NAS backup: compression, encryption, bandwidth throttle, integrity check

[jmsperu]

Summary

Adds four optional, zone-scoped features to NAS backup operations on KVM, all disabled by default:

• Compression (-c): Uses qcow2 internal compression (qemu-img convert -c) to reduce backup size
• LUKS Encryption (-e): Encrypts backup files at rest using LUKS via qemu-img convert --object secret
• Bandwidth Throttle (-b): Limits backup I/O — virsh blockjob --bandwidth for running VMs, qemu-img convert -r + ionice for stopped VMs
• Integrity Check (--verify): Runs qemu-img check on each backup file after creation

Configuration Keys (Zone scope)

Setting	Type	Default	Description
nas.backup.compression.enabled	Boolean	false	Enable qcow2 compression for backup files
nas.backup.encryption.enabled	Boolean	false	Enable LUKS encryption for backup files
nas.backup.encryption.passphrase	String (Secure)	""	Passphrase for LUKS encryption
nas.backup.bandwidth.limit.mbps	Integer	0	Bandwidth limit in MiB/s (0 = unlimited)
nas.backup.integrity.check	Boolean	false	Run qemu-img check after backup

Architecture

1. NASBackupProvider reads zone-scoped ConfigKeys and populates a details map on TakeBackupCommand
2. TakeBackupCommand carries the details map from management server to KVM agent
3. LibvirtTakeBackupCommandWrapper extracts the details and translates them to nasbackup.sh CLI flags
4. nasbackup.sh implements the actual compression, encryption, throttling, and verification logic

Files Changed

• scripts/vm/hypervisor/kvm/nasbackup.sh — new -c, -b, -e, --verify flags with encrypt_backup() and verify_backup() functions
• core/.../TakeBackupCommand.java — added details map (HashMap) with getter/setter/addDetail
• plugins/backup/nas/.../NASBackupProvider.java — 5 new ConfigKeys, populate command details in takeBackup()
• plugins/hypervisors/kvm/.../LibvirtTakeBackupCommandWrapper.java — extract details, build dynamic CLI args, temp passphrase file lifecycle

Notes

• All existing functionality (quiesce, cleanup, RBD support, stats) is preserved unchanged
• Encryption passphrase is written to a temp file on the KVM host and deleted after backup completes
• The passphrase ConfigKey uses the "Secure" category so it is not exposed in API responses
• Combines and supersedes PRs nasbackup.sh: add optional backup compression via -c flag #12844, nasbackup.sh: add bandwidth throttle via -b flag #12846, nasbackup.sh: add LUKS encryption for backup files via -e flag #12848, nasbackup.sh: verify backup integrity with qemu-img check #12845

Test plan

• Verify backup works with all four features disabled (default) — no behavioral change
• Enable nas.backup.compression.enabled at zone scope, take backup, verify qcow2 files are compressed
• Enable nas.backup.bandwidth.limit.mbps (e.g. 50), take backup of running VM, verify virsh blockjob bandwidth is applied
• Enable nas.backup.bandwidth.limit.mbps, take backup of stopped VM, verify qemu-img -r rate limit is applied
• Enable nas.backup.encryption.enabled with passphrase, take backup, verify files are LUKS encrypted (qemu-img info shows encryption)
• Enable nas.backup.integrity.check, take backup, verify qemu-img check runs and passes
• Test with multiple features enabled simultaneously (compression + integrity check)
• Verify restore still works for backups created with compression/encryption
• Test with RBD storage pools — verify bandwidth throttle applies correctly

[codecov]

Codecov Report

❌ Patch coverage is 18.84058% with 56 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.60%. Comparing base (c1af36f) to head (2c40fdd).

Files with missing lines	Patch %	Lines
...ource/wrapper/LibvirtTakeBackupCommandWrapper.java	0.00%	36 Missing ⚠️
...rg/apache/cloudstack/backup/NASBackupProvider.java	52.17%	7 Missing and 4 partials ⚠️
...rg/apache/cloudstack/backup/TakeBackupCommand.java	10.00%	9 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.22   #12898      +/-   ##
============================================
- Coverage     17.61%   17.60%   -0.01%     
+ Complexity    15676    15671       -5     
============================================
  Files          5917     5917              
  Lines        531537   531601      +64     
  Branches      64985    64997      +12     
============================================
- Hits          93610    93602       -8     
- Misses       427369   427439      +70     
- Partials      10558    10560       +2     

Flag	Coverage Δ
uitests	3.70% <ø> (ø)
unittests	18.67% <18.84%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds optional, zone-scoped enhancements for KVM NAS backups (compression, LUKS encryption, bandwidth throttling, and post-backup integrity verification) by plumbing config from management server → TakeBackupCommand details → KVM agent wrapper → nasbackup.sh flags.

Changes:

• Add new CLI flags and implementation in nasbackup.sh for compression (-c), encryption (-e), bandwidth throttling (-b), and verification (--verify).
• Extend TakeBackupCommand with a details map to carry optional settings to the agent.
• Add zone-scoped NAS backup ConfigKeys and populate command details; update KVM wrapper to translate details into script args and manage a temporary passphrase file.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 10 comments.

