Linstor: encryption support (apache#10126)

This introduces a new encryption mode, instead of a simple bool.
Now also storage driver can just provide encrypted volumes to CloudStack.

Author: rp-

api/src/main/java/com/cloud/storage/Storage.java

@@ -129,34 +129,51 @@ public static enum TemplateType {
         ISODISK /* Template corresponding to a iso (non root disk) present in an OVA */
     }
 
+    public enum EncryptionSupport {
+        /**
+         * Encryption not supported.
+         */
+        Unsupported,
+        /**
+         * Will use hypervisor encryption driver (qemu -> luks)
+         */
+        Hypervisor,
+        /**
+         * Storage pool handles encryption and just provides an encrypted volume
+         */
+        Storage
+    }
+
     public static enum StoragePoolType {
-        Filesystem(false, true), // local directory
-        NetworkFilesystem(true, true), // NFS
-        IscsiLUN(true, false), // shared LUN, with a clusterfs overlay
-        Iscsi(true, false), // for e.g., ZFS Comstar
-        ISO(false, false), // for iso image
-        LVM(false, false), // XenServer local LVM SR
-        CLVM(true, false),
-        RBD(true, true), // http://libvirt.org/storage.html#StorageBackendRBD
-        SharedMountPoint(true, false),
-        VMFS(true, true), // VMware VMFS storage
-        PreSetup(true, true), // for XenServer, Storage Pool is set up by customers.
-        EXT(false, true), // XenServer local EXT SR
-        OCFS2(true, false),
-        SMB(true, false),
-        Gluster(true, false),
-        PowerFlex(true, true), // Dell EMC PowerFlex/ScaleIO (formerly VxFlexOS)
-        ManagedNFS(true, false),
-        Linstor(true, true),
-        DatastoreCluster(true, true), // for VMware, to abstract pool of clusters
-        StorPool(true, true);
+        Filesystem(false, true, EncryptionSupport.Hypervisor), // local directory
+        NetworkFilesystem(true, true, EncryptionSupport.Hypervisor), // NFS
+        IscsiLUN(true, false, EncryptionSupport.Unsupported), // shared LUN, with a clusterfs overlay
+        Iscsi(true, false, EncryptionSupport.Unsupported), // for e.g., ZFS Comstar
+        ISO(false, false, EncryptionSupport.Unsupported), // for iso image
+        LVM(false, false, EncryptionSupport.Unsupported), // XenServer local LVM SR
+        CLVM(true, false, EncryptionSupport.Unsupported),
+        RBD(true, true, EncryptionSupport.Unsupported), // http://libvirt.org/storage.html#StorageBackendRBD
+        SharedMountPoint(true, false, EncryptionSupport.Hypervisor),
+        VMFS(true, true, EncryptionSupport.Unsupported), // VMware VMFS storage
+        PreSetup(true, true, EncryptionSupport.Unsupported), // for XenServer, Storage Pool is set up by customers.
+        EXT(false, true, EncryptionSupport.Unsupported), // XenServer local EXT SR
+        OCFS2(true, false, EncryptionSupport.Unsupported),
+        SMB(true, false, EncryptionSupport.Unsupported),
+        Gluster(true, false, EncryptionSupport.Unsupported),
+        PowerFlex(true, true, EncryptionSupport.Hypervisor), // Dell EMC PowerFlex/ScaleIO (formerly VxFlexOS)
+        ManagedNFS(true, false, EncryptionSupport.Unsupported),
+        Linstor(true, true, EncryptionSupport.Storage),
+        DatastoreCluster(true, true, EncryptionSupport.Unsupported), // for VMware, to abstract pool of clusters
+        StorPool(true, true, EncryptionSupport.Unsupported);
 
         private final boolean shared;
         private final boolean overprovisioning;
+        private final EncryptionSupport encryption;
 
-        StoragePoolType(boolean shared, boolean overprovisioning) {
+        StoragePoolType(boolean shared, boolean overprovisioning, EncryptionSupport encryption) {
             this.shared = shared;
             this.overprovisioning = overprovisioning;
+            this.encryption = encryption;
         }
 
         public boolean isShared() {
@@ -166,6 +183,14 @@ public boolean isShared() {
         public boolean supportsOverProvisioning() {
             return overprovisioning;
         }
+
+        public boolean supportsEncryption() {
+            return encryption == EncryptionSupport.Hypervisor || encryption == EncryptionSupport.Storage;
+        }
+
+        public EncryptionSupport encryptionSupportMode() {
+            return encryption;
+        }
     }
 
     public static List<StoragePoolType> getNonSharedStoragePoolTypes() {

plugins/storage/volume/linstor/CHANGELOG.md

@@ -11,6 +11,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Volume snapshots on zfs used the wrong dataset path to hide/unhide snapdev
 
