Volume encryption feature

api/src/main/java/com/cloud/agent/api/to/DiskTO.java

@@ -40,6 +40,7 @@ public class DiskTO {
     public static final String VMDK = "vmdk";
     public static final String EXPAND_DATASTORE = "expandDatastore";
     public static final String TEMPLATE_RESIGN = "templateResign";
+    public static final String SECRET_CONSUMER_DETAIL = "storageMigrateSecretConsumer";
 
     private DataTO data;
     private Long diskSeq;

api/src/main/java/com/cloud/agent/api/to/StorageFilerTO.java

@@ -16,6 +16,7 @@
 // under the License.
 package com.cloud.agent.api.to;
 
+import com.cloud.agent.api.LogLevel;
 import com.cloud.storage.Storage.StoragePoolType;
 import com.cloud.storage.StoragePool;
 
@@ -24,6 +25,7 @@ public class StorageFilerTO {
     String uuid;
     String host;
     String path;
+    @LogLevel(LogLevel.Log4jLevel.Off)
     String userInfo;
     int port;
     StoragePoolType type;

api/src/main/java/com/cloud/host/Host.java

@@ -53,6 +53,7 @@ public static String[] toStrings(Host.Type... types) {
         }
     }
     public static final String HOST_UEFI_ENABLE = "host.uefi.enable";
+    public static final String HOST_VOLUME_ENCRYPTION = "host.volume.encryption";
 
     /**
      * @return name of the machine.

api/src/main/java/com/cloud/offering/DiskOffering.java

@@ -149,4 +149,8 @@ public String toString() {
     boolean isComputeOnly();
 
     boolean getDiskSizeStrictness();
+
+    boolean getEncrypt();
+
+    void setEncrypt(boolean encrypt);
 }

api/src/main/java/com/cloud/storage/MigrationOptions.java

@@ -25,6 +25,7 @@ public class MigrationOptions implements Serializable {
     private String srcPoolUuid;
     private Storage.StoragePoolType srcPoolType;
     private Type type;
+    private ScopeType scopeType;
     private String srcBackingFilePath;
     private boolean copySrcTemplate;
     private String srcVolumeUuid;
@@ -37,18 +38,20 @@ public enum Type {
     public MigrationOptions() {
     }
 
-    public MigrationOptions(String srcPoolUuid, Storage.StoragePoolType srcPoolType, String srcBackingFilePath, boolean copySrcTemplate) {
+    public MigrationOptions(String srcPoolUuid, Storage.StoragePoolType srcPoolType, String srcBackingFilePath, boolean copySrcTemplate, ScopeType scopeType) {
         this.srcPoolUuid = srcPoolUuid;
         this.srcPoolType = srcPoolType;
         this.type = Type.LinkedClone;
+        this.scopeType = scopeType;
         this.srcBackingFilePath = srcBackingFilePath;
         this.copySrcTemplate = copySrcTemplate;
     }
 
-    public MigrationOptions(String srcPoolUuid, Storage.StoragePoolType srcPoolType, String srcVolumeUuid) {
+    public MigrationOptions(String srcPoolUuid, Storage.StoragePoolType srcPoolType, String srcVolumeUuid, ScopeType scopeType) {
         this.srcPoolUuid = srcPoolUuid;
         this.srcPoolType = srcPoolType;
         this.type = Type.FullClone;
+        this.scopeType = scopeType;
         this.srcVolumeUuid = srcVolumeUuid;
     }
 
@@ -60,6 +63,8 @@ public Storage.StoragePoolType getSrcPoolType() {
         return srcPoolType;
     }
 
+    public ScopeType getScopeType() { return scopeType; }
+
     public String getSrcBackingFilePath() {
         return srcBackingFilePath;
     }

