vmware: Encrypt vmotion if flavor requires it, or don't

Vmotions should be encrypted, but not for really large RAM sizes
because encryption impacts vmotion performance too much. So let the
flavor define one of "required", "disabled" or "opportunistic". If
not set, null/None defaults to "opportunistic".

Change-Id: Iba0fd2f2edc8fae210f6c4bab0218703e87ecfbc

Author: grandchild

nova/tests/unit/virt/vmwareapi/test_vm_util.py

@@ -426,6 +426,7 @@ def test_get_resize_spec(self):
         expected.memoryAllocation = memoryAllocation
         expected.extraConfig = []
         expected.memoryReservationLockedToMax = False
+        expected.migrateEncryption = None
 
         self.assertEqual(expected, result)
 
@@ -459,6 +460,7 @@ def test_get_resize_spec_with_limits(self):
         expected.memoryAllocation = memoryAllocation
         expected.extraConfig = []
         expected.memoryReservationLockedToMax = False
+        expected.migrateEncryption = None
 
         self.assertEqual(expected, result)
 
@@ -883,6 +885,7 @@ def _create_vm_config_spec(self):
         spec.name = self._instance.uuid
         spec.instanceUuid = self._instance.uuid
         spec.deviceChange = []
+        spec.migrateEncryption = None
         spec.numCPUs = 2
 
         spec.version = None
@@ -963,6 +966,7 @@ def test_get_vm_create_spec_with_allocations(self):
                                             extra_specs)
         expected = fake_factory.create('ns0:VirtualMachineConfigSpec')
         expected.deviceChange = []
+        expected.migrateEncryption = None
         expected.guestId = constants.DEFAULT_OS_TYPE
         expected.instanceUuid = self._instance.uuid
         expected.memoryMB = self._instance.memory_mb
@@ -1018,6 +1022,7 @@ def test_get_vm_create_spec_with_limit(self):
         expected.instanceUuid = self._instance.uuid
         expected.name = self._instance.uuid
         expected.deviceChange = []
+        expected.migrateEncryption = None
         expected.extraConfig = []
 
         extra_config = fake_factory.create("ns0:OptionValue")
@@ -1072,6 +1077,7 @@ def test_get_vm_create_spec_with_share(self):
         expected.instanceUuid = self._instance.uuid
         expected.name = self._instance.uuid
         expected.deviceChange = []
+        expected.migrateEncryption = None
 
         expected.extraConfig = []
         extra_config = fake_factory.create('ns0:OptionValue')
@@ -1125,6 +1131,7 @@ def test_get_vm_create_spec_with_share_custom(self):
         expected.instanceUuid = self._instance.uuid
         expected.name = self._instance.uuid
         expected.deviceChange = []
+        expected.migrateEncryption = None
 
         expected.extraConfig = []
         extra_config = fake_factory.create('ns0:OptionValue')
@@ -1173,6 +1180,7 @@ def test_get_vm_create_spec_with_metadata(self):
         expected.name = self._instance.uuid
         expected.instanceUuid = self._instance.uuid
         expected.deviceChange = []
+        expected.migrateEncryption = None
         expected.numCPUs = 2
 
         expected.version = None
@@ -1216,6 +1224,7 @@ def test_get_vm_create_spec_with_firmware(self):
         expected.name = self._instance.uuid
         expected.instanceUuid = self._instance.uuid
         expected.deviceChange = []
+        expected.migrateEncryption = None
         expected.numCPUs = 2
 
         expected.version = None
@@ -2058,6 +2067,7 @@ def test_get_vm_create_spec_with_console_delay(self):
         expected.name = self._instance.uuid
         expected.instanceUuid = self._instance.uuid
         expected.deviceChange = []
+        expected.migrateEncryption = None
         expected.numCPUs = 2
 
