Bug 1542858

Summary: Size of luks-encrypted qcow2 image exceeds the required size in qemu-img measure output.
Product: Red Hat Enterprise Linux Advanced Virtualization
Reporter: Longxiang Lyu <lolyu>
Component: qemu-kvm
Assignee: Eric Blake <eblake>
Status: CLOSED DUPLICATE
QA Contact: Tingting Mao <timao>
Severity: medium
Priority: medium
Version: ---
CC: berrange, coli, juzhang, knoel, michen, qzhang, rbalakri, virt-maint
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Last Closed: 2018-12-17 08:18:06 UTC
Type: Bug

Description Longxiang Lyu 2018-02-07 08:03:23 UTC
Description of problem:
Size of luks-encrypted qcow2 image exceeds the required size in qemu-img measure output.

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.10.0-19.el7
kernel-3.10.0-843.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Use qemu-img measure to estimate the size of a newly created qcow2 image.
# qemu-img measure -O qcow2 --size 4G
Or
# qemu-img measure -O qcow2 --size 4G -o encrypt.format=luks

2. Create one qcow2 image encrypted with luks and a plain one.
# qemu-img create --object secret,id=sec0,data=redhat -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 test1.qcow2 4G
# qemu-img create -f qcow2 test2.qcow2 4G

3. Get the size of those two images.
# ll

Actual results:
1. 
# qemu-img measure -O qcow2 --size 4G 
required size: 917504
fully allocated size: 4295884800
# qemu-img measure -O qcow2 --size 4G -o encrypt.format=luks
required size: 917504
fully allocated size: 4295884800
3. 
# ll
...
-rw-r--r-- 1 root root   2359296 Feb  7 02:45 test1.qcow2
-rw-r--r-- 1 root root    196672 Feb  7 02:45 test2.qcow2
...

luks encrypted qcow2: test1.qcow2 is about 2.3M in size, which exceeds the required size: 917504 - 0.87M. The estimation is 1/3 of the actual size allocated. 

Expected results:
qemu-img should support size estimation of luks-encrypted images, so that the actual size allocated by a luks-encrypted image is smaller than the estimate.
Or 
# qemu-img measure -O qcow2 --size 4G -o encrypt.format=luks
should prompt info that suggests this is not supported.

Additional info:

Comment 2 Daniel Berrangé 2018-02-07 12:24:49 UTC
The LUKS header has a couple of MB approx size overhead. The size is independent of the overall file size, but can vary depending on crypto parameters via a complex formula:

    luks->header.payload_offset =
        (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE) +
        (ROUND_UP(DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE),
                  (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
                   QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) *
         QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);

and in qcow2 that then needs to be rounded up to the nearest cluster size.

IOW, to get this info reported accurately, we would need to expose some API in the internal crypto code, up to the block layer. The user would also need to set their desired crypto options (cipher, keysize, etc).
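
The formula from comment 2, carried through to a byte count and rounded up to a qcow2 cluster, as an added example (not part of the original comments and not QEMU's own code). The constant values (512-byte sectors, 4096-byte key slot offset, 8 key slots, 4000 stripes), the helper names, the 64 KiB cluster size and the sample master key lengths are assumptions not given on this page.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed LUKS1 on-disk constants; the page names them but gives no values. */
#define LUKS_SECTOR_SIZE      512u
#define LUKS_KEY_SLOT_OFFSET  4096u
#define LUKS_NUM_KEY_SLOTS    8u
#define LUKS_STRIPES          4000u  /* assumed anti-forensic split factor */

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define ROUND_UP(n, d)     (DIV_ROUND_UP(n, d) * (d))

/* Payload offset in sectors, following the formula quoted in comment 2.
 * splitkeylen is assumed to be master key length times the stripe count. */
uint64_t luks_payload_offset_sectors(uint64_t master_key_bytes)
{
    uint64_t splitkeylen = master_key_bytes * LUKS_STRIPES;
    uint64_t align = LUKS_KEY_SLOT_OFFSET / LUKS_SECTOR_SIZE;

    return align +
           ROUND_UP(DIV_ROUND_UP(splitkeylen, LUKS_SECTOR_SIZE), align) *
           LUKS_NUM_KEY_SLOTS;
}

/* Space the LUKS header occupies inside qcow2: rounded up to whole clusters. */
uint64_t luks_header_bytes_in_qcow2(uint64_t master_key_bytes,
                                    uint64_t cluster_size)
{
    uint64_t bytes = luks_payload_offset_sectors(master_key_bytes) *
                     LUKS_SECTOR_SIZE;
    return ROUND_UP(bytes, cluster_size);
}

int main(void)
{
    /* Constructed sample inputs: 32- and 64-byte master keys, 64 KiB clusters. */
    const uint64_t key_bytes[] = { 32, 64 };
    const uint64_t cluster = 65536;

    for (size_t i = 0; i < sizeof(key_bytes) / sizeof(key_bytes[0]); i++) {
        printf("key=%" PRIu64 "B sectors=%" PRIu64 " qcow2 overhead=%" PRIu64 "B\n",
               key_bytes[i],
               luks_payload_offset_sectors(key_bytes[i]),
               luks_header_bytes_in_qcow2(key_bytes[i], cluster));
    }
    return 0;
}
```

Under these assumptions a 64-byte master key yields 2097152 bytes of header overhead, the same order as the gap between test1.qcow2 and test2.qcow2 in the report, and none of it appears in the 917504-byte "required size".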