Hello,

I documented bug #1633518 [1] last week in which volumes encrypted prior to Ib563b0ea [2] used a slightly mangled passphrase instead of the original passphrase provided by the configured key manager.

My first attempt at resolving this [3] prompted an alternative suggestion from mdbooth of adding the correct passphrase to the LUKS device when we detect the use of a mangled passphrase. I'm slightly wary of this option given the changing of passphrases so I'd really appreciate input from the wider Nova and Cinder groups on your preference for resolving this:

1. Keep the mangled passphrase in place and attempt to use it after getting a permission denied error during luksOpen.

2. Add the correct passphrase and remove the mangled passphrase from the LUKS device with luksChangeKey when we detect the use of the mangled passphrase.

3. An alternative suggestion.

FYI, as os-brick has now copied the encryptor classes from Nova into their own tree any fix will be cherry-picked across shortly after landing in Nova. I'm also looking into dropping these classes from Nova for Ocata so we can avoid duplicating effort like this in future.

Thanks in advance,

Lee

[1] https://launchpad.net/bugs/1633518
[2] https://review.openstack.org/#/c/309614/
[3] https://review.openstack.org/#/c/386670/

--
Lee Yarwood
Senior Software Engineer
Red Hat
PGP : A5D1 9385 88CB 7E5F BE64 6618 BCA6 6E33 F672 2D76

OpenStack Development Mailing List (not for usage questions)
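Options 1 and 2 from the message above, sketched side by side. This is an added example, not code from Nova, os-brick or the linked reviews: `open_volume`, its parameters and the injectable `run` callable are hypothetical names, and the mangled passphrase is taken as an input rather than derived. It assumes cryptsetup's documented exit status 2 for a bad passphrase.

```python
import subprocess

BAD_PASSPHRASE = 2  # cryptsetup exit status for "no permission (bad passphrase)"


def cryptsetup(args, stdin_text):
    """Run cryptsetup, feeding passphrases on stdin; return the exit status."""
    proc = subprocess.run(["cryptsetup", *args], input=stdin_text.encode(),
                          capture_output=True)
    return proc.returncode


def luks_open(run, device, name, passphrase):
    # --key-file=- reads the passphrase from stdin, so send no trailing newline.
    return run(["luksOpen", "--key-file=-", device, name], passphrase)


def open_volume(device, name, passphrase, mangled, rekey, run=cryptsetup):
    """Open a LUKS volume that may still be keyed with a legacy passphrase.

    Returns "current" if the key manager passphrase worked, "legacy" if the
    mangled one was used and left in place (option 1), or "rekeyed" if it was
    replaced with the correct passphrase first (option 2).
    """
    status = luks_open(run, device, name, passphrase)
    if status == 0:
        return "current"
    if status != BAD_PASSPHRASE:
        # Busy device, wrong device, etc.: not a passphrase problem, no retry.
        raise RuntimeError("luksOpen failed with status %d" % status)

    if not rekey:
        status = luks_open(run, device, name, mangled)
        if status != 0:
            raise RuntimeError("neither passphrase opens %s" % device)
        return "legacy"

    # Without a tty cryptsetup reads the old, then the new passphrase,
    # one per line. A failure here leaves the device closed.
    status = run(["luksChangeKey", device], "%s\n%s\n" % (mangled, passphrase))
    if status != 0:
        raise RuntimeError("luksChangeKey failed with status %d" % status)
    if luks_open(run, device, name, passphrase) != 0:
        raise RuntimeError("re-keyed volume did not open")
    return "rekeyed"
```

Only exit status 2 triggers the fallback, so an unrelated luksOpen failure never causes a second passphrase to be tried or a key slot to be rewritten.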