On Thu, Apr 19, 2018 at 02:21:43PM -0400, John Ferlan wrote:
[...]
>> Oh, OK - well I didn't find that to be obvious... So there is a way
>> using secret objects to create a qcow[2] encrypted volume?
>
> Sure, the exact same syntax as with luks volumes - you just specify
> "qcow" instead of "luks" as the type.
>
So I've been working on doing as suggested, there's slight differences
for qcow:
Sorry, when it say it is the same as luks volumes, i mean qcow encryption
in qcow2, is the same syntax as luks encryption in qcow2. I didn't mean
to refer to luks on raw, which does have different syntax.
1. Usage of "encrypt.key-secret" instead of just "key-secret"
2. Usage of "encrypt.format=aes" (or qcow works too) instead of
"encryption=on"
3. Don't need change the "type" value like is done for "luks"
in
virStorageBackendCreateQemuImgCmdFromVol.
The result is (testing mode only):
qemu-img create -f qcow2 \
--object secret,id=x0,format=raw,data=letmein \
-o encrypt.format=aes,encrypt.key-secret=x0 \
x0.img 1048576K
Yes, that is right.
NB: Using "-b /dev/null" and ",backing_fmt=raw" works just fine as
would
usage of other -o options such as "compat=1.1,", "compat=0.10",
"lazy_refcounts,", and "preallocation={off|metadata|falloc|full}".
However, storagevolxml2argvtest.c also generates qemu-img convert
options. And this is where things go down hill. The former commands
would for example do:
[snip]
Ok, yes, the convert command gets difficult due to qemu code limitations.
Essentially the problem is that 'convert' has to do two jobs with the
target file, create it and then open it to write data.
Unfortunately you need two incompatible syntaxes for these jobs :-(
When creating the file, the filename must be a plain name, and any
options given via '-o', but to open the file, the filename must be
in the dotted syntax with options inline. There is no way to convert
between these two syntaxes in QEMU.
Essentially you can't run the convert command as you are describing.
All is not lost though, you simply have to turn it into a two stage
process. First, use 'qemu-img create' to create the target image with
the right size, as we already have code todo.
Then you pass the '-n' flag to 'convert' which tells it that the image
has been pre-created, so it can skip the create step. Now it only has
one job todo, which is to open the target image, so you can use the
dotted filename syntax.
Note, you must pass the '--image-opts' flag to tell it that the source
filename is using dotted syntax, and also pass '--target-image-opts'
to tell it the target filanem is using dotted syntax.
Regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|