linstor: fix encrypted volume snapshot backup and restore

[rp-]

Description

This PR fixes a bug that was reported on the linstor-server github project: LINBIT/linstor-server#495

Encrypted Linstor volumes use a LUKS layer inside the DRBD stack, so the storage-layer snapshot device holds ciphertext while the DRBD device CloudStack restores to is the decrypted view. Backing up the raw snapshot and writing it back to the decrypted device corrupted the volume (different data, unbootable root).

Back up encrypted snapshots from the decrypted DRBD device (forcing the temporary-resource path) and store them as a LUKS-encrypted qcow2 using the volume passphrase, so snapshots are not kept in clear text on secondary storage. On revert, decrypt the qcow2 and write plaintext to the DRBD device; the LUKS layer re-encrypts it. The qemu-img shrink is skipped for encrypted volumes (the DRBD device is already net-sized).

Add an integration test (test_linstor_encrypted_snapshots.py): the encrypted-root snapshot revert round-trip, that
create-volume-from-encrypted-snapshot is rejected by CloudStack core, and a best-effort check that the backed-up qcow2 is LUKS-encrypted at rest.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Added/Run integration tests to restore encrypted volumes.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 32 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.67%. Comparing base (288f9a9) to head (b44339a).

Files with missing lines	Patch %	Lines
...e/wrapper/LinstorBackupSnapshotCommandWrapper.java	0.00%	18 Missing ⚠️
...per/LinstorRevertBackupSnapshotCommandWrapper.java	0.00%	9 Missing ⚠️
...tore/driver/LinstorPrimaryDataStoreDriverImpl.java	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##               4.22   #13486   +/-   ##
=========================================
  Coverage     17.67%   17.67%           
- Complexity    15790    15793    +3     
=========================================
  Files          5922     5922           
  Lines        533173   533196   +23     
  Branches      65209    65217    +8     
=========================================
+ Hits          94218    94227    +9     
- Misses       428309   428322   +13     
- Partials      10646    10647    +1     

Flag	Coverage Δ
uitests	3.69% <ø> (ø)
unittests	18.74% <0.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.