dell / dellemc-openmanage-ansible-modules

Dell OpenManage Ansible Modules
GNU General Public License v3.0

[QUESTION]: How can I enable virtual disk encrypted with module "redfish_storage_volume" #432

Closed dafoyiming closed 1 year ago

dafoyiming commented 2 years ago

How can the team help?

Details: ?

Team,

I am using the redfish_storage_volume module to create a volume, and I supposed encryption would be enabled too when my playbook ran, but it doesn't work.

The VD is created successfully, but no encryption job is scheduled. Please advise whether this is a bug and what the next step is if I want to achieve this within one task.

dafoyiming commented 2 years ago

@meshuga any idea? THX

anupamaloke commented 2 years ago

@dafoyiming, thank you for submitting the question. You need to enable the encryption on the storage controller. See iDRAC 9 Encrypting virtual disks for details.

You can use the idrac_redfish_storage_controller module to set the encryption key on the storage controller:

```yaml
- name: Set controller encryption key
  dellemc.openmanage.idrac_redfish_storage_controller:
    baseuri: "192.168.0.1:443"
    username: "{{ idrac_user }}"
    password: "{{ idrac_password }}"
    validate_certs: False
    command: "SetControllerKey"
    controller_id: "RAID.Slot.1-1"
    # Example values; keep the real passphrase in Ansible Vault, not in the playbook
    key: "PassPhrase@123"
    key_id: "mykeyid123"
```

dafoyiming commented 2 years ago

@anupamaloke . thank you!

I had enabled the encryption key on its PERC. But right now I am trying to enable encryption on the virtual disk that I created with the "redfish_storage_volume" module. I can see the VD is created without problem, but it is NOT encrypted, even though I set the parameter 'encrypted: true'. BTW, I tested with 3 different choices for "encryption_types", but no luck.

anupamaloke commented 2 years ago

@dafoyiming , let me check it internally and come back to you.

anupamaloke commented 2 years ago

@dafoyiming, in iDRAC firmware versions < 6.00.00.00, there is no single action to both create a VD and secure it. So you'll have to create the VD, and then use the iDRAC OEM extension to secure the VD. iDRAC firmware version >=6.00.00.00, which just got released, supports virtual drive encryption. So Step 2 listed below is not needed. The redfish_storage_volume module will create and encrypt the VD.

  1. Create a VD using redfish_storage_volume module - this will create a VD and encrypt it in iDRAC >=v6.00.00.00
  2. Call the iDRAC OEM API to secure the virtual disk - this is needed only for iDRAC < 6.00.00.00. Following are the tasks listed in the example playbook below:
    1. Call the REST API using the ansible.builtin.uri module. This will create an iDRAC job for encrypting the virtual disk if the virtual disk is not encrypted already. You might want to execute these tasks conditionally, i.e. execute them only when the iDRAC firmware version is < 6.00.00.00 and the virtual disk is not already encrypted.
    2. Track the job till it is successfully completed or fails.

```yaml
- name: encrypt virtual disk
  ansible.builtin.uri:
    url: "https://{{ idrac_ip }}/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRaidService/Actions/DellRaidService.LockVirtualDisk"
    user: "{{ idrac_user }}"
    password: "{{ idrac_password }}"
    validate_certs: "{{ validate_certs }}"
    force_basic_auth: True
    method: POST
    headers:
      Content-Type: "application/json"
      OData-Version: "4.0"
    # The action body is a single JSON object, so this is a mapping, not a list
    body:
      TargetFQDD: "{{ virtual_disk_fqdd }}"
    body_format: json
    status_code: [202]
  register: lock_virtual_disk_response
  delegate_to: localhost

# "when" is a keyword of the block itself, so it sits at the same level as "block"
- when: lock_virtual_disk_response.status == 202
  block:
    - name: extract the lock virtual disk command job id
      ansible.builtin.set_fact:
        # The job URI comes back in the Location header; its last segment is the job id
        lock_virtual_disk_job_id: "{{ lock_virtual_disk_response.location.split('/')[-1] }}"

    - name: track the job till completion
      dellemc.openmanage.idrac_lifecycle_controller_job_status_info:
        idrac_ip: "{{ idrac_ip }}"
        idrac_user: "{{ idrac_user }}"
        idrac_password: "{{ idrac_password }}"
        job_id: "{{ lock_virtual_disk_job_id }}"
      register: lock_virtual_disk_job_status
      until: lock_virtual_disk_job_status.job_info.Status == "Completed" or
             lock_virtual_disk_job_status.job_info.Status == "Completed with Errors" or
             lock_virtual_disk_job_status.job_info.Status == "Failed" or
             lock_virtual_disk_job_status.job_info.Status == "Deleted"
      failed_when: lock_virtual_disk_job_status.job_info.Status == "Failed"
      changed_when: lock_virtual_disk_job_status.job_info.Status == "Completed" or
                    lock_virtual_disk_job_status.job_info.Status == "Completed with Errors"
      retries: "{{ job_polling_retries }}"
      delay: "{{ job_polling_interval }}"
      delegate_to: localhost
```

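
An added example, not part of the thread or of the project's code: a playbook that applies the condition described in the comment above (firmware older than 6.00.00.00 and disk not yet encrypted) and afterwards checks the volume's Redfish `Encrypted` property instead of relying on the job status alone. The volume URL layout and the variables `idrac_ip`, `idrac_user`, `idrac_password`, `validate_certs`, `controller_id` and `virtual_disk_fqdd` are assumptions.

```yaml
# Added example; variable names and the volume path are assumptions.
- name: Gate and verify virtual disk encryption
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed volume path; confirm it against the target iDRAC firmware.
    volume_url: "https://{{ idrac_ip }}/redfish/v1/Systems/System.Embedded.1/Storage/{{ controller_id }}/Volumes/{{ virtual_disk_fqdd }}"
  tasks:
    - name: Read the iDRAC firmware version
      ansible.builtin.uri:
        url: "https://{{ idrac_ip }}/redfish/v1/Managers/iDRAC.Embedded.1"
        user: "{{ idrac_user }}"
        password: "{{ idrac_password }}"
        validate_certs: "{{ validate_certs }}"
        force_basic_auth: true
      register: idrac_manager

    - name: Read the virtual disk before changing anything
      ansible.builtin.uri:
        url: "{{ volume_url }}"
        user: "{{ idrac_user }}"
        password: "{{ idrac_password }}"
        validate_certs: "{{ validate_certs }}"
        force_basic_auth: true
      register: volume_before

    - name: Decide whether the OEM lock action is needed
      ansible.builtin.set_fact:
        # A null or missing Encrypted value is treated as "not encrypted".
        lock_needed: >-
          {{ idrac_manager.json.FirmwareVersion is version('6.00.00.00', '<')
             and not (volume_before.json.Encrypted | default(false, true)) }}

    # Run the lock and job-tracking tasks here, each with: when: lock_needed | bool

    - name: Re-read the virtual disk after the job
      ansible.builtin.uri:
        url: "{{ volume_url }}"
        user: "{{ idrac_user }}"
        password: "{{ idrac_password }}"
        validate_certs: "{{ validate_certs }}"
        force_basic_auth: true
      register: volume_after

    - name: Fail unless the controller reports the disk as encrypted
      ansible.builtin.assert:
        that:
          - volume_after.json.Encrypted | default(false, true) | bool
        fail_msg: "{{ virtual_disk_fqdd }} is not reported as encrypted"
```
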
anupamaloke commented 2 years ago

Created #433 to add support for encrypting VD for iDRAC FW versions < 6.00.00.00

dafoyiming commented 2 years ago

@anupamaloke thank you for your support. I have encrypted the VD with your suggestion in step 2. Looking forward to the module working without compatibility issues on iDRAC < 6.0 with #433. BTW, I think there is a typo "//" in the URL you provided: "https://{{ idrac_ip }}/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRaidService/Actions/DellRaidService.LockVirtualDisk"

anupamaloke commented 2 years ago

@dafoyiming, thanks for pointing out the typo 👍 I have corrected it now.

anupamaloke commented 1 year ago

Closing this issue. The support for encrypting the virtual disk is going to be tracked with #433