XXX: cinder disk encryption works

hertrste · hertrste · commit 26b2836620c1 · 2026-04-30T08:22:53.000+02:00
Signed-off-by: Stefan Kober &lt;stefan.kober@cyberus-technology.de&gt;
On-behalf-of: SAP stefan.kober@sap.com
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -7,6 +7,13 @@
       url = "github:cachix/pre-commit-hooks.nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nova-src = {
+      url = "git+file:/home/skober/repos/nova";
+      # url = "git+ssh://git@gitlab.cyberus-technology.de/cyberus/cloud/openstack-nova.git";
+      # url = "git+https://github.com/sapcc/nova?ref=stable/2023.2-m3";
+      flake = false;
+    };
+
   };
 
   outputs =
@@ -15,13 +22,30 @@
       nixpkgs,
       flake-utils,
       pre-commit-hooks-nix,
+      nova-src,
       ...
     }:
     flake-utils.lib.eachSystem [ "x86_64-linux" ] (
       system:
       let
         pkgs = import nixpkgs { inherit system; };
         pre-commit-hooks-run = pre-commit-hooks-nix.lib.${system}.run;
+        # The PBR setup does not work on the plain source code because no
+        # package version can be determined.
+        # We add a PKG-INFO file with the missing information to make it work.
+        # We use the version info of the original Nova package from
+        # openstack-nix.
+        fixedNovaSrc = pkgs.runCommand "add-package-info" { } ''
+          mkdir -p $out
+
+          cp -r ${nova-src}/. $out
+
+          cat >$out/PKG-INFO <<EOL
+          Metadata-Version: 2.1
+          Name: nova
+          Version: 30.0.0
+          EOL
+        '';
       in
       rec {
         formatter = pkgs.nixfmt-rfc-style;
@@ -45,13 +69,21 @@
         };
 
         packages = import ./packages { inherit (pkgs) callPackage python3Packages; };
+        novaPkg = packages.nova.overrideAttrs (_: {
+          src = fixedNovaSrc;
+          doInstallCheck = false;
+        });
+
+        packages2 = packages // {
+          nova = novaPkg;
+        };
 
         checks = import ./checks { inherit pkgs pre-commit-hooks-run; };
 
         nixosModules = import ./modules { openstackPkgs = packages; };
 
         tests = import ./tests/default.nix {
-          inherit pkgs nixosModules;
+          inherit pkgs nixosModules novaPkg;
           inherit (lib) generateRootwrapConf;
         };
       }
diff --git a/modules/compute/nova.nix b/modules/compute/nova.nix
@@ -27,6 +27,7 @@ let
     compute_driver = libvirt.LibvirtDriver
     my_ip = 10.0.0.39
     transport_url = rabbit://openstack:openstack@controller
+    debug = true
 
     [api]
     auth_strategy = keystone
@@ -53,6 +54,9 @@ let
 
     [libvirt]
     virt_type = kvm
+    images_type = default
+    images_format = raw
+    force_raw_images = true
 
     [neutron]
     auth_url = http://controller:5000
@@ -201,6 +205,7 @@ in
     environment.systemPackages = with pkgs; [
       openiscsi
       nfs-utils
+      cryptsetup
     ];
 
     systemd.services.nova-compute = {
@@ -220,6 +225,7 @@ in
           lvm2
           openiscsi
           nfs-utils
+          cryptsetup
         ]
         ++ cfg.extraPkgs;
       environment.PYTHONPATH = "${nova_env}/${pkgs.python3.sitePackages}";
diff --git a/modules/controller/cinder.nix b/modules/controller/cinder.nix
@@ -17,6 +17,8 @@ let
     auth_strategy = keystone
     my_ip = controller
     verify_glance_signatures = disabled
+    image_conversion_disable = false
+    volume_format = raw
 
     [database]
     connection = mysql+pymysql://cinder:cinder@controller/cinder
@@ -31,9 +33,14 @@ let
     project_name = service
     username = cinder
     password = cinder
+    service_token_roles_required = true
+    service_token_roles = admin
 
     [oslo_concurrency]
     lock_path = /var/lib/cinder/tmp
+
+    [key_manager]
+    backend = barbican
   '';
 in
 {
@@ -94,6 +101,11 @@ in
             argument = "${cinder}/etc/cinder/api-paste.ini";
           };
         };
+        "/etc/cinder/resource_filters.json" = {
+          L = {
+            argument = "${cinder}/etc/cinder/resource_filters.json";
+          };
+        };
         "/etc/cinder/cinder.conf" = {
           L = {
             argument = "${cinderConf}";
diff --git a/modules/storage/cinder-storage-node.nix b/modules/storage/cinder-storage-node.nix
@@ -89,7 +89,9 @@ let
     rootwrap_config = ${rootwrapConf}
     glance_api_servers = http://controller:9292
     verify_glance_signatures = disabled
+    image_conversion_disable = false
     log_dir = /var/log/cinder
+    volume_format = raw
 
     [database]
     connection = mysql+pymysql://cinder:cinder@controller/cinder
@@ -104,6 +106,8 @@ let
     project_name = service
     username = cinder
     password = cinder
+    service_token_roles_required = true
+    service_token_roles = admin
 
     [oslo_concurrency]
     lock_path = /var/lib/cinder/tmp
@@ -112,6 +116,10 @@ let
     volume_driver = cinder.volume.drivers.nfs.NfsDriver
     nfs_shares_config = /etc/cinder/nfs_shares
     nfs_mount_options = vers=3
+    volume_backend_name = NFS
+    volume_format = raw
+    nfs_sparsed_volumes = false
+    nfs_qcow2_volumes = false
   '';
 
   cinderTgtConf = pkgs.writeText "cinder.conf" ''
diff --git a/packages/nova.nix b/packages/nova.nix
@@ -77,6 +77,7 @@ let
     pyyaml
     requests
     requests-mock
+    requests-unixsocket
     retrying
     rfc3986
     routes
@@ -125,6 +126,7 @@ python3Packages.buildPythonPackage (rec {
     lxml
     microversion-parse
     netaddr
+    requests-unixsocket
     netifaces
     openstacksdk
     os-brick
diff --git a/tests/default.nix b/tests/default.nix
@@ -2,10 +2,13 @@
   pkgs,
   nixosModules,
   generateRootwrapConf,
+  novaPkg,
 }:
 let
   tests = {
-    openstack-default-setup = pkgs.callPackage ./openstack-default-setup.nix { inherit nixosModules; };
+    openstack-default-setup = pkgs.callPackage ./openstack-default-setup.nix {
+      inherit nixosModules novaPkg;
+    };
     openstack-live-migration = pkgs.callPackage ./openstack-live-migration.nix {
       inherit nixosModules generateRootwrapConf;
     };
diff --git a/tests/openstack-default-setup.nix b/tests/openstack-default-setup.nix
@@ -1,6 +1,7 @@
 {
   pkgs,
   nixosModules,
+  novaPkg,
 }:
 pkgs.nixosTest {
   name = "OpenStack default setup test";
@@ -11,6 +12,12 @@ pkgs.nixosTest {
       imports = [
         nixosModules.controllerModule
         nixosModules.testModules.testController
+        (
+          { ... }:
+          {
+            config.nova.novaPackage = novaPkg;
+          }
+        )
       ];
     };
 
@@ -20,6 +27,12 @@ pkgs.nixosTest {
       imports = [
         nixosModules.computeModule
         nixosModules.testModules.testCompute
+        (
+          { ... }:
+          {
+            config.nova.novaPackage = novaPkg;
+          }
+        )
       ];
     };
 
