Add the appropriate entries into the schema to allow encryption of the backup or scratch image. Since we use blockdev internals for everything no changes to the code are actually necessary. https://bugzilla.redhat.com/show_bug.cgi?id=1811906 Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx> --- docs/formatbackup.html.in | 14 +++- docs/schemas/domainbackup.rng | 65 +++++++++++++++---- .../backup-pull-encrypted.xml | 30 +++++++++ .../backup-push-encrypted.xml | 29 +++++++++ .../backup-pull-encrypted.xml | 30 +++++++++ .../backup-push-encrypted.xml | 29 +++++++++ tests/genericxml2xmltest.c | 3 + 7 files changed, 185 insertions(+), 15 deletions(-) create mode 100644 tests/domainbackupxml2xmlin/backup-pull-encrypted.xml create mode 100644 tests/domainbackupxml2xmlin/backup-push-encrypted.xml create mode 100644 tests/domainbackupxml2xmlout/backup-pull-encrypted.xml create mode 100644 tests/domainbackupxml2xmlout/backup-push-encrypted.xml diff --git a/docs/formatbackup.html.in b/docs/formatbackup.html.in index 87744bac98..9e69d8f7d3 100644 --- a/docs/formatbackup.html.in +++ b/docs/formatbackup.html.in @@ -101,7 +101,7 @@ <code>block</code>. Similar to a disk declaration for a domain, the choice of type controls what additional sub-elements are needed to describe - the destination. + the destination.</dd> <dt><code>target</code></dt> <dd>Valid only for push mode backups, this is the primary sub-element that describes the file name of @@ -110,7 +110,8 @@ disk. An optional sub-element <code>driver</code> can also be used, with an attribute <code>type</code> to specify a destination format different from - qcow2. </dd> + qcow2. See documentation for <code>scratch</code> below for + additional configuration.</dd> <dt><code>scratch</code></dt> <dd>Valid only for pull mode backups, this is the primary sub-element that describes the file name of @@ -130,7 +131,14 @@ used without modification. The file is not deleted after the backup but the contents of the file don't make sense outside of the backup. The same applies for the block device which - must be formatted appropriately.</dd> + must be formatted appropriately. + + Similarly to the domain + <a href="formatdomain.html#elementsDisks"><code>disk</code></a> + definition <code>scratch</code> and <code>target</code> can + contain <code>seclabel</code> and/or <code>encryption</code> + subelements to configure the corresponding properties. + </dd> </dl> </dd> </dl> diff --git a/docs/schemas/domainbackup.rng b/docs/schemas/domainbackup.rng index 395ea841f9..ac5b12c463 100644 --- a/docs/schemas/domainbackup.rng +++ b/docs/schemas/domainbackup.rng @@ -7,6 +7,27 @@ <include href='domaincommon.rng'/> + <define name='backupEncryption'> + <element name='encryption'> + <attribute name='format'> + <choice> + <value>luks</value> + </choice> + </attribute> + <interleave> + <ref name='secret'/> + <optional> + <element name='cipher'> + <ref name='keycipher'/> + </element> + <element name='ivgen'> + <ref name='keyivgen'/> + </element> + </optional> + </interleave> + </element> + </define> + <define name='domainbackup'> <element name='domainbackup'> <interleave> @@ -123,9 +144,14 @@ <attribute name='file'> <ref name='absFilePath'/> </attribute> - <zeroOrMore> - <ref name='devSeclabel'/> - </zeroOrMore> + <interleave> + <zeroOrMore> + <ref name='devSeclabel'/> + </zeroOrMore> + <optional> + <ref name='backupEncryption'/> + </optional> + </interleave> </element> </optional> <ref name='backupPushDriver'/> @@ -142,9 +168,14 @@ <attribute name='dev'> <ref name='absFilePath'/> </attribute> - <zeroOrMore> - <ref name='devSeclabel'/> - </zeroOrMore> + <interleave> + <zeroOrMore> + <ref name='devSeclabel'/> + </zeroOrMore> + <optional> + <ref name='backupEncryption'/> + </optional> + </interleave> </element> </optional> <ref name='backupPushDriver'/> @@ -192,9 +223,14 @@ <attribute name='file'> <ref name='absFilePath'/> </attribute> - <zeroOrMore> - <ref name='devSeclabel'/> - </zeroOrMore> + <interleave> + <zeroOrMore> + <ref name='devSeclabel'/> + </zeroOrMore> + <optional> + <ref name='backupEncryption'/> + </optional> + </interleave> </element> <ref name='backupPullDriver'/> </interleave> @@ -210,9 +246,14 @@ <attribute name='dev'> <ref name='absFilePath'/> </attribute> - <zeroOrMore> - <ref name='devSeclabel'/> - </zeroOrMore> + <interleave> + <zeroOrMore> + <ref name='devSeclabel'/> + </zeroOrMore> + <optional> + <ref name='backupEncryption'/> + </optional> + </interleave> </element> <ref name='backupPullDriver'/> </interleave> diff --git a/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml b/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml new file mode 100644 index 0000000000..1469189a37 --- /dev/null +++ b/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml @@ -0,0 +1,30 @@ +<domainbackup mode="pull"> + <incremental>1525889631</incremental> + <server transport='tcp' name='localhost' port='10809'/> + <disks> + <disk name='vda' type='file' exportname='test-vda' exportbitmap='blah'> + <driver type='qcow2'/> + <scratch file='/path/to/file'> + <encryption format='luks'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> + </encryption> + </scratch> + </disk> + <disk name='vdb' type='file' exportname='test-vda' exportbitmap='blah'> + <driver type='qcow2'/> + <scratch file='/path/to/file'> + <encryption format='luks'> + <secret type='passphrase' usage='/storage/backup/vdb'/> + </encryption> + </scratch> + </disk> + <disk name='vdc' type='block'> + <driver type='qcow2'/> + <scratch dev='/dev/block'> + <encryption format='luks'> + <secret type='passphrase' usage='/storage/backup/vdc'/> + </encryption> + </scratch> + </disk> + </disks> +</domainbackup> diff --git a/tests/domainbackupxml2xmlin/backup-push-encrypted.xml b/tests/domainbackupxml2xmlin/backup-push-encrypted.xml new file mode 100644 index 0000000000..121cfd7fa9 --- /dev/null +++ b/tests/domainbackupxml2xmlin/backup-push-encrypted.xml @@ -0,0 +1,29 @@ +<domainbackup mode="push"> + <incremental>1525889631</incremental> + <disks> + <disk name='vda' type='file'> + <driver type='qcow2'/> + <target file='/path/to/file'> + <encryption format='luks'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> + </encryption> + </target> + </disk> + <disk name='vdb' type='file'> + <driver type='raw'/> + <target file='/path/to/file'> + <encryption format='luks'> + <secret type='passphrase' usage='/storage/backup/vdb'/> + </encryption> + </target> + </disk> + <disk name='vdc' type='block'> + <driver type='qcow2'/> + <target dev='/dev/block'> + <encryption format='luks'> + <secret type='passphrase' usage='/storage/backup/vdc'/> + </encryption> + </target> + </disk> + </disks> +</domainbackup> diff --git a/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml b/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml new file mode 100644 index 0000000000..81519bfcb5 --- /dev/null +++ b/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml @@ -0,0 +1,30 @@ +<domainbackup mode='pull'> + <incremental>1525889631</incremental> + <server transport='tcp' name='localhost' port='10809'/> + <disks> + <disk name='vda' backup='yes' type='file' exportname='test-vda' exportbitmap='blah'> + <driver type='qcow2'/> + <scratch file='/path/to/file'> + <encryption format='luks'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> + </encryption> + </scratch> + </disk> + <disk name='vdb' backup='yes' type='file' exportname='test-vda' exportbitmap='blah'> + <driver type='qcow2'/> + <scratch file='/path/to/file'> + <encryption format='luks'> + <secret type='passphrase' usage='/storage/backup/vdb'/> + </encryption> + </scratch> + </disk> + <disk name='vdc' backup='yes' type='block'> + <driver type='qcow2'/> + <scratch dev='/dev/block'> + <encryption format='luks'> + <secret type='passphrase' usage='/storage/backup/vdc'/> + </encryption> + </scratch> + </disk> + </disks> +</domainbackup> diff --git a/tests/domainbackupxml2xmlout/backup-push-encrypted.xml b/tests/domainbackupxml2xmlout/backup-push-encrypted.xml new file mode 100644 index 0000000000..a955340964 --- /dev/null +++ b/tests/domainbackupxml2xmlout/backup-push-encrypted.xml @@ -0,0 +1,29 @@ +<domainbackup mode='push'> + <incremental>1525889631</incremental> + <disks> + <disk name='vda' backup='yes' type='file'> + <driver type='qcow2'/> + <target file='/path/to/file'> + <encryption format='luks'> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> + </encryption> + </target> + </disk> + <disk name='vdb' backup='yes' type='file'> + <driver type='raw'/> + <target file='/path/to/file'> + <encryption format='luks'> + <secret type='passphrase' usage='/storage/backup/vdb'/> + </encryption> + </target> + </disk> + <disk name='vdc' backup='yes' type='block'> + <driver type='qcow2'/> + <target dev='/dev/block'> + <encryption format='luks'> + <secret type='passphrase' usage='/storage/backup/vdc'/> + </encryption> + </target> + </disk> + </disks> +</domainbackup> diff --git a/tests/genericxml2xmltest.c b/tests/genericxml2xmltest.c index 501bcdb0a1..74e520522b 100644 --- a/tests/genericxml2xmltest.c +++ b/tests/genericxml2xmltest.c @@ -192,8 +192,11 @@ mymain(void) DO_TEST_BACKUP("empty"); DO_TEST_BACKUP("backup-pull"); DO_TEST_BACKUP("backup-pull-seclabel"); + DO_TEST_BACKUP("backup-pull-encrypted"); DO_TEST_BACKUP("backup-push"); DO_TEST_BACKUP("backup-push-seclabel"); + DO_TEST_BACKUP("backup-push-encrypted"); + virObjectUnref(caps); virObjectUnref(xmlopt); -- 2.26.0
