On Tue, Jul 21, 2009 at 01:11:56PM +0200, Miloslav Trma?? wrote:
Hello,
the following patches add full support for qcow/qcow2 volume encryption,
assuming a client that supports it.
New XML tags are defined to represent encryption parameters (currently
format and passphrase, more can be added in the future), e.g.
<encryption format='qcow'>
<passphrase>c2lsbHk=</passphrase>
</encryption>
(passphrase content uses base64)
I don't think we need 'format=qcow' in there - the guest XML already
has ability to have a <driver name='qemu' type='qcow2'/> element,
and the storage vol XML also has a <format type='qcow2'/> element.
I think it would be good to change the naming of the inner element
a little too. I think having it called 'secret' and then a 'type'
attribute would be a little nicer. eg
<encryption>
<secret type='passphrase'/>c2lsbHk=</secret>
</encryption>
It might be desirable to add encryption algorithm, but that can probably
wait since qcow doesn't support multiple algorithms at this time.
The <encryption> tag can be added to a <volume> node
passed to
virStorageVolCreateXML() to create an encrypted volume, or to a
<disk> node inside a <domain> to specify what encryption parameters to
use for a domain. If the domain is persistent, the parameters
(including the passphrase) will be saved unencrypted in /etc/libvirtd;
the primary use case is to store the parameters outside of libvirtd,
(perhaps by virt-manager in a GNOME keyring).
Possible enhancements:
- Documentation and test cases. I'll write both if the code is acceptable,
I wanted to make the code available for review first.
- Support for "dumb" clients that don't know anything about encryption
formats and the required parameters: adding an encryption format to libvirt
would automatically make it supported in all clients.
Such a client would only request that a volume should be created when
creating it, and libvirt would choose an appropriate format, parameters
and passphrase/key and return it to the client, who could later pass it
unmodified inside a <domain>.
This requires public API additions to let libvirt return the encryption
information as one of the results of a volume creation operation.
- Support for storing the passphrases/keys used by persistent domains
outside of the main XML files, e.g. in a separate passphrase-encrypted
file that must be entered on libvirtd startup.
I think these two points overlap quite alot. I'll use 'secret' to refer
to a passphrase or key here
As you say there are two initial approaches to persistence of secrets
- Keep the keys in the domain XML files
- Use a separate keystore
For the separate keystore, there are probably 3 interesting targets
to consider
1. A simple text (or pkcs11) file managed by libvirtd on the host
This would be useful for the privileged libvirtd to use in
ad-hoc, small scale deployments. Perhaps allowing it to be
shared between a small number of hosts on NFS, or GFS etc
2. A desktop key agent (eg gnome-keyring)
This would be useful for the unprivileged libvirtd instances
that run in the context of the desktop login session. Users
already have SSH, GPG, website keys stored here, so having
keys for their VM disks is obviously desirable
3. A off-node key management server
This would be useful for a large scale data center / cluster
cloud deployment. This is good to allow management scalability
and better separation of responsiblities of adminstration.
If no keystore is in use, then I clearly all keys must go in & out
of libvirt using the XML, which is pretty much what you're doing
in this series. I would say though, there is no point in clearing
the secret from the virStorageVolDefPtr instance/XML after volume
creation, since the secret is going to be kept in memory forever
for any guest using the volume. By not clearing the secret, an
app could create a volume, requesting automatic key generation,
then just do virStorageVolDumpXML(vol, VIR_STORAGE_VOL_XML_SECURE)
to extract it and pass to onto the XML for the guest that's created
If a keystore is in use, then I'd suggest we should have explicit
APIs for secret management, and forbid the use of the actual secrets
in the XML everywhere.
Instead, either pass in a pre-created key UUID when creating a volume
or defining a guest eg, the XML fragment would look like this
<encryption>
<secret type='keyuuid'>123456-1234-1245-1234-124512345</secret>
</encryption>
Internally libvirt would then get the real passphrase from the keystore
by looking up the associated UUID.
Or request auto-creation of a key by leaving out the data
<encryption>
<secret type='keyuuid'/>
</encryption>
Internally libvirt would add a key to its database, and fillin the UUID
which you could then see via DumpXML.
With a keystore we'd likely need a handful of APIs
- create a secret providing a passphrase
- list all known secret UUIDs
- get the passphrase assoicated with a secret
- delete a secret based on UUID
- lookup a secret UUID based on the a disk path
The nice thing about separating the passphrases out of the XML completely
is that we would then have the ability to do fine grained access control.
eg, you could give people ability to create new guests / volumes, using
encryption without them ever specifying, or having access to the secrets.
A seperate role could be given ability to create/list/delete secrets.
This would also let us associate one secret with many disks, which
might be a useful scenario for some people.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o-
http://people.redhat.com/berrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org -o-
http://ovirt.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|