OpenStack Compute (nova)

libvirt: support ephemeral disk encryption

Registered by sean mooney on 2021-04-01

This spec introduces the libvirt driver implementation of the flavour and
image defined ephemeral encryption feature

Read the full specification

Blueprint information

Status:: Not started

Approver:: sean mooney

Priority:: Undefined

Drafter:: Lee Yarwood

Direction:: Approved

Assignee:: melanie witt

Definition:: Approved

Series goal:: Accepted for bobcat

Implementation:: Deferred

Milestone target:: None

Related branches

Related bugs

Sprints

Whiteboard

[20211123 bauzas] Spec was merged yesterday https://review.opendev.org/c/openstack/nova-specs/+/810868

[20220225 bauzas] Implementation hit by FeatureFreeze, please repropose the blueprint/spec for the Zed release.

Implementation patches : https://review.opendev.org/q/topic:specs%252Fyoga%252Fapproved%252Fephemeral-encryption-libvirt

[20220614 bauzas] Spec was approved for the Zed cycle https://review.opendev.org/c/openstack/nova-specs/+/836075

[20221115 bauzas] Spec got approved for Antelope https://review.opendev.org/c/openstack/nova-specs/+/864147

Gerrit topic: https://review.opendev.org/#/q/topic:specs/yoga/approved/ephemeral-encryption-libvirt

Addressed by: https://review.opendev.org/c/openstack/nova/+/826755
imagebackend: Add support to libvirt_info for LUKS based encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/826756
imagebackend: Cache the key manager when disk is encrypted

Addressed by: https://review.opendev.org/c/openstack/nova/+/772273
libvirt: Introduce support for qcow2 with LUKS

Addressed by: https://review.opendev.org/c/openstack/nova/+/826754
libvirt: Configure and teardown ephemeral encryption secrets

Addressed by: https://review.opendev.org/c/openstack/nova/+/870932
Support create with ephemeral encryption for qcow2

Addressed by: https://review.opendev.org/c/openstack/nova/+/870933
Support resize with ephemeral encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/870934
Add encryption support to convert_image

Addressed by: https://review.opendev.org/c/openstack/nova/+/870935
Add hw_ephemeral_encryption_secret_uuid image property

Addressed by: https://review.opendev.org/c/openstack/nova/+/870936
Add encryption support to qemu-img rebase

Addressed by: https://review.opendev.org/c/openstack/nova/+/870937
Support snapshot with ephemeral encryption

Addressed by: https://review.opendev.org/c/openstack/nova/+/870938
Add reset_encryption_fields() and save_all() to BlockDeviceMappingList

Addressed by: https://review.opendev.org/c/openstack/nova/+/870939
Update driver BDMs with ephemeral encryption image properties

Addressed by: https://review.opendev.org/c/openstack/nova/+/873675
Support rescue with ephemeral encryption

[20230307 bauzas] Deferred as implementation not merged in 2023.1

Addressed by: https://review.opendev.org/c/openstack/nova/+/862416
DNM test ephemeral encryption + resize: qcow2, raw

Addressed by: https://review.opendev.org/c/openstack/nova/+/884312
block_device: Add encryption attributes to swap disks

Addressed by: https://review.opendev.org/c/openstack/nova/+/884313
WIP raw imagebackend support

[20230628 bauzas] Spec got approved for Bobcat https://review.opendev.org/c/openstack/nova-specs/+/887012

Addressed by: https://review.opendev.org/c/openstack/nova/+/889912
WIP libvirt: Introduce support for rbd with LUKS

[20230905 bauzas] Deferred as implementation not merged in 2023.2

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information

Everyone can see this information.

Subscribers

No subscribers.