This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2318251 - [RFE] Set encryption via nova instance flavor
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 17.1 (Wallaby)
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Assignee: OSP DFG:Compute
QA Contact: OSP DFG:Compute
Reported: 2024-10-11 21:11 UTC by Dustin Ash
Modified: 2025-01-14 21:00 UTC (History)
Last Closed: 2025-01-14 21:00:35 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-32943 0 None None None 2024-10-11 21:12:11 UTC
Red Hat Issue Tracker OSPRH-12 0 None None None 2025-01-14 21:00:34 UTC

Description Dustin Ash 2024-10-11 21:11:59 UTC
Description of problem:
Customer is requesting the ability to set encryption via nova instance flavors.

Version-Release number of selected component (if applicable):
OpenStack 17.1.3
puppet-nova-18.6.1-17.1.20230621090443.a21eae4.el9ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create instance specifying encryption via flavor

Actual results:
Currently not possible in OpenStack. Customer has used this feature in VMware, but it appears to be available outside of OpenStack via VMware extensions.

Expected results:
Would create instance with desired encryption specified via flavor

Additional info:
Sosreport collected
Previous information provided by engineering
Volume encryption is an aspect of the Cinder volume type, not the flavor. Ephemeral storage encryption has no bearing on the Cinder type. It may be possible to set a default volume type per Keystone project, but OpenStack does not allow you to configure default volume types in flavors or images.

Currently this type of function is not available via flavor as the customer is requesting.

Comment 1 Dustin Ash 2024-10-15 12:56:05 UTC
*** Bug 2318250 has been marked as a duplicate of this bug. ***

Comment 3 melanie witt 2024-10-16 22:44:34 UTC
We discussed this during the team triage call and agree this is a reasonable request.

For context, Cinder volume encryption is requested by the volume type [1].

As Sean mentioned, you actually can do this today with images by using the 'cinder_img_volume_type' image property on the image [2]. Nova will call Cinder API and when Cinder sees 'cinder_img_volume_type' on the image, it will use it as the volume type.

While not flavors, it is possible today to request a volume type when creating a server in the Nova API [3] by specifying the 'block_device_mapping_v2' request parameter and API microversion 2.67 [4] or later. For example with OSC [5] it would look something like this:

  openstack server create --flavor FLAVOR --network NETWORK --block-device uuid=IMAGE_UUID,source_type=image,destination_type=volume,volume_size=SIZE_GB,boot_index=0,volume_type=VOLUME_TYPE SERVER_NAME

The above are mentioned FYI in case either of those methods work for you and you want to have something immediately.

For the flavor extra spec, it will take some time for development upstream and then if possible, backport it to older versions.


[1] https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html#volume-encryption
[2] https://docs.openstack.org/cinder/latest/cli/cli-manage-volumes.html#cinder-img-volume-type
[3] https://docs.openstack.org/api-ref/compute/#create-server
[4] https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#id61
[5] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/server.html#server-create
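
The Nova API request that corresponds to the OSC command in Comment 3, as an added example that is not part of the bug report or any commenter's text. The function names, the placeholder IDs and the volume type name "LUKS" are assumptions; the microversion is sent in the standard `OpenStack-API-Version` header.

```python
import json

# Per Comment 3, volume_type in block_device_mapping_v2 needs microversion 2.67 or later.
MIN_MICROVERSION = (2, 67)


def parse_microversion(text):
    """Parse "2.67" into (2, 67) so that "2.100" compares above "2.67"."""
    major, minor = text.split(".")
    return int(major), int(minor)


def build_boot_from_typed_volume(name, flavor_id, network_id, image_id,
                                 size_gb, volume_type, microversion="2.67"):
    """Return (headers, body) for POST /servers booting from a typed volume."""
    if parse_microversion(microversion) < MIN_MICROVERSION:
        raise ValueError("volume_type requires compute microversion 2.67+")
    if not volume_type:
        # Fail closed: with no volume_type, Cinder falls back to its default
        # volume type, which may not be an encrypted one.
        raise ValueError("an explicit volume_type is required")
    bdm = {
        "uuid": image_id,
        "source_type": "image",
        "destination_type": "volume",
        "volume_size": size_gb,
        "boot_index": 0,
        "volume_type": volume_type,
    }
    body = {"server": {"name": name,
                       "flavorRef": flavor_id,
                       "networks": [{"uuid": network_id}],
                       "block_device_mapping_v2": [bdm]}}
    headers = {"Content-Type": "application/json",
               "OpenStack-API-Version": f"compute {microversion}"}
    return headers, body


if __name__ == "__main__":
    # Constructed placeholders; "LUKS" is a hypothetical encrypted volume type.
    headers, body = build_boot_from_typed_volume(
        "SERVER_NAME", "FLAVOR_ID", "NETWORK_UUID", "IMAGE_UUID", 20, "LUKS")
    print(headers)
    print(json.dumps(body, indent=2))
```

After the server is created, the `encrypted` field of the resulting volume in Cinder shows whether the requested type was applied.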

