On 6/17/24 02:02, Daniel P. Berrangé wrote:
> On Thu, Jun 13, 2024 at 08:06:17PM -0700, melanie witt wrote:
> > Hi,
> >
> > I have been trying to use the librbd engine to run a guest from an encrypted
> > RBD image and am running into some problems.
> >
> > What I would like to do is:
> >
> > 1. Start from an unencrypted raw image with an OS
> > 2. Make an encrypted clone of that image
> > 3. Boot a guest from the encrypted clone image
> >
> > What I have tried so far (simplified):
> >
> > 1. Make a clone of the unencrypted image
> >
> > rbd clone images/unencrypted@snap images/encryptedclone
> >
> > 2. Format the clone image with encryption
> >
> > rbd encryption format images/encryptedclone luks1 passphrase.bin
> >
> > 3. Create guest XML with the encrypted clone
> >
> > [...]
> > <disk type="network" device="disk">
> > <driver type="raw" cache="writeback"/>
> > <source protocol="rbd" name="images/encryptedclone">
> > <host name="127.0.0.1" port="6789"/>
> > <encryption format="luks" engine="librbd">
> > <secret type="passphrase" uuid="secretuuid"/>
> > </encryption>
> > </source>
> > <auth username="cinder">
> > <secret type="ceph" uuid="othersecretuuid"/>
> > </auth>
> > <target dev="vda" bus="virtio"/>
> > </disk>
> > [...]
> >
> > and virDomainCreateWithFlags() with the XML.
> >
> > I don't get any errors from libvirt (no errors about loading encryption) but
> > this configuration does not seem to work, the guest won't boot.
> >
> > If anyone can give me a hint what I'm doing wrong, I would appreciate it.
>
> Can you share the corresponding QEMU command line that gets generated.
Hi, thank you for replying! I did some more debugging over the weekend and
finally found the problem was that I had needed to resize the unencrypted
raw image first before cloning it to account for the LUKS header, otherwise
the image content ends up truncated after formatting and the guest
unbootable.
This concept is actually shown in an example in the docs
https://docs.ceph.com/en/reef/rbd/rbd-encryption/#examples but I still had
not made the connection between the guest not booting and the image size.
Ewww, that's annoying. I'm disappointed that Ceph didn't refuse the
clone attempt rather than silently throwing away data :-(
With regards,
Daniel
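The corrected procedure from the thread (grow the raw image before cloning so the LUKS header has room, then clone, then format), written up as a small POSIX shell script. This is an added example, not code from the thread, from Ceph or from libvirt. It assumes the rbd CLI and python3 on PATH, the pool and image names used in the thread (images/unencrypted, images/encryptedclone, passphrase.bin, luks1), and a LUKS_HEADER_MIB value of 16 MiB as a generous upper bound for the header the format step prepends (an assumption; check the Ceph encryption docs linked above for librbd's actual overhead). The snapshot name grown-snap is also invented here, because a snapshot taken before the resize would still clone at the old size.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from Ceph/libvirt.
# Assumes: rbd and python3 on PATH, pool "images" with raw image "unencrypted",
# LUKS passphrase in passphrase.bin (names from the thread). LUKS_HEADER_MIB is
# an assumed upper bound for the LUKS header that "rbd encryption format" needs.
set -eu

LUKS_HEADER_MIB="${LUKS_HEADER_MIB:-16}"

# Size of an RBD image in bytes, taken from the "size" field of rbd info JSON.
image_size_bytes() {
    rbd info --format json "$1" \
        | python3 -c 'import json, sys; print(json.load(sys.stdin)["size"])'
}

# Size in MiB the unencrypted image must be grown to before cloning:
# original payload rounded up to whole MiB, plus room for the LUKS header.
grown_size_mib() {
    bytes="$1"; header_mib="$2"
    mib=$(( (bytes + 1048575) / 1048576 ))
    echo $(( mib + header_mib ))
}

# Corrected order of operations: grow the raw image first, snapshot it after
# the resize, clone the snapshot, then format the clone with encryption.
prepare_encrypted_clone() {
    src="$1"; snap="$2"; clone="$3"; passfile="$4"
    orig=$(image_size_bytes "$src")
    target=$(grown_size_mib "$orig" "$LUKS_HEADER_MIB")
    echo "growing $src from $orig bytes to ${target}M to make room for the LUKS header"
    rbd resize --size "${target}M" "$src"
    # Snapshot only after the resize so the clone inherits the enlarged size.
    rbd snap create "$src@$snap"
    rbd snap protect "$src@$snap"
    rbd clone "$src@$snap" "$clone"
    # Same format step as in the thread, now with enough space behind the header.
    rbd encryption format "$clone" luks1 "$passfile"
}

# Only touch the cluster when explicitly asked; sourcing the file just defines
# the functions so the size arithmetic can be checked offline.
if [ "${1:-}" = "run" ]; then
    prepare_encrypted_clone images/unencrypted grown-snap images/encryptedclone passphrase.bin
fi
```

Run it as `sh prepare-clone.sh run` against a cluster; without the `run` argument it only defines the functions. The size check is the part worth keeping even if the rest is adapted: an image whose raw size is not larger than its payload by at least the header size will lose the tail of its data at format time, which is exactly the truncated, unbootable guest described above.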