feat(storage): local primary LUKS qcow2 creation only

Keep KVM LUKS agent params on InstantiateVolumeMsg / InstantiateVolumeOnPrimaryStorageMsg
(VolumeLuksAgentSpec), premium pre-instantiate DEK path, and LocalStorageKvmBackend wiring.
Shared MergeSnapshotCmd encrypt fields removed; helper script commit-push-three-repos.sh at repo root.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: zhong.zhou

commit-push-three-repos.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+# Run from zstack repo root. For each repo: git add -A, then amend HEAD when index non-empty
+# (git commit --amend), then git push --force-with-lease origin <current-branch>.
+#
+# Repositories:
+#   1) zstack (directory containing this script)
+#   2) ../zstack-utility (sibling directory)
+#   3) ./premium (nested repo)
+#
+# Usage:
+#   ./commit-push-three-repos.sh [--dry-run]               # amend --no-edit (keep message)
+#   ./commit-push-three-repos.sh [--dry-run] "new subject" # amend -m "..."
+#   COMMIT_MSG="msg" ./commit-push-three-repos.sh [--dry-run]
+#
+set -euo pipefail
+
+ZSTACK_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+DRY_RUN=0
+COMMIT_MSG="${COMMIT_MSG:-}"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -n|--dry-run)
+      DRY_RUN=1
+      shift
+      ;;
+    -h|--help)
+      sed -n '2,16p' "$0"
+      exit 0
+      ;;
+    *)
+      if [[ -z "${COMMIT_MSG}" ]]; then
+        COMMIT_MSG="$1"
+      else
+        COMMIT_MSG+=" $1"
+      fi
+      shift
+      ;;
+  esac
+done
+
+UTILITY_ROOT=""
+if [[ -d "${ZSTACK_ROOT}/../zstack-utility" ]]; then
+  UTILITY_ROOT="$(cd "${ZSTACK_ROOT}/../zstack-utility" && pwd)"
+fi
+PREMIUM_ROOT="${ZSTACK_ROOT}/premium"
+
+is_git_repo() {
+  local d="$1"
+  [[ -d "${d}/.git" || -f "${d}/.git" ]]
+}
+
+commit_and_push() {
+  local name="$1"
+  local dir="$2"
+
+  if [[ ! -d "${dir}" ]]; then
+    echo "skip ${name}: directory missing (${dir})"
+    return 0
+  fi
+
+  if ! is_git_repo "${dir}"; then
+    echo "skip ${name}: not a git repo (${dir})"
+    return 0
+  fi
+
+  echo "=== ${name}: ${dir} ==="
+
+  local branch
+  branch="$(git -C "${dir}" rev-parse --abbrev-ref HEAD)"
+
+  if [[ "${DRY_RUN}" -eq 1 ]]; then
+    echo "[dry-run] git -C ${dir} add -A"
+    if [[ -n "${COMMIT_MSG}" ]]; then
+      echo "[dry-run] git -C ${dir} commit --amend -m \"${COMMIT_MSG}\"   # only if index non-empty"
+    else
+      echo "[dry-run] git -C ${dir} commit --amend --no-edit   # only if index non-empty"
+    fi
+    echo "[dry-run] git -C ${dir} push --force-with-lease origin ${branch}"
+    echo
+    return 0
+  fi
+
+  git -C "${dir}" add -A
+
+  if git -C "${dir}" diff --cached --quiet; then
+    echo "nothing staged after add -A; skip amend"
+  else
+    if [[ -n "${COMMIT_MSG}" ]]; then
+      git -C "${dir}" commit --amend -m "${COMMIT_MSG}"
+    else
+      git -C "${dir}" commit --amend --no-edit
+    fi
+  fi
+
+  git -C "${dir}" push --force-with-lease origin "${branch}"
+  echo "pushed origin/${branch}"
+  echo
+}
+
+commit_and_push "zstack" "${ZSTACK_ROOT}"
+
+if [[ -n "${UTILITY_ROOT}" ]]; then
+  commit_and_push "zstack-utility" "${UTILITY_ROOT}"
+else
+  echo "skip zstack-utility: ../zstack-utility not found"
+fi
+
+commit_and_push "premium" "${PREMIUM_ROOT}"
+
+echo "done."

header/src/main/java/org/zstack/header/storage/primary/InstantiateVolumeOnPrimaryStorageMsg.java

