[PATCH v2 0/5] Add support for librbd encryption
Changes from v1: addressed (hopefully) all of Peter's v1 comments (thanks Peter!) Or Ozeri (5): qemu: add disk post parse to qemublocktest qemu: add rbd encryption capability probing conf: add luks2 encryption format conf: add encryption engine property qemu: add librbd encryption engine docs/formatstorageencryption.html.in | 8 +- docs/schemas/domainbackup.rng | 7 + docs/schemas/storagecommon.rng | 9 + src/conf/storage_encryption_conf.c | 33 +++- src/conf/storage_encryption_conf.h | 11 ++ src/qemu/qemu_block.c | 33 ++++ src/qemu/qemu_capabilities.c | 2 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_domain.c | 37 +++- src/qemu/qemu_domain.h | 4 + tests/qemublocktest.c | 3 + .../caps_6.1.0.x86_64.xml | 1 + tests/qemustatusxml2xmldata/upgrade-out.xml | 6 +- ...sk-network-rbd-encryption.x86_64-6.0.0.err | 1 + ...-network-rbd-encryption.x86_64-latest.args | 49 ++++++ .../disk-network-rbd-encryption.xml | 75 +++++++++ tests/qemuxml2argvtest.c | 2 + ...k-network-rbd-encryption.x86_64-latest.xml | 83 +++++++++ tests/qemuxml2xmloutdata/disk-nvme.xml | 65 ++++++- .../disk-slices.x86_64-latest.xml | 4 +- .../encrypted-disk-usage.xml | 38 ++++- tests/qemuxml2xmloutdata/encrypted-disk.xml | 2 +- .../luks-disks-source-qcow2.x86_64-latest.xml | 14 +- .../qemuxml2xmloutdata/luks-disks-source.xml | 10 +- tests/qemuxml2xmloutdata/luks-disks.xml | 47 +++++- tests/qemuxml2xmloutdata/user-aliases.xml | 159 +++++++++++++++++- tests/qemuxml2xmltest.c | 1 + 27 files changed, 678 insertions(+), 27 deletions(-) create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.xml create mode 100644 tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/disk-nvme.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/encrypted-disk-usage.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/luks-disks.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/user-aliases.xml -- 2.25.1
The post parse callback is part of the real (non-test) processing flow. This commit adds it (for disks) to the qemublocktest flow as well. Signed-off-by: Or Ozeri <oro@il.ibm.com> --- src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_domain.h | 4 ++++ tests/qemublocktest.c | 3 +++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 25b7f03204..472ff670b1 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -5415,7 +5415,7 @@ qemuDomainDeviceDiskDefPostParseRestoreSecAlias(virDomainDiskDef *disk, } -static int +int qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk, virQEMUCaps *qemuCaps, unsigned int parseFlags) diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index cb1cd968d5..9a784501a0 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -899,6 +899,10 @@ int qemuDomainDefValidateDiskLunSource(const virStorageSource *src) int qemuDomainDeviceDefValidateDisk(const virDomainDiskDef *disk, virQEMUCaps *qemuCaps); +int qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk, + virQEMUCaps *qemuCaps, + unsigned int parseFlags); + int qemuDomainPrepareChannel(virDomainChrDef *chr, const char *domainChannelTargetDir) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c index 4af8862c5b..617e1b8ae1 100644 --- a/tests/qemublocktest.c +++ b/tests/qemublocktest.c @@ -279,6 +279,9 @@ testQemuDiskXMLToProps(const void *opaque) VIR_DOMAIN_DEF_PARSE_STATUS))) return -1; + if (qemuDomainDeviceDiskDefPostParse(disk, data->qemuCaps, 0) < 0) + return -1; + if (!(vmdef = virDomainDefNew(data->driver->xmlopt))) return -1; -- 2.25.1
On Tue, Oct 05, 2021 at 09:41:12 -0500, Or Ozeri wrote:
The post parse callback is part of the real (non-test) processing flow. This commit adds it (for disks) to the qemublocktest flow as well.
Could you please elaborate why this is needed? Specifically qemublocktest takes a few liberties from the "real" code flow since we need to fake a lot of stuff. E.g. see testQemuDiskXMLToJSONFakeSecrets. Specifically I didn't see anything in your patches [1] which would add anything to the post parse callback. [1] Well after my crude rebase of the series. What you've posted didn't apply neither on master nor on the last release. I had to go one version back and it had conflicts which I didn't spend much time thinking about.
On Wed, Oct 06, 2021 at 08:37:16 +0200, Peter Krempa wrote:
On Tue, Oct 05, 2021 at 09:41:12 -0500, Or Ozeri wrote:
The post parse callback is part of the real (non-test) processing flow. This commit adds it (for disks) to the qemublocktest flow as well.
Could you please elaborate why this is needed? Specifically qemublocktest takes a few liberties from the "real" code flow since we need to fake a lot of stuff. E.g. see testQemuDiskXMLToJSONFakeSecrets.
Specifically I didn't see anything in your patches [1] which would add anything to the post parse callback.
[1] Well after my crude rebase of the series. What you've posted didn't apply neither on master nor on the last release. I had to go one version back and it had conflicts which I didn't spend much time thinking about.
Okay I messed up the rebase and lost the hunk from patch 3. As of such, please add a note into the commit message that it's needed to fill in the encryption format default since we are processing old XMLs. Additionally please repost the patches rebased to current git master, so that I don't have to second-guess.
