Is there a solution for this scenario?
 

yaohua.wu@zstack.io
 
发件人: yaohua.wu@zstack.io
发送时间: 2020-07-16 17:31
收件人: libvirt-users
主题: Cannot pass secret id for backing file after taking external snapshot on encrypted qcow2 file
Hi,
I used 'virsh snapshot-create' create an encrypted external snapshot,  
when I try to use 'qemu-img check' top file, found no entrance to pass backing-file's secret-id 
1、Version
centos-release-8.2-2.2004.0.1.el8.x86_64
libvirt.x86_64 6.0.0-17.el8                                                                                                      
qemu-kvm.x86_64 15:4.2.0-19.el8
2、Reproduce Steps
1)Create an encrypted qcow2
qemu-img create --object secret,id=sec0,data=123456 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 first.qcow2 1G
2)Create external snapshot with 'encrypted' xml
# cat snap.xml 
<domainsnapshot>
  <disks>
    <disk name='hdc' snapshot='no'/>
    <disk name='vdb' snapshot='external'>
      <source file='/root/first-snapshot.qcow2'>
        <encryption format='luks'>
          <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
        </encryption>
      </source>
    </disk>
  </disks>
</domainsnapshot>
# virsh dumpxml test-vm | awk '/<disk/,/<\/disk/'
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/root/first-snapshot.qcow2' index='5'/>
      <backingStore type='file' index='2'>
        <format type='qcow2'/>
        <source file='/root/first.qcow2'>
          <encryption format='luks'>
            <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/>
          </encryption>
        </source>
        <backingStore/>
      </backingStore>
      <target dev='vdb' bus='virtio'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
      </encryption>
      <alias name='virtio-disk1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
    </disk>
3)try to qemu-img check top qcow2 file
Note: The secid of the backing file is not recorded, so when I use qemu-img check/etc.. how to pass the secret to qemu of backing files
# qemu-img info -U  first-snapshot.qcow2    
image: first-snapshot.qcow2
file format: qcow2
virtual size: 1 GiB (1073741824 bytes)
disk size: 544 KiB
encrypted: yes
cluster_size: 65536
backing file: /root/first.qcow2  ### backing file: json:{"encrypt.format": "luks", "encrypt.key-secret": "secrete-id"}
backing file format: luks
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: e4158089-26e4-433f-990e-1d1d0723feee
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 1257888
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 300073
    corrupt: false
# qemu-img check -U --object secret,id=sec_1,file=/etc/libvirt/secrets/f52a81b2-424e-490c-823d-6bd4235bc572.base64,format=base64 --image-opts encrypt.format=luks,encrypt.key-secret=sec_1,file.filename=first-snapshot.qcow2 --object secret,id=sec_2,file=/etc/libvirt/secrets/f981dd17-143f-45bc-88e6-222222222222.base64,format=base64
qemu-img: Could not open 'encrypt.format=luks,encrypt.key-secret=sec_1,file.filename=first-snapshot.qcow2': Could not open backing file: Parameter 'key-secret' is required for cipher

yaohua.wu@zstack.io