File	Description
scripts/vm/hypervisor/kvm/nasbackup.sh	Implements compression/encryption/throttle/verify logic and argument parsing for NAS backup operations.
core/src/main/java/org/apache/cloudstack/backup/TakeBackupCommand.java	Adds a details map to carry optional backup feature settings from management to agent.
plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupProvider.java	Introduces zone-scoped ConfigKeys and passes enabled settings into TakeBackupCommand details.
plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtTakeBackupCommandWrapper.java	Builds dynamic nasbackup.sh command args from TakeBackupCommand details and writes an encryption passphrase temp file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

encrypt_backup calls exit 1 on missing/invalid passphrase file, which bypasses cleanup()/unmount logic and can leave the NAS mount + temp dir behind. Prefer returning a non-zero status and letting callers invoke cleanup() (or add a trap-based cleanup) so failures don’t leak mounts/directories.

[Copilot]

verify_backup exits directly on failure, which skips cleanup()/unmount in the calling backup paths and can leave the NAS store mounted and temp directories behind. Return failure to the caller and perform cleanup/unmount before exiting.

[Copilot]

If details indicates encryption is enabled but the passphrase is missing/empty, the wrapper silently skips adding -e and the backup proceeds unencrypted. This should fail the command (or at least log and return an error) to avoid reporting a successful encrypted backup when encryption was requested.

Suggested change

	}
	}
	} else {
	logger.error("Encryption requested for backup but no encryption passphrase was provided");
	return new BackupAnswer(command, false, "Encryption requested but encryption_passphrase is missing or empty");

[Copilot]

When encryption is enabled at zone scope, the code sets the encryption detail even if the passphrase is missing/empty, which will currently result in an unencrypted backup on the agent side. Since the passphrase is required, fail fast here with a clear error instead of proceeding (e.g., throw a CloudRuntimeException / mark backup failed).

Suggested change

	command.addDetail("encryption", "true");
	String passphrase = NASBackupEncryptionPassphrase.valueIn(zoneId);
	if (passphrase != null && !passphrase.isEmpty()) {
	command.addDetail("encryption_passphrase", passphrase);
	}
	String passphrase = NASBackupEncryptionPassphrase.valueIn(zoneId);
	if (passphrase == null || passphrase.trim().isEmpty()) {
	throw new CloudRuntimeException(String.format(
	"NAS backup encryption is enabled for zone %d but no encryption passphrase is configured",
	zoneId));
	}
	command.addDetail("encryption", "true");
	command.addDetail("encryption_passphrase", passphrase);

[Copilot]

The new zone-scoped feature flags are translated into TakeBackupCommand details here, but the existing NASBackupProviderTest.takeBackupSuccessfully doesn’t assert the details map contents. Add/extend unit tests to verify the correct details are added for each config (compression, bandwidth limit, integrity check, and encryption+passphrase; and that encryption without passphrase fails).

[Copilot]

details may carry sensitive values (e.g., an encryption passphrase). CloudStack’s Gson logging uses LoggingExclusionStrategy with @LogLevel to exclude fields, so leaving this unannotated can leak secrets in debug logs. Annotate details with @LogLevel(Off) (or avoid putting secrets in this map).

Suggested change

	private String mountOptions;
	private String mountOptions;
	@LogLevel(LogLevel.Log4jLevel.Off)

[Copilot]

setDetails assigns the map directly and can set it to null; later addDetail will NPE. Normalize null to an empty map inside setDetails (or remove the setter / keep details final) to make the command robust.

Suggested change

	this.details = details;
	this.details = details != null ? details : new HashMap<>();

[Copilot]

On qemu-img convert failure, this calls cleanup but then continues execution (no exit/return). If cleanup succeeds, the function proceeds to later steps with an unmounted/removed dest, which can cause confusing follow-on failures and potentially report incorrect results. Exit the script (or return 1) after cleanup here.

Suggested change

	cleanup
	cleanup
	return 1

[Copilot]

This redirects stdout to > "$logFile", which truncates /var/log/cloudstack/agent/agent.log each time a stopped-VM disk conversion runs (and for every disk). Use append (>>) or pipe through tee -a to avoid destroying the agent log.

Suggested change

	if ! ionice -c 3 qemu-img convert $([[ "$COMPRESS" == "true" ]] && echo "-c") $([[ -n "$BANDWIDTH" ]] && echo "-r" "${BANDWIDTH}M") -O qcow2 "$disk" "$output" > "$logFile" 2> >(cat >&2); then
	if ! ionice -c 3 qemu-img convert $([[ "$COMPRESS" == "true" ]] && echo "-c") $([[ -n "$BANDWIDTH" ]] && echo "-r" "${BANDWIDTH}M") -O qcow2 "$disk" "$output" >> "$logFile" 2> >(cat >&2); then

[Copilot]

The temp passphrase file can be left behind if an exception is thrown after createTempFile succeeds (e.g., FileWriter fails) because the catch returns without deleting it. Also consider setting strict permissions (0600) and using an explicit charset (UTF-8) when writing the passphrase.