On Fri, Oct 21, 2016 at 12:07:08PM +0100, Lee Yarwood wrote:
> Hello,
>
> I documented bug#1633518 [1] last week in which volumes encrypted prior
> to Ib563b0ea [2] used a slightly mangled passphrase instead of the
> original passphrase provided by the configured key manager.
>
> My first attempt at resolving this [3] prompted an alternative
> suggestion from mdbooth of adding the correct passphrase to the LUKS
> device when we detect the use of a mangled passphrase.
>
> I'm slightly wary of this option given the changing of passphrases so
> I'd really appreciate input from the wider Nova and Cinder groups on
> your preference for resolving this :
>
> 1. Keep the mangled passphrase in place and attempt to use it after
> getting a permission denied error during luksOpen.
>
> 2. Add the correct passphrase and remove the mangled passphrase from the
> LUKS device with luksChangeKey when we detect the use of the mangled
> passphrase.
>
> 3. An alternative suggestion.

I get the wariness of changing the passphrases, but in this case I think my
preference would be to go with 2 if we know it has been mangled and we can
fix it.

>
> FYI, as os-brick has now copied the encryptor classes from Nova into
> their own tree any fix will be cherry-picked across shortly after
> landing in Nova. I'm also looking into dropping these classes from Nova
> for Ocata so we can avoid duplicating effort like this in future.

Awesome! Glad to see this being done.

>
> Thanks in advance,
>
> Lee
>
> [1] https://launchpad.net/bugs/1633518
> [2] https://review.openstack.org/#/c/309614/
> [3] https://review.openstack.org/#/c/386670/
> --
> Lee Yarwood
> Senior Software Engineer
> Red Hat
>
> PGP : A5D1 9385 88CB 7E5F BE64 6618 BCA6 6E33 F672 2D76
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
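
Option 2 from the thread, sketched as an added Python example (not code from Nova, os-brick or either poster): try the correct passphrase, fall back to the mangled one only after a permission error, then replace it and confirm the device opens with the correct passphrase. The thread does not say how the passphrase was mangled, so both encodings below are assumptions, and FakeLuksDevice is a constructed in-memory stand-in for luksOpen and luksChangeKey.

```python
import binascii


class FakeLuksDevice:
    """Constructed in-memory stand-in for a LUKS header (a set of passphrases)."""

    def __init__(self, *passphrases):
        self.slots = set(passphrases)

    def open(self, passphrase):
        # Models luksOpen: refuse any passphrase that matches no key slot.
        if passphrase not in self.slots:
            raise PermissionError("no key slot matches this passphrase")

    def change_key(self, old, new):
        # Models luksChangeKey: the old passphrase must unlock the device.
        self.open(old)
        self.slots.discard(old)
        self.slots.add(new)


def correct_passphrase(key):
    # Assumption: the intended passphrase is the key as zero-padded hex.
    return binascii.hexlify(key).decode("ascii")


def mangled_passphrase(key):
    # Assumption: the mangled form drops the zero padding of each byte.
    return "".join(format(byte, "x") for byte in key)


def open_and_repair(device, key):
    """Return 'opened' or 'repaired'; raise PermissionError for a wrong key."""
    good = correct_passphrase(key)
    try:
        device.open(good)
        return "opened"
    except PermissionError:
        bad = mangled_passphrase(key)
        if bad == good:
            raise  # nothing to fall back to: the key itself is wrong
    device.open(bad)               # still raises if the key is simply wrong
    device.change_key(bad, good)   # option 2: swap in the correct passphrase
    device.open(good)              # confirm the repaired slot works
    return "repaired"
```

Under these assumptions only keys containing a byte below 0x10 produce a mangled passphrase that differs from the correct one, so the fallback path must still treat a second permission error as a genuinely wrong key.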