Thank you very much for your guidance!

On 4/15/2020 14:24 Peter Krempa <pkrempa@redhat.com> wrote:
On Wed, Apr 15, 2020 at 10:53:05 +0800, 18781374080 wrote:

Hey, guys

I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu:

[root@xx ~]# libvirtd -V
libvirtd (libvirt) 4.5.0

This is too old; encrypted backing files work starting from libvirt-5.10
(but I strongly suggest using at least 6.1)


[root@xx ~]# qemu-img -V
qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)

And qemu-4.2


Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

1. Assigned $MYSECRET to a libvirt secret using the secret-define and secret-set-value commands; $MYSECRET is in base64 format:

MYSECRET=`printf %s "123456" | base64`

2. Created a disk encrypted in luks format:

qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G

3. The encrypted disk is defined in the XML configuration file, as shown below. Then I successfully started the virtual machine.

<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/enc.qcow2'/>
  <backingStore/>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
  <alias name='ide0-0-0'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as backing:

qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2

This won't work with libvirt. You can't pass "encrypt.key-secret":
"sec0" via the backing file string as there's no way to create the
corresponding secret object when starting the VM. You can fully omit it
here and use just '-b /root/enc/enc.qcow2'


I used the same $MYSECRET as the password data for the disk. Here is the disk information for snap.qcow2:

image: snap.qcow2
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 480K
encrypted: yes
cluster_size: 65536
backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
backing file format: qcow2
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981
        format: luks
        cipher mode: xts

[snip]


5. Then I changed the configuration of the XML, as shown below, and re-defined and started the virtual machine.

With new libvirt mentioned above you'll have to add the encryption also
to the backing file. That will properly configure both layers to use the
correct encryption key.

<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <format type='qcow2'/>
    <source file='/root/enc.qcow2'>
      <encryption format='luks'>
        <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
      </encryption>
    </source>
    <backingStore/>
  </backingStore>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

Note that also the top level source can have <encryption> as child of
<source>

Then the startup failed and an error was thrown, as shown below.

qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'

As pointed out above, there's no way to instantiate the secret object
via the backing store string as that is done by libvirt explicitly via
-object on the command line.



The sec0 secret id could not be found in the backing file; this is my problem.

Is there a problem with the way I implemented it, or does libvirt currently not support this?

Any tips or help will be appreciated. Looking forward to your reply. Thank you




18781374080
18781374080@163.com
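Taking Peter's two points together (a plain file path for the backing image, and an <encryption> element on every layer of the chain), here is an added example that is not code from the thread or from libvirt: it builds such a two-layer <disk> element and lints a <disk> for the two mistakes the thread runs into. It assumes only Python's standard xml.etree; the secret UUID, paths and element names are the ones used in the thread, and BROKEN_DISK_XML is a constructed input in the failing shape from step 5.

```python
import xml.etree.ElementTree as ET

SECRET_UUID = "694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0"  # the thread's libvirt secret

def _add_luks(source, secret_uuid):
    enc = ET.SubElement(source, "encryption", format="luks")
    ET.SubElement(enc, "secret", type="passphrase", uuid=secret_uuid)

def build_encrypted_disk_xml(chain, secret_uuid=SECRET_UUID, dev="hda", bus="ide"):
    """chain: image paths, overlay first, base last. Every qcow2 layer gets its
    own <encryption> under <source>, which libvirt >= 5.10 needs to key each layer."""
    disk = ET.Element("disk", type="file", device="disk")
    ET.SubElement(disk, "driver", name="qemu", type="qcow2")
    _add_luks(ET.SubElement(disk, "source", file=chain[0]), secret_uuid)
    parent = disk
    for path in chain[1:]:
        bs = ET.SubElement(parent, "backingStore", type="file")
        ET.SubElement(bs, "format", type="qcow2")
        _add_luks(ET.SubElement(bs, "source", file=path), secret_uuid)
        parent = bs
    ET.SubElement(parent, "backingStore")  # empty element terminates the chain
    ET.SubElement(disk, "target", dev=dev, bus=bus)
    return ET.tostring(disk, encoding="unicode")

def lint_encrypted_chain(disk_xml):
    """Return the problems found; an empty list means the chain looks right."""
    problems, disk = [], ET.fromstring(disk_xml)
    top_luks = (disk.find("encryption") is not None
                or disk.find("source/encryption") is not None)
    node, depth = disk, 0
    while True:
        src = node.find("source")
        path = src.get("file", "") if src is not None else ""
        if path.startswith("json:") and "encrypt.key-secret" in path:  # no -object secret is ever created for it
            problems.append(f"layer {depth}: path embeds encrypt.key-secret, use a plain file path")
        if depth and top_luks and (src is None or src.find("encryption") is None):
            problems.append(f"layer {depth}: backing image {path!r} has no <encryption>")
        bs = node.find("backingStore")
        if bs is None or len(bs) == 0:  # missing or empty <backingStore/> ends the chain
            return problems
        node, depth = bs, depth + 1

# Constructed <disk>: encrypted overlay whose backing layer is keyed only through a json: path
BROKEN_DISK_XML = (
    "<disk type='file' device='disk'><driver name='qemu' type='qcow2'/>"
    "<source file='/root/snap.qcow2'/><backingStore type='file'><format type='qcow2'/>"
    "<source file='json:{\"encrypt.key-secret\": \"sec0\", \"driver\": \"qcow2\", \"file\": {\"driver\": \"file\", \"filename\": \"/root/enc.qcow2\"}}'/>"
    "<backingStore/></backingStore><target dev='hda' bus='ide'/>"
    f"<encryption format='luks'><secret type='passphrase' uuid='{SECRET_UUID}'/></encryption></disk>")
```

Run lint_encrypted_chain over the <disk> element of a dumped domain XML before defining it: an empty list means every qcow2 layer carries its own secret and no layer relies on a json: backing string.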