Volume encryption feature

Signed-off-by: Marcus Sorensen <[email protected]>

Author: Marcus Sorensen

api/src/main/java/com/cloud/agent/api/to/DiskTO.java

@@ -40,6 +40,7 @@ public class DiskTO {
     public static final String VMDK = "vmdk";
     public static final String EXPAND_DATASTORE = "expandDatastore";
     public static final String TEMPLATE_RESIGN = "templateResign";
+    public static final String SECRET_CONSUMER_DETAIL = "storageMigrateSecretConsumer";
 
     private DataTO data;
     private Long diskSeq;

api/src/main/java/com/cloud/host/Host.java

@@ -53,6 +53,7 @@ public static String[] toStrings(Host.Type... types) {
         }
     }
     public static final String HOST_UEFI_ENABLE = "host.uefi.enable";
+    public static final String HOST_VOLUME_ENCRYPTION = "host.volume.encryption";
 
     /**
      * @return name of the machine.

api/src/main/java/com/cloud/offering/DiskOffering.java

@@ -149,4 +149,8 @@ public String toString() {
     boolean isComputeOnly();
 
     boolean getDiskSizeStrictness();
+
+    boolean getEncrypt();
+
+    void setEncrypt(boolean encrypt);
 }

api/src/main/java/com/cloud/storage/Storage.java

@@ -130,32 +130,34 @@ public static enum TemplateType {
     }
 
     public static enum StoragePoolType {
-        Filesystem(false, true), // local directory
-        NetworkFilesystem(true, true), // NFS
-        IscsiLUN(true, false), // shared LUN, with a clusterfs overlay
-        Iscsi(true, false), // for e.g., ZFS Comstar
-        ISO(false, false), // for iso image
-        LVM(false, false), // XenServer local LVM SR
-        CLVM(true, false),
-        RBD(true, true), // http://libvirt.org/storage.html#StorageBackendRBD
-        SharedMountPoint(true, false),
-        VMFS(true, true), // VMware VMFS storage
-        PreSetup(true, true), // for XenServer, Storage Pool is set up by customers.
-        EXT(false, true), // XenServer local EXT SR
-        OCFS2(true, false),
-        SMB(true, false),
-        Gluster(true, false),
-        PowerFlex(true, true), // Dell EMC PowerFlex/ScaleIO (formerly VxFlexOS)
-        ManagedNFS(true, false),
-        Linstor(true, true),
-        DatastoreCluster(true, true); // for VMware, to abstract pool of clusters
+        Filesystem(false, true, true), // local directory
+        NetworkFilesystem(true, true, true), // NFS
+        IscsiLUN(true, false, false), // shared LUN, with a clusterfs overlay
+        Iscsi(true, false, false), // for e.g., ZFS Comstar
+        ISO(false, false, false), // for iso image
+        LVM(false, false, false), // XenServer local LVM SR
+        CLVM(true, false, false),
+        RBD(true, true, false), // http://libvirt.org/storage.html#StorageBackendRBD
+        SharedMountPoint(true, false, true),
+        VMFS(true, true, false), // VMware VMFS storage
+        PreSetup(true, true, false), // for XenServer, Storage Pool is set up by customers.
+        EXT(false, true, false), // XenServer local EXT SR
+        OCFS2(true, false, false),
+        SMB(true, false, false),
+        Gluster(true, false, false),
+        PowerFlex(true, true, true), // Dell EMC PowerFlex/ScaleIO (formerly VxFlexOS)
+        ManagedNFS(true, false, false),
+        Linstor(true, true, false),
+        DatastoreCluster(true, true, false); // for VMware, to abstract pool of clusters
 
         private final boolean shared;
         private final boolean overprovisioning;
+        private final boolean encryption;
 
-        StoragePoolType(boolean shared, boolean overprovisioning) {
+        StoragePoolType(boolean shared, boolean overprovisioning, boolean encryption) {
             this.shared = shared;
             this.overprovisioning = overprovisioning;
+            this.encryption = encryption;
         }
 
         public boolean isShared() {
@@ -165,6 +167,8 @@ public boolean isShared() {
         public boolean supportsOverProvisioning() {
             return overprovisioning;
         }
+
+        public boolean supportsEncryption() { return encryption; }
     }
 
     public static List<StoragePoolType> getNonSharedStoragePoolTypes() {

api/src/main/java/com/cloud/storage/Volume.java

@@ -247,4 +247,12 @@ enum Event {
     String getExternalUuid();
 
     void setExternalUuid(String externalUuid);
+
+    public Long getPassphraseId();
+
+    public void setPassphraseId(Long id);
+
+    public String getEncryptFormat();
+
+    public void setEncryptFormat(String encryptFormat);
 }

api/src/main/java/com/cloud/vm/DiskProfile.java

@@ -44,6 +44,7 @@ public class DiskProfile {
     private String cacheMode;
     private Long minIops;
     private Long maxIops;
+    private boolean requiresEncryption;
 
     private HypervisorType hyperType;
 
@@ -63,6 +64,12 @@ public DiskProfile(long volumeId, Volume.Type type, String name, long diskOfferi
         this.volumeId = volumeId;
     }
 