On Wed, Oct 06, 2021 at 09:55:10 +0000, Or Ozeri wrote:
My commit which adds the encryption engine configuration is default to "default". Only in the post-parse callback in the qemu driver, I switch it from "default" to "qemu". Thus, if you don't call the post-parse on this test, then tests which use luks format fail. Specifically: network-qcow2-backing-chain-encryption_auth file-qcow2-backing-chain-encryption file-raw-luks
Yeah, that is okay. As noted in another reply please mention it in the commit message, because otherwise it seems a bit misplaced. Specifically exporting just a bit of the post-parse callbacks is questionable but okay in this case. And please post a rebased version as noted elsewhere.
rbd encryption is new in qemu 6.1.0. This commit adds capability probing for it. Signed-off-by: Or Ozeri <oro@il.ibm.com> --- src/qemu/qemu_capabilities.c | 2 ++ src/qemu/qemu_capabilities.h | 1 + tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 + 3 files changed, 4 insertions(+) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 70c3ec2f0c..85da5725cf 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -638,6 +638,7 @@ VIR_ENUM_IMPL(virQEMUCaps, "query-display-options", /* QEMU_CAPS_QUERY_DISPLAY_OPTIONS */ "s390-pv-guest", /* QEMU_CAPS_S390_PV_GUEST */ "set-action", /* QEMU_CAPS_SET_ACTION */ + "rbd-encryption", /* QEMU_CAPS_RBD_ENCRYPTION */ ); @@ -1560,6 +1561,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsQMPSchemaQueries[] = { { "blockdev-add/arg-type/+file/$dynamic-auto-read-only", QEMU_CAPS_BLOCK_FILE_AUTO_READONLY_DYNAMIC }, { "blockdev-add/arg-type/+nvme", QEMU_CAPS_DRIVE_NVME }, { "blockdev-add/arg-type/+file/aio/^io_uring", QEMU_CAPS_AIO_IO_URING }, + { "blockdev-add/arg-type/+rbd/encrypt", QEMU_CAPS_RBD_ENCRYPTION }, { "blockdev-add/arg-type/discard", QEMU_CAPS_DRIVE_DISCARD }, { "blockdev-add/arg-type/detect-zeroes", QEMU_CAPS_DRIVE_DETECT_ZEROES }, { "blockdev-backup", QEMU_CAPS_BLOCKDEV_BACKUP }, diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index bc762d1916..576ed9d1ba 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -618,6 +618,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */ QEMU_CAPS_QUERY_DISPLAY_OPTIONS, /* 'query-display-options' qmp command present */ QEMU_CAPS_S390_PV_GUEST, /* -object s390-pv-guest,... */ QEMU_CAPS_SET_ACTION, /* 'set-action' QMP command */ + QEMU_CAPS_RBD_ENCRYPTION, /* Ceph RBD encryption support */ QEMU_CAPS_LAST /* this must always be the last item */ } virQEMUCapsFlags; diff --git a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml index eca9facf80..efd37e8ee1 100644 --- a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml @@ -257,6 +257,7 @@ <flag name='confidential-guest-support'/> <flag name='query-display-options'/> <flag name='set-action'/> + <flag name='rbd-encryption'/> <version>6001000</version> <kvmVersion>0</kvmVersion> <microcodeVersion>43100243</microcodeVersion> -- 2.25.1
On Tue, Oct 05, 2021 at 09:41:13 -0500, Or Ozeri wrote:
rbd encryption is new in qemu 6.1.0. This commit adds capability probing for it.
Signed-off-by: Or Ozeri <oro@il.ibm.com> --- src/qemu/qemu_capabilities.c | 2 ++ src/qemu/qemu_capabilities.h | 1 + tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 + 3 files changed, 4 insertions(+)
Needs rebase but: Reviewed-by: Peter Krempa <pkrempa@redhat.com>
This commit extends libvirt XML configuration to support luks2 encryption format. This means that <encryption format="luks2"> becomes valid. Actual handler (other than returning "not supported") for this new format will be added in an upcoming commit. Signed-off-by: Or Ozeri <oro@il.ibm.com> --- docs/formatstorageencryption.html.in | 2 +- docs/schemas/storagecommon.rng | 1 + src/conf/storage_encryption_conf.c | 2 +- src/conf/storage_encryption_conf.h | 1 + src/qemu/qemu_block.c | 1 + src/qemu/qemu_domain.c | 3 ++- 6 files changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in index 7215c307d7..b2631ab25d 100644 --- a/docs/formatstorageencryption.html.in +++ b/docs/formatstorageencryption.html.in @@ -18,7 +18,7 @@ is <code>encryption</code>, with a mandatory attribute <code>format</code>. Currently defined values of <code>format</code> are <code>default</code>, <code>qcow</code>, - and <code>luks</code>. + <code>luks</code>, and <code>luks2</code>. Each value of <code>format</code> implies some expectations about the content of the <code>encryption</code> tag. Other format values may be defined in the future. diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng index 9ebb27700d..7d1d066289 100644 --- a/docs/schemas/storagecommon.rng +++ b/docs/schemas/storagecommon.rng @@ -13,6 +13,7 @@ <value>default</value> <value>qcow</value> <value>luks</value> + <value>luks2</value> </choice> </attribute> <interleave> diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c index 9112b96cc7..2df4ec96af 100644 --- a/src/conf/storage_encryption_conf.c +++ b/src/conf/storage_encryption_conf.c @@ -44,7 +44,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret, VIR_ENUM_IMPL(virStorageEncryptionFormat, VIR_STORAGE_ENCRYPTION_FORMAT_LAST, - "default", "qcow", "luks", + "default", "qcow", "luks", "luks2", ); static void diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h index 34adbd5f7b..32e3a1243a 100644 --- a/src/conf/storage_encryption_conf.h +++ b/src/conf/storage_encryption_conf.h @@ -56,6 +56,7 @@ typedef enum { VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0, VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */ VIR_STORAGE_ENCRYPTION_FORMAT_LUKS, + VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2, VIR_STORAGE_ENCRYPTION_FORMAT_LAST, } virStorageEncryptionFormatType; diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 0bc92f6a23..f7aa052822 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -1333,6 +1333,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src, break; case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT: + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: case VIR_STORAGE_ENCRYPTION_FORMAT_LAST: default: virReportEnumRangeError(virStorageEncryptionFormatType, diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 472ff670b1..2d35106c2f 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -1354,7 +1354,8 @@ static bool qemuDomainDiskHasEncryptionSecret(virStorageSource *src) { if (!virStorageSourceIsEmpty(src) && src->encryption && - src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS && + (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS || + src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2) && src->encryption->nsecrets > 0) return true; -- 2.25.1