@@ -4,13 +4,15 @@
 import org.zstack.header.message.NeedReplyMessage;
 import org.zstack.header.message.ReplayableMessage;
 import org.zstack.header.volume.VolumeInventory;
+import org.zstack.header.volume.VolumeLuksAgentSpec;
 
 public class InstantiateVolumeOnPrimaryStorageMsg extends NeedReplyMessage implements PrimaryStorageMessage, ReplayableMessage {
     private HostInventory destHost;
     private VolumeInventory volume;
     private String primaryStorageUuid;
     private boolean skipIfExisting;
     private String allocatedInstallUrl;
+    private VolumeLuksAgentSpec volumeLuksAgentSpec;
 
     public String getAllocatedInstallUrl() {
         return allocatedInstallUrl;
@@ -53,6 +55,14 @@ public void setSkipIfExisting(boolean skipIfExisting) {
         this.skipIfExisting = skipIfExisting;
     }
 
+    public VolumeLuksAgentSpec getVolumeLuksAgentSpec() {
+        return volumeLuksAgentSpec;
+    }
+
+    public void setVolumeLuksAgentSpec(VolumeLuksAgentSpec volumeLuksAgentSpec) {
+        this.volumeLuksAgentSpec = volumeLuksAgentSpec;
+    }
+
     @Override
     public String getResourceUuid() {
         return volume.getUuid();

header/src/main/java/org/zstack/header/volume/InstantiateVolumeMsg.java

@@ -12,6 +12,8 @@ public class InstantiateVolumeMsg extends NeedReplyMessage implements VolumeMess
     private boolean primaryStorageAllocated;
     private boolean skipIfExisting;
     private String allocatedInstallUrl;
+    /** Present only for this instantiate RPC chain; not stored as system tags */
+    private VolumeLuksAgentSpec volumeLuksAgentSpec;
 
     public String getAllocatedInstallUrl() {
         return allocatedInstallUrl;
@@ -61,4 +63,12 @@ public boolean isSkipIfExisting() {
     public void setSkipIfExisting(boolean skipIfExisting) {
         this.skipIfExisting = skipIfExisting;
     }
+
+    public VolumeLuksAgentSpec getVolumeLuksAgentSpec() {
+        return volumeLuksAgentSpec;
+    }
+
+    public void setVolumeLuksAgentSpec(VolumeLuksAgentSpec volumeLuksAgentSpec) {
+        this.volumeLuksAgentSpec = volumeLuksAgentSpec;
+    }
 }

header/src/main/java/org/zstack/header/volume/VolumeLuksAgentSpec.java

@@ -0,0 +1,44 @@
+package org.zstack.header.volume;
+
+import java.io.Serializable;
+
+/**
+ * QEMU qcow2 LUKS parameters passed with volume instantiation messages to kvmagent (not persisted as system tags).
+ */
+public class VolumeLuksAgentSpec implements Serializable {
+    private static final long serialVersionUID = 1L;
+
+    private String encryptSecretUuid;
+    private String encryptPassphraseBase64;
+    /** e.g. {@code luks}; defaults via {@link #getEncryptFormat()} when unset */
+    private String encryptFormat;
+
+    public boolean isComplete() {
+        return encryptSecretUuid != null && !encryptSecretUuid.isEmpty()
+                && encryptPassphraseBase64 != null && !encryptPassphraseBase64.isEmpty();
+    }
+
+    public String getEncryptSecretUuid() {
+        return encryptSecretUuid;
+    }
+
+    public void setEncryptSecretUuid(String encryptSecretUuid) {
+        this.encryptSecretUuid = encryptSecretUuid;
+    }
+
+    public String getEncryptPassphraseBase64() {
+        return encryptPassphraseBase64;
+    }
+
+    public void setEncryptPassphraseBase64(String encryptPassphraseBase64) {
+        this.encryptPassphraseBase64 = encryptPassphraseBase64;
+    }
+
+    public String getEncryptFormat() {
+        return encryptFormat != null && !encryptFormat.isEmpty() ? encryptFormat : "luks";
+    }
+
+    public void setEncryptFormat(String encryptFormat) {
+        this.encryptFormat = encryptFormat;
+    }
+}

plugin/localstorage/src/main/java/org/zstack/storage/primary/local/LocalStorageFactory.java

@@ -1079,6 +1079,7 @@ public void instantiateDataVolumeOnCreation(InstantiateVolumeMsg msg, VolumeInve
 
         imsg.setVolume(volume);
         imsg.setPrimaryStorageUuid(msg.getPrimaryStorageUuid());
+        imsg.setVolumeLuksAgentSpec(msg.getVolumeLuksAgentSpec());
         imsg.setDestHost(HostInventory.valueOf(dbf.findByUuid(hostUuid, HostVO.class)));
         bus.makeTargetServiceIdByResourceUuid(imsg, PrimaryStorageConstant.SERVICE_ID, msg.getPrimaryStorageUuid());
         bus.send(imsg, new CloudBusCallBack(completion) {

plugin/localstorage/src/main/java/org/zstack/storage/primary/local/LocalStorageHypervisorBackend.java

