Linstor: encryption support (apache#10126)

This introduces a new encryption mode, instead of a simple bool.
Now also storage driver can just provide encrypted volumes to CloudStack.

Author: rp-

api/src/main/java/com/cloud/storage/Storage.java

@@ -139,6 +139,21 @@ public static enum TemplateType {
         ISODISK /* Template corresponding to a iso (non root disk) present in an OVA */
     }
 
+    public enum EncryptionSupport {
+        /**
+         * Encryption not supported.
+         */
+        Unsupported,
+        /**
+         * Will use hypervisor encryption driver (qemu -> luks)
+         */
+        Hypervisor,
+        /**
+         * Storage pool handles encryption and just provides an encrypted volume
+         */
+        Storage
+    }
+
     /**
      * StoragePoolTypes carry some details about the format and capabilities of a storage pool. While not necessarily a
      * 1:1 with PrimaryDataStoreDriver (and for KVM agent, KVMStoragePool and StorageAdaptor) implementations, it is
@@ -150,57 +165,35 @@ public static enum TemplateType {
      * ensure this is available on the agent side as well. This is best done by defining the StoragePoolType in a common
      * package available on both management server and agent plugin jars.
      */
-    public static class StoragePoolType {
-        private static final Map<String, StoragePoolType> map = new LinkedHashMap<>();
-
-        public static final StoragePoolType Filesystem = new StoragePoolType("Filesystem", false, true, true);
-        public static final StoragePoolType NetworkFilesystem = new StoragePoolType("NetworkFilesystem", true, true, true);
-        public static final StoragePoolType IscsiLUN = new StoragePoolType("IscsiLUN", true, false, false);
-        public static final StoragePoolType Iscsi = new StoragePoolType("Iscsi", true, false, false);
-        public static final StoragePoolType ISO = new StoragePoolType("ISO", false, false, false);
-        public static final StoragePoolType LVM = new StoragePoolType("LVM", false, false, false);
-        public static final StoragePoolType CLVM = new StoragePoolType("CLVM", true, false, false);
-        public static final StoragePoolType RBD = new StoragePoolType("RBD", true, true, false);
-        public static final StoragePoolType SharedMountPoint = new StoragePoolType("SharedMountPoint", true, true, true);
-        public static final StoragePoolType VMFS = new StoragePoolType("VMFS", true, true, false);
-        public static final StoragePoolType PreSetup = new StoragePoolType("PreSetup", true, true, false);
-        public static final StoragePoolType EXT = new StoragePoolType("EXT", false, true, false);
-        public static final StoragePoolType OCFS2 = new StoragePoolType("OCFS2", true, false, false);
-        public static final StoragePoolType SMB = new StoragePoolType("SMB", true, false, false);
-        public static final StoragePoolType Gluster = new StoragePoolType("Gluster", true, false, false);
-        public static final StoragePoolType PowerFlex = new StoragePoolType("PowerFlex", true, true, true);
-        public static final StoragePoolType ManagedNFS = new StoragePoolType("ManagedNFS", true, false, false);
-        public static final StoragePoolType Linstor = new StoragePoolType("Linstor", true, true, false);
-        public static final StoragePoolType DatastoreCluster = new StoragePoolType("DatastoreCluster", true, true, false);
-        public static final StoragePoolType StorPool = new StoragePoolType("StorPool", true,true,true);
-        public static final StoragePoolType FiberChannel = new StoragePoolType("FiberChannel", true,true,false);
-
+    public static enum StoragePoolType {
+        Filesystem(false, true, EncryptionSupport.Hypervisor), // local directory
+        NetworkFilesystem(true, true, EncryptionSupport.Hypervisor), // NFS
+        IscsiLUN(true, false, EncryptionSupport.Unsupported), // shared LUN, with a clusterfs overlay
+        Iscsi(true, false, EncryptionSupport.Unsupported), // for e.g., ZFS Comstar
+        ISO(false, false, EncryptionSupport.Unsupported), // for iso image
+        LVM(false, false, EncryptionSupport.Unsupported), // XenServer local LVM SR
+        CLVM(true, false, EncryptionSupport.Unsupported),
+        RBD(true, true, EncryptionSupport.Unsupported), // http://libvirt.org/storage.html#StorageBackendRBD
+        SharedMountPoint(true, true, EncryptionSupport.Hypervisor),
+        VMFS(true, true, EncryptionSupport.Unsupported), // VMware VMFS storage
+        PreSetup(true, true, EncryptionSupport.Unsupported), // for XenServer, Storage Pool is set up by customers.
+        EXT(false, true, EncryptionSupport.Unsupported), // XenServer local EXT SR
+        OCFS2(true, false, EncryptionSupport.Unsupported),
+        SMB(true, false, EncryptionSupport.Unsupported),
+        Gluster(true, false, EncryptionSupport.Unsupported),
+        PowerFlex(true, true, EncryptionSupport.Hypervisor), // Dell EMC PowerFlex/ScaleIO (formerly VxFlexOS)
+        ManagedNFS(true, false, EncryptionSupport.Unsupported),
+        Linstor(true, true, EncryptionSupport.Storage),
+        DatastoreCluster(true, true, EncryptionSupport.Unsupported), // for VMware, to abstract pool of clusters
+        StorPool(true, true, EncryptionSupport.Hypervisor),
+        FiberChannel(true, true, EncryptionSupport.Unsupported); // Fiber Channel Pool for KVM hypervisors is used to find the volume by WWN value (/dev/disk/by-id/wwn-<wwnvalue>)
 
