Re: Can't start vm with enc backing files, No secret with id 'sec0' ?

On Wed, Apr 15, 2020 at 10:53:05 +0800, 18781374080 wrote:
>
> Hey, guys
>
> I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu:
>
> [root@xx ~]# libvirtd -V
> libvirtd (libvirt) 4.5.0

This is too old; encrypted backing files work starting from libvirt-5.10
(but I strongly suggest using at least 6.1).

>
> [root@xx ~]# qemu-img -V
> qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)

And qemu-4.2

>
> Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
>
> 1. Assign $MYSECRET to a libvirt secret using the secret-define and secret-set-value commands; $MYSECRET is in base64 format.
>
> MYSECRET=`printf %s "123456" | base64`
>
> 2. Create a disk encrypted in LUKS format.
>
> qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G
>
> 3. The encrypted disk is defined in the XML configuration file, as shown below. Then I successfully started the virtual machine.
>
> <disk type='file' device='disk'>
>   <driver name='qemu' type='qcow2'/>
>   <source file='/root/enc.qcow2'/>
>   <backingStore/>
>   <target dev='hda' bus='ide'/>
>   <encryption format='luks'>
>     <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
>   </encryption>
>   <alias name='ide0-0-0'/>
>   <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> </disk>
>
> 4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as backing:
>
> qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2

This won't work with libvirt. You can't pass "encrypt.key-secret":
"sec0" via the backing file string as there's no way to create the
corresponding secret object when starting the VM. You can fully omit it
here and use just '-b /root/enc/enc.qcow2'

>
> I used the same $MYSECRET as the password data for the disk. Here is the disk information for snap.qcow2:
>
> image: snap.qcow2
> file format: qcow2
> virtual size: 20G (21474836480 bytes)
> disk size: 480K
> encrypted: yes
> cluster_size: 65536
> backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
> backing file format: qcow2
> Format specific information:
>     compat: 1.1
>     lazy refcounts: false
>     refcount bits: 16
>     encrypt:
>         ivgen alg: plain64
>         hash alg: sha256
>         cipher alg: aes-256
>         uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981
>         format: luks
>         cipher mode: xts

[snip]

>
> 5. Then I changed the configuration of the XML, as shown below, and re-defined and started the virtual machine.

With new libvirt mentioned above you'll have to add the encryption also
to the backing file. That will properly configure both layers to use the
correct encryption key.

 <disk type='file' device='disk'>
   <driver name='qemu' type='qcow2'/>
   <source file='/root/snap.qcow2'/>
   <backingStore type='file'>
     <format type='qcow2'/>
     <source file='/root/enc.qcow2'>
       <encryption format='luks'>
         <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
       </encryption>
     </source>
     <backingStore/>
   </backingStore>
   <target dev='hda' bus='ide'/>
   <encryption format='luks'>
     <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
   </encryption>
   <address type='drive' controller='0' bus='0' target='0' unit='0'/>
 </disk>

Note that the top-level <source> can also have <encryption> as a child,
in the same way as the backing store's <source> above.

> Then the startup failed and an error was thrown, as shown below:
>
> qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'

As pointed out above, there's no way to instantiate the secret object
via the backing store string as that is done by libvirt explicitly via
-object on the command line.


>
> The sec0 secret id could not be found in the backing file; this is my problem.
>
> Is there a problem with the way I implemented it, or does libvirt currently not support this?
>
> Any tips or help will be appreciated. Looking forward to your reply. Thank you.
>
> 18781374080
> 18781374080@xxxxxxx
> Signature customized by NetEase Mail Master
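An added illustration of the failure mode described in this thread, not code from the thread, from libvirt or from qemu: the script below parses the backing-file string out of a qcow2 header and flags the json:{"encrypt.key-secret": ...} form that libvirt cannot satisfy (libvirt only emits -object secret for layers it knows from the domain XML, so a secret id baked into the header is never defined at VM start), then emits the disk XML with <encryption> under both <source> elements as the reply suggests. The header bytes are constructed inline rather than read from a real image; the paths, the secret UUID and all function names are illustrative assumptions.

```python
"""Added example, not code from the thread or from libvirt/qemu: read the
backing-file string from a qcow2 header, flag the 'json:' form that names a
secret libvirt never creates, and emit disk XML with <encryption> on both
layers. Header bytes are constructed inline; paths and UUID are illustrative."""
import json
import struct
import xml.etree.ElementTree as ET

QCOW_MAGIC = b"QFI\xfb"
CRYPT_NONE, CRYPT_AES, CRYPT_LUKS = 0, 1, 2
HEADER_LEN_V3 = 104  # size of the fixed part of a version-3 qcow2 header

# Illustrative values, not taken from a real deployment
SECRET_UUID = "694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0"
BASE_IMAGE = "/root/enc.qcow2"
OVERLAY_IMAGE = "/root/snap.qcow2"


def build_qcow2_header(backing_file: str, crypt_method: int = CRYPT_LUKS,
                       virtual_size: int = 20 << 30) -> bytes:
    """Constructed test data: a minimal v3 qcow2 header followed by the
    backing-file string. Only the fields parse_qcow2_header() reads are
    meaningful; this is not a usable disk image."""
    bf = backing_file.encode()
    bf_offset = HEADER_LEN_V3 if bf else 0
    hdr = struct.pack(">4sIQIIQIIQQIIQ",
                      QCOW_MAGIC, 3, bf_offset, len(bf),
                      16,                 # cluster_bits (64 KiB clusters)
                      virtual_size, crypt_method,
                      0, 0, 0, 0, 0, 0)   # L1/refcount/snapshot fields, unused here
    hdr += struct.pack(">QQQII", 0, 0, 0, 4, HEADER_LEN_V3)  # v3 feature/refcount fields
    return hdr + bf


def parse_qcow2_header(data: bytes) -> dict:
    """Decode the header fields that matter for an encrypted backing chain."""
    if data[:4] != QCOW_MAGIC:
        raise ValueError("not a qcow2 image")
    version, bf_offset, bf_size, _cluster_bits, size, crypt = struct.unpack(
        ">IQIIQI", data[4:36])
    backing = data[bf_offset:bf_offset + bf_size].decode() if bf_size else ""
    return {"version": version, "virtual_size": size,
            "crypt_method": crypt, "backing_file": backing}


def backing_secret_problem(backing_file: str):
    """Return the secret id a 'json:' backing string demands, or None.

    qemu-img can open json:{"encrypt.key-secret": "sec0", ...} because the
    caller passes --object secret,id=sec0 on the same command line. libvirt
    only emits -object secret for layers it learns about from the domain XML,
    so a secret id baked into the header is never defined when the VM starts
    and qemu fails with "No secret with id 'sec0'"."""
    if not backing_file.startswith("json:"):
        return None
    try:
        spec = json.loads(backing_file[len("json:"):])
    except json.JSONDecodeError:
        return None  # malformed; qemu would reject it anyway
    return spec.get("encrypt.key-secret")


def _add_luks(source: ET.Element, secret_uuid: str) -> None:
    enc = ET.SubElement(source, "encryption", format="luks")
    ET.SubElement(enc, "secret", type="passphrase", uuid=secret_uuid)


def disk_xml(top: str, backing: str, secret_uuid: str,
             dev: str = "hda", bus: str = "ide") -> str:
    """Disk element with <encryption> under both <source> elements, so libvirt
    passes a key secret for the overlay and for the backing file."""
    disk = ET.Element("disk", type="file", device="disk")
    ET.SubElement(disk, "driver", name="qemu", type="qcow2")
    _add_luks(ET.SubElement(disk, "source", file=top), secret_uuid)
    store = ET.SubElement(disk, "backingStore", type="file")
    ET.SubElement(store, "format", type="qcow2")
    _add_luks(ET.SubElement(store, "source", file=backing), secret_uuid)
    ET.SubElement(store, "backingStore")  # terminates the chain
    ET.SubElement(disk, "target", dev=dev, bus=bus)
    return ET.tostring(disk, encoding="unicode")


def diagnose(header: bytes) -> str:
    """One-line verdict for an overlay header, as a practitioner check."""
    info = parse_qcow2_header(header)
    sec = backing_secret_problem(info["backing_file"])
    if sec is not None:
        return (f"backing string references secret '{sec}': recreate the overlay "
                f"with a plain '-b {BASE_IMAGE}' and add <encryption> to the "
                "backingStore in the domain XML")
    if info["crypt_method"] == CRYPT_LUKS:
        return "plain backing path; LUKS overlay, add <encryption> per layer in XML"
    return "plain backing path; overlay not encrypted"


if __name__ == "__main__":
    broken = build_qcow2_header(
        'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", '
        '"file": {"driver": "file", "filename": "/root/enc.qcow2"}}')
    print(diagnose(broken))
    print(diagnose(build_qcow2_header(BASE_IMAGE)))
    print(disk_xml(OVERLAY_IMAGE, BASE_IMAGE, SECRET_UUID))
```

To run the check against a real overlay, read the first cluster of the file (the backing string lives right after the fixed header and its extensions) and pass the bytes to diagnose(); the XML emitted by disk_xml() puts <encryption> under <source> at both levels, which is the variant the reply mentions as an alternative to placing the top-level <encryption> directly under <disk>.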