@@ -108,9 +108,8 @@ public LocalStorageHypervisorBackend(PrimaryStorageVO self) {
 
     abstract void deleteBits(String path, String hostUuid, Completion completion);
 
-    abstract void createEmptyVolume(VolumeInventory volume, String hostUuid, ReturnValueCompletion<VolumeStats> completion);
-
-    abstract void createEmptyVolumeWithBackingFile(VolumeInventory volume, String hostUuid, String backingFile, ReturnValueCompletion<VolumeStats> completion);
+    abstract void createEmptyVolume(VolumeInventory volume, String hostUuid, String backingFile,
+            VolumeLuksAgentSpec volumeLuksAgentSpec, ReturnValueCompletion<VolumeStats> completion);
 
     abstract void checkHostAttachedPSMountPath(String hostUuid, ReturnValueCompletion<LocalStorageKvmBackend.CheckInitializedFileRsp> completion);
 

plugin/localstorage/src/main/java/org/zstack/storage/primary/local/LocalStorageKvmBackend.java

@@ -205,6 +205,9 @@ public static class CreateEmptyVolumeCmd extends AgentCommand {
         private String volumeUuid;
         private String backingFile;
         private String volumeFormat;
+        private String encryptFormat;
+        private String encryptPassphraseBase64;
+        private String encryptSecretUuid;
 
         public String getBackingFile() {
             return backingFile;
@@ -222,6 +225,30 @@ public void setVolumeFormat(String volumeFormat) {
             this.volumeFormat = volumeFormat;
         }
 
+        public String getEncryptFormat() {
+            return encryptFormat;
+        }
+
+        public void setEncryptFormat(String encryptFormat) {
+            this.encryptFormat = encryptFormat;
+        }
+
+        public String getEncryptPassphraseBase64() {
+            return encryptPassphraseBase64;
+        }
+
+        public void setEncryptPassphraseBase64(String encryptPassphraseBase64) {
+            this.encryptPassphraseBase64 = encryptPassphraseBase64;
+        }
+
+        public String getEncryptSecretUuid() {
+            return encryptSecretUuid;
+        }
+
+        public void setEncryptSecretUuid(String encryptSecretUuid) {
+            this.encryptSecretUuid = encryptSecretUuid;
+        }
+
         public String getInstallUrl() {
             return installUrl;
         }
@@ -317,6 +344,34 @@ public long getVirtualSize() {
         public void setVirtualSize(long virtualSize) {
             this.virtualSize = virtualSize;
         }
+
+        private String encryptFormat;
+        private String encryptPassphraseBase64;
+        private String encryptSecretUuid;
+
+        public String getEncryptFormat() {
+            return encryptFormat;
+        }
+
+        public void setEncryptFormat(String encryptFormat) {
+            this.encryptFormat = encryptFormat;
+        }
+
+        public String getEncryptPassphraseBase64() {
+            return encryptPassphraseBase64;
+        }
+
+        public void setEncryptPassphraseBase64(String encryptPassphraseBase64) {
+            this.encryptPassphraseBase64 = encryptPassphraseBase64;
+        }
+
+        public String getEncryptSecretUuid() {
+            return encryptSecretUuid;
+        }
+
+        public void setEncryptSecretUuid(String encryptSecretUuid) {
+            this.encryptSecretUuid = encryptSecretUuid;
+        }
     }
 
     public static class CreateVolumeFromCacheRsp extends AgentResponse {
@@ -329,6 +384,9 @@ public static class CreateVolumeWithBackingCmd extends AgentCommand {
         public String installPath;
         public String volumeUuid;
         public long virtualSize;
+        public String encryptFormat;
+        public String encryptPassphraseBase64;
+        public String encryptSecretUuid;
     }
 
     public static class CreateVolumeWithBackingRsp extends AgentResponse {
@@ -1309,7 +1367,7 @@ private void createTemporaryEmptyVolume(InstantiateTemporaryVolumeOnPrimaryStora
     }
 
     private void createEmptyVolume(InstantiateVolumeOnPrimaryStorageMsg msg, ReturnValueCompletion<InstantiateVolumeOnPrimaryStorageReply> completion) {
-        createEmptyVolume(msg.getVolume(), msg.getDestHost().getUuid(), new ReturnValueCompletion<VolumeStats>(completion) {
+        createEmptyVolume(msg.getVolume(), msg.getDestHost().getUuid(), null, msg.getVolumeLuksAgentSpec(), new ReturnValueCompletion<VolumeStats>(completion) {
             @Override
             public void success(VolumeStats returnValue) {
                 InstantiateVolumeOnPrimaryStorageReply r = new InstantiateVolumeOnPrimaryStorageReply();
@@ -1332,11 +1390,27 @@ public void fail(ErrorCode errorCode) {
         });
     }
 