+## [2024-12-19]
+
+### Added
+- Native CloudStack encryption support
+
 ## [2024-12-13]
 
 ### Fixed

plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LinstorBackupSnapshotCommandWrapper.java

@@ -96,18 +96,23 @@ private String convertImageToQCow2(
         // NOTE: the qemu img will also contain the drbd metadata at the end
         final QemuImg qemu = new QemuImg(waitMilliSeconds);
         qemu.convert(srcFile, dstFile);
-        s_logger.info("Backup snapshot " + srcFile + " to " + dstPath);
+        s_logger.info(String.format("Backup snapshot '%s' to '%s'", srcPath, dstPath));
         return dstPath;
     }
 
     private SnapshotObjectTO setCorrectSnapshotSize(final SnapshotObjectTO dst, final String dstPath) {
         final File snapFile = new File(dstPath);
-        final long size = snapFile.exists() ? snapFile.length() : 0;
+        long size;
+        if (snapFile.exists()) {
+            size = snapFile.length();
+        } else {
+            s_logger.warn(String.format("Snapshot file %s does not exist. Reporting size 0", dstPath));
+            size = 0;
+        }
 
-        final SnapshotObjectTO snapshot = new SnapshotObjectTO();
-        snapshot.setPath(dst.getPath() + File.separator + dst.getName());
-        snapshot.setPhysicalSize(size);
-        return snapshot;
+        dst.setPath(dst.getPath() + File.separator + dst.getName());
+        dst.setPhysicalSize(size);
+        return dst;
     }
 
     @Override
@@ -157,6 +162,7 @@ public CopyCmdAnswer execute(LinstorBackupSnapshotCommand cmd, LibvirtComputingR
             s_logger.info("Backup shrunk " + dstPath + " to actual size " + src.getVolume().getSize());
 
             SnapshotObjectTO snapshot = setCorrectSnapshotSize(dst, dstPath);
+            s_logger.info(String.format("Actual file size for '%s' is %d", dstPath, snapshot.getPhysicalSize()));
             return new CopyCmdAnswer(snapshot);
         } catch (final Exception e) {
             final String error = String.format("Failed to backup snapshot with id [%s] with a pool %s, due to %s",

plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStorageAdaptor.java

@@ -407,7 +407,7 @@ private boolean tryDisconnectLinstor(String volumePath, KVMStoragePool pool)
                 if (rsc.getFlags() != null &&
                         rsc.getFlags().contains(ApiConsts.FLAG_DRBD_DISKLESS) &&
                         !rsc.getFlags().contains(ApiConsts.FLAG_TIE_BREAKER)) {
-                    ApiCallRcList delAnswers = api.resourceDelete(rsc.getName(), localNodeName);
+                    ApiCallRcList delAnswers = api.resourceDelete(rsc.getName(), localNodeName, true);
                     logLinstorAnswers(delAnswers);
                 }
             } catch (ApiException apiEx) {

plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImpl.java

@@ -21,11 +21,14 @@
 import com.linbit.linstor.api.DevelopersApi;
 import com.linbit.linstor.api.model.ApiCallRc;
 import com.linbit.linstor.api.model.ApiCallRcList;
+import com.linbit.linstor.api.model.AutoSelectFilter;
+import com.linbit.linstor.api.model.LayerType;
 import com.linbit.linstor.api.model.Properties;
 import com.linbit.linstor.api.model.ResourceDefinition;
 import com.linbit.linstor.api.model.ResourceDefinitionCloneRequest;
 import com.linbit.linstor.api.model.ResourceDefinitionCloneStarted;
 import com.linbit.linstor.api.model.ResourceDefinitionCreate;
+import com.linbit.linstor.api.model.ResourceGroup;
 import com.linbit.linstor.api.model.ResourceGroupSpawn;
 import com.linbit.linstor.api.model.ResourceMakeAvailable;
 import com.linbit.linstor.api.model.Snapshot;
@@ -34,6 +37,7 @@
 import com.linbit.linstor.api.model.VolumeDefinitionModify;
 
