Starting from Ceph 0f93f745 (unreleased 18.0.0) and qemu 0f385a24 (unreleased 8.0.0), qemu and librbd users can use encrypted RBD cloned images, where the parent image is encrypted using a different scheme (e.g. different passphrase).
Opening such an image requires supplying multiple secrets.
This patch series allows libvirt users to supply the multiple secrets necessary for using such RBD images.

For example:

  <encryption format='luks' engine='librbd'>
    <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
    <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
  </encryption>

Note that unlike the qemu and libvirt API, we don't allow the user to specify the format of the parent image, but just the passphrase.
We do so to minimize the changes made in libvirt.
To still be able to support RBD images where the parent is encrypted using a different format (e.g. LUKS2 cloned image of a LUKS parent), an additional patch series allowing for LUKS* (luks-any) format will be submitted.

At a high level, this patch series does the following:
- change the qemuBlockStorageSourceAttachData struct to support multiple secrets
- change the qemuDomainStorageSourcePrivate struct to support multiple secrets
- translate multiple secrets from virStorageEncryption to qemu private data

I manually patched the qemu 8.0.0 replies file to reflect relevant qemu support, to allow my tests to run.
Note that any qemu build will not support this feature, unless compiled while having a librbd that has this feature bundled.

Or Ozeri (7):
  tests: qemucapabilitiesdata: Add rbd encryption layering
  qemu: capabilities: Introduce QEMU_CAPS_RBD_ENCRYPTION_LAYERING capability
  qemu: add support for multiple secret aliases
  qemu: add multi-secret support in qemuBlockStorageSourceAttachData
  qemu: add multi-secret support in _qemuDomainStorageSourcePrivate
  qemu: support pass-on of multiple secrets to _qemuDomainStorageSourcePrivate
  qemu: add support for librbd layered encryption

 docs/formatstorageencryption.rst              |  11 +-
 src/conf/schemas/storagecommon.rng            |   4 +-
 src/qemu/qemu_alias.c                         |   8 +-
 src/qemu/qemu_alias.h                         |   3 +-
 src/qemu/qemu_block.c                         |  70 ++++++++----
 src/qemu/qemu_block.h                         |   5 +-
 src/qemu/qemu_blockjob.c                      |   6 +
 src/qemu/qemu_capabilities.c                  |   2 +
 src/qemu/qemu_capabilities.h                  |   1 +
 src/qemu/qemu_command.c                       |  31 +++--
 src/qemu/qemu_domain.c                        | 106 ++++++++++++++----
 src/qemu/qemu_domain.h                        |   3 +-
 src/qemu/qemu_hotplug.c                       |   2 +-
 src/qemu/qemu_migration_params.c              |   2 +-
 tests/qemublocktest.c                         |   7 +-
 .../caps_8.0.0.x86_64.replies                 |   5 +
 .../caps_8.0.0.x86_64.xml                     |   1 +
 ...k-rbd-encryption-layering.x86_64-7.2.0.err |   1 +
 ...rbd-encryption-layering.x86_64-latest.args |  39 +++++++
 .../disk-network-rbd-encryption-layering.xml  |  40 +++++++
 tests/qemuxml2argvtest.c                      |   2 +
 ...-rbd-encryption-layering.x86_64-latest.xml |  45 ++++++++
 tests/qemuxml2xmltest.c                       |   1 +
 23 files changed, 332 insertions(+), 63 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-layering.x86_64-7.2.0.err
 create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-layering.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-layering.xml
 create mode 100644 tests/qemuxml2xmloutdata/disk-network-rbd-encryption-layering.x86_64-latest.xml

-- 
2.25.1