Thank you very much for your guidance!
On Wed, Apr 15, 2020 at 10:53:05 +0800, 18781374080 wrote:
Hey, guys
I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu:
[root@xx ~]# libvirtd -V
libvirtd (libvirt) 4.5.0
This is too old; encrypted backing files work starting from libvirt-5.10
(but I strongly suggest using at least 6.1)
[root@xx ~]# qemu-img -V
qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)
And qemu-4.2
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
1. assign $MYSECRET to a libvirt secret using the secret-define and secret-set-value commands, and $MYSECRET is in base64 format
MYSECRET=`printf %s "123456" | base64`
2. created a disk encrypted in luks format
qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G
3. The encrypted disk is defined in the XML configuration file, as shown below. Then I successfully started the virtual machine.
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/root/enc.qcow2'/>
<backingStore/>
<target dev='hda' bus='ide'/>
<encryption format='luks'>
<secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
</encryption>
<alias name='ide0-0-0'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as backing
qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2
This won't work with libvirt. You can't pass "encrypt.key-secret":
"sec0" via the backing file string as there's no way to create the
corresponding secret object when starting the VM. You can fully omit it
here and use just '-b /root/enc/enc.qcow2'
I used the same $MYSECRET as the password data for the disk. Here is the disk information for snap.qcow2
image: snap.qcow2
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 480K
encrypted: yes
cluster_size: 65536
backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
backing file format: qcow2
Format specific information:
compat: 1.1
lazy refcounts: false
refcount bits: 16
encrypt:
ivgen alg: plain64
hash alg: sha256
cipher alg: aes-256
uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981
format: luks
cipher mode: xts
[snip]
5. Then I changed the configuration of the XML, as shown below, and re-defined and started the virtual machine.
With new libvirt mentioned above you'll have to add the encryption also
to the backing file. That will properly configure both layers to use the
correct encryption key.
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/root/snap.qcow2'/>
<backingStore type='file'>
<format type='qcow2'/>
<source file='/root/enc.qcow2'>
<encryption format='luks'>
<secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
</encryption>
</source>
<backingStore/>
</backingStore>
<target dev='hda' bus='ide'/>
<encryption format='luks'>
<secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
</encryption>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
Note that also the top level source can have <encryption> as child of
<source>
Then the startup failed and an error was thrown, as shown below.
qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'
As pointed out above, there's no way to instantiate the secret object
via the backing store string as that is done by libvirt explicitly via
-object on the command line.
The sec0 secret id could not be found in the backing file; this is my problem.
Is there a problem with the way I implemented it, or does libvirt currently not support this?
Any tips or help will be appreciated. Looking forward to your reply. Thank you.
18781374080
18781374080@163.com
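A small checker for the two pitfalls discussed in this thread (a "json:" backing-file string that names a secret libvirt cannot create, and a backing layer that lacks its own <encryption>), added here as an example and not code from libvirt or from the thread's participants; the two <disk> samples are constructed, and the secret uuid is the one quoted in the thread.

```python
import xml.etree.ElementTree as ET
def check_encrypted_chain(disk_xml):
    """Return problems in a libvirt <disk> that stacks a LUKS qcow2 on an
    encrypted backing file: the backing file must be a plain path (libvirt
    cannot create secrets named in a 'json:' string) and every layer needs
    its own <encryption format='luks'> carrying a <secret>."""
    disk = ET.fromstring(disk_xml)
    problems = []
    # the top-level <encryption> may sit under <disk> or under <source>
    enc = disk.find('encryption')
    if enc is None:
        enc = disk.find('source/encryption')
    if enc is None or enc.get('format') != 'luks' or enc.find('secret') is None:
        problems.append("top image: no <encryption format='luks'> with <secret>")
    bs, depth = disk.find('backingStore'), 0
    # an empty <backingStore/> (no type attribute) terminates the chain
    while bs is not None and bs.get('type') is not None:
        depth += 1
        src = bs.find('source')
        path = src.get('file') if src is not None else None
        if path is None or path.startswith('json:'):
            problems.append(f"backingStore {depth}: <source file> must be a plain path, not a json: string")
        benc = bs.find('source/encryption')
        if benc is None or benc.find('secret') is None:
            problems.append(f"backingStore {depth}: no <encryption> with <secret>")
        bs = bs.find('backingStore')
    return problems
SECRET = "694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0"  # secret uuid quoted in the thread
# Constructed sample: the layout the reply recommends, encryption on both layers.
GOOD_DISK = f"""<disk type='file' device='disk'>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <format type='qcow2'/>
    <source file='/root/enc.qcow2'>
      <encryption format='luks'><secret type='passphrase' uuid='{SECRET}'/></encryption>
    </source>
    <backingStore/>
  </backingStore>
  <encryption format='luks'><secret type='passphrase' uuid='{SECRET}'/></encryption>
</disk>"""
# Constructed sample: backing file given as a json: string and without <encryption>.
BAD_DISK = f"""<disk type='file' device='disk'>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <source file='json:{{"encrypt.key-secret": "sec0", "driver": "qcow2"}}'/>
    <backingStore/>
  </backingStore>
  <encryption format='luks'><secret type='passphrase' uuid='{SECRET}'/></encryption>
</disk>"""
```

Run `check_encrypted_chain(ET-string)` against the <disk> element from `virsh dumpxml` before starting the guest; an empty list means both layers carry their own secret and the backing file is a plain path.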