Incorrect regex on rootwrap for encrypted volumes ln creation

Bug #1362854 reported by John Griffith
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Critical | John Griffith |
Havana | Fix Released | Critical | Alan Pevec |
Icehouse | Fix Released | Critical | John Griffith |

Bug Description

While running Tempest tests against my device, the encryption tests consistently fail to attach. Turns out the problem is an attempt to create a symbolic link for the encryption process; however, the rootwrap spec is restricted to targets with the default openstack.org iqn.

Error Message from n-cpu:

Stderr: '/usr/local/bin/nova-rootwrap: Unauthorized command: ln --symbolic --force /dev/mapper/ip-10.10.8.112:3260-iscsi-iqn.2010-01.com.solidfire:3gd2.uuid-6f210923-36bf-46a4-b04a-6b4269af9d4f.4710-lun-0 /dev/disk/by-path/ip-10.10.8.112:3260-iscsi-iqn.2010-01.com.sol

Rootwrap entry currently implemented:

ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*

summary: - Missing rootwrap for encrypted volumes
+ Incorrect regex on rootwrap for encrypted volumes ln creation
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/117652

Changed in nova:
assignee: nobody → John Griffith (john-griffith)
status: New → In Progress
Sean Dague (sdague)
Changed in nova:
importance: Undecided → Critical
milestone: none → juno-rc1
tags: added: havana-backport-potential icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/120233

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/120239

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/117652
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=00808f2072c3ee8958ad16eabad7994730bb8b86
Submitter: Jenkins
Branch: master

commit 00808f2072c3ee8958ad16eabad7994730bb8b86
Author: John Griffith <email address hidden>
Date: Thu Aug 28 17:27:35 2014 -0600

    Fix rootwrap for non openstack.org iqn's

    The encryption methods implemented for attached volumes
    require a symbolic link created to the /dev/disk-by* iqn.

    The current implementation works fine for LVM, however the rootwrap
    is restricted to only allow iqns of the form openstack.org, for
    vendors that use their own target and iqn this won't work and will
    result in the attach failing for unauthorized command.

    This just makes the regex for the rootwrap filter a bit more
    permissive, only looking for iscsi-iqn.*

    Change-Id: I023ad24867c045a88f72c5ac7ac4e4da097a3643
    Closes-Bug: 1362854
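
Added example (not part of the bug report or of the nova change): a simplified Python model of how a rootwrap RegExpFilter line decides on an ln command, run against the filter quoted in the bug description and against a relaxed filter. The relaxed patterns are an assumption inferred from the commit message ("only looking for iscsi-iqn.*"); the portal address, IQNs and volume names are constructed sample values.

```python
import re

# Filter line quoted in the bug description (the "before" state).
OLD_FILTER = ("ln: RegExpFilter, ln, root, ln, --symbolic, --force, "
              "/dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, "
              "/dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*")
# ASSUMPTION: relaxed patterns inferred from the commit message wording,
# not copied from the merged change.
NEW_FILTER = ("ln: RegExpFilter, ln, root, ln, --symbolic, --force, "
              "/dev/mapper/ip-.*-iscsi-iqn.*, "
              "/dev/disk/by-path/ip-.*-iscsi-iqn.*")


def parse_filter(line):
    """Split 'name: Class, exec_path, run_as, regex...' into the arg regexes."""
    _name, definition = line.split(":", 1)
    fields = [f.strip() for f in definition.split(",")]
    return fields[3:]  # drop filter class, executable path and run-as user


def regexp_filter_allows(filter_line, userargs):
    """Simplified RegExpFilter model: the argument count must be equal and
    every argument must match its pattern through to the end of the string."""
    patterns = parse_filter(filter_line)
    if not userargs or len(patterns) != len(userargs):
        return False
    return all(re.match(p + "$", a) for p, a in zip(patterns, userargs))


def ln_cmd(iqn_and_lun):
    """Build the ln command for a constructed iSCSI device name."""
    name = "ip-192.0.2.10:3260-iscsi-" + iqn_and_lun
    return ["ln", "--symbolic", "--force",
            "/dev/mapper/" + name, "/dev/disk/by-path/" + name]


# Constructed sample commands.
LVM = ln_cmd("iqn.2010-10.org.openstack:volume-0b5c7c3e-lun-1")
VENDOR = ln_cmd("iqn.2010-01.com.example:vol0001.4710-lun-0")
# Link source outside /dev/mapper: must stay denied after relaxing the regex.
OUTSIDE = ["ln", "--symbolic", "--force", "/etc/example.conf", VENDOR[4]]

if __name__ == "__main__":
    for label, cmd in (("lvm", LVM), ("vendor", VENDOR), ("outside", OUTSIDE)):
        print(label, "old:", regexp_filter_allows(OLD_FILTER, cmd),
              "new:", regexp_filter_allows(NEW_FILTER, cmd))
```

The "outside" case is the regression check worth keeping whenever a rootwrap pattern is loosened: both path arguments must still be confined to the expected /dev prefixes, and a command with extra arguments must still be refused.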

Changed in nova:
status: In Progress → Fix Committed
Alan Pevec (apevec)
tags: removed: havana-backport-potential icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/icehouse)

Reviewed: https://review.openstack.org/120233
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=df09c2a305c6a4cb41f649956197456b4a2d3e20
Submitter: Jenkins
Branch: stable/icehouse

commit df09c2a305c6a4cb41f649956197456b4a2d3e20
Author: John Griffith <email address hidden>
Date: Thu Aug 28 17:27:35 2014 -0600

    Fix rootwrap for non openstack.org iqn's

    The encryption methods implemented for attached volumes
    require a symbolic link created to the /dev/disk-by* iqn.

    The current implementation works fine for LVM, however the rootwrap
    is restricted to only allow iqns of the form openstack.org, for
    vendors that use their own target and iqn this won't work and will
    result in the attach failing for unauthorized command.

    This just makes the regex for the rootwrap filter a bit more
    permissive, only looking for iscsi-iqn.*

    Change-Id: I023ad24867c045a88f72c5ac7ac4e4da097a3643
    Closes-Bug: 1362854
    (cherry picked from commit 00808f2072c3ee8958ad16eabad7994730bb8b86)

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/havana)

Reviewed: https://review.openstack.org/120239
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a7f5a9d23a3085d079d1abd3415e8e931895046f
Submitter: Jenkins
Branch: stable/havana

commit a7f5a9d23a3085d079d1abd3415e8e931895046f
Author: John Griffith <email address hidden>
Date: Thu Aug 28 17:27:35 2014 -0600

    Fix rootwrap for non openstack.org iqn's

    The encryption methods implemented for attached volumes
    require a symbolic link created to the /dev/disk-by* iqn.

    The current implementation works fine for LVM, however the rootwrap
    is restricted to only allow iqns of the form openstack.org, for
    vendors that use their own target and iqn this won't work and will
    result in the attach failing for unauthorized command.

    This just makes the regex for the rootwrap filter a bit more
    permissive, only looking for iscsi-iqn.*

    Closes-Bug: 1362854
    (cherry picked from commit 00808f2072c3ee8958ad16eabad7994730bb8b86)

    Change-Id: I023ad24867c045a88f72c5ac7ac4e4da097a3643
    Conflicts:
     etc/nova/rootwrap.d/compute.filters

Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-rc1 → 2014.2