+    public DiskProfile(long volumeId, Volume.Type type, String name, long diskOfferingId, long size, String[] tags, boolean useLocalStorage, boolean recreatable,
+            Long templateId, boolean requiresEncryption) {
+        this(volumeId, type, name, diskOfferingId, size, tags, useLocalStorage, recreatable, templateId);
+        this.requiresEncryption = requiresEncryption;
+    }
+
     public DiskProfile(Volume vol, DiskOffering offering, HypervisorType hyperType) {
         this(vol.getId(),
             vol.getVolumeType(),
@@ -75,6 +82,7 @@ public DiskProfile(Volume vol, DiskOffering offering, HypervisorType hyperType)
             null);
         this.hyperType = hyperType;
         this.provisioningType = offering.getProvisioningType();
+        this.requiresEncryption = offering.getEncrypt() || vol.getPassphraseId() != null;
     }
 
     public DiskProfile(DiskProfile dp) {
@@ -230,7 +238,6 @@ public String getCacheMode() {
         return cacheMode;
     }
 
-
     public Long getMinIops() {
         return minIops;
     }
@@ -247,4 +254,7 @@ public void setMaxIops(Long maxIops) {
         this.maxIops = maxIops;
     }
 
+    public boolean requiresEncryption() { return requiresEncryption; }
+
+    public void setEncryption(boolean encrypt) { this.requiresEncryption = encrypt; }
 }

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -109,6 +109,9 @@ public class ApiConstants {
     public static final String CUSTOM_JOB_ID = "customjobid";
     public static final String CURRENT_START_IP = "currentstartip";
     public static final String CURRENT_END_IP = "currentendip";
+    public static final String ENCRYPT = "encrypt";
+    public static final String ENCRYPT_ROOT = "encryptroot";
+    public static final String ENCRYPTION_SUPPORTED = "encryptionsupported";
     public static final String MIN_IOPS = "miniops";
     public static final String MAX_IOPS = "maxiops";
     public static final String HYPERVISOR_SNAPSHOT_RESERVE = "hypervisorsnapshotreserve";

api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CreateDiskOfferingCmd.java

@@ -163,9 +163,14 @@ public class CreateDiskOfferingCmd extends BaseCmd {
     @Parameter(name = ApiConstants.DISK_SIZE_STRICTNESS, type = CommandType.BOOLEAN, description = "To allow or disallow the resize operation on the disks created from this disk offering, if the flag is true then resize is not allowed", since = "4.17")
     private Boolean diskSizeStrictness;
 
+    @Parameter(name = ApiConstants.ENCRYPT, type = CommandType.BOOLEAN, required=false, description = "Volumes using this offering should be encrypted", since = "4.18")
+    private Boolean encrypt;
+
     @Parameter(name = ApiConstants.DETAILS, type = CommandType.MAP, description = "details to specify disk offering parameters", since = "4.16")
     private Map details;
 
+
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -202,6 +207,13 @@ public Long getMaxIops() {
         return maxIops;
     }
 
+    public boolean getEncrypt() {
+        if (encrypt == null) {
+            return false;
+        }
+        return encrypt;
+    }
+
     public List<Long> getDomainIds() {
         if (CollectionUtils.isNotEmpty(domainIds)) {
             Set<Long> set = new LinkedHashSet<>(domainIds);

api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CreateServiceOfferingCmd.java

@@ -242,6 +242,10 @@ public class CreateServiceOfferingCmd extends BaseCmd {
             since = "4.17")
     private Boolean diskOfferingStrictness;
 
+    @Parameter(name = ApiConstants.ENCRYPT_ROOT, type = CommandType.BOOLEAN, description = "VMs using this offering require root volume encryption", since="4.18")
+    private Boolean encryptRoot;
+
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -472,6 +476,13 @@ public boolean getDiskOfferingStrictness() {
         return diskOfferingStrictness == null ? false : diskOfferingStrictness;
     }
 
+    public boolean getEncryptRoot() {
+        if (encryptRoot != null) {
+            return encryptRoot;
+        }
+        return false;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////

api/src/main/java/org/apache/cloudstack/api/command/user/offering/ListDiskOfferingsCmd.java

@@ -58,6 +58,9 @@ public class ListDiskOfferingsCmd extends BaseListDomainResourcesCmd {
     @Parameter(name = ApiConstants.STORAGE_ID, type = CommandType.UUID, entityType = StoragePoolResponse.class, description = "The ID of the storage pool, tags of the storage pool are used to filter the offerings", since = "4.17")
     private Long storagePoolId;
 
+    @Parameter(name = ApiConstants.ENCRYPT, type = CommandType.BOOLEAN, description = "listed offerings support disk encryption", since = "4.18")
+    private Boolean encrypt;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -78,9 +81,9 @@ public Long getVolumeId() {
         return volumeId;
     }
 
-    public Long getStoragePoolId() {
-        return storagePoolId;
-    }
+    public Long getStoragePoolId() { return storagePoolId; }
+
+    public Boolean getEncrypt() { return encrypt; }
 
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////