api/src/main/java/com/cloud/storage/Storage.java

@@ -130,33 +130,35 @@ public static enum TemplateType {
     }
 
     public static enum StoragePoolType {
-        Filesystem(false, true), // local directory
-        NetworkFilesystem(true, true), // NFS
-        IscsiLUN(true, false), // shared LUN, with a clusterfs overlay
-        Iscsi(true, false), // for e.g., ZFS Comstar
-        ISO(false, false), // for iso image
-        LVM(false, false), // XenServer local LVM SR
-        CLVM(true, false),
-        RBD(true, true), // http://libvirt.org/storage.html#StorageBackendRBD
-        SharedMountPoint(true, false),
-        VMFS(true, true), // VMware VMFS storage
-        PreSetup(true, true), // for XenServer, Storage Pool is set up by customers.
-        EXT(false, true), // XenServer local EXT SR
-        OCFS2(true, false),
-        SMB(true, false),
-        Gluster(true, false),
-        PowerFlex(true, true), // Dell EMC PowerFlex/ScaleIO (formerly VxFlexOS)
-        ManagedNFS(true, false),
-        Linstor(true, true),
-        DatastoreCluster(true, true), // for VMware, to abstract pool of clusters
-        StorPool(true, true);
+        Filesystem(false, true, true), // local directory
+        NetworkFilesystem(true, true, true), // NFS
+        IscsiLUN(true, false, false), // shared LUN, with a clusterfs overlay
+        Iscsi(true, false, false), // for e.g., ZFS Comstar
+        ISO(false, false, false), // for iso image
+        LVM(false, false, false), // XenServer local LVM SR
+        CLVM(true, false, false),
+        RBD(true, true, false), // http://libvirt.org/storage.html#StorageBackendRBD
+        SharedMountPoint(true, false, true),
+        VMFS(true, true, false), // VMware VMFS storage
+        PreSetup(true, true, false), // for XenServer, Storage Pool is set up by customers.
+        EXT(false, true, false), // XenServer local EXT SR
+        OCFS2(true, false, false),
+        SMB(true, false, false),
+        Gluster(true, false, false),
+        PowerFlex(true, true, true), // Dell EMC PowerFlex/ScaleIO (formerly VxFlexOS)
+        ManagedNFS(true, false, false),
+        Linstor(true, true, false),
+        DatastoreCluster(true, true, false), // for VMware, to abstract pool of clusters
+        StorPool(true, true, false);
 
         private final boolean shared;
         private final boolean overprovisioning;
+        private final boolean encryption;
 
-        StoragePoolType(boolean shared, boolean overprovisioning) {
+        StoragePoolType(boolean shared, boolean overprovisioning, boolean encryption) {
             this.shared = shared;
             this.overprovisioning = overprovisioning;
+            this.encryption = encryption;
         }
 
         public boolean isShared() {
@@ -166,6 +168,8 @@ public boolean isShared() {
         public boolean supportsOverProvisioning() {
             return overprovisioning;
         }
+
+        public boolean supportsEncryption() { return encryption; }
     }
 
     public static List<StoragePoolType> getNonSharedStoragePoolTypes() {

api/src/main/java/com/cloud/storage/Volume.java

@@ -247,4 +247,12 @@ enum Event {
     String getExternalUuid();
 
     void setExternalUuid(String externalUuid);
+
+    public Long getPassphraseId();
+
+    public void setPassphraseId(Long id);
+
+    public String getEncryptFormat();
+
+    public void setEncryptFormat(String encryptFormat);
 }

api/src/main/java/com/cloud/vm/DiskProfile.java

@@ -44,6 +44,7 @@ public class DiskProfile {
     private String cacheMode;
     private Long minIops;
     private Long maxIops;
+    private boolean requiresEncryption;
 
     private HypervisorType hyperType;
 
@@ -63,6 +64,12 @@ public DiskProfile(long volumeId, Volume.Type type, String name, long diskOfferi
         this.volumeId = volumeId;
     }
 
+    public DiskProfile(long volumeId, Volume.Type type, String name, long diskOfferingId, long size, String[] tags, boolean useLocalStorage, boolean recreatable,
+            Long templateId, boolean requiresEncryption) {
+        this(volumeId, type, name, diskOfferingId, size, tags, useLocalStorage, recreatable, templateId);
+        this.requiresEncryption = requiresEncryption;
+    }
+
     public DiskProfile(Volume vol, DiskOffering offering, HypervisorType hyperType) {
         this(vol.getId(),
             vol.getVolumeType(),
@@ -75,6 +82,7 @@ public DiskProfile(Volume vol, DiskOffering offering, HypervisorType hyperType)
             null);
         this.hyperType = hyperType;
         this.provisioningType = offering.getProvisioningType();
+        this.requiresEncryption = offering.getEncrypt() || vol.getPassphraseId() != null;
     }
 
     public DiskProfile(DiskProfile dp) {
@@ -230,7 +238,6 @@ public String getCacheMode() {
         return cacheMode;
     }
 