This commit extends libvirt XML configuration to support a custom encryption engine. This means that <encryption format="luks" engine="qemu"> becomes valid. The only engine for now is qemu. However, a new engine (librbd) will be added in an upcoming commit. If no engine is specified, qemu will be used (assuming qemu driver is used). Signed-off-by: Or Ozeri <oro@il.ibm.com> --- docs/formatstorageencryption.html.in | 6 + docs/schemas/domainbackup.rng | 7 + docs/schemas/storagecommon.rng | 7 + src/conf/storage_encryption_conf.c | 31 +++- src/conf/storage_encryption_conf.h | 9 + src/qemu/qemu_block.c | 2 + src/qemu/qemu_domain.c | 8 + tests/qemustatusxml2xmldata/upgrade-out.xml | 6 +- tests/qemuxml2xmloutdata/disk-nvme.xml | 65 ++++++- .../disk-slices.x86_64-latest.xml | 4 +- .../encrypted-disk-usage.xml | 38 ++++- tests/qemuxml2xmloutdata/encrypted-disk.xml | 2 +- .../luks-disks-source-qcow2.x86_64-latest.xml | 14 +- .../qemuxml2xmloutdata/luks-disks-source.xml | 10 +- tests/qemuxml2xmloutdata/luks-disks.xml | 47 +++++- tests/qemuxml2xmloutdata/user-aliases.xml | 159 +++++++++++++++++- 16 files changed, 392 insertions(+), 23 deletions(-) mode change 120000 => 100644 tests/qemuxml2xmloutdata/disk-nvme.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/encrypted-disk-usage.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/luks-disks.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/user-aliases.xml diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in index b2631ab25d..5783381a4a 100644 --- a/docs/formatstorageencryption.html.in +++ b/docs/formatstorageencryption.html.in @@ -23,6 +23,12 @@ content of the <code>encryption</code> tag. Other format values may be defined in the future. </p> + <p> + The <code>encryption</code> tag supports an optional <code>engine</code> + tag, which allows selecting which component actually handles + the encryption. Currently defined values of <code>engine</code> are + <code>qemu</code>. + </p> <p> The <code>encryption</code> tag can currently contain a sequence of <code>secret</code> tags, each with mandatory attributes <code>type</code> diff --git a/docs/schemas/domainbackup.rng b/docs/schemas/domainbackup.rng index c03455a5a7..05cc28ab00 100644 --- a/docs/schemas/domainbackup.rng +++ b/docs/schemas/domainbackup.rng @@ -14,6 +14,13 @@ <value>luks</value> </choice> </attribute> + <optional> + <attribute name="engine"> + <choice> + <value>qemu</value> + </choice> + </attribute> + </optional> <interleave> <ref name="secret"/> <optional> diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng index 7d1d066289..b34577c582 100644 --- a/docs/schemas/storagecommon.rng +++ b/docs/schemas/storagecommon.rng @@ -16,6 +16,13 @@ <value>luks2</value> </choice> </attribute> + <optional> + <attribute name="engine"> + <choice> + <value>qemu</value> + </choice> + </attribute> + </optional> <interleave> <ref name="secret"/> <optional> diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c index 2df4ec96af..e8da02b605 100644 --- a/src/conf/storage_encryption_conf.c +++ b/src/conf/storage_encryption_conf.c @@ -47,6 +47,11 @@ VIR_ENUM_IMPL(virStorageEncryptionFormat, "default", "qcow", "luks", "luks2", ); +VIR_ENUM_IMPL(virStorageEncryptionEngine, + VIR_STORAGE_ENCRYPTION_ENGINE_LAST, + "default", "qemu", +); + static void virStorageEncryptionInfoDefClear(virStorageEncryptionInfoDef *def) { @@ -120,6 +125,7 @@ virStorageEncryptionCopy(const virStorageEncryption *src) ret->secrets = g_new0(virStorageEncryptionSecret *, src->nsecrets); ret->nsecrets = src->nsecrets; ret->format = src->format; + ret->engine = src->engine; for (i = 0; i < src->nsecrets; i++) { if (!(ret->secrets[i] = virStorageEncryptionSecretCopy(src->secrets[i]))) @@ -217,6 +223,7 @@ virStorageEncryptionParseNode(xmlNodePtr node, xmlNodePtr *nodes = NULL; virStorageEncryption *encdef = NULL; virStorageEncryption *ret = NULL; + g_autofree char *engine_str = NULL; g_autofree char *format_str = NULL; int n; size_t i; @@ -239,6 +246,16 @@ virStorageEncryptionParseNode(xmlNodePtr node, goto cleanup; } + if ((engine_str = virXPathString("string(./@engine)", ctxt))) { + if ((encdef->engine = + virStorageEncryptionEngineTypeFromString(engine_str)) < 0) { + virReportError(VIR_ERR_XML_ERROR, + _("unknown volume encryption engine type %s"), + engine_str); + goto cleanup; + } + } + if ((n = virXPathNodeSet("./secret", ctxt, &nodes)) < 0) goto cleanup; @@ -327,6 +344,7 @@ int virStorageEncryptionFormat(virBuffer *buf, virStorageEncryption *enc) { + const char *engine; const char *format; size_t i; @@ -335,7 +353,18 @@ virStorageEncryptionFormat(virBuffer *buf, "%s", _("unexpected encryption format")); return -1; } - virBufferAsprintf(buf, "<encryption format='%s'>\n", format); + if (enc->engine == VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT) { + virBufferAsprintf(buf, "<encryption format='%s'>\n", format); + } else { + if (!