'bar'
+ self.flags(rbd_user=flags_user,
+ rbd_secret_uuid=flags_uuid,
+ group='libvirt')
+
+ conf = libvirt_driver.get_config(connection_info, self.disk_info)
+ tree = conf.format_dom()
+ self._assertNetworkAndProtocolEquals(tree)
+ self.assertEqual(self.user, tree.find('./auth').get('username'))
+ self.assertEqual(secret_type, tree.find('./auth/secret').get('type'))
+ # Assert that the secret_uuid comes from CONF.libvirt.rbd_secret_uuid.
+ self.assertEqual(flags_uuid, tree.find('./auth/secret').get('uuid'))
+ libvirt_driver.disconnect_volume(connection_info, "vde")
+
 def test_libvirt_rbd_driver_auth_disabled(self):
 libvirt_driver = net.LibvirtNetVolumeDriver(self.fake_host)
 connection_info = self.rbd_connection(self.vol)
diff --git a/nova/virt/libvirt/volume/net.py b/nova/virt/libvirt/volume/net.py
index a405433405bf..8692495e99ef 100644
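Review bot: The username assertion in `test_libvirt_rbd_driver_auth_enabled_flags_secret_uuid_fallback` has no comment explaining why `rbd_user=flags_user` is set, unlike the uuid assertion two lines below it. A line such as `# The username still comes from connection_info, not CONF.libvirt.rbd_user.` above `self.assertEqual(self.user, ...)` would make the intent explicit. The test also exercises only an explicit `secret_uuid` of `None`; a connection_info with no `secret_uuid` key at all, and the case where `rbd_secret_uuid` is unset as well, are not covered here.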
--- a/nova/virt/libvirt/volume/net.py
+++ b/nova/virt/libvirt/volume/net.py
@@ -62,13 +62,25 @@ class LibvirtNetVolumeDriver(libvirt_volume.LibvirtBaseVolumeDriver):
 auth_enabled = netdisk_properties.get('auth_enabled')
 if auth_enabled:
 conf.auth_username = netdisk_properties['auth_username']
- conf.auth_secret_uuid = netdisk_properties['secret_uuid']
+ # We started preferring Cinder config for rbd auth values starting
+ # in Ocata, but if we have a guest connection from before that when
+ # secret_uuid wasn't configured in Cinder, we need to fallback to
+ # get it from local nova.conf.
+ if netdisk_properties['secret_uuid'] is not None:
+ conf.auth_secret_uuid = netdisk_properties['secret_uuid']
+ else:
+ LOG.debug('Falling back to Nova configuration for RBD auth '
+ 'secret_uuid value.')
+ conf.auth_secret_uuid = CONF.libvirt.rbd_secret_uuid
 # secret_type is always hard-coded to 'ceph' in cinder
 conf.auth_secret_type = netdisk_properties['secret_type']
 elif CONF.libvirt.rbd_secret_uuid:
 # Anyone relying on falling back to nova config is probably having
 # this work accidentally and we'll remove that support in the
 # 16.0.0 Pike release.
+ # NOTE(mriedem): We'll have to be extra careful about this in case
+ # the reason we got here is due to an old volume connection created
+ # before we started preferring the Cinder settings in Ocata.
 LOG.warning(_LW('Falling back to Nova configuration values for '
 'RBD authentication. Cinder should be configured '
 'for auth with Ceph volumes. This fallback will '
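Review bot: The new `else` branch assigns `CONF.libvirt.rbd_secret_uuid` to `conf.auth_secret_uuid` without checking that it is set, so an old connection on a host with no `rbd_secret_uuid` configured gets an auth-enabled disk config whose secret uuid is `None`; the failure would then presumably surface later, away from its cause. Logging the fallback only at debug level also makes it hard for an operator to see which credential source a guest ended up using. The lookup `netdisk_properties['secret_uuid']` raises `KeyError` if old connection data lacks the key rather than holding `None` (which of the two occurs cannot be determined from this hunk); `if netdisk_properties.get('secret_uuid') is not None:` would cover both. The enclosing method starts and ends outside the hunk.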