Bug 1560946
Summary: | [RFE] support luks encrypted volume in disk pool | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | yisun |
Component: | libvirt | Assignee: | John Ferlan <jferlan> |
Status: | CLOSED ERRATA | QA Contact: | yisun |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.6 | CC: | hhan, jiyan, junli, lmen, meili, mtessun, xuzhang |
Target Milestone: | rc | Keywords: | Automation, FutureFeature |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libvirt-4.4.0-1.el7 | Doc Type: | No Doc Update |
Doc Text: |
undefined
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-10-30 09:53:26 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
yisun
2018-03-27 10:26:59 UTC
Posted a patch upstream : https://www.redhat.com/archives/libvir-list/2018-May/msg01886.html In my testing ensure that the fix for bz1400475 is also applied since the creation of the /dev/XXX device used for encryption will go through the same path. A v2 was posted after review: https://www.redhat.com/archives/libvir-list/2018-May/msg02109.html after a slight adjustment, it was pushed upstream: commit 57d6df39bd7eb8166fee68f4b6da03c0cb0802bf (origin/master, origin/HEAD, master, bz1560946) Author: John Ferlan <jferlan> Date: Mon May 21 06:40:58 2018 -0400 storage: Add capability to use LUKS encryption for disk backend ... Similar to the the Logical backend, use qemu-img on the created disk partition device to set up for LUKS encryption. Secret mgmt for the device can be complicated by a reboot possibly changing the path to the device if the infrastructure changes. ... $ git describe 57d6df39bd7eb8166fee68f4b6da03c0cb0802bf v4.3.0-373-g57d6df39bd $ Verified on: libvirt-4.4.0-2.virtcov.el7.x86_64 1. Having a disk pool # virsh pool-dumpxml disk-pool <pool type='disk'> <name>disk-pool</name> <uuid>07ad41c4-dfdd-4e1d-a3f6-4feded205a88</uuid> <capacity unit='bytes'>2089221120</capacity> <allocation unit='bytes'>528187904</allocation> <available unit='bytes'>1561000960</available> <source> <device path='/dev/sdb'> <freeExtent start='528220160' end='2089221120'/> </device> <format type='dos'/> </source> <target> <path>/dev</path> </target> </pool> 2. prepare a libvirt secret with password='redhat' # cat secret.xml <secret ephemeral='no' private='yes'> <description>luks secret for dp vol1</description> <usage type='volume'> <volume>/dev/sdb1</volume> </usage> </secret> # virsh secret-define secret.xml Secret 34c1f8fa-8af7-439d-ba4f-64fc13819263 created # MYSECRET=`printf %s "redhat" | base64` # virsh secret-set-value 34c1f8fa-8af7-439d-ba4f-64fc13819263 $MYSECRET Secret value set 3. Create a luks encrypted vol # cat vol.xml <volume> <name>sdb1</name> <capacity unit='M'>500</capacity> <target> <encryption format='luks'> <secret type='passphrase' uuid='34c1f8fa-8af7-439d-ba4f-64fc13819263'/> <cipher name='twofish' size='256' mode='cbc' hash='sha256'/> <ivgen name='plain64' hash='sha256'/> </encryption> </target> </volume> # virsh vol-create disk-pool vol.xml Vol sdb1 created from vol.xml 4. Use the correct secret with the vol in vm # virsh dumpxml avocado-vt-vm1 ... <disk type='block' device='disk'> <driver name='qemu' type='raw'/> <source dev='/dev/sdb1'/> <target dev='sdb' bus='scsi'/> <encryption format='luks'> <secret type='passphrase' uuid='34c1f8fa-8af7-439d-ba4f-64fc13819263'/> </encryption> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </disk> # virsh start avocado-vt-vm1 Domain avocado-vt-vm1 started 5. Set another secret(uuid=799ef9b1-f855-4317-8cce-8160fc8790fd) with password='greenhat' and use it in vm # virsh dumpxml avocado-vt-vm1 ... <disk type='block' device='disk'> <driver name='qemu' type='raw'/> <source dev='/dev/sdb1'/> <target dev='sdb' bus='scsi'/> <encryption format='luks'> <secret type='passphrase' uuid='799ef9b1-f855-4317-8cce-8160fc8790fd'/> </encryption> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </disk> # virsh start avocado-vt-vm1 error: Failed to start domain avocado-vt-vm1 error: internal error: qemu unexpectedly closed the monitor: profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virbitmap.gcda:Cannot open profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virauthconfig.gcda:Cannot open profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virauth.gcda:Cannot open profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-viraudit.gcda:Cannot open profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virarptable.gcda:Cannot open profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-virarch.gcda:Cannot open profiling:/builddir/build/BUILD/libvirt-4.4.0/src/util/.libs/libvirt_util_la-viralloc.gcda:Cannot open 2018-06-21T07:37:45.369445Z qemu-kvm: -drive file=/dev/sdb1,key-secret=scsi0-0-0-1-luks-secret0,format=luks,if=none,id=drive-scsi0-0-0-1: Invalid password, cannot unlock any keyslot Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3113 |