(engine = virStorageEncryptionEngineTypeToString(enc->engine))) { + virReportError(VIR_ERR_INTERNAL_ERROR, + "%s", _("unexpected encryption engine")); + return -1; + } + virBufferAsprintf(buf, "<encryption format='%s' engine='%s'>\n", + format, engine); + } + virBufferAdjustIndent(buf, 2); for (i = 0; i < enc->nsecrets; i++) { diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h index 32e3a1243a..c722f832f5 100644 --- a/src/conf/storage_encryption_conf.h +++ b/src/conf/storage_encryption_conf.h @@ -51,6 +51,14 @@ struct _virStorageEncryptionInfoDef { char *ivgen_hash; }; +typedef enum { + VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT = 0, + VIR_STORAGE_ENCRYPTION_ENGINE_QEMU, + + VIR_STORAGE_ENCRYPTION_ENGINE_LAST, +} virStorageEncryptionEngineType; +VIR_ENUM_DECL(virStorageEncryptionEngine); + typedef enum { /* "default" is only valid for volume creation */ VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0, @@ -64,6 +72,7 @@ VIR_ENUM_DECL(virStorageEncryptionFormat); typedef struct _virStorageEncryption virStorageEncryption; struct _virStorageEncryption { + int engine; /* virStorageEncryptionEngineType */ int format; /* virStorageEncryptionFormatType */ int payload_offset; diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index f7aa052822..693c43dfcc 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -1318,6 +1318,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src, * VIR_DOMAIN_SECRET_INFO_TYPE_AES works here. The correct type needs to be * instantiated elsewhere. */ if (!src->encryption || + src->encryption->engine != VIR_STORAGE_ENCRYPTION_ENGINE_QEMU || !srcpriv || !srcpriv->encinfo || srcpriv->encinfo->type != VIR_DOMAIN_SECRET_INFO_TYPE_AES) @@ -1454,6 +1455,7 @@ qemuBlockStorageSourceGetBlockdevFormatProps(virStorageSource *src) * put a raw layer on top */ case VIR_STORAGE_FILE_RAW: if (src->encryption && + src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_QEMU && src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) { if (qemuBlockStorageSourceGetFormatLUKSProps(src, props) < 0) return NULL; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 2d35106c2f..9c873c129b 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -5421,6 +5421,8 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk, virQEMUCaps *qemuCaps, unsigned int parseFlags) { + virStorageSource *n; + /* set default disk types and drivers */ if (!virDomainDiskGetDriver(disk)) virDomainDiskSetDriver(disk, "qemu"); @@ -5435,6 +5437,12 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk, disk->mirror->format == VIR_STORAGE_FILE_NONE) disk->mirror->format = VIR_STORAGE_FILE_RAW; + /* default disk encryption engine */ + for (n = disk->src; virStorageSourceIsBacking(n); n = n->backingStore) { + if (n->encryption && n->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT) + n->encryption->engine = VIR_STORAGE_ENCRYPTION_ENGINE_QEMU; + } + if (qemuDomainDeviceDiskDefPostParseRestoreSecAlias(disk, qemuCaps, parseFlags) < 0) return -1; diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml b/tests/qemustatusxml2xmldata/upgrade-out.xml index f9476731f6..5218092cb9 100644 --- a/tests/qemustatusxml2xmldata/upgrade-out.xml +++ b/tests/qemustatusxml2xmldata/upgrade-out.xml @@ -316,7 +316,7 @@ <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/var/lib/libvirt/images/b.qcow2'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> <privateData> @@ -333,7 +333,7 @@ <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/var/lib/libvirt/images/c.qcow2'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> <privateData> @@ -354,7 +354,7 @@ <auth username='testuser-iscsi'> <secret type='iscsi' usage='testuser-iscsi-secret'/> </auth> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> <privateData> diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml b/tests/qemuxml2xmloutdata/disk-nvme.xml deleted file mode 120000 index ea9eb267ac..0000000000 --- a/tests/qemuxml2xmloutdata/disk-nvme.xml +++ /dev/null @@ -1 +0,0 @@ -../qemuxml2argvdata/disk-nvme.xml \ No newline at end of file diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml b/tests/qemuxml2xmloutdata/disk-nvme.xml new file mode 100644 index 0000000000..9a5fafce7d --- /dev/null +++ b/tests/qemuxml2xmloutdata/disk-nvme.xml @@ -0,0 +1,64 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-i386</emulator> + <disk type='nvme' device='disk'> + <driver name='qemu' type='raw'/> + <source type='pci' managed='yes' namespace='1'> + <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> + </source> + <target dev='vda' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <disk type='nvme' device='disk'> + <driver name='qemu' type='raw'/> + <source type='pci' managed='yes' namespace='2'> + <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> + </source> + <target dev='vdb' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> + </disk> + <disk type='nvme' device='disk'> + <driver name='qemu' type='raw'/> + <source type='pci' managed='no' namespace='1'> + <address domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> + </source> + <target dev='vdc' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> + </disk> + <disk type='nvme' device='disk'> + <driver name='qemu' type='qcow2' cache='none'/> + <source type='pci' managed='no' namespace='2'> + <address domain='0x0001' bus='0x02' slot='0x00' function='0x0'/> + <encryption format='luks' engine='qemu'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> + </encryption> + </source> + <target dev='vdd' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/> + </disk> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <controller type='scsi' index='0' model='virtio-scsi'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </controller> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <audio id='1' type='none'/> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml b/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml index be5cd25084..a058cbad61 100644 --- a/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml +++ b/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml @@ -49,7 +49,7 @@ <slices> <slice type='storage' offset='1234' size='321'/> </slices> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> </source> @@ -75,7 +75,7 @@ <slices> <slice type='storage' offset='1234' size='321'/> </slices> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> </source> diff --git a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml deleted file mode 120000 index a1a4f841e9..0000000000 --- a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml +++ /dev/null @@ -1 +0,0 @@ -../qemuxml2argvdata/encrypted-disk-usage.xml \ No newline at end of file diff --git a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml new