Merge "hardware: Fix image_meta.id within get_mem_encryption_constraint"

nova/tests/unit/virt/test_hardware.py

@@ -5503,6 +5503,16 @@ class MemEncryptionRequestedWithInvalidMachineTypeTestCase(
                                                    enc_image_prop,
                                                    image_props, error_data)
 
+    def _test_encrypted_memory_support_pc_image_id(self, image_meta,
+                                                       error_data):
+        extra_specs = {'hw:mem_encryption': True}
+        flavor = objects.Flavor(name=self.flavor_name,
+                                extra_specs=extra_specs)
+        exc = self.assertRaises(self.expected_exception,
+                                    hw.get_mem_encryption_constraint,
+                                    flavor, image_meta)
+        self.assertEqual(self.expected_error % error_data, str(exc))
+
     def test_flavor_requires_encrypted_memory_support_pc(self):
         for extra_spec in ('1', 'true', 'True'):
             self._test_encrypted_memory_support_pc(extra_spec, None)
@@ -5517,6 +5527,31 @@ class MemEncryptionRequestedWithInvalidMachineTypeTestCase(
                 self._test_encrypted_memory_support_pc(
                     extra_spec, image_prop)
 
+    def test_encrypted_memory_support_pc_no_image_id(self):
+        image_props = {'hw_mem_encryption': True,
+                       'hw_firmware_type': 'uefi',
+                       'hw_machine_type': 'pc'}
+        image_meta = fake_image_obj(
+            {'name': self.image_name}, {}, image_props)
+        error_data = {'image_id': '<no-id>',
+                      'image_name': self.image_name,
+                      'mtype': 'pc'}
+        self._test_encrypted_memory_support_pc_image_id(image_meta,
+                                                        error_data)
+
+    def test_encrypted_memory_support_pc_has_image_id(self):
+        image_props = {'hw_mem_encryption': True,
+                       'hw_firmware_type': 'uefi',
+                       'hw_machine_type': 'pc'}
+        image_meta = fake_image_obj(
+            {'id': self.image_id, 'name': self.image_name},
+            {}, image_props)
+        error_data = {'image_id': self.image_id,
+                      'image_name': self.image_name,
+                      'mtype': 'pc'}
+        self._test_encrypted_memory_support_pc_image_id(image_meta,
+                                                        error_data)
+
 
 class MemEncryptionRequiredTestCase(test.NoDBTestCase):
     flavor_name = "m1.faketiny"
@@ -5593,6 +5628,34 @@ class MemEncryptionRequiredTestCase(test.NoDBTestCase):
                           hw.get_mem_encryption_constraint, flavor,
                           image_meta)
 
+    @mock.patch.object(hw, 'LOG')
+    def test_encrypted_memory_support_no_id_for_volume(self, mock_log):
+        extra_specs = {'hw:mem_encryption': True}
+        flavor = objects.Flavor(name=self.flavor_name,
+                                extra_specs=extra_specs)
+
+        image_props = {'hw_mem_encryption': True,
+                       'hw_firmware_type': 'uefi'}
+        image_meta = objects.ImageMeta.from_dict({
+            'min_disk': 0,
+            'min_ram': 0,
+            'properties': image_props,
+            'size': 0,
+            'status': 'active'})
+
+        self.assertTrue(hw.get_mem_encryption_constraint(flavor,
+                                                         image_meta))
+
+        requesters = "hw:mem_encryption extra spec in %s flavor and " \
+                     "hw_mem_encryption property of image %s" % \
+                      (self.flavor_name, '<no-id>')
+        # Confirm that it can handle the situation that there is
+        # no image_id when booting from volume. We set it to
+        # '<no-id>' that we can detect later.
+        mock_log.debug.assert_has_calls([
+            mock.call("Memory encryption requested by %s", requesters)
+        ])
+
 
 class PCINUMAAffinityPolicyTest(test.NoDBTestCase):
 

nova/virt/hardware.py

@@ -1205,13 +1205,18 @@ def get_mem_encryption_constraint(
     # If we get this far, either the extra spec or image property explicitly
     # specified a requirement regarding memory encryption, and if both did,
     # they are asking for the same thing.
+    # NOTE(jie, sean): When creating a volume booted instance with memory
+    # encryption enabled, image_meta has no id key. See bug #2041511.
+    # So we check whether id exists. If there is no value, we set it
+    # to a sentinel value we can detect later. i.e. '<no-id>'.
     requesters = []
     if flavor_mem_enc:
         requesters.append("hw:mem_encryption extra spec in %s flavor" %
                           flavor.name)
     if image_mem_enc:
+        image_id = (image_meta.id if 'id' in image_meta else '<no-id>')
         requesters.append("hw_mem_encryption property of image %s" %
-                          image_meta.id)
+                          image_id)
 
     _check_mem_encryption_uses_uefi_image(requesters, image_meta)
     _check_mem_encryption_machine_type(image_meta, machine_type)
@@ -1289,12 +1294,14 @@ def _check_mem_encryption_machine_type(image_meta, machine_type=None):
 
     # image_meta.name is not set if image object represents root Cinder volume.
     image_name = (image_meta.name if 'name' in image_meta else None)
+    # image_meta.id is not set when booting from volume.
+    image_id = (image_meta.id if 'id' in image_meta else '<no-id>')
     # Could be something like pc-q35-2.11 if a specific version of the
     # machine type is required, so do substring matching.
     if 'q35' not in mach_type:
         raise exception.InvalidMachineType(
             mtype=mach_type,
-            image_id=image_meta.id, image_name=image_name,
+            image_id=image_id, image_name=image_name,
             reason=_("q35 type is required for SEV to work"))