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 import javax.inject.Inject;
 
 import java.util.Arrays;
@@ -42,6 +46,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 import com.cloud.agent.api.Answer;
 import com.cloud.agent.api.storage.ResizeVolumeAnswer;
@@ -101,8 +106,11 @@
 import org.apache.cloudstack.storage.to.SnapshotObjectTO;
 import org.apache.cloudstack.storage.to.VolumeObjectTO;
 import org.apache.cloudstack.storage.volume.VolumeObject;
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.log4j.Logger;
 
+import java.nio.charset.StandardCharsets;
+
 public class LinstorPrimaryDataStoreDriverImpl implements PrimaryDataStoreDriver {
     private static final Logger s_logger = Logger.getLogger(LinstorPrimaryDataStoreDriverImpl.class);
     @Inject private PrimaryDataStoreDao _storagePoolDao;
@@ -391,11 +399,56 @@ private String getRscGrp(StoragePoolVO storagePoolVO) {
             storagePoolVO.getUserInfo() : "DfltRscGrp";
     }
 
+    /**
+     * Returns the layerlist of the resourceGroup with encryption(LUKS) added above STORAGE.
+     * If the resourceGroup layer list already contains LUKS this layer list will be returned.
+     * @param api Linstor developers API
+     * @param resourceGroup Resource group to get the encryption layer list
+     * @return layer list with LUKS added
+     */
+    public List<LayerType> getEncryptedLayerList(DevelopersApi api, String resourceGroup) {
+        try {
+            List<ResourceGroup> rscGrps = api.resourceGroupList(
+                    Collections.singletonList(resourceGroup), Collections.emptyList(), null, null);
+
+            if (CollectionUtils.isEmpty(rscGrps)) {
+                throw new CloudRuntimeException(
+                        String.format("Resource Group %s not found on Linstor cluster.", resourceGroup));
+            }
+
+            final ResourceGroup rscGrp = rscGrps.get(0);
+            List<LayerType> layers = Arrays.asList(LayerType.DRBD, LayerType.LUKS, LayerType.STORAGE);
+            List<String> curLayerStack = rscGrp.getSelectFilter() != null ?
+                    rscGrp.getSelectFilter().getLayerStack() : Collections.emptyList();
+            if (CollectionUtils.isNotEmpty(curLayerStack)) {
+                layers = curLayerStack.stream().map(LayerType::valueOf).collect(Collectors.toList());
+                if (!layers.contains(LayerType.LUKS)) {
+                    layers.add(layers.size() - 1, LayerType.LUKS); // lowest layer is STORAGE
+                }
+            }
+            return layers;
+        } catch (ApiException e) {
+            throw new CloudRuntimeException(
+                    String.format("Resource Group %s not found on Linstor cluster.", resourceGroup));
+        }
+    }
+
     private String createResourceBase(
-        String rscName, long sizeInBytes, String volName, String vmName, DevelopersApi api, String rscGrp) {
+            String rscName, long sizeInBytes, String volName, String vmName,
+            @Nullable Long passPhraseId, @Nullable byte[] passPhrase, DevelopersApi api, String rscGrp) {
         ResourceGroupSpawn rscGrpSpawn = new ResourceGroupSpawn();
         rscGrpSpawn.setResourceDefinitionName(rscName);
         rscGrpSpawn.addVolumeSizesItem(sizeInBytes / 1024);
+        if (passPhraseId != null) {
+            AutoSelectFilter asf = new AutoSelectFilter();
+            List<LayerType> luksLayers = getEncryptedLayerList(api, rscGrp);
+            asf.setLayerStack(luksLayers.stream().map(LayerType::toString).collect(Collectors.toList()));
+            rscGrpSpawn.setSelectFilter(asf);
+            if (passPhrase != null) {
+                String utf8Passphrase = new String(passPhrase, StandardCharsets.UTF_8);
+                rscGrpSpawn.setVolumePassphrases(Collections.singletonList(utf8Passphrase));
+            }
+        }
 
         try
         {
@@ -420,7 +473,8 @@ private String createResource(VolumeInfo vol, StoragePoolVO storagePoolVO) {
 
         final String rscName = LinstorUtil.RSC_PREFIX + vol.getUuid();
         String deviceName = createResourceBase(
-            rscName, vol.getSize(), vol.getName(), vol.getAttachedVmName(), linstorApi, rscGrp);
+            rscName, vol.getSize(), vol.getName(), vol.getAttachedVmName(), vol.getPassphraseId(), vol.getPassphrase(),
+                linstorApi, rscGrp);
 