file mode 100644 index 0000000000..d2b87b94b6 --- /dev/null +++ b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml @@ -0,0 +1,37 @@ +<domain type='qemu'> + <name>encryptdisk</name> + <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid> + <memory unit='KiB'>1048576</memory> + <currentMemory unit='KiB'>524288</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-i386</emulator> + <disk type='file' device='disk'> + <driver name='qemu' type='qcow2'/> + <source file='/storage/guest_disks/encryptdisk'/> + <target dev='vda' bus='virtio'/> + <encryption format='luks' engine='qemu'> + <secret type='passphrase' usage='/storage/guest_disks/encryptdisk'/> + </encryption> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <audio id='1' type='none'/> + <memballoon model='virtio'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </memballoon> + </devices> +</domain> diff --git a/tests/qemuxml2xmloutdata/encrypted-disk.xml b/tests/qemuxml2xmloutdata/encrypted-disk.xml index 06f2c5b47c..e30c8a36e8 100644 --- a/tests/qemuxml2xmloutdata/encrypted-disk.xml +++ b/tests/qemuxml2xmloutdata/encrypted-disk.xml @@ -18,7 +18,7 @@ <driver name='qemu' type='qcow2'/> <source file='/storage/guest_disks/encryptdisk'/> <target dev='vda' bus='virtio'/> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> diff --git a/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml b/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml index 5f600f5ba7..7f98dd597e 100644 --- a/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml +++ b/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml @@ -20,7 +20,7 @@ <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/storage/guest_disks/encryptdisk'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> </source> @@ -30,7 +30,7 @@ <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/storage/guest_disks/encryptdisk2'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/> </encryption> </source> @@ -44,7 +44,7 @@ <auth username='myname'> <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/> </auth> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/> </encryption> </source> @@ -54,7 +54,7 @@ <disk type='volume' device='disk'> <driver name='qemu' type='qcow2'/> <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/> </encryption> </source> @@ -67,7 +67,7 @@ <host name='mon1.example.org' port='6321'/> <host name='mon2.example.org' port='6322'/> <host name='mon3.example.org' port='6322'/> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> </encryption> </source> @@ -77,14 +77,14 @@ <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/storage/guest_disks/encryptdisk5'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> </source> <backingStore type='file'> <format type='qcow2'/> <source file='/storage/guest_disks/base.qcow2'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> </source> diff --git a/tests/qemuxml2xmloutdata/luks-disks-source.xml b/tests/qemuxml2xmloutdata/luks-disks-source.xml index 5333d4ac6e..891b5d9d17 100644 --- a/tests/qemuxml2xmloutdata/luks-disks-source.xml +++ b/tests/qemuxml2xmloutdata/luks-disks-source.xml @@ -17,7 +17,7 @@ <disk type='file' device='disk'> <driver name='qemu' type='raw'/> <source file='/storage/guest_disks/encryptdisk'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption> </source> @@ -27,7 +27,7 @@ <disk type='file' device='disk'> <driver name='qemu' type='raw'/> <source file='/storage/guest_disks/encryptdisk2'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/> </encryption> </source> @@ -41,7 +41,7 @@ <auth username='myname'> <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/> </auth> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/> </encryption> </source> @@ -51,7 +51,7 @@ <disk type='volume' device='disk'> <driver name='qemu' type='raw'/> <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/> </encryption> </source> @@ -64,7 +64,7 @@ <host name='mon1.example.org' port='6321'/> <host name='mon2.example.org' port='6322'/> <host name='mon3.example.org' port='6322'/> - <encryption format='luks'> + <encryption format='luks' engine='qemu'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> </encryption> </source> diff --git a/tests/qemuxml2xmloutdata/luks-disks.xml b/tests/qemuxml2xmloutdata/luks-disks.xml deleted file mode 120000 index d65e470c32..0000000000 --- a/tests/qemuxml2xmloutdata/luks-disks.xml +++ /dev/null @@ -1 +0,0 @@ -../qemuxml2argvdata/luks-disks.xml \ No newline at end of file diff --git a/tests/qemuxml2xmloutdata/luks-disks.xml b/tests/qemuxml2xmloutdata/luks-disks.xml new file mode 100644 index 0000000000..1c76f0dc26 --- /dev/null +++ b/tests/qemuxml2xmloutdata/luks-disks.xml @@ -0,0 +1,46 @@ +<domain type='qemu'> + <name>encryptdisk</name> + <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid> + <memory unit='KiB'>1048576</memory> + <currentMemory unit='KiB'>524288</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='file' device='disk'> + <driver name='qemu' type='raw'/> + <source file='/storage/guest_disks/encryptdisk'/> + <target dev='vda' bus='virtio'/> + <encryption format='luks' engine='qemu'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> + </encryption> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <disk type='file' device='disk'> + <driver name='qemu' type='raw'/> + <source file='/storage/guest_disks/encryptdisk2'/> + <target dev='vdb' bus='virtio'/> + <encryption format='luks' engine='qemu'> + <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/> + </encryption> + <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> + </disk> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <audio id='1' type='none'/> + <memballoon model='virtio'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </memballoon> + </devices> +</domain> diff --git a/tests/qemuxml2xmloutdata/user-aliases.xml b/tests/qemuxml2xmloutdata/user-aliases.xml deleted file mode 120000 index b5a27f08cd..0000000000 --- a/tests/qemuxml2xmloutdata/user-aliases.xml +++ /dev/null @@ -1 +0,0 @@ -../qemuxml2argvdata/user-aliases.xml \ No newline at end of file diff --git