compute: Skip cinder_encryption_key_id check when booting from volume

Idf84ccff254d26fa13473fe9741ddac21cbcf321 added this check in order for Nova to avoid booting encrypted images created by Cinder as there is currently no support for using such images (rotating keys etc). The check however missed the slightly convoluted use case where this image property is found against a volume after the volume in question is created using an encrypted image created by cinder from an encrypted volume. In other words: - Cinder creates an encrypted volume A - Glance creates an encrypted image A from volume A - Cinder creates an encrypted volume B from image A - Nova attempts to boot an instance using volume B Note that Nova may request the creation of volume B or a user could also do this directly through Cinder. As such this change simply ensures that the instance isn't booting from a volume when preforming the check as it is only valid when booting from an image. Closes-Bug: #1895696 Change-Id: Ic92cab7362fa25050e5bbef5c3e360108365b5c7
2020-09-15 18:17:04 +01:00
parent e76cccddd3
commit f9b67893ac
2 changed files with 12 additions and 19 deletions
@@ -627,7 +627,12 @@ class API(base.Base):
            return

        image_properties = image.get('properties', {})
-        if image_properties.get('cinder_encryption_key_id'):
+        # NOTE(lyarwood) Skip this check when image_id is None indicating that
+        # the instance is booting from a volume that was itself initially
+        # created from an image. As such we don't care if
+        # cinder_encryption_key_id was against the original image as we are now
+        # booting from an encrypted volume.
+        if image_properties.get('cinder_encryption_key_id') and image_id:
            reason = _('Direct booting of an image uploaded from an '
                       'encrypted volume is unsupported.')
            raise exception.ImageUnacceptable(image_id=image_id,
@@ -122,15 +122,9 @@ class TestNonBootableImageMeta(integrated_helpers._IntegratedTestBase):
            'volume_size': 1,
        }]

-        # FIXME(lyarwood) n-api should ignore cinder_encryption_key_id in the
-        # original image in this case and accept the request.
-        ex = self.assertRaises(
-            client.OpenStackApiException, self.api.post_server,
-            {'server': server})
-        self.assertEqual(400, ex.response.status_code)
-        self.assertIn(
-            "Direct booting of an image uploaded from an encrypted volume is "
-            "unsupported", str(ex))
+        # Assert that this request is accepted and the server moves to ACTIVE
+        server = self.api.post_server({'server': server})
+        self._wait_for_state_change(server, 'ACTIVE')

    def test_nonbootable_metadata_bfv_volume_image_metadata(self):
        """Assert behaviour when c-api has created volume using encrypted image
@@ -147,12 +141,6 @@ class TestNonBootableImageMeta(integrated_helpers._IntegratedTestBase):
            'uuid': uuids.cinder_encrypted_volume_uuid,
        }]

-        # FIXME(lyarwood) n-api should ignore cinder_encryption_key_id in the
-        # volume volume_image_metadata in this case and accept the request.
-        ex = self.assertRaises(
-            client.OpenStackApiException, self.api.post_server,
-            {'server': server})
-        self.assertEqual(400, ex.response.status_code)
-        self.assertIn(
-            "Direct booting of an image uploaded from an encrypted volume is "
-            "unsupported", str(ex))
+        # Assert that this request is accepted and the server moves to ACTIVE
+        server = self.api.post_server({'server': server})
+        self._wait_for_state_change(server, 'ACTIVE')