imagebackend: Add support to libvirt_info for LUKS based encryption

Related to blueprint ephemeral-encryption-libvirt Change-Id: I909c86ab722179efcb673b66f1f81121ab8b5f66
2022-01-27 15:14:41 +00:00 · 2022-01-27 15:14:41 +00:00 · 3391ac2656
parent 177c184e40
commit 3391ac2656
2 changed files with 50 additions and 0 deletions
--- a/nova/tests/unit/virt/libvirt/test_imagebackend.py
+++ b/nova/tests/unit/virt/libvirt/test_imagebackend.py
@ -27,6 +27,7 @@ import fixtures
 from oslo_concurrency import lockutils
 from oslo_config import fixture as config_fixture
 from oslo_service import loopingcall
+from oslo_utils.fixture import uuidsentinel as uuids
 from oslo_utils import imageutils
 from oslo_utils import units
 from oslo_utils import uuidutils
@ -227,6 +228,42 @@ class _ImageTestCase(object):
    def test_libvirt_info_scsi_with_unit(self, disk_unit):
        self._test_libvirt_info_scsi_with_unit(disk_unit)

+    def test_libvirt_info_with_encryption(self):
+        disk_info = {
+            'bus': 'virtio',
+            'dev': '/dev/vda',
+            'type': 'disk',
+            'encrypted': True,
+            'encryption_format': 'luks',
+            'encryption_secret_uuid': uuids.secret,
+        }
+        image = self.image_class(
+            self.INSTANCE, self.NAME, disk_info_mapping=disk_info)
+
+        if not image.SUPPORTS_LUKS:
+            classname = type(image).__name__
+            self.skipTest(
+                f"LUKS encryption is not supported with {classname}")
+
+        disk = image.libvirt_info(
+            cache_mode="none", extra_specs={}, boot_order="1")
+
+        self.assertIsInstance(disk, vconfig.LibvirtConfigGuestDisk)
+        self.assertEqual("/dev/vda", disk.target_dev)
+        self.assertEqual("virtio", disk.target_bus)
+        self.assertEqual("none", disk.driver_cache)
+        self.assertEqual("disk", disk.source_device)
+        self.assertEqual("1", disk.boot_order)
+
+        self.assertIsInstance(
+            disk.encryption, vconfig.LibvirtConfigGuestDiskEncryption)
+        self.assertIsInstance(
+            disk.encryption.secret,
+            vconfig.LibvirtConfigGuestDiskEncryptionSecret)
+        self.assertEqual("passphrase", disk.encryption.secret.type)
+        self.assertEqual(uuids.secret, disk.encryption.secret.uuid)
+        self.assertEqual("luks", disk.encryption.format)
+

 class FlatTestCase(_ImageTestCase, test.NoDBTestCase):

--- a/nova/virt/libvirt/imagebackend.py
+++ b/nova/virt/libvirt/imagebackend.py
@ -185,6 +185,19 @@ class Image(metaclass=abc.ABCMeta):
        info.source_path = self.path
        info.boot_order = boot_order

+        if (self.SUPPORTS_LUKS and
+            self.disk_info_mapping and
+            self.disk_info_mapping.get('encrypted') and
+            self.disk_info_mapping.get('encryption_format') == 'luks'
+        ):
+            encryption = vconfig.LibvirtConfigGuestDiskEncryption()
+            secret = vconfig.LibvirtConfigGuestDiskEncryptionSecret()
+            secret.type = 'passphrase'
+            secret.uuid = self.disk_info_mapping.get('encryption_secret_uuid')
+            encryption.secret = secret
+            encryption.format = self.disk_info_mapping.get('encryption_format')
+            info.encryption = encryption
+
        if disk_bus == 'scsi':
            self.disk_scsi(info, disk_unit)