Bug 1411394
| Summary: | libvirtd crashes when attaching raw LUKS volumes | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jaroslav Reznik <jreznik> |
| Component: | libvirt | Assignee: | John Ferlan <jferlan> |
| Status: | CLOSED ERRATA | QA Contact: | yisun |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.3 | CC: | bugzilla, dyuan, jdenemar, jferlan, jsuchane, rbalakri, rh-bugzilla, snagar, xuzhang |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-2.0.0-10.el7_3.5 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: The libvirt code assumed that for any domain disk device found to be LUKS encrypted, the device would have a libvirt secret associated with the device in order to provide the key to unlock the device.
Consequence: When attempting to access the secret libvirt would core.
Fix: Add a check to ensure that not only is there encryption, but there is a secret before trying to access the secret object in order to pass the secret along with the disk.
Result: After the patch, it is possible to attach a LUKS encrypted disk and no libvirt secret associated with the disk. This would force the application to perform the unlock.
|
Story Points: | --- |
| Clone Of: | 1405269 | Environment: | |
| Last Closed: | 2017-03-02 17:30:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1405269 | ||
| Bug Blocks: | |||
|
Description
Jaroslav Reznik
2017-01-09 15:44:19 UTC
Test with:
libvirt-2.0.0-10.el7_3.5.x86_64
qemu-kvm-rhev-2.6.0-28.el7_3.5.x86_64
Test steps:
1. create a luks img (with lv and with local file)
2. attach the img to vm with disk's xml without indicate <encryption> part
3. check the disk in vm
4. detach the virtual disk
5. create a libvirt secret with correct password
6. attach the img to vm with <encryption>
7. check the disk in vm
8. detach the virtual disk and check the img is still in luks format with "qemu-img info"
Scenario 1: use lv as virtual disk source
===== In host =====
root@localhost~ ## pvcreate /dev/sdb
Physical volume "/dev/sdb" successfully created.
root@localhost~ ## vgcreate vg1 /dev/sdb
Volume group "vg1" successfully created
root@localhost~ ## lvcreate vg1 /dev/sdb --size 10M
Rounding up size to full physical extent 12.00 MiB
Logical volume "lvol0" created.
root@localhost~ ## lvdisplay
--- Logical volume ---
LV Path /dev/vg1/lvol0
LV Name lvol0
VG Name vg1
LV UUID CfHO1T-wqVQ-8Qcy-xY5r-jxsi-gYuU-grp4qS
LV Write Access read/write
LV Creation host, time localhost.localdomain, 2017-02-13 14:47:45 +0800
LV Status available
# open 0
LV Size 12.00 MiB
Current LE 3
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 8192
Block device 253:3
root@localhost~ ## cryptsetup luksFormat /dev/vg1/lvol0
WARNING!
========
This will overwrite data on /dev/vg1/lvol0 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@localhost~ ## cat /tmp/disk.xml
<disk type='block' device='disk'>
<driver name='qemu' type='raw' cache='none' io='native' discard='unmap'/>
<source dev='/dev/vg1/lvol0'/>
<backingStore/>
<target dev='vdb' bus='virtio'/>
<serial>drive-scsi0-0-0-1</serial>
<alias name='virtio-disk1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
</disk>
root@localhost~ ## virsh start avocado-vt-vm1
Domain avocado-vt-vm1 started
root@localhost~ ## virsh attach-device avocado-vt-vm1 /tmp/disk.xml
Device attached successfully
root@localhost~ ## virsh console avocado-vt-vm1
===== In guest =====
[root@localhost ~]# lsblk | grep vdb
vdb 252:16 0 12M 0 disk
[root@localhost ~]# mount /dev/vdb /mnt
mount: unknown filesystem type 'crypto_LUKS'
===== In host =====
root@localhost~ ## virsh detach-device avocado-vt-vm1 /tmp/disk.xml
Device detached successfully
root@localhost~ ## virsh domblklist avocado-vt-vm1
Target Source
------------------------------------------------
vda /var/lib/libvirt/images/RHEL-7.3-latest.qcow2
root@localhost~ ## cat /tmp/secret.xml
<secret ephemeral='no' private='yes'>
<description>LUKS Secret</description>
<uuid>f981dd17-143f-45bc-88e6-ed1fe20ce9da</uuid>
<usage type='volume'>
<volume>/dev/vg1/lvol0</volume>
</usage>
</secret>
root@localhost~ ## virsh secret-define /tmp/secret.xml
Secret f981dd17-143f-45bc-88e6-ed1fe20ce9da created
root@localhost~ ## MYSECRET=`printf %s "1qaz@WSX" | base64`
root@localhost~ ## virsh secret-set-value f981dd17-143f-45bc-88e6-ed1fe20ce9da $MYSECRET
Secret value set
root@localhost/tmp ## cat /tmp/disk.xml
<disk type='block' device='disk'>
<driver name='qemu' type='raw' cache='none' io='native' discard='unmap'/>
<source dev='/dev/vg1/lvol0'/>
<backingStore/>
<target dev='sdb' bus='virtio'/>
<encryption format='luks'>
<secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-ed1fe20ce9da'/>
</encryption>
<serial>drive-scsi0-0-0-1</serial>
<alias name='virtio-disk1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
</disk>
root@localhost~ ## virsh attach-device avocado-vt-vm1 /tmp/disk.xml
