Tuesday, 2021-10-26

opendevreviewAtsushi Kawai proposed openstack/cinder master: Hitachi: Add maintenance parameters  https://review.opendev.org/c/openstack/cinder/+/78687306:16
opendevreviewBalazs Gibizer proposed openstack/cinder master: Make sure that nfs backup path has proper access rights  https://review.opendev.org/c/openstack/cinder/+/77387610:01
opendevreviewAtsushi Kawai proposed openstack/cinder master: Hitachi: Make the parameters name variable for supporting OEM storages  https://review.opendev.org/c/openstack/cinder/+/81546110:03
opendevreviewAtsushi Kawai proposed openstack/cinder master: Hitachi: Make the parameters name variable for supporting OEM storages  https://review.opendev.org/c/openstack/cinder/+/81546110:58
*** dviroel|rover|out is now known as dviroel|rover11:11
*** tosky_ is now known as tosky11:25
*** Guest3656 is now known as redrobot13:03
hemnagood morning13:12
hemnado you guys know what happens with volumes currently migration when cinder restarts?13:12
*** lbragstad6 is now known as lbragstad13:28
opendevreviewFernando Ferraz proposed openstack/cinder master: [NetApp] Fix HTTPS connection for python 3.7  https://review.opendev.org/c/openstack/cinder/+/73270414:02
opendevreviewGabriel Calixto de Paula proposed openstack/cinder-tempest-plugin master: corrected bug on README  https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/81551615:36
opendevreviewMerged openstack/cinder stable/xena: PowerMax Driver - Fix for GVG snapshot delete  https://review.opendev.org/c/openstack/cinder/+/81173018:04
opendevreviewMerged openstack/cinder stable/xena: PowerMax Driver - Port load balancing fix  https://review.opendev.org/c/openstack/cinder/+/81172918:04
qwebirc17101As encrypted volumes can't currently be managed/reimported back into the OpenStack environment, I want to have a plan ready for data recovery. As in, accessing the encrypted volume data via the LUKS key that Cinder creates, and gives to Barbican.18:52
qwebirc17101I've extracted all of our keys from Barbican, and used something like `sudo cryptsetup luksOpen /dev/... DRIVE_UUID --key-file KEY_FILE_EXTRACTED_FROM_BARBICAN`,   but I'm always told "No key available with this passphrase."18:54
qwebirc17101Does anyone have any experience accessing an encrypted volume outside of OpenStack? I had thought I was on the right track, and may have been, but good to get some input. Thanks18:55
qwebirc17101Any input appreciated, if even just to confirm that the secret, dumped to a file (openstack secret get URI --file ./enc_key --payload_content_type 'application/octet-stream')    can indeed be used when doing `cryptsetup luksOpen .. .. --key-file ./enc_key`19:19
qwebirc17101I'll check the irc logs, so no worries if I'm disconnected. Thanks again19:19
qwebirc17101(Extra information in case it helps, using an external storage unit, over iscsi)19:20
rosmaitaqwebirc17101: the barbican secret payload is not actually the LUKS passphrase20:10
rosmaitayou have to transform the bytes in the payload into a sequence of chars in the set [0-9a-f]20:10
rosmaitafor example,20:10
rosmaitaopenstack secret get --payload_content_type 'application/octet-stream'20:10
rosmaitagives you something like this:20:10
rosmaitayou can transform it like this in the python interpreter:20:10
rosmaitapayload = b"\x94\xc2'\xfdD\xc2\xeeErY\xc8*\xce\x82\x08j$\x98\x1f\xd0\nshB$3\xd6\x19wU\xea\x9f"20:10
rosmaitapassphrase = binascii.hexlify(payload).decode('ascii')20:10
rosmaitato do a sanity check:20:10
rosmaitalen(payload) should be 3220:10
rosmaitalen(passphrase) should be 6420:10
rosmaitaand passphrase should only be chars in [0-9a-f]20:10
rosmaitaso for the above, it would be20:10
rosmaitaqwebirc17101: ^^20:10
qwebirc17101rosmaita -- thank you!20:34
rosmaitaqwebirc17101: good luck!20:34
rosmaitaqwebirc17101: btw, the restriction to chars in [0-9a-f] is a cinder convention, the cryptsetup FAQ just suggests using only the 95 printable chars from the first 128 ASCII chars20:36
rosmaitabut since you are reading a cinder volume, you have to do what cinder does :)20:37
*** dviroel|rover is now known as dviroel|rover|afk20:42
qwebirc17101rosmaita - it looks like I can do `xxd -p -c 64 ./key_file` to get the hex bytes printed. and I will keep that 95 char file thing in mind!20:48
opendevreviewLuciano Lo Giudice proposed openstack/cinder master: Fix QOS computation  https://review.opendev.org/c/openstack/cinder/+/81556022:11

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!