-
     public Long getMinIops() {
         return minIops;
     }
@@ -247,4 +254,7 @@ public void setMaxIops(Long maxIops) {
         this.maxIops = maxIops;
     }
 
+    public boolean requiresEncryption() { return requiresEncryption; }
+
+    public void setEncryption(boolean encrypt) { this.requiresEncryption = encrypt; }
 }

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -109,6 +109,9 @@ public class ApiConstants {
     public static final String CUSTOM_JOB_ID = "customjobid";
     public static final String CURRENT_START_IP = "currentstartip";
     public static final String CURRENT_END_IP = "currentendip";
+    public static final String ENCRYPT = "encrypt";
+    public static final String ENCRYPT_ROOT = "encryptroot";
+    public static final String ENCRYPTION_SUPPORTED = "encryptionsupported";
     public static final String MIN_IOPS = "miniops";
     public static final String MAX_IOPS = "maxiops";
     public static final String HYPERVISOR_SNAPSHOT_RESERVE = "hypervisorsnapshotreserve";

api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CreateDiskOfferingCmd.java

@@ -163,9 +163,14 @@ public class CreateDiskOfferingCmd extends BaseCmd {
     @Parameter(name = ApiConstants.DISK_SIZE_STRICTNESS, type = CommandType.BOOLEAN, description = "To allow or disallow the resize operation on the disks created from this disk offering, if the flag is true then resize is not allowed", since = "4.17")
     private Boolean diskSizeStrictness;
 
+    @Parameter(name = ApiConstants.ENCRYPT, type = CommandType.BOOLEAN, required=false, description = "Volumes using this offering should be encrypted", since = "4.18")
+    private Boolean encrypt;
+
     @Parameter(name = ApiConstants.DETAILS, type = CommandType.MAP, description = "details to specify disk offering parameters", since = "4.16")
     private Map details;
 
+
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -202,6 +207,13 @@ public Long getMaxIops() {
         return maxIops;
     }
 
+    public boolean getEncrypt() {
+        if (encrypt == null) {
+            return false;
+        }
+        return encrypt;
+    }
+
     public List<Long> getDomainIds() {
         if (CollectionUtils.isNotEmpty(domainIds)) {
             Set<Long> set = new LinkedHashSet<>(domainIds);

api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CreateServiceOfferingCmd.java

@@ -242,6 +242,10 @@ public class CreateServiceOfferingCmd extends BaseCmd {
             since = "4.17")
     private Boolean diskOfferingStrictness;
 
+    @Parameter(name = ApiConstants.ENCRYPT_ROOT, type = CommandType.BOOLEAN, description = "VMs using this offering require root volume encryption", since="4.18")
+    private Boolean encryptRoot;
+
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -472,6 +476,13 @@ public boolean getDiskOfferingStrictness() {
         return diskOfferingStrictness == null ? false : diskOfferingStrictness;
     }
 
+    public boolean getEncryptRoot() {
+        if (encryptRoot != null) {
+            return encryptRoot;
+        }
+        return false;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////

api/src/main/java/org/apache/cloudstack/api/command/user/offering/ListDiskOfferingsCmd.java

@@ -58,6 +58,9 @@ public class ListDiskOfferingsCmd extends BaseListDomainResourcesCmd {
     @Parameter(name = ApiConstants.STORAGE_ID, type = CommandType.UUID, entityType = StoragePoolResponse.class, description = "The ID of the storage pool, tags of the storage pool are used to filter the offerings", since = "4.17")
     private Long storagePoolId;
 
+    @Parameter(name = ApiConstants.ENCRYPT, type = CommandType.BOOLEAN, description = "listed offerings support disk encryption", since = "4.18")
+    private Boolean encrypt;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -78,9 +81,9 @@ public Long getVolumeId() {
         return volumeId;
     }
 
-    public Long getStoragePoolId() {
-        return storagePoolId;
-    }
+    public Long getStoragePoolId() { return storagePoolId; }
+
+    public Boolean getEncrypt() { return encrypt; }
 