a/tests/qemuxml2xmloutdata/user-aliases.xml b/tests/qemuxml2xmloutdata/user-aliases.xml new file mode 100644 index 0000000000..10b7749521 --- /dev/null +++ b/tests/qemuxml2xmloutdata/user-aliases.xml @@ -0,0 +1,158 @@ +<domain type='kvm'> + <name>gentoo</name> + <uuid>a75aca4b-a02f-2bcb-4a91-c93cd848c34b</uuid> + <memory unit='KiB'>4194304</memory> + <currentMemory unit='KiB'>4194304</currentMemory> + <memoryBacking> + <hugepages> + <page size='1048576' unit='KiB' nodeset='0-3'/> + </hugepages> + </memoryBacking> + <vcpu placement='static'>4</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-1.4'>hvm</type> + <boot dev='hd'/> + <boot dev='cdrom'/> + </os> + <features> + <acpi/> + <apic/> + <pae/> + </features> + <cpu> + <numa> + <cell id='0' cpus='0' memory='1048576' unit='KiB'/> + <cell id='1' cpus='1' memory='1048576' unit='KiB'/> + <cell id='2' cpus='2' memory='1048576' unit='KiB'/> + <cell id='3' cpus='3' memory='1048576' unit='KiB'/> + </numa> + </cpu> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>restart</on_crash> + <pm> + <suspend-to-mem enabled='yes'/> + <suspend-to-disk enabled='yes'/> + </pm> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='file' device='floppy'> + <driver name='qemu' type='raw' cache='none'/> + <source file='/var/lib/libvirt/images/fd.img'/> + <target dev='fda' bus='fdc'/> + <alias name='ua-myDisk1'/> + <address type='drive' controller='0' bus='0' target='0' unit='0'/> + </disk> + <disk type='file' device='disk'> + <driver name='qemu' type='qcow2'/> + <source file='/var/lib/libvirt/images/gentoo.qcow2'/> + <target dev='vda' bus='virtio'/> + <alias name='ua-myDisk2'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> + </disk> + <disk type='file' device='disk'> + <driver name='qemu' type='qcow2'/> + <source file='/var/lib/libvirt/images/OtherDemo.img'/> + <target dev='vdb' bus='virtio'/> + <encryption format='luks' engine='qemu'> + <secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/> + </encryption> + <alias name='ua-myEncryptedDisk1'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/> + </disk> + <disk type='file' device='cdrom'> + <driver name='qemu' type='raw' cache='none'/> + <source file='/home/zippy/tmp/install-amd64-minimal-20140619.iso'/> + <target dev='hdc' bus='ide'/> + <readonly/> + <shareable/> + <alias name='ua-WhatAnAwesomeCDROM'/> + <address type='drive' controller='0' bus='1' target='0' unit='0'/> + </disk> + <controller type='usb' index='0'> + <alias name='ua-SomeWeirdController'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'> + <alias name='ua-MyPCIRootController'/> + </controller> + <controller type='ide' index='0'> + <alias name='ua-DoesAnybodyStillUseIDE'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> + </controller> + <controller type='virtio-serial' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/> + </controller> + <controller type='fdc' index='0'/> + <controller type='ccid' index='0'> + <alias name='ua-myCCID'/> + <address type='usb' bus='0' port='1'/> + </controller> + <controller type='ccid' index='1'> + <alias name='ua-myCCID2'/> + <address type='usb' bus='0' port='2'/> + </controller> + <interface type='ethernet'> + <mac address='52:54:00:d6:c0:0b'/> + <model type='virtio'/> + <alias name='ua-CheckoutThisNIC'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </interface> + <interface type='server'> + <mac address='52:54:00:22:c9:42'/> + <source address='127.0.0.1' port='1234'/> + <bandwidth> + <inbound average='1234'/> + <outbound average='5678'/> + </bandwidth> + <model type='rtl8139'/> + <alias name='ua-WeCanAlsoDoServerMode'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/> + </interface> + <interface type='client'> + <mac address='52:54:00:8c:b1:f8'/> + <source address='127.0.0.1' port='1234'/> + <model type='rtl8139'/> + <alias name='ua-AndAlsoClientMode'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/> + </interface> + <smartcard mode='host'> + <address type='ccid' controller='0' slot='0'/> + </smartcard> + <serial type='pty'> + <target type='isa-serial' port='0'> + <model name='isa-serial'/> + </target> + </serial> + <serial type='pty'> + <target type='isa-serial' port='1'> + <model name='isa-serial'/> + </target> + </serial> + <console type='pty'> + <target type='serial' port='0'/> + </console> + <channel type='unix'> + <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/gentoo.org.qemu.guest_agent.0'/> + <target type='virtio' name='org.qemu.guest_agent.0'/> + <address type='virtio-serial' controller='0' bus='0' port='1'/> + </channel> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <graphics type='vnc' port='-1' autoport='yes'> + <listen type='address'/> + </graphics> + <sound model='ich6'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </sound> + <audio id='1' type='none'/> + <video> + <model type='cirrus' vram='16384' heads='1' primary='yes'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> + </video> + <memballoon model='virtio'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> + </memballoon> + </devices> +</domain> -- 2.25.1
rbd encryption is new in qemu 6.1.0. This commit adds a new encryption engine property which allows the user to use this new encryption engine. Signed-off-by: Or Ozeri <oro@il.ibm.com> --- docs/formatstorageencryption.html.in | 2 +- docs/schemas/storagecommon.rng | 1 + src/conf/storage_encryption_conf.c | 2 +- src/conf/storage_encryption_conf.h | 1 + src/qemu/qemu_block.c | 30 +++++++ src/qemu/qemu_domain.c | 24 ++++++ ...sk-network-rbd-encryption.x86_64-6.0.0.err | 1 + ...