         private final String name;
         private final boolean shared;
         private final boolean overProvisioning;
-        private final boolean encryption;
+        private final EncryptionSupport encryption;
 
-        /**
-         * New StoragePoolType, set the name to check with it in Dao (Note: Do not register it into the map of pool types).
-         * @param name name of the StoragePoolType.
-         */
-        public StoragePoolType(String name) {
-            this.name = name;
-            this.shared = false;
-            this.overProvisioning = false;
-            this.encryption = false;
-        }
-
-        /**
-         * Define a new StoragePoolType, and register it into the map of pool types known to the management server.
-         * @param name Simple unique name of the StoragePoolType.
-         * @param shared Storage pool is shared/accessible to multiple hypervisors
-         * @param overProvisioning Storage pool supports overProvisioning
-         * @param encryption Storage pool supports encrypted volumes
-         */
-        public StoragePoolType(String name, boolean shared, boolean overProvisioning, boolean encryption) {
-            this.name = name;
+        StoragePoolType(boolean shared, boolean overProvisioning, EncryptionSupport encryption) {
             this.shared = shared;
             this.overProvisioning = overProvisioning;
             this.encryption = encryption;
@@ -216,6 +209,10 @@ public boolean supportsOverProvisioning() {
         }
 
         public boolean supportsEncryption() {
+            return encryption == EncryptionSupport.Hypervisor || encryption == EncryptionSupport.Storage;
+        }
+
+        public EncryptionSupport encryptionSupportMode() {
             return encryption;
         }
 

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java

@@ -3586,7 +3586,8 @@ public int compare(final DiskTO arg0, final DiskTO arg1) {
                     disk.setCacheMode(DiskDef.DiskCacheMode.valueOf(volumeObjectTO.getCacheMode().toString().toUpperCase()));
                 }
 
-                if (volumeObjectTO.requiresEncryption()) {
+                if (volumeObjectTO.requiresEncryption() &&
+                        pool.getType().encryptionSupportMode() == Storage.EncryptionSupport.Hypervisor ) {
                     String secretUuid = createLibvirtVolumeSecret(conn, volumeObjectTO.getPath(), volumeObjectTO.getPassphrase());
                     DiskDef.LibvirtDiskEncryptDetails encryptDetails = new DiskDef.LibvirtDiskEncryptDetails(secretUuid, QemuObject.EncryptFormat.enumValue(volumeObjectTO.getEncryptFormat()));
                     disk.setLibvirtDiskEncryptDetails(encryptDetails);