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////

api/src/main/java/org/apache/cloudstack/api/command/user/offering/ListServiceOfferingsCmd.java

@@ -83,6 +83,12 @@ public class ListServiceOfferingsCmd extends BaseListDomainResourcesCmd {
             since = "4.15")
     private Integer cpuSpeed;
 
+    @Parameter(name = ApiConstants.ENCRYPT_ROOT,
+        type = CommandType.BOOLEAN,
+        description = "listed offerings support root disk encryption",
+        since = "4.18")
+    private Boolean encryptRoot;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -123,6 +129,8 @@ public Integer getCpuSpeed() {
         return cpuSpeed;
     }
 
+    public Boolean getEncryptRoot() { return encryptRoot; }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////

api/src/main/java/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java

@@ -226,6 +226,10 @@ public void execute() {
                 throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Snapshot from volume [%s] was not found in database.", getVolumeUuid()));
             }
         } catch (Exception e) {
+            if (e.getCause() instanceof UnsupportedOperationException) {
+                throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, String.format("Failed to create snapshot due to unsupported operation: %s", e.getCause().getMessage()));
+            }
+
             String errorMessage = "Failed to create snapshot due to an internal error creating snapshot for volume " + getVolumeUuid();
             s_logger.error(errorMessage, e);
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, errorMessage);

api/src/main/java/org/apache/cloudstack/api/response/DiskOfferingResponse.java

@@ -156,10 +156,15 @@ public class DiskOfferingResponse extends BaseResponseWithAnnotations {
     @Param(description = "the vsphere storage policy tagged to the disk offering in case of VMware", since = "4.15")
     private String vsphereStoragePolicy;
 
+
     @SerializedName(ApiConstants.DISK_SIZE_STRICTNESS)
     @Param(description = "To allow or disallow the resize operation on the disks created from this disk offering, if the flag is true then resize is not allowed", since = "4.17")
     private Boolean diskSizeStrictness;
 
+    @SerializedName(ApiConstants.ENCRYPT)
+    @Param(description = "Whether disks using this offering will be encrypted on primary storage", since = "4.18")
+    private Boolean encrypt;
+
     @SerializedName(ApiConstants.DETAILS)
     @Param(description = "additional key/value details tied with this disk offering", since = "4.17")
     private Map<String, String> details;
@@ -381,6 +386,8 @@ public void setDiskSizeStrictness(Boolean diskSizeStrictness) {
         this.diskSizeStrictness = diskSizeStrictness;
     }
 
+    public void setEncrypt(Boolean encrypt) { this.encrypt = encrypt; }
+
     public void setDetails(Map<String, String> details) {
         this.details = details;
     }

api/src/main/java/org/apache/cloudstack/api/response/HostResponse.java

@@ -270,6 +270,10 @@ public class HostResponse extends BaseResponseWithAnnotations {
     @Param(description = "true if the host has capability to support UEFI boot")
     private Boolean uefiCapabilty;
 
+    @SerializedName(ApiConstants.ENCRYPTION_SUPPORTED)
+    @Param(description = "true if the host supports encryption", since = "4.18")
+    private Boolean encryptionSupported;
+
     @Override
     public String getObjectId() {
         return this.getId();
@@ -533,6 +537,13 @@ public void setDetails(Map details) {
         detailsCopy.remove("username");
         detailsCopy.remove("password");
 
+        if (detailsCopy.containsKey(Host.HOST_VOLUME_ENCRYPTION)) {
+            this.setEncryptionSupported(Boolean.parseBoolean((String) detailsCopy.get(Host.HOST_VOLUME_ENCRYPTION)));
+            detailsCopy.remove(Host.HOST_VOLUME_ENCRYPTION);
+        } else {
+            this.setEncryptionSupported(new Boolean(false)); // default
+        }
+
         this.details = detailsCopy;
     }
 
@@ -718,4 +729,8 @@ public Boolean getHaHost() {
     public void setUefiCapabilty(Boolean hostCapability) {
         this.uefiCapabilty = hostCapability;
     }
+
+    public void setEncryptionSupported(Boolean encryptionSupported) {
+        this.encryptionSupported = encryptionSupported;
+    }
 }