Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1560946

Summary: [RFE] support luks encrypted volume in disk pool
Product: Red Hat Enterprise Linux 7 Reporter: yisun
Component: libvirtAssignee: John Ferlan <jferlan>
Status: CLOSED ERRATA QA Contact: yisun
Severity: medium Docs Contact:
Priority: medium    
Version: 7.6CC: hhan, jiyan, junli, lmen, meili, mtessun, xuzhang
Target Milestone: rcKeywords: Automation, FutureFeature
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-4.4.0-1.el7 Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 09:53:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description yisun 2018-03-27 10:26:59 UTC 
Description of problem:
[RFE] support luks encrypted volume in disk pool

Version-Release number of selected component (if applicable):
libvirt-3.9.0-14.virtcov.el7_5.1.x86_64

pls note:
this is a extending test of "Bug 1427049 - [RFE] encrypted volumes support on logical storage pool", so if logical pool can support luks encrypted vol, maybe disk pool should also support that, since we definitely can do "qemu-img create -f luks" to a disk partition.

How reproducible:
100%

Steps to Reproduce:
1. Having a disk pool as follow:
## virsh pool-dumpxml disk-pool
<pool type='disk'>
  <name>disk-pool</name>
  <uuid>eab0f7cb-c2ef-4f7b-a6b6-1def04fb61be</uuid>
  <capacity unit='bytes'>512</capacity>
  <allocation unit='bytes'>0</allocation>
  <available unit='bytes'>0</available>
  <source>
    <device path='/dev/sdf'>
      <freeExtent start='512' end='512'/>
    </device>
    <format type='dos'/>
  </source>
  <target>
    <path>/dev</path>
  </target>
</pool>

2. having a libvirt secret
## virsh secret-list | grep luks
 726f4691-fbb6-44cf-aa99-75e3fe41080c  volume /var/libvirt/images/luks.img

3. prepare vol xml
## cat vol.xml
<volume>
<name>sdf1</name>
<allocation>10485760</allocation>
<capacity>10485760</capacity>
<target>
<encryption format="luks"><secret type="passphrase" uuid="726f4691-fbb6-44cf-aa99-75e3fe41080c" /></encryption>
</target>
</volume>

4. try to create the volume
## virsh vol-create disk-pool vol.xml
error: Failed to create vol from /root/vol.xml
error: unsupported configuration: storage pool does not support encrypted volumes


Actual results:
cannot create encrypted vol in disk pool

Expected results:
can create
Comment 3 John Ferlan 2018-05-24 23:53:14 UTC 
Posted a patch upstream :

https://www.redhat.com/archives/libvir-list/2018-May/msg01886.html

In my testing ensure that the fix for bz1400475 is also applied since the creation of the /dev/XXX device used for encryption will go through the same path.
Comment 4 John Ferlan 2018-05-29 15:29:38 UTC 
A v2 was posted after review:

https://www.redhat.com/archives/libvir-list/2018-May/msg02109.html

after a slight adjustment, it was pushed upstream:

commit 57d6df39bd7eb8166fee68f4b6da03c0cb0802bf (origin/master, origin/HEAD, master, bz1560946)
Author: John Ferlan <jferlan>
Date:   Mon May 21 06:40:58 2018 -0400

    storage: Add capability to use LUKS encryption for disk backend
    
...
    
    Similar to the the Logical backend, use qemu-img on the created
    disk partition device to set up for LUKS encryption. Secret mgmt
    for the device can be complicated by a reboot possibly changing
    the path to the device if the infrastructure changes.
    
...

$ git describe 57d6df39bd7eb8166fee68f4b6da03c0cb0802bf
v4.3.0-373-g57d6df39bd
$
Comment 6 yisun 2018-06-21 07:43:30 UTC 
Verified on: libvirt-4.4.0-2.virtcov.el7.x86_64

1. Having a disk pool
# virsh pool-dumpxml disk-pool
<pool type='disk'>
  <name>disk-pool</name>
  <uuid>07ad41c4-dfdd-4e1d-a3f6-4feded205a88</uuid>
  <capacity unit='bytes'>2089221120</capacity>
  <allocation unit='bytes'>528187904</allocation>
  <available unit='bytes'>1561000960</available>
  <source>
    <device path='/dev/sdb'>
      <freeExtent start='528220160' end='2089221120'/>
    </device>
    <format type='dos'/>
  </source>
  <target>
    <path>/dev</path>
  </target>
</pool>

2. prepare a libvirt secret with password='redhat'
# cat secret.xml 
<secret ephemeral='no' private='yes'>
    <description>luks secret for dp vol1</description>
    <usage type='volume'>
       <volume>/dev/sdb1</volume>
    </usage>
</secret>

# virsh secret-define secret.xml 
Secret 34c1f8fa-8af7-439d-ba4f-64fc13819263 created

# MYSECRET=`printf %s "redhat" | base64`

# virsh secret-set-value 34c1f8fa-8af7-439d-ba4f-64fc13819263 $MYSECRET
Secret value set

3. Create a luks encrypted vol
# cat vol.xml 
<volume>
  <name>sdb1</name>
  <capacity unit='M'>500</capacity>
  <target>
    <encryption format='luks'>
       <secret type='passphrase' uuid='34c1f8fa-8af7-439d-ba4f-64fc13819263'/>
       <cipher name='twofish' size='256' mode='cbc' hash='sha256'/>
       <ivgen name='plain64' hash='sha256'/>
    </encryption>
  </target>
</volume>

# virsh vol-create disk-pool vol.xml 
Vol sdb1 created from vol.xml

4. Use the correct secret with the vol in vm
# virsh dumpxml avocado-vt-vm1
...
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/sdb1'/>
      <target dev='sdb' bus='scsi'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='34c1f8fa-8af7-439d-ba4f-64fc13819263'/>
      </encryption>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>

# virsh start avocado-vt-vm1
Domain avocado-vt-vm1 started

5. Set another secret(uuid=799ef9b1-f855-4317-8cce-8160fc8790fd) with password='greenhat' and use it in vm
# virsh dumpxml avocado-vt-vm1
...
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/sdb1'/>
      <target dev='sdb' bus='scsi'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='799ef9b1-f855-4317-8cce-8160fc8790fd'/>
      </encryption>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>

# virsh start avocado-vt-vm1
error: Failed to start domain avocado-vt-vm1
error: internal error: qemu unexpectedly closed the monitor: profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virbitmap.gcda:Cannot open
profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virauthconfig.gcda:Cannot open
profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virauth.gcda:Cannot open
profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-viraudit.gcda:Cannot open
profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virarptable.gcda:Cannot open
profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virarch.gcda:Cannot open
profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-viralloc.gcda:Cannot open
2018-06-21T07:37:45.369445Z qemu-kvm: -drive file=/dev/sdb1,key-secret=scsi0-0-0-1-luks-secret0,format=luks,if=none,id=drive-scsi0-0-0-1: Invalid password, cannot unlock any keyslot
Comment 8 errata-xmlrpc 2018-10-30 09:53:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113