         try
         {
@@ -461,6 +515,14 @@ private String cloneResource(long csCloneId, VolumeInfo volumeInfo, StoragePoolV
                 s_logger.info("Clone resource definition " + cloneRes + " to " + rscName);
                 ResourceDefinitionCloneRequest cloneRequest = new ResourceDefinitionCloneRequest();
                 cloneRequest.setName(rscName);
+                if (volumeInfo.getPassphraseId() != null) {
+                    List<LayerType> encryptionLayer = getEncryptedLayerList(linstorApi, getRscGrp(storagePoolVO));
+                    cloneRequest.setLayerList(encryptionLayer);
+                    if (volumeInfo.getPassphrase() != null) {
+                        String utf8Passphrase = new String(volumeInfo.getPassphrase(), StandardCharsets.UTF_8);
+                        cloneRequest.setVolumePassphrases(Collections.singletonList(utf8Passphrase));
+                    }
+                }
                 ResourceDefinitionCloneStarted cloneStarted = linstorApi.resourceDefinitionClone(
                     cloneRes, cloneRequest);
 
@@ -913,6 +975,8 @@ private Answer copyTemplate(DataObject srcData, DataObject dstData) {
             tInfo.getSize(),
             tInfo.getName(),
             "",
+            null,
+            null,
             api,
             getRscGrp(pool));
 

plugins/storage/volume/linstor/src/test/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImplTest.java

@@ -0,0 +1,87 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.storage.datastore.driver;
+
+import com.linbit.linstor.api.ApiException;
+import com.linbit.linstor.api.DevelopersApi;
+import com.linbit.linstor.api.model.AutoSelectFilter;
+import com.linbit.linstor.api.model.LayerType;
+import com.linbit.linstor.api.model.ResourceGroup;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class LinstorPrimaryDataStoreDriverImplTest {
+
+    private DevelopersApi api;
+
+    @InjectMocks
+    private LinstorPrimaryDataStoreDriverImpl linstorPrimaryDataStoreDriver;
+
+    @Before
+    public void setUp() {
+        api = mock(DevelopersApi.class);
+    }
+
+    @Test
+    public void testGetEncryptedLayerList() throws ApiException  {
+        ResourceGroup dfltRscGrp = new ResourceGroup();
+        dfltRscGrp.setName("DfltRscGrp");
+
+        ResourceGroup bCacheRscGrp = new ResourceGroup();
+        bCacheRscGrp.setName("BcacheGrp");
+        AutoSelectFilter asf = new AutoSelectFilter();
+        asf.setLayerStack(Arrays.asList(LayerType.DRBD.name(), LayerType.BCACHE.name(), LayerType.STORAGE.name()));
+        asf.setStoragePool("nvmePool");
+        bCacheRscGrp.setSelectFilter(asf);
+
+        ResourceGroup encryptedGrp = new ResourceGroup();
+        encryptedGrp.setName("EncryptedGrp");
+        AutoSelectFilter asf2 = new AutoSelectFilter();
+        asf2.setLayerStack(Arrays.asList(LayerType.DRBD.name(), LayerType.LUKS.name(), LayerType.STORAGE.name()));
+        asf2.setStoragePool("ssdPool");
+        encryptedGrp.setSelectFilter(asf2);
+
+        when(api.resourceGroupList(Collections.singletonList("DfltRscGrp"), Collections.emptyList(), null, null))
+                .thenReturn(Collections.singletonList(dfltRscGrp));
+        when(api.resourceGroupList(Collections.singletonList("BcacheGrp"), Collections.emptyList(), null, null))
+                .thenReturn(Collections.singletonList(bCacheRscGrp));
+        when(api.resourceGroupList(Collections.singletonList("EncryptedGrp"), Collections.emptyList(), null, null))
+                .thenReturn(Collections.singletonList(encryptedGrp));
+
+        List<LayerType> layers = linstorPrimaryDataStoreDriver.getEncryptedLayerList(api, "DfltRscGrp");
+        Assert.assertEquals(Arrays.asList(LayerType.DRBD, LayerType.LUKS, LayerType.STORAGE), layers);
+
+        layers = linstorPrimaryDataStoreDriver.getEncryptedLayerList(api, "BcacheGrp");
+        Assert.assertEquals(Arrays.asList(LayerType.DRBD, LayerType.BCACHE, LayerType.LUKS, LayerType.STORAGE), layers);
+
+        layers = linstorPrimaryDataStoreDriver.getEncryptedLayerList(api, "EncryptedGrp");
+        Assert.assertEquals(Arrays.asList(LayerType.DRBD, LayerType.LUKS, LayerType.STORAGE), layers);
+    }
+}