From 3391ac2656d794ebadd83540d0b4fd353f369d4a Mon Sep 17 00:00:00 2001
From: Lee Yarwood
Date: Thu, 27 Jan 2022 15:14:41 +0000
Subject: [PATCH] imagebackend: Add support to libvirt_info for LUKS based encryption

Related to blueprint ephemeral-encryption-libvirt

Change-Id: I909c86ab722179efcb673b66f1f81121ab8b5f66
---
 .../unit/virt/libvirt/test_imagebackend.py | 37 +++++++++++++++++++
 nova/virt/libvirt/imagebackend.py | 13 +++++++
 2 files changed, 50 insertions(+)

diff --git a/nova/tests/unit/virt/libvirt/test_imagebackend.py b/nova/tests/unit/virt/libvirt/test_imagebackend.py
index 0dc1009c920a..2da6a349b93b 100644
--- a/nova/tests/unit/virt/libvirt/test_imagebackend.py
+++ b/nova/tests/unit/virt/libvirt/test_imagebackend.py
@@ -27,6 +27,7 @@ import fixtures
 from oslo_concurrency import lockutils
 from oslo_config import fixture as config_fixture
 from oslo_service import loopingcall
+from oslo_utils.fixture import uuidsentinel as uuids
 from oslo_utils import imageutils
 from oslo_utils import units
 from oslo_utils import uuidutils
@@ -227,6 +228,42 @@ class _ImageTestCase(object):
 def test_libvirt_info_scsi_with_unit(self, disk_unit):
 self._test_libvirt_info_scsi_with_unit(disk_unit)
+ def test_libvirt_info_with_encryption(self):
+ disk_info = {
+ 'bus': 'virtio',
+ 'dev': '/dev/vda',
+ 'type': 'disk',
+ 'encrypted': True,
+ 'encryption_format': 'luks',
+ 'encryption_secret_uuid': uuids.secret,
+ }
+ image = self.image_class(
+ self.INSTANCE, self.NAME, disk_info_mapping=disk_info)
+
+ if not image.SUPPORTS_LUKS:
+ classname = type(image).__name__
+ self.skipTest(
+ f"LUKS encryption is not supported with {classname}")
+
+ disk = image.libvirt_info(
+ cache_mode="none", extra_specs={}, boot_order="1")
+
+ self.assertIsInstance(disk, vconfig.LibvirtConfigGuestDisk)
+ self.assertEqual("/dev/vda", disk.target_dev)
+ self.assertEqual("virtio", disk.target_bus)
+ self.assertEqual("none", disk.driver_cache)
+ self.assertEqual("disk", disk.source_device)
+ self.assertEqual("1", disk.boot_order)
+
+ self.assertIsInstance(
+ disk.encryption, vconfig.LibvirtConfigGuestDiskEncryption)
+ self.assertIsInstance(
+ disk.encryption.secret,
+ vconfig.LibvirtConfigGuestDiskEncryptionSecret)
+ self.assertEqual("passphrase", disk.encryption.secret.type)
+ self.assertEqual(uuids.secret, disk.encryption.secret.uuid)
+ self.assertEqual("luks", disk.encryption.format)
+
 class FlatTestCase(_ImageTestCase, test.NoDBTestCase):
diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py
index 0a64ef43dd2a..d46dd05e1da0 100644
--- a/nova/virt/libvirt/imagebackend.py
+++ b/nova/virt/libvirt/imagebackend.py
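Review bot: `test_libvirt_info_with_encryption` in test_imagebackend.py pins only the successful path: for backends where `SUPPORTS_LUKS` is false it calls `self.skipTest(...)`, so no test states what `libvirt_info` returns when the mapping says `encrypted` and the backend cannot honour it. A companion case that asserts the intended outcome there (no `encryption` element, or an error), plus one for a mapping without `encryption_secret_uuid`, would fix the contract for the security-relevant negative paths.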
@@ -185,6 +185,19 @@ class Image(metaclass=abc.ABCMeta):
 info.source_path = self.path
 info.boot_order = boot_order
+ if (self.SUPPORTS_LUKS and
+ self.disk_info_mapping and
+ self.disk_info_mapping.get('encrypted') and
+ self.disk_info_mapping.get('encryption_format') == 'luks'
+ ):
+ encryption = vconfig.LibvirtConfigGuestDiskEncryption()
+ secret = vconfig.LibvirtConfigGuestDiskEncryptionSecret()
+ secret.type = 'passphrase'
+ secret.uuid = self.disk_info_mapping.get('encryption_secret_uuid')
+ encryption.secret = secret
+ encryption.format = self.disk_info_mapping.get('encryption_format')
+ info.encryption = encryption
+
 if disk_bus == 'scsi':
 self.disk_scsi(info, disk_unit)
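Review bot: The added `if` has no `else`, so when `disk_info_mapping` sets `encrypted` but `SUPPORTS_LUKS` is false or `encryption_format` is not `'luks'`, the disk config is returned without an `encryption` element and nothing is raised or logged. Unless a caller outside this hunk already rejects that combination, a branch such as `elif self.disk_info_mapping and self.disk_info_mapping.get('encrypted'):` that raises would stop an encryption request from being dropped silently. `secret.uuid` is also taken from `.get('encryption_secret_uuid')` and can be `None`, so it is worth checking before the secret element is built. The enclosing method starts and ends outside the hunk.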