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStorageProcessor.java

@@ -128,6 +128,7 @@
 import com.cloud.storage.JavaStorageLayer;
 import com.cloud.storage.MigrationOptions;
 import com.cloud.storage.ScopeType;
+import com.cloud.storage.Storage;
 import com.cloud.storage.Storage.ImageFormat;
 import com.cloud.storage.Storage.StoragePoolType;
 import com.cloud.storage.StorageLayer;
@@ -1517,7 +1518,8 @@ protected synchronized void attachOrDetachDisk(final Connect conn, final boolean
                     }
                 }
 
-                if (encryptDetails != null) {
+                if (encryptDetails != null &&
+                        attachingPool.getType().encryptionSupportMode() == Storage.EncryptionSupport.Hypervisor) {
                     diskdef.setLibvirtDiskEncryptDetails(encryptDetails);
                 }
 

plugins/storage/volume/linstor/CHANGELOG.md

@@ -11,6 +11,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Volume snapshots on zfs used the wrong dataset path to hide/unhide snapdev
 
+## [2024-12-19]
+
+### Added
+- Native CloudStack encryption support
+
 ## [2024-12-13]
 
 ### Fixed

plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LinstorBackupSnapshotCommandWrapper.java

@@ -97,18 +97,23 @@ private String convertImageToQCow2(
         // NOTE: the qemu img will also contain the drbd metadata at the end
         final QemuImg qemu = new QemuImg(waitMilliSeconds);
         qemu.convert(srcFile, dstFile);
-        LOGGER.info("Backup snapshot " + srcFile + " to " + dstPath);
+        LOGGER.info("Backup snapshot '{}' to '{}'", srcPath, dstPath);
         return dstPath;
     }
 
     private SnapshotObjectTO setCorrectSnapshotSize(final SnapshotObjectTO dst, final String dstPath) {
         final File snapFile = new File(dstPath);
-        final long size = snapFile.exists() ? snapFile.length() : 0;
+        long size;
+        if (snapFile.exists()) {
+            size = snapFile.length();
+        } else {
+            LOGGER.warn("Snapshot file {} does not exist. Reporting size 0", dstPath);
+            size = 0;
+        }
 
-        final SnapshotObjectTO snapshot = new SnapshotObjectTO();
-        snapshot.setPath(dst.getPath() + File.separator + dst.getName());
-        snapshot.setPhysicalSize(size);
-        return snapshot;
+        dst.setPath(dst.getPath() + File.separator + dst.getName());
+        dst.setPhysicalSize(size);
+        return dst;
     }
 
     @Override
@@ -158,6 +163,7 @@ public CopyCmdAnswer execute(LinstorBackupSnapshotCommand cmd, LibvirtComputingR
             LOGGER.info("Backup shrunk " + dstPath + " to actual size " + src.getVolume().getSize());
 
             SnapshotObjectTO snapshot = setCorrectSnapshotSize(dst, dstPath);
+            LOGGER.info("Actual file size for '{}' is {}", dstPath, snapshot.getPhysicalSize());
             return new CopyCmdAnswer(snapshot);
         } catch (final Exception e) {
             final String error = String.format("Failed to backup snapshot with id [%s] with a pool %s, due to %s",
@@ -171,4 +177,4 @@ public CopyCmdAnswer execute(LinstorBackupSnapshotCommand cmd, LibvirtComputingR
             }
         }
     }
-}
+}

plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStorageAdaptor.java

@@ -410,7 +410,7 @@ private boolean tryDisconnectLinstor(String volumePath, KVMStoragePool pool)
                 if (rsc.getFlags() != null &&
                         rsc.getFlags().contains(ApiConsts.FLAG_DRBD_DISKLESS) &&
                         !rsc.getFlags().contains(ApiConsts.FLAG_TIE_BREAKER)) {
-                    ApiCallRcList delAnswers = api.resourceDelete(rsc.getName(), localNodeName);
+                    ApiCallRcList delAnswers = api.resourceDelete(rsc.getName(), localNodeName, true);
                     logLinstorAnswers(delAnswers);
                 }
             } catch (ApiException apiEx) {