[libvirt] Add support for (qcow*) volume encryption (v4)
by Miloslav Trmač
Hello,
the following patches add full support for qcow/qcow2 volume encryption,
assuming a client that supports it.
(Main changes since the previous version:
* Add "flags" argument to virSecretDefineXML(), virSecretGetXMLDesc(),
virSecretSetValue(), virSecretGetValue()
* Various clean-ups and bug fixes in the local secret storage driver
* Make the Python API more consistent with other objects
See the specific patch change logs for more details; patches without
change logs are unchanged.)
New XML tags are defined to represent encryption parameters (currently
format and passphrase, more can be added in the future), e.g.
<encryption format='qcow'>
<secret type='passphrase'
uuid='724d95f2-0ed2-6ff9-84d0-0f3d1618428d'/>
</encryption>
The <encryption> tag can be added to a <volume> node passed to
virStorageVolCreateXML() to create an encrypted volume, or to a
<disk> node inside a <domain> to specify what encryption parameters to
use for a domain.
uuid above refers to a separately-managed secret, which was created
using virSecretDefineXML() and set using virSecretSetValue(). Other
properties of the secret can be managed using an XML representation.
Detailed documentation of the formats and features is inside the patches.
15 years, 2 months
Re: [libvirt] [PATCH 15/20] Provide missing passphrase when creating a volume.
by Miloslav Trmac
----- "Daniel P. Berrange" <berrange(a)redhat.com> wrote:
> On Thu, Aug 20, 2009 at 08:18:13PM +0200, Miloslav Trma?? wrote:
> > If the <encryption format='qcow'> element does not specify a secret
> > during volume creation, generate a suitable secret and add it to the
> > <encryption> tag. The caller can view the updated <encryption> tag
> > using virStorageVolGetXMLDesc().
> >
> > Similarly, when <encryption format='default'/> is specified while
> > creating a qcow or qcow2-formatted volume, change the format to "qcow"
> > and generate a secret as described above.
> > + virBufferAddLit(&buf, "<secret ephemeral='no' private='no'>");
> > + /* <uuid/> is chosen by the secret driver */
> > + virBufferEscapeString(&buf,
> > + "<description>qcow passphrase for %s</description>",
> > + vol->target.path);
> > + virBufferEscapeString(&buf, "<volume>%s</volume>", vol->target.path);
> > + virBufferAddLit(&buf, "</secret>");
> > + if (virBufferError(&buf)) {
> > + virReportOOMError(conn);
> > + goto cleanup;
> > + }
> > + xml = virBufferContentAndReset(&buf);
>
> This is the first place where we should be just calling into an
> internal secret_conf.h API for formatting XML from a struct,
> rather than duplicating the XML formatting.
OK.
> > + /* A qcow passphrase is up to 16 bytes, with any data following a NUL
> > + ignored. Prohibit control and non-ASCII characters to avoid possible
> > + unpleasant surprises with the qemu monitor input mechanism. */
> > + fd = open("/dev/urandom", O_RDONLY);
> > + if (fd < 0) {
> > + virStorageReportError(conn, VIR_ERR_INTERNAL_ERROR, "%s",
> > + _("Cannot open /dev/urandom"));
> > + goto cleanup;
> > + }
> > + i = 0;
> > + while (i < sizeof (value)) {
> > + ssize_t r;
> > +
> > + while ((r = read(fd, value + i, 1)) == -1 && errno == EINTR)
> > + ;
> > + if (r <= 0) {
> > + virStorageReportError(conn, VIR_ERR_INTERNAL_ERROR, "%s",
> > + _("Cannot read from /dev/urandom"));
> > + goto cleanup;
> > + }
> > + if (value[i] >= 0x20 && value[i] <= 0x7E)
> > + i++; /* Got an acceptable character */
> > + }
> > + close(fd);
>
> I reckon this snippet of code could usefully be put into the util.h file
> as virFileGenerateRandomkey(), or alternatively perhaps secret_conf.h,
> as virSecretGenerateRandomKey(unsigned char *buf, size_t buflen);
This code, with its limitation to ASCII characters, is qcow/qemu-specific.
Mirek
15 years, 2 months
Re: [libvirt] [PATCH 11/20] Add volume encryption information handling.
by Miloslav Trmac
----- "Maximilian Wilhelm" <max(a)rfc2324.org> wrote:
> Anno domini 2009 Miloslav Trmač scripsit:
>
> > diff --git a/src/storage_encryption.c b/src/storage_encryption.c
> > new file mode 100644
> > index 0000000..ccb29ed
> > --- /dev/null
> > +++ b/src/storage_encryption.c
> > @@ -0,0 +1,241 @@
>
> [...]
> > +#include "base64.h"
> [...]
>
> Is there any special need for this include?
Not in this file, I forgot to clean it up.
> If so, where does this include file come from?
gnulib.
>
> My buildbot refused to compile this code as it did not have any
> base64.h header file. As removing this include solved the build
> problem for me, I would suggest the following patch if noone objects.
That change looks correct.
Mirek
15 years, 2 months
[libvirt] Create a Domain from windows client
by anuj rampal
Hi all,
I'm trying to call the libvirt API from my Windows machine.
When i try to create to a Domain using "virDomainDefineXML" function
I have to pass an XML file containing the Description of the Domain.
Here is the part of the XML file that im using:
<domain type='qemu' id='1'>
..
..
<devices>
<emulator>/usr/bin/qemu</emulator>
<disk type='file' device='disk'>
<source file='/var/lib/libvirt/images/WinXp.img'/>
<target dev='hda' bus='ide'/>
</disk>
<disk type='file' device='cdrom'>
<source file='/home/anuj/ISOs/WinXpSp3/Windows_XP_SP3.iso'/>
<target dev='hdc' bus='ide'/>
<readonly/>
</disk>
..
..
</domain>
<source file='/var/lib/libvirt/images/WinXp.img'/>
This is the path which contains the img file for the Domain.
I have created this file using this command:
qemu-img create -f raw /var/lib/libvirt/images/WinXp.img 10G
*Now: my question is:*
Is there a way by which i can create this img file using some libvirt call
directly and then use this for my domain creation.
Or modify the XML file itself so that virDomainDefineXML call creates the
img file at the path and the size that i specify.
Could someone also give me some example for the same.
Regards
Anuj
15 years, 2 months
[libvirt] libvirt and "kvm -cpu=qemu32" problem
by Scaldov M.V.
Problem is that the images of windows 2003 server, windows 2000 and
some other do not start and go to BSOD due to processor mismatch if
they were created under either qemu or vmware, or from
bare-metal installed OS.
By default libvirt starts kvm with "-cpu=qemu32" option instead of, for
example, "-cpu=pentium3".
There is patch for libvirt-0.6.5 to avoid this problem.
Now libvirt takes into account <cpumodel> node from .xml domain config,
which overrides libvirt's default -cpu option for kvm.
I think, this patch is vital, because of it helps to avoid a waste of
time with reinstalling and reconfiguring windows server images.
<domain type='kvm'>
<name>w2k3s</name>
<uuid>e2725d10-7ada-4f71-eea7-fa6cc1a541ee</uuid>
<memory>262144</memory>
<currentMemory>262144</currentMemory>
<vcpu>1</vcpu>
<cpumodel>pentium3</cpumodel> <------
<os>
<type arch='i686'>hvm</type>
<boot dev='hd'/>
</os>
Sorry for not patching GIT-version, GIT is hard to compile in a small
time.
15 years, 2 months