-network-rbd-encryption.x86_64-latest.args | 49 +++++++++++ .../disk-network-rbd-encryption.xml | 75 +++++++++++++++++ tests/qemuxml2argvtest.c | 2 + ...k-network-rbd-encryption.x86_64-latest.xml | 83 +++++++++++++++++++ tests/qemuxml2xmltest.c | 1 + 12 files changed, 269 insertions(+), 2 deletions(-) create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.xml create mode 100644 tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in index 5783381a4a..31ec2698a1 100644 --- a/docs/formatstorageencryption.html.in +++ b/docs/formatstorageencryption.html.in @@ -27,7 +27,7 @@ The <code>encryption</code> tag supports an optional <code>engine</code> tag, which allows selecting which component actually handles the encryption. Currently defined values of <code>engine</code> are - <code>qemu</code>. + <code>qemu</code> and <code>librbd</code>. </p> <p> The <code>encryption</code> tag can currently contain a sequence of diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng index b34577c582..591a158209 100644 --- a/docs/schemas/storagecommon.rng +++ b/docs/schemas/storagecommon.rng @@ -20,6 +20,7 @@ <attribute name="engine"> <choice> <value>qemu</value> + <value>librbd</value> </choice> </attribute> </optional> diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c index e8da02b605..2639b43119 100644 --- a/src/conf/storage_encryption_conf.c +++ b/src/conf/storage_encryption_conf.c @@ -49,7 +49,7 @@ VIR_ENUM_IMPL(virStorageEncryptionFormat, VIR_ENUM_IMPL(virStorageEncryptionEngine, VIR_STORAGE_ENCRYPTION_ENGINE_LAST, - "default", "qemu", + "default", "qemu", "librbd", ); static void diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h index c722f832f5..2e6f9193bd 100644 --- a/src/conf/storage_encryption_conf.h +++ b/src/conf/storage_encryption_conf.h @@ -54,6 +54,7 @@ struct _virStorageEncryptionInfoDef { typedef enum { VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT = 0, VIR_STORAGE_ENCRYPTION_ENGINE_QEMU, + VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD, VIR_STORAGE_ENCRYPTION_ENGINE_LAST, } virStorageEncryptionEngineType; diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 693c43dfcc..164365b820 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -875,6 +875,8 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src, qemuDomainStorageSourcePrivate *srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src); g_autoptr(virJSONValue) servers = NULL; virJSONValue *ret = NULL; + g_autoptr(virJSONValue) encrypt = NULL; + const char *encformat; const char *username = NULL; g_autoptr(virJSONValue) authmodes = NULL; g_autoptr(virJSONValue) mode = NULL; @@ -899,12 +901,40 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src, return NULL; } + if (src->encryption && + src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD) { + switch ((virStorageEncryptionFormatType) src->encryption->format) { + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS: + encformat = "luks"; + break; + + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: + encformat = "luks2"; + break; + + case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT: + case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW: + case VIR_STORAGE_ENCRYPTION_FORMAT_LAST: + default: + virReportEnumRangeError(virStorageEncryptionFormatType, + src->encryption->format); + return NULL; + } + + if (virJSONValueObjectCreate(&encrypt, + "s:format", encformat, + "s:key-secret", srcPriv->encinfo->s.aes.alias, + NULL) < 0) + return NULL; + } + if (virJSONValueObjectCreate(&ret, "s:pool", src->volume, "s:image", src->path, "S:snapshot", src->snapshot, "S:conf", src->configFile, "A:server", &servers, + "A:encrypt", &encrypt, "S:user", username, "A:auth-client-required", &authmodes, "S:key-secret", keysecret, diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 9c873c129b..f4942953b1 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -4965,6 +4965,30 @@ qemuDomainValidateStorageSource(virStorageSource *src, } } + if (src->encryption && + src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD) { + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RBD_ENCRYPTION)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("librbd encryption is not supported by this QEMU binary")); + return -1; + } + + switch ((virStorageEncryptionFormatType) src->encryption->format) { + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS: + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: + break; + + case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT: + case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW: + case VIR_STORAGE_ENCRYPTION_FORMAT_LAST: + default: + virReportEnumRangeError(virStorageEncryptionFormatType, + src->encryption->format); + return -1; + } + } + + return 0; } diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err new file mode 100644 index 0000000000..edd8481a20 --- /dev/null +++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err @@ -0,0 +1 @@ +unsupported configuration: librbd encryption is not supported by this QEMU binary diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args new file mode 100644 index 0000000000..9b3e8d31b8 --- /dev/null +++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args @@ -0,0 +1,49 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/tmp/lib/domain--1-encryptdisk \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/tmp/lib/domain--1-encryptdisk/.local/share \ +XDG_CACHE_HOME=/tmp/lib/domain--1-encryptdisk/.cache \ +XDG_CONFIG_HOME=/tmp/lib/domain--1-encryptdisk/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=encryptdisk,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-encryptdisk/master-key.aes"}' \ +-machine pc-i440fx-2.1,accel=tcg,usb=off,dump-guest-core=off,memory-backend=pc.ram \ +-cpu qemu64 \ +-m 1024 \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-no-acpi \ +-boot strict=on \ +-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \ +-object '{"qom-type":"secret","id":"libvirt-4-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-4-format","read-only":false,"driver":"luks","key-secret":"libvirt-4-format-encryption-secret0","file":"libvirt-4-storage"}' \ +-device virtio-blk-pci,bus=pci.0,addr=0x2,drive=libvirt-4-format,id=virtio-disk0,bootindex=1 \ +-object '{"qom-type":"secret","id":"libvirt-3-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-3-format","read-only":false,"driver":"luks","key-secret":"libvirt-3-format-encryption-secret0","file":"libvirt-3-storage"}' \ +-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=libvirt-3-format,id=virtio-disk1 \ +-object '{"qom-type":"secret","id":"libvirt-2-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-2-format-encryption-secret0"},"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"raw","file":"libvirt-2-storage"}' \ +-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=libvirt-2-format,id=virtio-disk2 \ +-object '{"qom-type":"secret","id":"libvirt-1-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +-blockdev '{"driver":"rbd","pool":"pool","image":"image2","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks2","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \ +-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=libvirt-1-format,id=virtio-disk3 \ +-audiodev id=audio1,driver=none \ +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml new file mode 100644 index 0000000000..eeadbfeeba --- /dev/null +++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml @@ -0,0 +1,75 @@ +<domain type='qemu'> + <name>encryptdisk</name> + <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid> + <memory unit='KiB'>1048576</memory> + <currentMemory unit='KiB'>524288</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='rbd' name='pool/image'> + <host name='mon1.example.org' port='6321'/> + <host name='mon2.example.org' port='6322'/> + <host name='mon3.example.org' port='6322'/> + <encryption format='luks'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> + </encryption> + </source> + <target dev='vda' bus='virtio'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='rbd' name='pool/image'> + <host name='mon1.example.org' port='6321'/> + <host name='mon2.example.org' port='6322'/> + <host name='mon3.example.org' port='6322'/> + <encryption format='luks' engine='qemu'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> + </encryption> + </source> + <target dev='vdb' bus='virtio'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='rbd' name='pool/image'> + <host name='mon1.example.org' port='6321'/> + <host name='mon2.example.org' port='6322'/> + <host name='mon3.example.org' port='6322'/> + <encryption format='luks' engine='librbd'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> + </encryption> + </source> + <target dev='vdc' bus='virtio'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='rbd' name='pool/image2'> + <host name='mon1.example.org' port='6321'/> + <host name='mon2.example.org' port='6322'/> + <host name='mon3.example.org' port='6322'/> + <encryption format='luks2' engine='librbd'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> + </encryption> + </source> + <target dev='vdd' bus='virtio'/> + </disk> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <memballoon model='virtio'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </memballoon> + </devices> +</domain> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 3b331d5fd4..097909c912 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1385,6 +1385,8 @@ mymain(void) DO_TEST_CAPS_LATEST("disk-network-gluster"); DO_TEST_CAPS_VER("disk-network-rbd", "2.12.0"); DO_TEST_CAPS_LATEST("disk-network-rbd"); + DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-rbd-encryption", "6.0.0"); + DO_TEST_CAPS_LATEST("disk-network-rbd-encryption"); DO_TEST_FAILURE_NOCAPS("disk-network-rbd-no-colon"); DO_TEST_NOCAPS("disk-network-sheepdog"); DO_TEST_CAPS_VER("disk-network-sheepdog", "2.12.0"); diff --git a/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml new file mode 100644 index 0000000000..a91504202a --- /dev/null +++ b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml @@ -0,0 +1,83 @@ +<domain type='qemu'> + <name>encryptdisk</name> + <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid> + <memory unit='KiB'>1048576</memory> + <currentMemory unit='KiB'>524288</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type> + <boot dev='hd'/> + </os> + <cpu mode='custom' match='exact' check='none'> + <model fallback='forbid'>qemu64</model> + </cpu> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='rbd' name='pool/image'> + <host name='mon1.example.org' port='6321'/> + <host name='mon2.example.org' port='6322'/> + <host name='mon3.example.org' port='6322'/> + <encryption format='luks' engine='qemu'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> + </encryption> + </source> + <target dev='vda' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='rbd' name='pool/image'> + <host name='mon1.example.org' port='6321'/> + <host name='mon2.example.org' port='6322'/> + <host name='mon3.example.org' port='6322'/> + <encryption format='luks' engine='qemu'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> + </encryption> + </source> + <target dev='vdb' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='rbd' name='pool/image'> + <host name='mon1.example.org' port='6321'/> + <host name='mon2.example.org' port='6322'/> + <host name='mon3.example.org' port='6322'/> + <encryption format='luks' engine='librbd'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> + </encryption> + </source> + <target dev='vdc' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='rbd' name='pool/image2'> + <host name='mon1.example.org' port='6321'/> + <host name='mon2.example.org' port='6322'/> + <host name='mon3.example.org' port='6322'/> + <encryption format='luks2' engine='librbd'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/> + </encryption> + </source> + <target dev='vdd' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> + </disk> + <controller type='usb' index='0' model='piix3-uhci'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <audio id='1' type='none'/> + <memballoon model='virtio'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </memballoon> + </devices> +</domain> diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 6d3526f91f..bfbeee6a7e 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c @@ -315,6 +315,7 @@ mymain(void) QEMU_CAPS_SCSI_BLOCK); DO_TEST_NOCAPS("disk-network-gluster"); DO_TEST_NOCAPS("disk-network-rbd"); + DO_TEST_CAPS_LATEST("disk-network-rbd-encryption"); DO_TEST_NOCAPS("disk-network-source-auth"); DO_TEST_NOCAPS("disk-network-sheepdog"); DO_TEST_NOCAPS("disk-network-vxhs"); -- 2.25.1
participants (3)
-
Or Ozeri -
Or Ozeri
-
Peter Krempa