Device attached successfully
root@localhost~ ## virsh console avocado-vt-vm1
Connected to domain avocado-vt-vm1
Escape character is ^]
===== In guest =====
[root@localhost ~]# lsblk | grep vdb
vdb 252:16 0 10M 0 disk
[root@localhost ~]# mkfs.ext4 /dev/vdb -F
[root@localhost ~]# mount /dev/vdb /mnt
[root@localhost ~]# echo "test" > /mnt/test.txt
[root@localhost ~]# sync
[root@localhost ~]# cat /mnt/test.txt
test
===== In host =====
root@localhost~ ## virsh detach-device avocado-vt-vm1 /tmp/disk.xml
Device detached successfully
root@localhost~ ## virsh domblklist avocado-vt-vm1
Target Source
------------------------------------------------
vda /var/lib/libvirt/images/RHEL-7.3-latest.qcow2
root@localhost~ ## qemu-img info /dev/vg1/lvol0
image: /dev/vg1/lvol0
file format: luks
virtual size: 10M (10485760 bytes)
disk size: 0
encrypted: yes
Scenario 2: Use a local img as virtual disk source
===== In host =====
root@localhost~ ## qemu-img create -f luks --object secret,id=sec0,data=cmVkaGF0,format=base64 -o key-secret=sec0 /var/lib/libvirt/images/disk.luks 1G
Formatting '/var/lib/libvirt/images/disk.luks', fmt=luks size=1073741824 key-secret=sec0
root@localhost~ ## cat /tmp/file.disk
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none' io='native' discard='unmap'/>
<source file='/var/lib/libvirt/images/disk.luks'/>
<backingStore/>
<target dev='vdb' bus='virtio'/>
<serial>drive-scsi0-0-0-1</serial>
<alias name='virtio-disk1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
</disk>
root@localhost~ ## virsh start avocado-vt-vm1
Domain avocado-vt-vm1 started
root@localhost~ ## virsh attach-device avocado-vt-vm1 /tmp/file.disk
Device attached successfully
root@localhost~ ## virsh console avocado-vt-vm1
Connected to domain avocado-vt-vm1
Escape character is ^]
===== In guest =====
[root@localhost ~]# lsblk | grep vdb
vdb 252:16 0 1G 0 disk
[root@localhost ~]# mount /dev/vdb /mnt
mount: unknown filesystem type 'crypto_LUKS'
===== In host =====
root@localhost~ ## virsh detach-device avocado-vt-vm1 /tmp/file.disk
Device detached successfully
root@localhost~ ## virsh domblklist avocado-vt-vm1
Target Source
------------------------------------------------
vda /var/lib/libvirt/images/RHEL-7.3-latest.qcow2
root@localhost~ ## cat /tmp/secret.xml
<secret ephemeral='no' private='yes'>
<description>LUKS Secret</description>
<uuid>f981dd17-143f-45bc-88e6-ed1fe20ce9da</uuid>
<usage type='volume'>
<volume>/var/lib/libvirt/images/luks.disk</volume>
</usage>
</secret>
root@localhost~ ## virsh secret-define /tmp/secret.xml
Secret f981dd17-143f-45bc-88e6-ed1fe20ce9da created
root@localhost~ ## MYSECRET=`printf %s "redhat" | base64`
root@localhost~ ## virsh secret-set-value f981dd17-143f-45bc-88e6-ed1fe20ce9da $MYSECRET
Secret value set
root@localhost~ ## cat /tmp/file.disk
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none' io='native' discard='unmap'/>
<source file='/var/lib/libvirt/images/disk.luks'/>
<backingStore/>
<target dev='vdb' bus='virtio'/>
<encryption format='luks'>
<secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-ed1fe20ce9da'/>
</encryption>
<serial>drive-scsi0-0-0-1</serial>
<alias name='virtio-disk1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
</disk>
root@localhost~ ## virsh attach-device avocado-vt-vm1 /tmp/file.disk
Device attached successfully
root@localhost~ ## virsh console avocado-vt-vm1
Connected to domain avocado-vt-vm1
Escape character is ^]
===== In guest =====
[root@localhost ~]# lsblk | grep vdb
vdb 252:16 0 1G 0 disk
[root@localhost ~]# mkfs.ext4 /dev/vdb -F
[root@localhost ~]# echo "testtest" > /mnt/test.txt
[root@localhost ~]# sync
[root@localhost ~]# cat /mnt/test.txt
testtest
===== In host =====
root@localhost~ ## qemu-img info /var/lib/libvirt/images/disk.luks
image: /var/lib/libvirt/images/disk.luks
file format: luks
virtual size: 1.0G (1073741824 bytes)
disk size: 49M
encrypted: yes
root@localhost~ ## virsh detach-device avocado-vt-vm1 /tmp/file.disk
Device detached successfully
root@localhost~ ## virsh domblklist avocado-vt-vm1
Target Source
------------------------------------------------
vda /var/lib/libvirt/images/RHEL-7.3-latest.qcow2
It looks like you have this working with libvirt-2.0.0-10.el7_3.5.x86_64 . Is <backingStore/> necessary as part of the fix for future attachments when we upgrade to _3.5? -Eric (In reply to bugzilla from comment #8) > It looks like you have this working with libvirt-2.0.0-10.el7_3.5.x86_64 . > > Is <backingStore/> necessary as part of the fix for future attachments when > we upgrade to _3.5? > > -Eric Hi Erice, It's not necessary to add the <backingStore/> in the xml file which you'll attach to vm. But it'll be auto filled into vm's xml if you **virsh dumpxml** the vm after attachment. Anyway, it's not related to this bug. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0397.html |