[Bug 1744758] Re: libvirt 2.5.0-3ubuntu5.6~cloud0 appears to be compiled without gnutls

Corey Bryant corey.bryant at canonical.com
Tue Jan 23 13:54:19 UTC 2018


A couple of things to note about the failing code path.

The error message "luks encryption requires encrypted secrets to be
supported" is coming from qemuDomainSecretDiskPrepare() in
src/qemu/qemu_domain.c: https://paste.ubuntu.com/26444342/

The call to qemuDomainSecretSetup() appears to be returning 0 (zero).
Whether that means virCryptoHaveCipher() is returning True or False is
hard to tell but based on gnutls being included in the build log I'd
have to assume HAVE_GNUTLS_CIPHER_ENCRYPT is true.

What about the other checks in the first if statement in
qemuDomainSecretSetup()? https://paste.ubuntu.com/26444411/  Pasting
here as well. It seems as if one of these checks in the first if is
failing and we don't get to the qemuDomainSecretAESSetup() call, but
instead take the else path.

static int
qemuDomainSecretSetup(virConnectPtr conn,
                      qemuDomainObjPrivatePtr priv,
                      qemuDomainSecretInfoPtr secinfo,
                      const char *srcalias,
                      virSecretUsageType secretUsageType,
                      const char *username,
                      virSecretLookupTypeDefPtr seclookupdef,
                      bool isLuks)
{
    if (virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC) &&
        virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_SECRET) &&
        (secretUsageType == VIR_SECRET_USAGE_TYPE_CEPH ||
         secretUsageType == VIR_SECRET_USAGE_TYPE_VOLUME ||
         secretUsageType == VIR_SECRET_USAGE_TYPE_TLS)) {
        if (qemuDomainSecretAESSetup(conn, priv, secinfo, srcalias,
                                     secretUsageType, username,
                                     seclookupdef, isLuks) < 0)
            return -1;
    } else {
        if (qemuDomainSecretPlainSetup(conn, secinfo, secretUsageType,
                                       username, seclookupdef) < 0)
            return -1;
    }
    return 0;
}

https://bugs.launchpad.net/bugs/1744758

Title:
  libvirt 2.5.0-3ubuntu5.6~cloud0 appears to be compiled without gnutls

Status in Ubuntu Cloud Archive:
  New
Status in libvirt package in Ubuntu:
  Incomplete

Bug description:
  Currently seeing the following error in OpenStack CI on 16.04 with
  Libvirt 2.5.0 provided via the UCA when attempting to create a `luks`
  Libvirt secret:

  http://logs.openstack.org/50/536350/1/check/legacy-grenade-dsvm-neutron-multinode-live-migration/5f7ed57/logs/screen-n-cpu.txt.gz?level=ERROR#_Jan_22_15_09_28_467904

  ~~~
  libvirtError: unsupported configuration: luks encryption requires encrypted secrets to be supported
  ~~~

  This appears to be bubbling up due to the HAVE_GNUTLS_CIPHER_ENCRYPT
  macro being 0 in this build due to gnutls_cipher_encrypt being missing
  at build time:

  src/util/vircrypto.c

  virCryptoHaveCipher(virCryptoCipher algorithm)
  {
      switch (algorithm) {

      case VIR_CRYPTO_CIPHER_AES256CBC:
  #ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
      return true;
  #else
      return false;
  #endif

      case VIR_CRYPTO_CIPHER_NONE:
      case VIR_CRYPTO_CIPHER_LAST:
          break;
      };

      return false;
  }
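
Added example, not part of the original report or of libvirt: a standalone C model of the first if in qemuDomainSecretSetup() that evaluates each check separately, since the function returns 0 on both the AES and the plain path and so cannot show which check failed. The enum and struct names are hypothetical stand-ins, and the rule that a LUKS disk is rejected unless the AES path ran is an assumption inferred from the error text.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the libvirt enums named in the thread. */
enum usage { USAGE_NONE, USAGE_VOLUME, USAGE_CEPH, USAGE_ISCSI, USAGE_TLS };

/* One bit per check in the first if of qemuDomainSecretSetup(). */
enum { FAIL_CIPHER = 1, FAIL_OBJECT_SECRET = 2, FAIL_USAGE_TYPE = 4 };

struct gate_inputs {
    bool have_aes256cbc;      /* models virCryptoHaveCipher(...AES256CBC) */
    bool caps_object_secret;  /* models the QEMU_CAPS_OBJECT_SECRET check */
    enum usage usage;         /* models secretUsageType */
};

/* Evaluate every check without short-circuiting, so the result names all
 * failing checks instead of only showing that the else path was taken. */
static unsigned failed_checks(const struct gate_inputs *in)
{
    unsigned failed = 0;
    if (!in->have_aes256cbc)
        failed |= FAIL_CIPHER;
    if (!in->caps_object_secret)
        failed |= FAIL_OBJECT_SECRET;
    if (in->usage != USAGE_CEPH && in->usage != USAGE_VOLUME &&
        in->usage != USAGE_TLS)
        failed |= FAIL_USAGE_TYPE;
    return failed;
}

/* Assumed caller rule: LUKS needs the AES path. Returns 0 when it ran,
 * -1 for the "luks encryption requires encrypted secrets" case. */
static int luks_disk_prepare(const struct gate_inputs *in)
{
    return failed_checks(in) == 0 ? 0 : -1;
}

int main(void)
{
    struct gate_inputs cases[] = {   /* constructed inputs */
        { true,  true,  USAGE_VOLUME },
        { true,  false, USAGE_VOLUME },
        { true,  true,  USAGE_ISCSI  },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("case %zu: failed mask=%u luks=%d\n", i,
               failed_checks(&cases[i]), luks_disk_prepare(&cases[i]));
    return 0;
}
```

A mask of 2 or 4 with the cipher bit clear corresponds to the situation discussed in the comment above: gnutls support is compiled in, yet the plain path is still taken.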
