[Bug 1744758] Re: libvirt 2.5.0-3ubuntu5.6~cloud0 appears to be compiled without gnutls
Lee Yarwood
lyarwood at redhat.com
Tue Jan 23 12:40:12 UTC 2018
So the issue only appears with the Ocata UCA repo that provides the
2.5.0-3ubuntu5.6~cloud0 build. Why we are installing this in the
OpenStack CI upgrade jobs between Pike and Queens is beyond me but
something we should be able to correct outside of this bug.
Anyway, here are some notes on reproducing this using the Ocata UCA repo:
- Update libvirt using the Ocata UCA repo
# add-apt-repository cloud-archive:ocata
# apt update
# apt upgrade
# dpkg -l | grep libvirt
ii libvirt-bin 2.5.0-3ubuntu5.6~cloud0 amd64 programs for the libvirt library
ii libvirt-clients 2.5.0-3ubuntu5.6~cloud0 amd64 Programs for the libvirt library
ii libvirt-daemon 2.5.0-3ubuntu5.6~cloud0 amd64 Virtualization daemon
ii libvirt-daemon-system 2.5.0-3ubuntu5.6~cloud0 amd64 Libvirt daemon configuration files
ii libvirt0:amd64 2.5.0-3ubuntu5.6~cloud0 amd64 library for interfacing with different virtualization systems
ii python-libvirt 3.0.0-2~cloud0 amd64 libvirt Python bindings
- Create a LUKS encrypted disk and associated secret containing the
required passphrase
# qemu-img create -f luks --object secret,id=luks_sec,format=raw,data=1234 -o key-secret=luks_sec /var/lib/libvirt/images/test.img 1G
# cat sec.xml
<secret ephemeral='no' private='yes'>
<uuid>8b0c5785-9e28-4c39-8b5d-21b42446ce35</uuid>
<usage type='volume'>
<volume>/var/lib/libvirt/images/test.img</volume>
</usage>
</secret>
# virsh secret-define sec.xml
# virsh secret-set-value 8b0c5785-9e28-4c39-8b5d-21b42446ce35 $(printf %s "1234" | base64)
- Create a test domain to attach this disk to
# wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img -O /var/lib/libvirt/images/cirros-0.4.0-x86_64-disk.img
# virt-install --import --name test --vcpus 1 --ram 512 --disk path=/var/lib/libvirt/images/cirros-0.4.0-x86_64-disk.img --nographic
- Create the associated XML for the disk and attempt to attach it to the
domain
# cat disk.xml
<disk type="file" device="disk">
<driver name="qemu" type="qcow2" cache="none" io="native"/>
<source file="/var/lib/libvirt/images/test.img"/>
<target dev='vdb' bus='virtio'/>
<encryption format='luks'>
<secret type='passphrase' uuid='8b0c5785-9e28-4c39-8b5d-21b42446ce35'/>
</encryption>
</disk>
# virsh attach-device test disk.xml
error: Failed to attach device from disk.xml
error: unsupported configuration: luks encryption requires encrypted secrets to be supported
- Upgrade to the Pike UCA and Libvirt 3.6.0:
# add-apt-repository cloud-archive:pike
# apt update
# apt upgrade
# dpkg -l | grep libvirt
ii libvirt-bin 3.6.0-1ubuntu6~cloud0 amd64 programs for the libvirt library
ii libvirt-clients 3.6.0-1ubuntu6~cloud0 amd64 Programs for the libvirt library
ii libvirt-daemon 3.6.0-1ubuntu6~cloud0 amd64 Virtualization daemon
ii libvirt-daemon-system 3.6.0-1ubuntu6~cloud0 amd64 Libvirt daemon configuration files
ii libvirt0:amd64 3.6.0-1ubuntu6~cloud0 amd64 library for interfacing with different virtualization systems
ii python-libvirt 3.5.0-1build1~cloud0 amd64 libvirt Python bindings
# systemctl restart libvirtd
# virsh attach-device test disk.xml
Device attached successfully
--
https://bugs.launchpad.net/bugs/1744758
Title:
libvirt 2.5.0-3ubuntu5.6~cloud0 appears to be compiled without gnutls
Status in Ubuntu Cloud Archive:
New
Status in libvirt package in Ubuntu:
Incomplete
Bug description:
Currently seeing the following error in OpenStack CI on 16.04 with
Libvirt 2.5.0 provided via the UCA when attempting to create a `luks`
Libvirt secret:
http://logs.openstack.org/50/536350/1/check/legacy-grenade-dsvm-neutron-multinode-live-migration/5f7ed57/logs/screen-n-cpu.txt.gz?level=ERROR#_Jan_22_15_09_28_467904
~~~
libvirtError: unsupported configuration: luks encryption requires encrypted secrets to be supported
~~~
This appears to be bubbling up due to the HAVE_GNUTLS_CIPHER_ENCRYPT
macro being 0 in this build due to gnutls_cipher_encrypt being missing
at build time:
src/util/vircrypto.c
~~~
virCryptoHaveCipher(virCryptoCipher algorithm)
{
    switch (algorithm) {

    case VIR_CRYPTO_CIPHER_AES256CBC:
#ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
        return true;
#else
        return false;
#endif

    case VIR_CRYPTO_CIPHER_NONE:
    case VIR_CRYPTO_CIPHER_LAST:
        break;
    };

    return false;
}
~~~
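A pre-flight check for the build problem described above, added here as an example (it is not part of the bug report or of libvirt): it looks in the dynamic symbol table of libvirt.so.0 for an import of gnutls_cipher_encrypt. The function names, the default library path and the premise that a build with HAVE_GNUTLS_CIPHER_ENCRYPT imports that symbol are assumptions.

```shell
#!/bin/sh
# Added example: detect a libvirt build that cannot handle LUKS secrets.
# Assumption: when HAVE_GNUTLS_CIPHER_ENCRYPT is set at build time, libvirt.so.0
# imports gnutls_cipher_encrypt, so `nm -D` lists it as undefined ("U").

# Read `nm -D` output on stdin; succeed only if gnutls_cipher_encrypt is imported.
# The (@|$) anchor accepts a version suffix but rejects gnutls_cipher_encrypt2.
imports_gnutls_cipher_encrypt() {
    awk '$1 == "U" && $2 ~ /^gnutls_cipher_encrypt(@|$)/ { found = 1 }
         END { exit !found }'
}

# Classify a libvirt shared object: prints supported, unsupported or unknown.
luks_secret_support() {
    lib=$1
    if [ ! -r "$lib" ] || ! command -v nm >/dev/null 2>&1; then
        echo unknown
        return 2
    fi
    # A file nm cannot parse is "unknown", not "unsupported".
    syms=$(nm -D "$lib" 2>/dev/null) || { echo unknown; return 2; }
    if printf '%s\n' "$syms" | imports_gnutls_cipher_encrypt; then
        echo supported
    else
        echo unsupported
        return 1
    fi
}

# Constructed `nm -D` excerpt (not captured from a real build).
sample='                 U gnutls_cipher_init@GNUTLS_3_4
                 U gnutls_cipher_encrypt@GNUTLS_3_4
0000000000123450 T virCryptoHaveCipher'
printf '%s\n' "$sample" | imports_gnutls_cipher_encrypt && echo "sample: supported"

# Check the installed library; the default is the Ubuntu amd64 multiarch
# location (assumption), or pass another path as the first argument.
luks_secret_support "${1:-/usr/lib/x86_64-linux-gnu/libvirt.so.0}" || true
```

Run against a package before it reaches a CI image or compute node, an "unsupported" result predicts the "luks encryption requires encrypted secrets to be supported" error without needing a test domain.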