The key manager in nova is currently configured to use a fixed key for
testing until a proper key manager is integrated. However, encrypted
volumes will fail during attachment to a server if a fixed_key is not defined.
Randomized creation of a fixed_key in stack.sh was included in the
stable/icehouse release for testing purposes.
Adding a randomized value for fixed_key allowed new encryption tempest test CR
to pass in the gate for tests that ran the stable/icehouse branch of Devstack.
There is still an issue with tests that start off running stable/havana, such
as the Icehouse Grenade tests. See: https://review.openstack.org/#/c/58018/
If the randomized value for fixed_key is also added to the stable/havana
branch, the patch linked above should pass all of the Jenkins tests.
Change-Id: Ieae6ed056c5e51cda7509a87cbe9b02586c6365b
Implements: blueprint cinder-volume-encryption-tempest-tests
(Modified cherry-picked from commit def4c141f1d917705ac1dbdbfe7525f47382dada)
... | ... |
@@ -1074,6 +1074,12 @@ if is_service_enabled key && is_service_enabled swift3 && is_service_enabled nov |
1074 | 1074 |
iniset $NOVA_CONF DEFAULT s3_affix_tenant "True" |
1075 | 1075 |
fi |
1076 | 1076 |
|
1077 |
+# Create a randomized default value for the keymgr's fixed_key |
|
1078 |
+if is_service_enabled nova; then |
|
1079 |
+ FIXED_KEY=$(cat /dev/urandom | tr -cd 'A-F0-9' | head -c 64) |
|
1080 |
+ iniset $NOVA_CONF keymgr fixed_key "$FIXED_KEY" |
|
1081 |
+fi |
|
1082 |
+ |
|
1077 | 1083 |
if is_service_enabled zeromq; then |
1078 | 1084 |
echo_summary "Starting zermomq receiver" |
1079 | 1085 |
screen_it zeromq "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-rpc-zmq-receiver" |
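Review bot: The `FIXED_KEY=$(...)` assignment inside the new `if is_service_enabled nova` block is unconditional, so every run of stack.sh replaces whatever `fixed_key` is already in `$NOVA_CONF`, which does not match the comment's wording of a "default value". A volume encrypted under the previous key cannot be decrypted with the newly generated one, which matters for any flow that re-runs this script against an existing deployment. Consider honoring a value the caller has already set, for example `FIXED_KEY=${FIXED_KEY:-$(...)}`, and extend the comment to say the key is for test deployments only, since `iniset` writes it to the config file in plain text. A smaller style point: the `cat` is unnecessary, and `tr -cd 'A-F0-9' < /dev/urandom | head -c 64` produces the same 64 hex characters.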