libvirt: support ephemeral disk encryption

Registered by sean mooney

This spec introduces the libvirt driver implementation of the flavor- and
image-defined ephemeral encryption feature.

Blueprint information

Status:
Not started
Approver:
sean mooney
Priority:
Undefined
Drafter:
Lee Yarwood
Direction:
Approved
Assignee:
melanie witt
Definition:
Approved
Series goal:
Accepted for 2024.1
Implementation:
Deferred
Milestone target:
None

Whiteboard

[20211123 bauzas] Spec was merged yesterday https://review.opendev.org/c/openstack/nova-specs/+/810868

[20220225 bauzas] Implementation hit by FeatureFreeze, please repropose the blueprint/spec for the Zed release.

Implementation patches : https://review.opendev.org/q/topic:specs%252Fyoga%252Fapproved%252Fephemeral-encryption-libvirt

[20220614 bauzas] Spec was approved for the Zed cycle https://review.opendev.org/c/openstack/nova-specs/+/836075

[20221115 bauzas] Spec got approved for Antelope https://review.opendev.org/c/openstack/nova-specs/+/864147

Gerrit topic: https://review.opendev.org/#/q/topic:specs/yoga/approved/ephemeral-encryption-libvirt

Addressed by: https://review.opendev.org/c/openstack/nova/+/826755
    imagebackend: Add support to libvirt_info for LUKS based encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/826756
    imagebackend: Cache the key manager when disk is encrypted

Addressed by: https://review.opendev.org/c/openstack/nova/+/772273
    libvirt: Introduce support for qcow2 with LUKS

Addressed by: https://review.opendev.org/c/openstack/nova/+/826754
    libvirt: Configure and teardown ephemeral encryption secrets

Addressed by: https://review.opendev.org/c/openstack/nova/+/870932
    Support create with ephemeral encryption for qcow2

Addressed by: https://review.opendev.org/c/openstack/nova/+/870933
    Support resize with ephemeral encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/870934
    Add encryption support to convert_image

Addressed by: https://review.opendev.org/c/openstack/nova/+/870935
    Add hw_ephemeral_encryption_secret_uuid image property

Addressed by: https://review.opendev.org/c/openstack/nova/+/870936
    Add encryption support to qemu-img rebase

Addressed by: https://review.opendev.org/c/openstack/nova/+/870937
    Support snapshot with ephemeral encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/870938
    Add reset_encryption_fields() and save_all() to BlockDeviceMappingList

Addressed by: https://review.opendev.org/c/openstack/nova/+/870939
    Update driver BDMs with ephemeral encryption image properties

Addressed by: https://review.opendev.org/c/openstack/nova/+/873675
    Support rescue with ephemeral encryption

[20230307 bauzas] Deferred as implementation not merged in 2023.1

Addressed by: https://review.opendev.org/c/openstack/nova/+/862416
    DNM test ephemeral encryption + resize: qcow2, raw

Addressed by: https://review.opendev.org/c/openstack/nova/+/884312
    block_device: Add encryption attributes to swap disks

Addressed by: https://review.opendev.org/c/openstack/nova/+/884313
    WIP raw imagebackend support

[20230628 bauzas] Spec got approved for Bobcat https://review.opendev.org/c/openstack/nova-specs/+/887012

Addressed by: https://review.opendev.org/c/openstack/nova/+/889912
    WIP libvirt: Introduce support for rbd with LUKS

[20230905 bauzas] Deferred as implementation not merged in 2023.2

Addressed by: https://review.opendev.org/c/openstack/nova-specs/+/897502
    Re-propose spec for ephemeral storage encryption

[20231114 bauzas] Spec got approved again for Caracal

Addressed by: https://review.opendev.org/c/openstack/nova-specs/+/897503
    Re-propose spec for ephemeral encryption for libvirt

Addressed by: https://review.opendev.org/c/openstack/nova/+/904240
    Reject resize API requests with conflicting ephemeral encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/905512
    WIP Support migration with ephemeral encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/905515
    WIP libvirt: make <encryption> a subelement of <source>

Addressed by: https://review.opendev.org/c/openstack/nova/+/907960
    Add backing_encryption_secret_uuid to BlockDeviceMapping

Addressed by: https://review.opendev.org/c/openstack/nova/+/907961
    WIP Support encrypted backing files for qcow2

Addressed by: https://review.opendev.org/c/openstack/nova/+/909595
    Support cross cell resize with ephemeral encryption for qcow2

Addressed by: https://review.opendev.org/c/openstack/nova/+/909945
    Report ephemeral disk encryption in the metadata API

Addressed by: https://review.opendev.org/c/openstack/nova/+/909947
    Deprecate legacy ephemeral storage encryption using dm-crypt

Addressed by: https://review.opendev.org/c/openstack/nova/+/910034
    Documentation for ephemeral encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/910571
    testing: Add ephemeral encryption support to fixtures

Addressed by: https://review.opendev.org/c/openstack/nova-specs/+/907654
    Re-propose specs for ephemeral encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/912094
    Consolidate vTPM and ephemeral encryption secret creation

