[PATCH 2/2] backup: Allow 'encryption' of backups and scratch images

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Add the appropriate entries into the schema to allow encryption of the
backup or scratch image. Since we use blockdev internals for everything
no changes to the code are actually necessary.

https://bugzilla.redhat.com/show_bug.cgi?id=1811906

Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 docs/formatbackup.html.in                     | 14 +++-
 docs/schemas/domainbackup.rng                 | 65 +++++++++++++++----
 .../backup-pull-encrypted.xml                 | 30 +++++++++
 .../backup-push-encrypted.xml                 | 29 +++++++++
 .../backup-pull-encrypted.xml                 | 30 +++++++++
 .../backup-push-encrypted.xml                 | 29 +++++++++
 tests/genericxml2xmltest.c                    |  3 +
 7 files changed, 185 insertions(+), 15 deletions(-)
 create mode 100644 tests/domainbackupxml2xmlin/backup-pull-encrypted.xml
 create mode 100644 tests/domainbackupxml2xmlin/backup-push-encrypted.xml
 create mode 100644 tests/domainbackupxml2xmlout/backup-pull-encrypted.xml
 create mode 100644 tests/domainbackupxml2xmlout/backup-push-encrypted.xml

diff --git a/docs/formatbackup.html.in b/docs/formatbackup.html.in
index 87744bac98..9e69d8f7d3 100644
--- a/docs/formatbackup.html.in
+++ b/docs/formatbackup.html.in
@@ -101,7 +101,7 @@
                 <code>block</code>.
                 Similar to a disk declaration for a domain, the choice of type
                 controls what additional sub-elements are needed to describe
-                the destination.
+                the destination.</dd>
               <dt><code>target</code></dt>
               <dd>Valid only for push mode backups, this is the
                 primary sub-element that describes the file name of
@@ -110,7 +110,8 @@
                 disk. An optional sub-element <code>driver</code> can
                 also be used, with an attribute <code>type</code> to
                 specify a destination format different from
-                qcow2. </dd>
+                qcow2. See documentation for <code>scratch</code> below for
+                additional configuration.</dd>
               <dt><code>scratch</code></dt>
               <dd>Valid only for pull mode backups, this is the
                 primary sub-element that describes the file name of
@@ -130,7 +131,14 @@
                 used without modification. The file is not deleted after the
                 backup but the contents of the file don't make sense outside
                 of the backup. The same applies for the block device which
-                must be formatted appropriately.</dd>
+                must be formatted appropriately.
+
+                Similarly to the domain
+                <a href="formatdomain.html#elementsDisks"><code>disk</code></a>
+                definition <code>scratch</code> and <code>target</code> can
+                contain <code>seclabel</code> and/or <code>encryption</code>
+                subelements to configure the corresponding properties.
+              </dd>
             </dl>
           </dd>
         </dl>
diff --git a/docs/schemas/domainbackup.rng b/docs/schemas/domainbackup.rng
index 395ea841f9..ac5b12c463 100644
--- a/docs/schemas/domainbackup.rng
+++ b/docs/schemas/domainbackup.rng
@@ -7,6 +7,27 @@

