Bug 2318251

Summary: [RFE] Set encryption via nova instance flavor
Product: Red Hat OpenStack Reporter: Dustin Ash <duash>
Component: openstack-novaAssignee: OSP DFG:Compute <osp-dfg-compute>
Status: CLOSED MIGRATED QA Contact: OSP DFG:Compute <osp-dfg-compute>
Severity: medium Docs Contact:
Priority: medium    
Version: 17.1 (Wallaby)CC: alifshit, dasmith, eglynn, jhakimra, kchamart, mwitt, sbauza, sgordon, smooney, vromanso
Target Milestone: ---Keywords: FeatureBackport, Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-01-14 21:00:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dustin Ash 2024-10-11 21:11:59 UTC 
Description of problem:
Customer is requesting the ability to set encryption via nova instances flavors

Version-Release number of selected component (if applicable):
OpenStack 17.1.3
puppet-nova-18.6.1-17.1.20230621090443.a21eae4.el9ost.noarch

How reproducible:
Always

Steps to Reproduce:
1.Create instance specifying encryption via flavor
2.
3.

Actual results:
Currently not possible in OpenStack. Customer has used this feature in vmware but appears to be available outside of openstack via VMware extensions

Expected results:
Would create instance with desired encryption specified via flavor

Additional info:
Sosreport collected
Previous information provided by engineering
Volume Encryption is an aspect of the cinder volume type, not via flavor. Ephemeral storage encryption has no baring on cinder type. It may be possible to set a default volume type per keystone project, but OpenStack does not allow you configure default volume types in flavors or images

Currently this type of function is not available via flavor as customer is requesting
Comment 1 Dustin Ash 2024-10-15 12:56:05 UTC 
*** Bug 2318250 has been marked as a duplicate of this bug. ***
Comment 3 melanie witt 2024-10-16 22:44:34 UTC 
We discussed this during the team triage call and agree this is a reasonable request.

For context, Cinder volume encryption is request by the volume type [1].

As Sean mentioned, you actually can do this today with images by using the 'cinder_img_volume_type' image property on the image [2]. Nova will call Cinder API and when Cinder sees 'cinder_img_volume_type' on the image, it will use it as the volume type.

While not flavors, it is possible today to request a volume type when creating a server in the Nova API [3] by specifying the 'block_device_mapping_v2' request parameter and API microversion 2.67 [4] or later. For example with OSC [5] it would look something like this:

  openstack server create --flavor FLAVOR --network NETWORK --block-device uuid=IMAGE_UUID,source_type=image,destination_type=volume,volume_size=SIZE_GB,boot_index=0,volume_type=VOLUME_TYPE SERVER_NAME

The above are mentioned FYI in case either of those methods work for you and you want to have something immediately.

For the flavor extra spec, it will take some time for development upstream and then if possible, backport it to older versions.


[1] https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html#volume-encryption
[2] https://docs.openstack.org/cinder/latest/cli/cli-manage-volumes.html#cinder-img-volume-type
[3] https://docs.openstack.org/api-ref/compute/#create-server
[4] https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#id61
[5] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/server.html#server-create