NAS backup: compression, encryption, bandwidth throttle, integrity check

[jmsperu]

Summary

Adds four optional, zone-scoped features to NAS backup operations on KVM, all disabled by default:

• Compression (-c): Uses qcow2 internal compression (qemu-img convert -c) to reduce backup size
• LUKS Encryption (-e): Encrypts backup files at rest using LUKS via qemu-img convert --object secret
• Bandwidth Throttle (-b): Limits backup I/O — virsh blockjob --bandwidth for running VMs, qemu-img convert -r + ionice for stopped VMs
• Integrity Check (--verify): Runs qemu-img check on each backup file after creation

Configuration Keys (Zone scope)

Setting	Type	Default	Description
nas.backup.compression.enabled	Boolean	false	Enable qcow2 compression for backup files
nas.backup.encryption.enabled	Boolean	false	Enable LUKS encryption for backup files
nas.backup.encryption.passphrase	String (Secure)	""	Passphrase for LUKS encryption
nas.backup.bandwidth.limit.mbps	Integer	0	Bandwidth limit in MiB/s (0 = unlimited)
nas.backup.integrity.check	Boolean	false	Run qemu-img check after backup

Architecture

1. NASBackupProvider reads zone-scoped ConfigKeys and populates a details map on TakeBackupCommand
2. TakeBackupCommand carries the details map from management server to KVM agent
3. LibvirtTakeBackupCommandWrapper extracts the details and translates them to nasbackup.sh CLI flags
4. nasbackup.sh implements the actual compression, encryption, throttling, and verification logic

Files Changed

• scripts/vm/hypervisor/kvm/nasbackup.sh — new -c, -b, -e, --verify flags with encrypt_backup() and verify_backup() functions
• core/.../TakeBackupCommand.java — added details map (HashMap) with getter/setter/addDetail
• plugins/backup/nas/.../NASBackupProvider.java — 5 new ConfigKeys, populate command details in takeBackup()
• plugins/hypervisors/kvm/.../LibvirtTakeBackupCommandWrapper.java — extract details, build dynamic CLI args, temp passphrase file lifecycle

Notes

• All existing functionality (quiesce, cleanup, RBD support, stats) is preserved unchanged
• Encryption passphrase is written to a temp file on the KVM host and deleted after backup completes
• The passphrase ConfigKey uses the "Secure" category so it is not exposed in API responses
• Combines and supersedes PRs nasbackup.sh: add optional backup compression via -c flag #12844, nasbackup.sh: add bandwidth throttle via -b flag #12846, nasbackup.sh: add LUKS encryption for backup files via -e flag #12848, nasbackup.sh: verify backup integrity with qemu-img check #12845

Test plan

• Verify backup works with all four features disabled (default) — no behavioral change
• Enable nas.backup.compression.enabled at zone scope, take backup, verify qcow2 files are compressed
• Enable nas.backup.bandwidth.limit.mbps (e.g. 50), take backup of running VM, verify virsh blockjob bandwidth is applied
• Enable nas.backup.bandwidth.limit.mbps, take backup of stopped VM, verify qemu-img -r rate limit is applied
• Enable nas.backup.encryption.enabled with passphrase, take backup, verify files are LUKS encrypted (qemu-img info shows encryption)
• Enable nas.backup.integrity.check, take backup, verify qemu-img check runs and passes
• Test with multiple features enabled simultaneously (compression + integrity check)
• Verify restore still works for backups created with compression/encryption
• Test with RBD storage pools — verify bandwidth throttle applies correctly