kiranchavala opened a new issue, #13188: URL: https://github.com/apache/cloudstack/issues/13188
### problem

Don't allow vmsnapshot and volume snapshot operation on a vm which has encrypted volumes attached

### versions

ACS 4.22

### The steps to reproduce the bug

1. Have a CloudStack kvm host which supports volume encryption

<img width="1038" height="491" alt="Image" src="https://github.com/user-attachments/assets/a741ea9c-9805-426d-aa15-6e3a9634c917" />

2. Create a compute offering and disk offering which has encryption enabled

<img width="796" height="512" alt="Image" src="https://github.com/user-attachments/assets/9525262e-6804-4147-ae7d-590fc986f261" />

<img width="643" height="430" alt="Image" src="https://github.com/user-attachments/assets/4ef6eca7-2832-4e00-89ec-c46aa8bc822d" />

3. Launch a vm with encrypted compute offering and data disk offering

> vm launched successfully

4. Take a vm snapshot of the vm

<img width="639" height="496" alt="Image" src="https://github.com/user-attachments/assets/2468028f-6ace-40ad-8f1e-54e43c11035a" />

<img width="1158" height="338" alt="Image" src="https://github.com/user-attachments/assets/030362cb-087c-4cf6-a5ce-549b9c1df00b" />

5. Stop the vm

6. Start the vm

> Exception

<img width="702" height="280" alt="Image" src="https://github.com/user-attachments/assets/e958c73a-829b-4458-9a2f-470280b31323" />

```
2026-05-19 08:12:53,372 WARN [resource.wrapper.LibvirtStartCommandWrapper] (AgentRequest-Handler-2:[]) (logid:757a3937) LibvirtException
org.libvirt.LibvirtException: internal error: Unexpected enum value 0 for virStorageEncryptionEngine
    at org.libvirt.ErrorHandler.processError(Unknown Source)
    at org.libvirt.ErrorHandler.processError(Unknown Source)
    at org.libvirt.Connect.domainCreateXML(Unknown Source)
    at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.startVM(LibvirtComputingResource.java:2241)
    at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.startVM(LibvirtComputingResource.java:2210)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtStartCommandWrapper.execute(LibvirtStartCommandWrapper.java:91)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtStartCommandWrapper.execute(LibvirtStartCommandWrapper.java:52)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
    at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:2280)
    at com.cloud.agent.Agent.processRequest(Agent.java:813)
    at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1295)
    at com.cloud.utils.nio.Task.call(Task.java:83)
    at com.cloud.utils.nio.Task.call(Task.java:29)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:840)
```

7. Try to destroy/expunge the vm

>> Exception

<img width="702" height="280" alt="Image" src="https://github.com/user-attachments/assets/219dd624-6295-4308-9d21-711ac325226a" />

```
2026-05-19 08:15:08,143 DEBUG [c.c.a.t.Request] (AgentManager-Handler-8:[]) (logid:) Seq 1-6388356071425053772: Processing: { Ans: , MgmtId: 32988351955983, via: 1, Ver: v1, Flags: 10, [{"com.cloud.agent.api.Answer":{"result":"false","details":"Exception: org.apache.cloudstack.utils.qemu.QemuImgException
Message: qemu-img: Could not open '/mnt/c2498341-cfff-3eee-86df-fff0fcae419d/7b84527f-6513-4138-a477-6187b880af77': Could not open backing file: Parameter 'encrypt.key-secret' is required for cipher
Stack: org.apache.cloudstack.utils.qemu.QemuImgException: qemu-img: Could not open '/mnt/c2498341-cfff-3eee-86df-fff0fcae419d/7b84527f-6513-4138-a477-6187b880af77': Could not open backing file: Parameter 'encrypt.key-secret' is required for cipher
    at org.apache.cloudstack.utils.qemu.QemuImg.commit(QemuImg.java:871)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.mergeDiskOnlySnapshotsForStoppedVM(LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.java:86)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.execute(LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.java:62)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.execute(LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.java:51)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
    at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:2280)
    at com.cloud.agent.Agent.processRequest(Agent.java:813)
    at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1295)
    at com.cloud.utils.nio.Task.call(Task.java:83)
    at com.cloud.utils.nio.Task.call(Task.java:29)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:840)

2026-05-19 08:15:08,180 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-56:[ctx-5f20d751, job-219]) (logid:c1458150) Unexpected exception while executing org.apache.cloudstack.api.command.admin.vm.DestroyVMCmdByAdmin
com.cloud.utils.exception.CloudRuntimeException: Failed to destroy vm with specified vmId
    at com.cloud.vm.UserVmManagerImpl.destroyVm(UserVmManagerImpl.java:5999)
    at com.cloud.vm.UserVmManagerImpl.destroyVm(UserVmManagerImpl.java:3545)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:569)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java
```

Currently, we disallow the following operations on encrypted volumes, and provide an exception message when the user tries to perform the following operation

<img width="940" height="375" alt="Image" src="https://github.com/user-attachments/assets/ebc0bb38-d47c-4a2e-80c1-0a8b936a9123" />

<img width="491" height="233" alt="Image" src="https://github.com/user-attachments/assets/50e29f7b-8f3b-49d9-afbb-847e8ffc6271" />

```
2026-05-19 08:23:10,479 ERROR [c.c.a.ApiServer] (qtp253011924-26:[ctx-fda2c601, ctx-8fb1e3bd]) (logid:5c23248f) unhandled exception executing api command: [Ljava.lang.String;@5a733241
java.lang.UnsupportedOperationException: Cannot create new volumes from encrypted volume snapshots
```

<img width="1581" height="344" alt="Image" src="https://github.com/user-attachments/assets/17dc973c-0ff9-4d9a-a64f-19a2edfd1492" />

Try to revert volume snapshot which was created from an encrypted volume when the vm is in stopped state

Exception

<img width="434" height="893" alt="Image" src="https://github.com/user-attachments/assets/786f8835-a630-434f-9e4b-246b0fac016a" />

logs

```
2026-05-19 08:35:01,120 DEBUG [o.a.c.s.s.SnapshotServiceImpl] (API-Job-Executor-69:[ctx-f8fad827, job-251, ctx-c5c1b411]) (logid:d410fd2d) revert snapshot failedcom.cloud.utils.exception.CloudRuntimeException: Unable to revert volume [volumeTO {"dataStore":"PrimaryDataStoreTO {\"id\":2,\"name\":\"ref-trl-11676-k-Mol8-kiran-chavala-kvm-pri2\",\"poolType\":\"NetworkFilesystem\",\"uuid\":\"100681f3-60a3-33de-a7d7-2f203d2e299e\"}","id":28,"name":"ROOT-20","path":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf","uuid":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf"}] to snapshot [SnapshotTO[datastore=NfsTO {"_role":"Image","_url":"NFS:\/\/10.0.32.4\/acs\/secondary\/ref-trl-11676-k-Mol8-kiran-chavala\/ref-trl-11676-k-Mol8-kiran-chavala-sec1","nfsVersion":null,"uuid":null}|volume=volumeTO {"dataStore":"PrimaryDataStoreTO {\"id\":2,\"name\":\"ref-trl-11676-k-Mol8-kiran-chavala-kvm-pri2\",\"poolType\":\"NetworkFilesystem\",\"uuid\":\"100681f3-60a3-33de-a7d7-2f203d2e299e\"}","id":28,"name":"ROOT-20","path":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf","uuid":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf"}|pathsnapshots/2/28/0c96fbe0-0149-4eef-b8c3-a34b8e99028d]] due to [qemu-img: Could not open 'driver=qcow2,file.filename=/mnt/f179ad17-99de-3f02-81ae-88f4dd0c11d7/snapshots/2/28/0c96fbe0-0149-4eef-b8c3-a34b8e99028d': Parameter 'encrypt.key-secret' is required for cipher].
2026-05-19 08:35:01,130 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-69:[ctx-f8fad827, job-251]) (logid:d410fd2d) Unexpected exception while executing org.apache.cloudstack.api.command.user.snapshot.RevertSnapshotCmd
com.cloud.utils.exception.CloudRuntimeException: com.cloud.utils.exception.CloudRuntimeException: Unable to revert volume [volumeTO {"dataStore":"PrimaryDataStoreTO {\"id\":2,\"name\":\"ref-trl-11676-k-Mol8-kiran-chavala-kvm-pri2\",\"poolType\":\"NetworkFilesystem\",\"uuid\":\"100681f3-60a3-33de-a7d7-2f203d2e299e\"}","id":28,"name":"ROOT-20","path":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf","uuid":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf"}] to snapshot [SnapshotTO[datastore=NfsTO {"_role":"Image","_url":"NFS:\/\/10.0.32.4\/acs\/secondary\/ref-trl-11676-k-Mol8-kiran-chavala\/ref-trl-11676-k-Mol8-kiran-chavala-sec1","nfsVersion":null,"uuid":null}|volume=volumeTO {"dataStore":"PrimaryDataStoreTO {\"id\":2,\"name\":\"ref-trl-11676-k-Mol8-kiran-chavala-kvm-pri2\",\"poolType\":\"NetworkFilesystem\",\"uuid\":\"100681f3-60a3-33de-a7d7-2f203d2e299e\"}","id":28,"name":"ROOT-20","path":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf","uuid":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf"}|pathsnapshots/2/28/0c96fbe0-0149-4eef-b8c3-a34b8e99028d]] due to [qemu-img: Could not open 'driver=qcow2,file.filename=/mnt/f179ad17-99de-3f02-81ae-88f4dd0c11d7/snapshots/2/28/0c96fbe0-0149-4eef-b8c3-a34b8e99028d': Parameter 'encrypt.key-secret' is required for cipher].
    at org.apache.cloudstack.storage.snapshot.SnapshotServiceImpl.revertSnapshot(SnapshotServiceImpl.java:699)
    at org.apache.cloudstack.storage.snapshot.DefaultSnapshotStrategy.revertSnapshot(DefaultSnapshotStrategy.java:519)
    at com.cloud.storage.snapshot.SnapshotManagerImpl.revertSnapshot(SnapshotManagerImpl.java:405)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
```

Try to revert volume snapshot which was created from an encrypted volume when the vm is in stopped state

Exception

<img width="477" height="137" alt="Image" src="https://github.com/user-attachments/assets/0a41a036-b585-4a23-bc5e-dcd1106bb29c" />

### What to do about it?

Don't allow volume and vm snapshot operation on encrypted volumes
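An added example, not part of the original issue or of CloudStack's code: a small log triage that picks the two failure signatures quoted in the logs above out of agent and management-server log lines and lists the image files qemu-img could not open without `encrypt.key-secret`. The function names, sample lines, paths and logids are constructed for illustration.

```python
import re
from collections import defaultdict

# Failure signatures copied from the log excerpts in this issue.
SIGNATURES = {
    "start_failed_encryption_engine": re.compile(
        r"Unexpected enum value \d+ for virStorageEncryptionEngine"),
    "qemu_img_missing_key_secret": re.compile(
        r"qemu-img: Could not open '(?P<target>[^']+)':"
        r".*?Parameter 'encrypt\.key-secret' is required for cipher"),
}
LOGID = re.compile(r"\(logid:(?P<logid>[0-9a-f]*)\)")
# qemu-img names the image either as a plain path or as "driver=...,file.filename=PATH".
FILENAME = re.compile(r"(?:^|,)file\.filename=(?P<path>[^,]+)")

def image_path(target):
    m = FILENAME.search(target)
    return m.group("path") if m else target

def triage(lines):
    """Map each signature name to a list of (logid, image path or None)."""
    hits = defaultdict(list)
    for line in lines:
        found = LOGID.search(line)
        logid = found.group("logid") if found else ""
        for name, rx in SIGNATURES.items():
            m = rx.search(line)
            if m:
                target = m.groupdict().get("target")
                hits[name].append((logid, image_path(target) if target else None))
    return dict(hits)

def affected_images(hits):
    """Distinct image files qemu-img refused to open without encrypt.key-secret."""
    return sorted({p for _, p in hits.get("qemu_img_missing_key_secret", []) if p})

# Constructed sample lines modelled on the excerpts above; paths and logids are placeholders.
SAMPLE = [
    "2026-01-01 00:00:01,000 WARN [resource.wrapper.LibvirtStartCommandWrapper] (logid:aaaa1111) "
    "org.libvirt.LibvirtException: internal error: Unexpected enum value 0 for virStorageEncryptionEngine",
    "2026-01-01 00:00:02,000 DEBUG [c.c.a.t.Request] (logid:) Message: qemu-img: Could not open "
    "'/mnt/POOL-A/VOLUME-1': Could not open backing file: Parameter 'encrypt.key-secret' is required for cipher",
    "2026-01-01 00:00:03,000 DEBUG [o.a.c.s.s.SnapshotServiceImpl] (logid:bbbb2222) due to [qemu-img: Could not "
    "open 'driver=qcow2,file.filename=/mnt/POOL-B/snapshots/2/28/SNAPSHOT-1': "
    "Parameter 'encrypt.key-secret' is required for cipher].",
    "2026-01-01 00:00:04,000 INFO [c.c.v.UserVmManagerImpl] (logid:cccc3333) unrelated line",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
    print("images:", affected_images(triage(SAMPLE)))
```
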
