Disallow multiattach for encrypted volumes

We can't assume that the LUKS layer used for volume encryption functions in a way that will safely work with multiattach. Closes-Bug: #1770689 Change-Id: I613b48a9e89270b2f0266bffc5aeeefad37ce8fb
2018-05-11 11:56:27 -04:00 · 2018-05-11 11:56:27 -04:00 · 18327971ca
commit 18327971ca
parent baabd09f63
2 changed files with 38 additions and 0 deletions
--- a/cinder/tests/unit/volume/test_volume.py
+++ b/cinder/tests/unit/volume/test_volume.py
@ -680,6 +680,38 @@ class VolumeTestCase(base.BaseVolumeTestCase):
                              volume_api.create, self.context, 1, 'name',
                              'description', multiattach=True)
    @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api)
    def test_create_volume_with_encrypted_volume_type_multiattach(self):
        ctxt = context.get_admin_context()
        cipher = 'aes-xts-plain64'
        key_size = 256
        control_location = 'front-end'
        db.volume_type_create(ctxt,
                              {'id': '61298380-0c12-11e3-bfd6-4b48424183be',
                               'name': 'LUKS',
                               'extra_specs': {'multiattach': '<is> True'}})
        db.volume_type_encryption_create(
            ctxt,
            '61298380-0c12-11e3-bfd6-4b48424183be',
            {'control_location': control_location,
             'provider': ENCRYPTION_PROVIDER,
             'cipher': cipher,
             'key_size': key_size})
        volume_api = cinder.volume.api.API()
        db_vol_type = db.volume_type_get_by_name(ctxt, 'LUKS')
        self.assertRaises(exception.InvalidVolume,
                          volume_api.create,
                          self.context,
                          1,
                          'name',
                          'description',
                          volume_type=db_vol_type)
    @mock.patch.object(key_manager, 'API', fake_keymgr.fake_api)
    def test_create_volume_with_encrypted_volume_type_aes(self):
        ctxt = context.get_admin_context()
--- a/cinder/volume/flows/api/create_volume.py
+++ b/cinder/volume/flows/api/create_volume.py
@ -464,6 +464,12 @@ class ExtractVolumeRequestTask(flow_utils.CinderTask):
            source_volume,
            image_meta)
        if encryption_key_id is not None and volume_type is not None:
            extra_specs = volume_type.get('extra_specs', {})
            if extra_specs.get('multiattach', '') == '<is> True':
                msg = _('Multiattach cannot be used with encrypted volumes.')
                raise exception.InvalidVolume(reason=msg)
        specs = {}
        if volume_type_id:
            qos_specs = volume_types.get_volume_type_qos_specs(volume_type_id)