6:15 a.m.
On Thu, Oct 07, 2021 at 14:21:20 -0500, Or Ozeri wrote:
rbd encryption is new in qemu 6.1.0.
This commit adds a new encryption engine property which
allows the user to use this new encryption engine.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.html.in | 7 +-
docs/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/qemu/qemu_block.c | 26 +++++++
src/qemu/qemu_domain.c | 34 +++++++++
...sk-network-rbd-encryption.x86_64-6.0.0.err | 1 +
...-network-rbd-encryption.x86_64-latest.args | 45 ++++++++++++
.../disk-network-rbd-encryption.xml | 63 +++++++++++++++++
tests/qemuxml2argvtest.c | 2 +
...k-network-rbd-encryption.x86_64-latest.xml | 70 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
12 files changed, 251 insertions(+), 2 deletions(-)
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
create mode 100644
tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 178fcd0d7c..02ee8f8ca3 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -27,7 +27,12 @@
The <code>encryption</code> tag supports an optional
<code>engine</code>
tag, which allows selecting which component actually handles
the encryption. Currently defined values of <code>engine</code> are
- <code>qemu</code>.
+ <code>qemu</code> and <code>librbd</code>.
+ Both <code>qemu</code> and <code>librbd</code> require
using the qemu driver.
+ The <code>librbd</code> engine requires qemu version >= 6.1.0,
+ and is only applicable for RBD network disks.
+ If the engine tag is not specified, the <code>qemu</code> engine will
be
+ used by default (assuming the qemu driver is used).
Okay, this is slightly better but it doesn't specify what's happening in
the storage driver.
</p>
<p>
The <code>encryption</code> tag can currently contain a sequence of
[...]
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 354f65c6d5..13869dd79b 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4814,6 +4814,40 @@ qemuDomainValidateStorageSource(virStorageSource *src,
if (src->encryption) {
switch (src->encryption->engine) {
case VIR_STORAGE_ENCRYPTION_ENGINE_QEMU:
+ switch ((virStorageEncryptionFormatType) src->encryption->format)
{
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+ default:
+ virReportEnumRangeError(virStorageEncryptionFormatType,
+ src->encryption->format);
+ return -1;
This here is okay, because both are basically impossible.
+ }
+
+ break;
+ case VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD:
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RBD_ENCRYPTION)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("librbd encryption is not supported by this
QEMU binary"));
+ return -1;
+ }
+
+ switch ((virStorageEncryptionFormatType) src->encryption->format)
{
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+ default:
+ virReportEnumRangeError(virStorageEncryptionFormatType,
+ src->encryption->format);
This creates an error message which is not very informative.
Specifically for VIR_STORAGE_ENCRYPTION_FORMAT_QCOW which is a
legitimate configuration we need a proper error message.
+ return -1;
+ }
+
break;
case VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT:
case VIR_STORAGE_ENCRYPTION_ENGINE_LAST:
[...]
The test input files are okay. The output files will need some tweaking
after recent changes. I think adding the error message is trivial enough
so that I'll do it before pushing if you are okay with it.
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>