Adds a default value for fixed_key, for use by a key manager
implementation that reads the key from the configuration settings.
This single, fixed key proffers no protection if the key is
compromised. The current implementation of the key manager does
not work correctly if the key is not set, so including this option
is helpful for Tempest testing and volume encryption within
DevStack.
Implements: blueprint encrypt-cinder-volumes
Change-Id: Id83060afc862c793b79b5429355b213cb4c173fd
https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes
... | ... |
@@ -1098,6 +1098,15 @@ if is_service_enabled key && is_service_enabled swift3 && is_service_enabled nov |
1098 | 1098 |
iniset $NOVA_CONF DEFAULT s3_affix_tenant "True" |
1099 | 1099 |
fi |
1100 | 1100 |
|
1101 |
+# Create a randomized default value for the keymgr's fixed_key |
|
1102 |
+if is_service_enabled nova; then |
|
1103 |
+ FIXED_KEY="" |
|
1104 |
+ for i in $(seq 1 64); |
|
1105 |
+ do FIXED_KEY+=$(echo "obase=16; $(($RANDOM % 16))" | bc); |
|
1106 |
+ done; |
|
1107 |
+ iniset $NOVA_CONF keymgr fixed_key "$FIXED_KEY" |
|
1108 |
+fi |
|
1109 |
+ |
|
1101 | 1110 |
if is_service_enabled zeromq; then |
1102 | 1111 |
echo_summary "Starting zermomq receiver" |
1103 | 1112 |
screen_it zeromq "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-rpc-zmq-receiver" |
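Review bot: The `FIXED_KEY` loop draws every hex digit from bash's `$RANDOM`, a small-state, non-cryptographic generator, so the 64-digit value written to `keymgr fixed_key` carries far less entropy than the 256 bits its length suggests. Reading the bytes from the kernel CSPRNG is stronger and shorter, for example `FIXED_KEY=$(od -An -tx1 -N32 /dev/urandom | tr -d ' \n')`, and it avoids forking `bc` 64 times. The block also appears to write a fresh key on every run where nova is enabled, which would leave any encrypted volume kept from an earlier run unreadable. I would extend the comment above the block to say so, e.g. `# Test-only key, regenerated on each run; not suitable for protecting real data`.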