jmsperu opened a new pull request, #12898: URL: https://github.com/apache/cloudstack/pull/12898
## Summary Adds four optional, zone-scoped features to NAS backup operations on KVM, all disabled by default: - **Compression** (`-c`): Uses qcow2 internal compression (`qemu-img convert -c`) to reduce backup size - **LUKS Encryption** (`-e`): Encrypts backup files at rest using LUKS via `qemu-img convert --object secret` - **Bandwidth Throttle** (`-b`): Limits backup I/O — `virsh blockjob --bandwidth` for running VMs, `qemu-img convert -r` + `ionice` for stopped VMs - **Integrity Check** (`--verify`): Runs `qemu-img check` on each backup file after creation ### Configuration Keys (Zone scope) | Setting | Type | Default | Description | |---------|------|---------|-------------| | `nas.backup.compression.enabled` | Boolean | false | Enable qcow2 compression for backup files | | `nas.backup.encryption.enabled` | Boolean | false | Enable LUKS encryption for backup files | | `nas.backup.encryption.passphrase` | String (Secure) | "" | Passphrase for LUKS encryption | | `nas.backup.bandwidth.limit.mbps` | Integer | 0 | Bandwidth limit in MiB/s (0 = unlimited) | | `nas.backup.integrity.check` | Boolean | false | Run qemu-img check after backup | ### Architecture 1. **NASBackupProvider** reads zone-scoped ConfigKeys and populates a `details` map on `TakeBackupCommand` 2. **TakeBackupCommand** carries the details map from management server to KVM agent 3. **LibvirtTakeBackupCommandWrapper** extracts the details and translates them to `nasbackup.sh` CLI flags 4. **nasbackup.sh** implements the actual compression, encryption, throttling, and verification logic ### Files Changed - `scripts/vm/hypervisor/kvm/nasbackup.sh` — new `-c`, `-b`, `-e`, `--verify` flags with `encrypt_backup()` and `verify_backup()` functions - `core/.../TakeBackupCommand.java` — added `details` map (HashMap) with getter/setter/addDetail - `plugins/backup/nas/.../NASBackupProvider.java` — 5 new ConfigKeys, populate command details in `takeBackup()` - `plugins/hypervisors/kvm/.../LibvirtTakeBackupCommandWrapper.java` — extract details, build dynamic CLI args, temp passphrase file lifecycle ### Notes - All existing functionality (quiesce, cleanup, RBD support, stats) is preserved unchanged - Encryption passphrase is written to a temp file on the KVM host and deleted after backup completes - The passphrase ConfigKey uses the "Secure" category so it is not exposed in API responses - Combines and supersedes PRs #12844, #12846, #12848, #12845 ## Test plan - [ ] Verify backup works with all four features disabled (default) — no behavioral change - [ ] Enable `nas.backup.compression.enabled` at zone scope, take backup, verify qcow2 files are compressed - [ ] Enable `nas.backup.bandwidth.limit.mbps` (e.g. 50), take backup of running VM, verify `virsh blockjob` bandwidth is applied - [ ] Enable `nas.backup.bandwidth.limit.mbps`, take backup of stopped VM, verify `qemu-img -r` rate limit is applied - [ ] Enable `nas.backup.encryption.enabled` with passphrase, take backup, verify files are LUKS encrypted (`qemu-img info` shows encryption) - [ ] Enable `nas.backup.integrity.check`, take backup, verify `qemu-img check` runs and passes - [ ] Test with multiple features enabled simultaneously (compression + integrity check) - [ ] Verify restore still works for backups created with compression/encryption - [ ] Test with RBD storage pools — verify bandwidth throttle applies correctly -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
