make zero fill configurable

Author: Pearl1594

engine/storage/volume/src/main/java/org/apache/cloudstack/storage/datastore/provider/DefaultHostListener.java

@@ -43,6 +43,7 @@
 import com.cloud.storage.StoragePool;
 import com.cloud.storage.StoragePoolHostVO;
 import com.cloud.storage.StorageService;
+import com.cloud.storage.VolumeApiServiceImpl;
 import com.cloud.storage.dao.StoragePoolHostDao;
 import com.cloud.utils.exception.CloudRuntimeException;
 
@@ -139,6 +140,15 @@ public boolean hostConnect(long hostId, long poolId) throws StorageConflictExcep
         Map<String, String> nfsMountOpts = storageManager.getStoragePoolNFSMountOpts(pool, null).first();
 
         Optional.ofNullable(nfsMountOpts).ifPresent(detailsMap::putAll);
+
+        if (pool.getPoolType() == Storage.StoragePoolType.CLVM) {
+            Boolean clvmSecureZeroFill = VolumeApiServiceImpl.CLVMSecureZeroFill.valueIn(poolId);
+            if (clvmSecureZeroFill != null) {
+                detailsMap.put("clvmsecurezerofill", String.valueOf(clvmSecureZeroFill));
+                logger.debug("Added CLVM secure zero-fill setting: {} for storage pool: {}", clvmSecureZeroFill, pool);
+            }
+        }
+
         ModifyStoragePoolCommand cmd = new ModifyStoragePoolCommand(true, pool, detailsMap);
         cmd.setWait(modifyStoragePoolCommandWait);
         HostVO host = hostDao.findById(hostId);

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtModifyStoragePoolCommandWrapper.java

@@ -52,9 +52,19 @@ public Answer execute(final ModifyStoragePoolCommand command, final LibvirtCompu
 
         final KVMStoragePool storagepool;
         try {
+            Map<String, String> poolDetails = command.getDetails();
+            if (poolDetails == null) {
+                poolDetails = new HashMap<>();
+            }
+
+            // Ensure CLVM secure zero-fill setting has a default value if not provided by MS
+            if (!poolDetails.containsKey(KVMStoragePool.CLVM_SECURE_ZERO_FILL)) {
+                poolDetails.put(KVMStoragePool.CLVM_SECURE_ZERO_FILL, "false");
+            }
+
             storagepool =
                     storagePoolMgr.createStoragePool(command.getPool().getUuid(), command.getPool().getHost(), command.getPool().getPort(), command.getPool().getPath(), command.getPool()
-                            .getUserInfo(), command.getPool().getType(), command.getDetails());
+                            .getUserInfo(), command.getPool().getType(), poolDetails);
             if (storagepool == null) {
                 return new Answer(command, false, " Failed to create storage pool");
             }

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePool.java

@@ -38,6 +38,8 @@ public interface KVMStoragePool {
     public static final long HeartBeatUpdateMaxTries = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_MAX_TRIES);
     public static final long HeartBeatUpdateRetrySleep = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_RETRY_SLEEP);
     public static final long HeartBeatCheckerTimeout = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_CHECKER_TIMEOUT);
+    public static final String CLVM_SECURE_ZERO_FILL = "clvmsecurezerofill";
+
 
     public default KVMPhysicalDisk createPhysicalDisk(String volumeUuid, PhysicalDiskFormat format, Storage.ProvisioningType provisioningType, long size, Long usableSize, byte[] passphrase) {
         return createPhysicalDisk(volumeUuid, format, provisioningType, size, passphrase);

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/LibvirtStorageAdaptor.java

@@ -1452,6 +1452,12 @@ public boolean deletePhysicalDisk(String uuid, KVMStoragePool pool, Storage.Imag
         }
     }
 
+    private boolean shouldSecureZeroFill(KVMStoragePool pool) {
+        Map<String, String> details = pool.getDetails();
+        String secureZeroFillStr = (details != null) ? details.get(KVMStoragePool.CLVM_SECURE_ZERO_FILL) : null;
+        return Boolean.parseBoolean(secureZeroFillStr);
+    }
+
     /**
      * Clean up CLVM volume and its snapshots directly using LVM commands.
      * This is used as a fallback when libvirt cannot find or delete the volume.
@@ -1492,8 +1498,14 @@ private boolean cleanupCLVMVolume(String uuid, KVMStoragePool pool) {
 
             logger.info("Volume {} exists, proceeding with cleanup", uuid);
 
-            logger.info("Step 1: Zero-filling volume {} for security", uuid);
-            secureZeroFillVolume(lvPath, uuid);
+            boolean secureZeroFillEnabled = shouldSecureZeroFill(pool);
+
+            if (secureZeroFillEnabled) {
+                logger.info("Step 1: Zero-filling volume {} for security", uuid);
+                secureZeroFillVolume(lvPath, uuid);
+            } else {
+                logger.info("Secure zero-fill is disabled, skipping zero-filling for volume {}", uuid);
+            }
 
             logger.info("Step 2: Removing volume {}", uuid);
             Script removeLv = new Script("lvremove", 10000, logger);

server/src/main/java/com/cloud/storage/VolumeApiServiceImpl.java

@@ -412,6 +412,9 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
     public static final ConfigKey<Boolean> AllowCheckAndRepairVolume = new ConfigKey<>("Advanced", Boolean.class, "volume.check.and.repair.leaks.before.use", "false",
             "To check and repair the volume if it has any leaks before performing volume attach or VM start operations", true, ConfigKey.Scope.StoragePool);
 
+    public static final ConfigKey<Boolean> CLVMSecureZeroFill = new ConfigKey<>("Advanced", Boolean.class, "clvm.secure.zero.fill", "false",
+            "When enabled, CLVM volumes to be zero-filled at the time of deletion to prevent data from being recovered by VMs reusing the space, as thick LVM volumes write data linearly", true, ConfigKey.Scope.StoragePool);
+
     private final StateMachine2<Volume.State, Volume.Event, Volume> _volStateMachine;
 
     private static final Set<Volume.State> STATES_VOLUME_CANNOT_BE_DESTROYED = new HashSet<>(Arrays.asList(Volume.State.Destroy, Volume.State.Expunging, Volume.State.Expunged, Volume.State.Allocated));
@@ -5861,7 +5864,8 @@ public ConfigKey<?>[] getConfigKeys() {
                 MatchStoragePoolTagsWithDiskOffering,
                 UseHttpsToUpload,
                 WaitDetachDevice,
-                AllowCheckAndRepairVolume
+                AllowCheckAndRepairVolume,
+                CLVMSecureZeroFill
         };
     }
 }