-    public void createEmptyVolume(final VolumeInventory volume, final String hostUuid, final ReturnValueCompletion<VolumeStats> completion) {
-        createEmptyVolumeWithBackingFile(volume, hostUuid, null, completion);
+    private static void applyVolumeLuksAgentSpec(CreateEmptyVolumeCmd cmd, VolumeLuksAgentSpec spec) {
+        if (spec == null || !spec.isComplete()) {
+            return;
+        }
+        cmd.setEncryptFormat(spec.getEncryptFormat());
+        cmd.setEncryptPassphraseBase64(spec.getEncryptPassphraseBase64());
+        cmd.setEncryptSecretUuid(spec.getEncryptSecretUuid());
+    }
+
+    private static void applyVolumeLuksAgentSpec(CreateVolumeFromCacheCmd cmd, VolumeLuksAgentSpec spec) {
+        if (spec == null || !spec.isComplete()) {
+            return;
+        }
+        cmd.setEncryptFormat(spec.getEncryptFormat());
+        cmd.setEncryptPassphraseBase64(spec.getEncryptPassphraseBase64());
+        cmd.setEncryptSecretUuid(spec.getEncryptSecretUuid());
     }
 
-    public void createEmptyVolumeWithBackingFile(final VolumeInventory volume, final String hostUuid, final String backingFile, final ReturnValueCompletion<VolumeStats> completion) {
+    @Override
+    public void createEmptyVolume(final VolumeInventory volume, final String hostUuid, final String backingFile,
+                                  final VolumeLuksAgentSpec volumeLuksAgentSpec, final ReturnValueCompletion<VolumeStats> completion) {
         final CreateEmptyVolumeCmd cmd = new CreateEmptyVolumeCmd();
         cmd.setAccountUuid(acntMgr.getOwnerAccountUuidOfResource(volume.getUuid()));
         if (volume.getInstallPath() != null && !volume.getInstallPath().equals("")) {
@@ -1359,6 +1433,8 @@ public void createEmptyVolumeWithBackingFile(final VolumeInventory volume, final
         cmd.setVolumeUuid(volume.getUuid());
         cmd.setBackingFile(backingFile);
 
+        applyVolumeLuksAgentSpec(cmd, volumeLuksAgentSpec);
+
         httpCall(CREATE_EMPTY_VOLUME_PATH, hostUuid, cmd, CreateEmptyVolumeRsp.class, new ReturnValueCompletion<CreateEmptyVolumeRsp>(completion) {
             @Override
             public void success(CreateEmptyVolumeRsp returnValue) {
@@ -1707,7 +1783,7 @@ private void createRootVolume(final InstantiateRootVolumeFromTemplateOnPrimarySt
         final ImageInventory image = ispec.getInventory();
 
         if (!ImageMediaType.RootVolumeTemplate.toString().equals(image.getMediaType())) {
-            createEmptyVolume(msg.getVolume(), msg.getDestHost().getUuid(), new ReturnValueCompletion<VolumeStats>(completion) {
+            createEmptyVolume(msg.getVolume(), msg.getDestHost().getUuid(), null, msg.getVolumeLuksAgentSpec(), new ReturnValueCompletion<VolumeStats>(completion) {
                 @Override
                 public void success(VolumeStats returnValue) {
                     InstantiateVolumeOnPrimaryStorageReply r = new InstantiateVolumeOnPrimaryStorageReply();
@@ -1778,6 +1854,8 @@ public void run(final FlowTrigger trigger, Map data) {
                             cmd.setVirtualSize(volume.getSize());
                         }
 
+                        applyVolumeLuksAgentSpec(cmd, msg.getVolumeLuksAgentSpec());
+
                         httpCall(CREATE_VOLUME_FROM_CACHE_PATH, hostUuid, cmd, CreateVolumeFromCacheRsp.class, new ReturnValueCompletion<CreateVolumeFromCacheRsp>(trigger) {
                             @Override
                             public void success(CreateVolumeFromCacheRsp returnValue) {
@@ -2359,7 +2437,7 @@ public void run(MessageReply reply) {
 
     @Override
     void handle(LocalStorageCreateEmptyVolumeMsg msg, final ReturnValueCompletion<LocalStorageCreateEmptyVolumeReply> completion) {
-        createEmptyVolumeWithBackingFile(msg.getVolume(), msg.getHostUuid(), msg.getBackingFile(), new ReturnValueCompletion<VolumeStats>(completion) {
+        createEmptyVolume(msg.getVolume(), msg.getHostUuid(), msg.getBackingFile(), null, new ReturnValueCompletion<VolumeStats>(completion) {
             @Override
             public void success(VolumeStats returnValue) {
                 LocalStorageCreateEmptyVolumeReply reply = new LocalStorageCreateEmptyVolumeReply();