         expected.version = None
@@ -2102,6 +2112,7 @@ def test_get_vm_create_spec_with_cores_per_socket(self):
                                             extra_specs)
         expected = fake_factory.create('ns0:VirtualMachineConfigSpec')
         expected.deviceChange = []
+        expected.migrateEncryption = None
         expected.guestId = 'otherGuest'
         expected.instanceUuid = self._instance.uuid
         expected.memoryMB = self._instance.memory_mb
@@ -2147,6 +2158,7 @@ def test_get_vm_create_spec_with_memory_allocations(self):
                                             extra_specs)
         expected = fake_factory.create('ns0:VirtualMachineConfigSpec')
         expected.deviceChange = []
+        expected.migrateEncryption = None
         expected.guestId = 'otherGuest'
         expected.instanceUuid = self._instance.uuid
         expected.memoryMB = self._instance.memory_mb

nova/tests/unit/virt/vmwareapi/test_vmops.py

@@ -1399,6 +1399,21 @@ def test_reserve_max_flavor_memory_for_memory_reserved_flavor(self):
         self.assertEqual(specs.memory_limits.reservation,
                          self._instance.flavor.memory_mb)
 
+    def _test_vmotion_encryption(self, encryption, expected=None):
+        if encryption is not None:
+            self._instance.flavor.extra_specs.update({
+                "vmware:vmotion_encryption": encryption})
+        specs = self._vmops._get_extra_specs(self._instance.flavor,
+                                             self._image_meta)
+        self.assertEqual(specs.vmotion_encryption, expected)
+
+    def test_vmotion_encryption_values(self):
+        self._test_vmotion_encryption("required", "required")
+        self._test_vmotion_encryption("opportunistic", "opportunistic")
+        self._test_vmotion_encryption("disabled", "disabled")
+        self._test_vmotion_encryption("INVALID", None)
+        self._test_vmotion_encryption(None)  # no extra_specs entry at all
+
     @mock.patch.object(vmops.VMwareVMOps, '_extend_virtual_disk')
     @mock.patch.object(vmops.VMwareVMOps, '_get_extra_specs')
     @mock.patch.object(ds_util, 'disk_move')

nova/virt/vmwareapi/vm_util.py

@@ -114,7 +114,7 @@ def __init__(self, cpu_limits=None, hw_version=None,
                  vif_limits=None, hv_enabled=None, firmware=None,
                  hw_video_ram=None, numa_prefer_ht=None,
                  numa_vcpu_max_per_virtual_node=None,
-                 migration_data_timeout=None):
+                 migration_data_timeout=None, vmotion_encryption=None):
         """ExtraSpecs object holds extra_specs for the instance."""
         self.cpu_limits = cpu_limits or Limits()
         self.memory_limits = memory_limits or Limits()
@@ -129,6 +129,7 @@ def __init__(self, cpu_limits=None, hw_version=None,
         self.numa_prefer_ht = numa_prefer_ht
         self.numa_vcpu_max_per_virtual_node = numa_vcpu_max_per_virtual_node
         self.migration_data_timeout = migration_data_timeout
+        self.vmotion_encryption = vmotion_encryption
 
 
 class HistoryCollectorItems(six.Iterator):
@@ -419,6 +420,8 @@ def get_vm_create_spec(client_factory, instance, data_store_name,
 
     config_spec.deviceChange = devices
 
+    config_spec.migrateEncryption = extra_specs.vmotion_encryption
+
     # add vm-uuid and iface-id.x values for Neutron
     extra_config = []
     opt = client_factory.create('ns0:OptionValue')
@@ -612,6 +615,8 @@ def get_vm_resize_spec(client_factory, vcpus, memory_mb, extra_specs,
 
     resize_spec.extraConfig = extra_config
 
+    resize_spec.migrateEncryption = extra_specs.vmotion_encryption
+
     if metadata:
         resize_spec.annotation = metadata
     return resize_spec

nova/virt/vmwareapi/vmops.py

@@ -476,6 +476,12 @@ def _get_extra_specs(self, flavor, image_meta=None):
             str(extra_specs.cores_per_socket)
             if utils.is_numa_aligned_flavor(flavor)
             else '')
+
+        vmotion_encryption = flavor.extra_specs.get(
+            "vmware:vmotion_encryption", "opportunistic")
+        if vmotion_encryption in ["disabled", "opportunistic", "required"]:
+            extra_specs.vmotion_encryption = vmotion_encryption
+
         return extra_specs
 
     def _get_storage_policy(self, flavor):