Bug 1811906
| Summary: | [incremental_backup] RFE: support luks encryption when do backup | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Advanced Virtualization | Reporter: | yisun |
| Component: | libvirt | Assignee: | Peter Krempa <pkrempa> |
| Status: | CLOSED ERRATA | QA Contact: | yisun |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.2 | CC: | jdenemar, lcheng, lmen, pkrempa, virt-maint, xuzhang, yisun |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-6.3.0-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-17 17:46:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1799015 | ||
Fixed upstream:
commit a7db0b757d210071d39e6d116e6a4bc761e2ed66
Author: Peter Krempa <pkrempa>
Date: Thu Apr 9 15:50:40 2020 +0200
backup: Allow 'encryption' of backups and scratch images
Add the appropriate entries into the schema to allow encryption of the
backup or scratch image. Since we use blockdev internals for everything
no changes to the code are actually necessary.
https://bugzilla.redhat.com/show_bug.cgi?id=1811906
Signed-off-by: Peter Krempa <pkrempa>
Reviewed-by: Erik Skultety <eskultet>
Reviewed-by: Ján Tomko <jtomko>
Verified with: libvirt-6.6.0-2.module+el8.3.0+7567+dc41c0a9.x86_64 Result: PASS Test steps: https://docs.google.com/document/d/1A5NZBwGpYE2zjqG_SFICdNZvKGqRaKnQNBZiR6-saf4 A separated bz filed during test: Bug 1872567 - [incremental_backup][luks] Cannot do push backup to a block device with type=raw and luks encryption enabled Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5137 |
Description of problem: [incremental_backup] RFE: support luks encryption when do backup Version-Release number of selected component (if applicable): libvirt-6.0.0-9.module+el8.2.0+5957+7ae8988e.x86_64 How reproducible: 100% Steps to Reproduce: 1. a vm has vdb (here is a luks image, but vdb doesn't require to be luks) [root@hp-dl320eg8-05 push]# virsh dumpxml vm1 | awk '/<disk/,/<\/disk/' ... <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/var/lib/libvirt/images/vdb_luks.qcow2' index='1'/> <backingStore/> <target dev='vdb' bus='virtio'/> <encryption format='luks'> <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/> </encryption> <alias name='virtio-disk1'/> <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/> </disk> 2. prepare backup and checkpoint xml [root@hp-dl320eg8-05 push]# cat backup_push_full_luks.xml <domainbackup mode='push'> <disks> <disk name='vdb' type='file'> <target file='/home/images/vdb.full.backup'/> <driver type='qcow2'/> <encryption format='luks'> <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/> </encryption> </disk> </disks> </domainbackup> [root@hp-dl320eg8-05 push]# cat checkpoint_push_full.xml <domaincheckpoint> <name>check_full</name> </domaincheckpoint> 3. do the full backup [root@hp-dl320eg8-05 push]# virsh backup-begin vm1 backup_push_full.xml checkpoint_push_full.xml Backup started 4. the backup file is exported as a qcow2 file, encryption not supported [root@hp-dl320eg8-05 push]# qemu-img info /home/images/vdb.full.backup image: /home/images/vdb.full.backup file format: qcow2 virtual size: 1 GiB (1073741824 bytes) disk size: 2 GiB cluster_size: 65536 Format specific information: compat: 1.1 lazy refcounts: false refcount bits: 16 corrupt: false Actual results: cannot export a luks encrypted backup file Expected results: can export a luks encrypted backup file Additional info: If this is not supported, sometimes a luks encrypted disk will be backuped as a plaintext disk. blockcopy can support luks as follow: [root@hp-dl320eg8-05 inc_bkup]# virsh dumpxml vm1 | awk '/<disk/,/<\/disk/' <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/var/lib/libvirt/images/base_os.active' index='1'/> <backingStore/> <target dev='vda' bus='virtio'/> <alias name='virtio-disk0'/> <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/> </disk> [root@hp-dl320eg8-05 inc_bkup]# cat ~/test.xml <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/tmp/blockcopy'> <encryption format='luks'> <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/> </encryption> </source> </disk> [root@hp-dl320eg8-05 inc_bkup]# virsh blockcopy vm1 vda --xml ~/test.xml --transient-job --pivot --verbose Block Copy: [100 %] Successfully pivoted [root@hp-dl320eg8-05 inc_bkup]# virsh dumpxml vm1 | awk '/<disk/,/<\/disk/' <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/tmp/blockcopy' index='2'> <encryption format='luks'> <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/> </encryption> </source> <backingStore/> <target dev='vda' bus='virtio'/> <alias name='virtio-disk0'/> <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/> </disk> [root@hp-dl320eg8-05 inc_bkup]# qemu-img info /tmp/blockcopy -U image: /tmp/blockcopy file format: qcow2 virtual size: 10 GiB (10737418240 bytes) disk size: 75.5 MiB encrypted: yes