opendevreview | Atsushi Kawai proposed openstack/cinder master: Hitachi: Add maintenance parameters https://review.opendev.org/c/openstack/cinder/+/786873 | 06:16 |
---|---|---|
opendevreview | Balazs Gibizer proposed openstack/cinder master: Make sure that nfs backup path has proper access rights https://review.opendev.org/c/openstack/cinder/+/773876 | 10:01 |
opendevreview | Atsushi Kawai proposed openstack/cinder master: Hitachi: Make the parameters name variable for supporting OEM storages https://review.opendev.org/c/openstack/cinder/+/815461 | 10:03 |
opendevreview | Atsushi Kawai proposed openstack/cinder master: Hitachi: Make the parameters name variable for supporting OEM storages https://review.opendev.org/c/openstack/cinder/+/815461 | 10:58 |
*** dviroel|rover|out is now known as dviroel|rover | 11:11 | |
*** tosky_ is now known as tosky | 11:25 | |
*** Guest3656 is now known as redrobot | 13:03 | |
hemna | good morning | 13:12 |
hemna | do you guys know what happens with volumes currently migrating when cinder restarts? | 13:12 |
*** lbragstad6 is now known as lbragstad | 13:28 | |
opendevreview | Fernando Ferraz proposed openstack/cinder master: [NetApp] Fix HTTPS connection for python 3.7 https://review.opendev.org/c/openstack/cinder/+/732704 | 14:02 |
opendevreview | Gabriel Calixto de Paula proposed openstack/cinder-tempest-plugin master: corrected bug on README https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/815516 | 15:36 |
opendevreview | Merged openstack/cinder stable/xena: PowerMax Driver - Fix for GVG snapshot delete https://review.opendev.org/c/openstack/cinder/+/811730 | 18:04 |
opendevreview | Merged openstack/cinder stable/xena: PowerMax Driver - Port load balancing fix https://review.opendev.org/c/openstack/cinder/+/811729 | 18:04 |
qwebirc17101 | As encrypted volumes can't currently be managed/reimported back into the OpenStack environment, I want to have a plan ready for data recovery. As in, accessing the encrypted volume data via the LUKS key that Cinder creates, and gives to Barbican. | 18:52 |
qwebirc17101 | I've extracted all of our keys from Barbican, and used something like `sudo cryptsetup luksOpen /dev/... DRIVE_UUID --key-file KEY_FILE_EXTRACTED_FROM_BARBICAN`, but I'm always told "No key available with this passphrase." | 18:54 |
qwebirc17101 | Does anyone have any experience accessing an encrypted volume outside of OpenStack? I had thought I was on the right track, and may have been, but good to get some input. Thanks | 18:55 |
qwebirc17101 | Any input appreciated, if even just to confirm that the secret, dumped to a file (openstack secret get URI --file ./enc_key --payload_content_type 'application/octet-stream') can indeed be used when doing `cryptsetup luksOpen .. .. --key-file ./enc_key` | 19:19 |
qwebirc17101 | I'll check the irc logs, so no worries if I'm disconnected. Thanks again | 19:19 |
qwebirc17101 | (Extra information in case it helps, using an external storage unit, over iscsi) | 19:20 |
rosmaita | qwebirc17101: the barbican secret payload is not actually the LUKS passphrase | 20:10 |
rosmaita | you have to transform the bytes in the payload into a sequence of chars in the set [0-9a-f] | 20:10 |
rosmaita | for example, | 20:10 |
rosmaita | openstack secret get --payload_content_type 'application/octet-stream' | 20:10 |
rosmaita | gives you something like this: | 20:10 |
rosmaita | b"\x94\xc2'\xfdD\xc2\xeeErY\xc8*\xce\x82\x08j$\x98\x1f\xd0\nshB$3\xd6\x19wU\xea\x9f" | 20:10 |
rosmaita | then | 20:10 |
rosmaita | you can transform it like this in the python interpreter: | 20:10 |
rosmaita | . | 20:10 |
rosmaita | payload = b"\x94\xc2'\xfdD\xc2\xeeErY\xc8*\xce\x82\x08j$\x98\x1f\xd0\nshB$3\xd6\x19wU\xea\x9f" | 20:10 |
rosmaita | passphrase = binascii.hexlify(payload).decode('ascii') | 20:10 |
rosmaita | . | 20:10 |
rosmaita | to do a sanity check: | 20:10 |
rosmaita | len(payload) should be 32 | 20:10 |
rosmaita | len(passphrase) should be 64 | 20:10 |
rosmaita | and passphrase should only be chars in [0-9a-f] | 20:10 |
rosmaita | so for the above, it would be | 20:10 |
rosmaita | '94c227fd44c2ee457259c82ace82086a24981fd00a7368422433d6197755ea9f' | 20:10 |
rosmaita | qwebirc17101: ^^ | 20:10 |
qwebirc17101 | rosmaita -- thank you! | 20:34 |
rosmaita | qwebirc17101: good luck! | 20:34 |
rosmaita | qwebirc17101: btw, the restriction to chars in [0-9a-f] is a cinder convention, the cryptsetup FAQ just suggests using only the 95 printable chars from the first 128 ASCII chars | 20:36 |
rosmaita | but since you are reading a cinder volume, you have to do what cinder does :) | 20:37 |
*** dviroel|rover is now known as dviroel|rover|afk | 20:42 | |
qwebirc17101 | rosmaita - it looks like I can do `xxd -p -c 64 ./key_file` to get the hex bytes printed. and I will keep that 95 char file thing in mind! | 20:48 |
opendevreview | Luciano Lo Giudice proposed openstack/cinder master: Fix QOS computation https://review.opendev.org/c/openstack/cinder/+/815560 | 22:11 |