   <include href='domaincommon.rng'/>

+  <define name='backupEncryption'>
+    <element name='encryption'>
+      <attribute name='format'>
+        <choice>
+          <value>luks</value>
+        </choice>
+      </attribute>
+      <interleave>
+        <ref name='secret'/>
+        <optional>
+          <element name='cipher'>
+            <ref name='keycipher'/>
+          </element>
+          <element name='ivgen'>
+            <ref name='keyivgen'/>
+          </element>
+        </optional>
+      </interleave>
+    </element>
+  </define>
+
   <define name='domainbackup'>
     <element name='domainbackup'>
       <interleave>
@@ -123,9 +144,14 @@
                       <attribute name='file'>
                         <ref name='absFilePath'/>
                       </attribute>
-                      <zeroOrMore>
-                        <ref name='devSeclabel'/>
-                      </zeroOrMore>
+                      <interleave>
+                        <zeroOrMore>
+                          <ref name='devSeclabel'/>
+                        </zeroOrMore>
+                        <optional>
+                          <ref name='backupEncryption'/>
+                        </optional>
+                      </interleave>
                     </element>
                   </optional>
                   <ref name='backupPushDriver'/>
@@ -142,9 +168,14 @@
                       <attribute name='dev'>
                         <ref name='absFilePath'/>
                       </attribute>
-                      <zeroOrMore>
-                        <ref name='devSeclabel'/>
-                      </zeroOrMore>
+                      <interleave>
+                        <zeroOrMore>
+                          <ref name='devSeclabel'/>
+                        </zeroOrMore>
+                        <optional>
+                          <ref name='backupEncryption'/>
+                        </optional>
+                      </interleave>
                     </element>
                   </optional>
                   <ref name='backupPushDriver'/>
@@ -192,9 +223,14 @@
                       <attribute name='file'>
                         <ref name='absFilePath'/>
                       </attribute>
-                      <zeroOrMore>
-                        <ref name='devSeclabel'/>
-                      </zeroOrMore>
+                      <interleave>
+                        <zeroOrMore>
+                          <ref name='devSeclabel'/>
+                        </zeroOrMore>
+                        <optional>
+                          <ref name='backupEncryption'/>
+                        </optional>
+                      </interleave>
                     </element>
                     <ref name='backupPullDriver'/>
                   </interleave>
@@ -210,9 +246,14 @@
                     <attribute name='dev'>
                       <ref name='absFilePath'/>
                     </attribute>
-                    <zeroOrMore>
-                      <ref name='devSeclabel'/>
-                    </zeroOrMore>
+                    <interleave>
+                      <zeroOrMore>
+                        <ref name='devSeclabel'/>
+                      </zeroOrMore>
+                      <optional>
+                        <ref name='backupEncryption'/>
+                      </optional>
+                    </interleave>
                   </element>
                   <ref name='backupPullDriver'/>
                 </interleave>
diff --git a/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml b/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml
new file mode 100644
index 0000000000..1469189a37
--- /dev/null
+++ b/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml
@@ -0,0 +1,30 @@
+<domainbackup mode="pull">
+  <incremental>1525889631</incremental>
+  <server transport='tcp' name='localhost' port='10809'/>
+  <disks>
+    <disk name='vda' type='file' exportname='test-vda' exportbitmap='blah'>
+      <driver type='qcow2'/>
+      <scratch file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+        </encryption>
+      </scratch>
+    </disk>
+    <disk name='vdb' type='file' exportname='test-vda' exportbitmap='blah'>
+      <driver type='qcow2'/>
+      <scratch file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdb'/>
+        </encryption>
+      </scratch>
+    </disk>
+    <disk name='vdc' type='block'>
+      <driver type='qcow2'/>
+      <scratch dev='/dev/block'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdc'/>
+        </encryption>
+      </scratch>
+    </disk>
+  </disks>
+</domainbackup>
diff --git a/tests/domainbackupxml2xmlin/backup-push-encrypted.xml b/tests/domainbackupxml2xmlin/backup-push-encrypted.xml
new file mode 100644
index 0000000000..121cfd7fa9
--- /dev/null
+++ b/tests/domainbackupxml2xmlin/backup-push-encrypted.xml
@@ -0,0 +1,29 @@
+<domainbackup mode="push">
+  <incremental>1525889631</incremental>
+  <disks>
+    <disk name='vda' type='file'>
+      <driver type='qcow2'/>
+      <target file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+        </encryption>
+      </target>
+    </disk>
+    <disk name='vdb' type='file'>
+      <driver type='raw'/>
+      <target file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdb'/>
+        </encryption>
+      </target>
+    </disk>
+    <disk name='vdc' type='block'>
+      <driver type='qcow2'/>
+      <target dev='/dev/block'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdc'/>
+        </encryption>
+      </target>
+    </disk>
+  </disks>
+</domainbackup>
diff --git a/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml b/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml
new file mode 100644
index 0000000000..81519bfcb5
--- /dev/null
+++ b/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml
@@ -0,0 +1,30 @@
+<domainbackup mode='pull'>
+  <incremental>1525889631</incremental>
+  <server transport='tcp' name='localhost' port='10809'/>
+  <disks>
+    <disk name='vda' backup='yes' type='file' exportname='test-vda' exportbitmap='blah'>
+      <driver type='qcow2'/>
+      <scratch file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+        </encryption>
+      </scratch>
+    </disk>
+    <disk name='vdb' backup='yes' type='file' exportname='test-vda' exportbitmap='blah'>
+      <driver type='qcow2'/>
+      <scratch file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdb'/>
+        </encryption>
+      </scratch>
+    </disk>
+    <disk name='vdc' backup='yes' type='block'>
+      <driver type='qcow2'/>
+      <scratch dev='/dev/block'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdc'/>
+        </encryption>
+      </scratch>
+    </disk>
+  </disks>
+</domainbackup>
diff --git a/tests/domainbackupxml2xmlout/backup-push-encrypted.xml b/tests/domainbackupxml2xmlout/backup-push-encrypted.xml
new file mode 100644
index 0000000000..a955340964
--- /dev/null
+++ b/tests/domainbackupxml2xmlout/backup-push-encrypted.xml
@@ -0,0 +1,29 @@
+<domainbackup mode='push'>
+  <incremental>1525889631</incremental>
+  <disks>
+    <disk name='vda' backup='yes' type='file'>
+      <driver type='qcow2'/>
+      <target file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+        </encryption>
+      </target>
+    </disk>
+    <disk name='vdb' backup='yes' type='file'>
+      <driver type='raw'/>
+      <target file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdb'/>
+        </encryption>
+      </target>
+    </disk>
+    <disk name='vdc' backup='yes' type='block'>
+      <driver type='qcow2'/>
+      <target dev='/dev/block'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdc'/>
+        </encryption>
+      </target>
+    </disk>
+  </disks>
+</domainbackup>
diff --git a/tests/genericxml2xmltest.c b/tests/genericxml2xmltest.c
index 501bcdb0a1..74e520522b 100644
--- a/tests/genericxml2xmltest.c
+++ b/tests/genericxml2xmltest.c
@@ -192,8 +192,11 @@ mymain(void)
     DO_TEST_BACKUP("empty");
     DO_TEST_BACKUP("backup-pull");
     DO_TEST_BACKUP("backup-pull-seclabel");
+    DO_TEST_BACKUP("backup-pull-encrypted");
     DO_TEST_BACKUP("backup-push");
     DO_TEST_BACKUP("backup-push-seclabel");
+    DO_TEST_BACKUP("backup-push-encrypted");
+

     virObjectUnref(caps);
     virObjectUnref(xmlopt);
-- 
2.26.0





[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux