[Bug 1809454] Fix merged to nova (stable/pike)
OpenStack Infra
1809454 at bugs.launchpad.net
Tue Feb 5 18:09:53 UTC 2019
Reviewed: https://review.openstack.org/627011
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a7e25aa3d2088e2726988c03e84b3b5ea47bfb7e
Submitter: Zuul
Branch: stable/pike
commit a7e25aa3d2088e2726988c03e84b3b5ea47bfb7e
Author: Corey Bryant <corey.bryant at canonical.com>
Date: Fri Dec 21 08:23:32 2018 -0500
Ensure rbd auth fallback uses matching credentials
As of Ocata, cinder config is preferred for rbd auth values with a
fallback to nova values [1]. The fallback path, for the case when
rbd_user is configured in cinder.conf and rbd_secret_uuid is not
configured in cinder.conf, results in the mismatched use of cinder
rbd_user with nova rbd_secret_uuid.
This fixes that fallback path to use nova rbd_user from nova.conf
with rbd_secret_uuid from nova.conf.
[1] See commit f2d27f6a8afb62815fb6a885bd4f8ae4ed287fd3
Thanks to David Ames for this fix.
Change-Id: Ieba216275c07ab16414065ee47e66915e9e9477d
Co-Authored-By: David Ames <david.ames at canonical.com>
Closes-Bug: #1809454
(cherry picked from commit 47b7c4f3cc582bf463fd0c796df84736a0074f48)
(cherry picked from commit f5d8ee1bfc3b7b9f1a25f85b42e207db0c9f4b04)
(cherry picked from commit accef50f9648dc40f1a6f457f83f5359e9dd2a24)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1809454
Title:
[SRU] nova rbd auth fallback uses cinder user with libvirt secret
Status in Ubuntu Cloud Archive:
Fix Committed
Status in Ubuntu Cloud Archive ocata series:
Fix Committed
Status in Ubuntu Cloud Archive pike series:
Fix Committed
Status in Ubuntu Cloud Archive queens series:
Fix Committed
Status in Ubuntu Cloud Archive rocky series:
Fix Committed
Status in Ubuntu Cloud Archive stein series:
Fix Committed
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) ocata series:
Triaged
Status in OpenStack Compute (nova) pike series:
Triaged
Status in OpenStack Compute (nova) queens series:
In Progress
Status in OpenStack Compute (nova) rocky series:
Fix Released
Status in nova package in Ubuntu:
Fix Released
Status in nova source package in Bionic:
Fix Committed
Status in nova source package in Cosmic:
Fix Committed
Status in nova source package in Disco:
Fix Released
Bug description:
[Impact]
From David Ames (thedac), originally posted to https://bugs.launchpad.net/charm-nova-compute/+bug/1671422/comments/25:
Updating this bug. We may decide to move this elsewhere at some
point.
We have a deployment that was upgraded through to pike at which point
it was noticed that nova instances with ceph backed volumes would not
start.
The cinder key was manually added to the nova-compute nodes in /etc/ceph and with:
sudo virsh secret-define --file /tmp/cinder.secret
However, this did not resolve the problem. It appeared libvirt was
trying to use a mixed pair of usernames and keys. It was using the
cinder username but the nova-compute key.
Looking at nova's code it falls back to nova.conf when it does not have a secret_uuid from cinder but it was not setting the username correctly.
https://github.com/openstack/nova/blob/stable/pike/nova/virt/libvirt/volume/net.py#L74
The following seems to mitigate this as a temporary fix on
nova-compute until we can come up with a complete plan:
https://pastebin.ubuntu.com/p/tGm7C7fpXT/
diff --git a/nova/virt/libvirt/volume/net.py b/nova/virt/libvirt/volume/net.py
index cec43ce93b..8b0148df0b 100644
--- a/nova/virt/libvirt/volume/net.py
+++ b/nova/virt/libvirt/volume/net.py
@@ -71,6 +71,7 @@ class LibvirtNetVolumeDriver(libvirt_volume.LibvirtBaseVolumeDriver):
else:
LOG.debug('Falling back to Nova configuration for RBD auth '
'secret_uuid value.')
+ conf.auth_username = CONF.libvirt.rbd_user
conf.auth_secret_uuid = CONF.libvirt.rbd_secret_uuid
# secret_type is always hard-coded to 'ceph' in cinder
conf.auth_secret_type = netdisk_properties['secret_type']
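Review bot: The LOG.debug message at the top of this else branch still says the fallback covers only the 'secret_uuid value', but the added line now also replaces conf.auth_username with CONF.libvirt.rbd_user. Update the message to name both values (for example "secret_uuid and username values") and add a short comment stating that the nova.conf secret must be paired with the nova.conf user, so the debug log shows which identity libvirt will present to Ceph. The assignment is also unconditional: if CONF.libvirt.rbd_user is unset it overwrites the previously set conf.auth_username, so either guard that case or document it, and add a unit test for the path where cinder supplies a user but no secret_uuid.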
Apply to /usr/lib/python2.7/dist-packages/nova/virt/libvirt/volume/net.py
We still need a migration plan to get from the topology with
nova-compute directly related to ceph to the topology with cinder-ceph
related to nova-compute using ceph-access which would populate
cinder's secret_uuid.
It is possible we will need to carry the patch for existing instances.
It may be worth getting that upstream as master has the same problem.
[Test Case]
Upgrade a juju-deployed cloud with ceph backend for nova and cinder from pre-ocata to ocata or above. Ensure that nova instances with ceph backed volumes successfully start.
[Regression Potential]
The fix is minimal and will not be fixed in Ubuntu until it has been approved upstream.