Bug 2023674

Summary: [incremental_backup] Cannot encrypt backup scratch file/blockdev anymore
Product: Red Hat Enterprise Linux 9 Reporter: yisun
Component: libvirt Assignee: Peter Krempa <pkrempa>
libvirt sub component: General QA Contact: yisun
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: low CC: jdenemar, jsuchane, pkrempa, virt-maint, xuzhang
Version: 9.0 Keywords: Automation, Regression, Triaged
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-7.10.0-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 12:45:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version: 7.10.0
Embargoed:

Description yisun 2021-11-16 10:27:07 UTC
Versions:
libvirt-7.9.0-1.el9.x86_64
qemu-kvm-6.1.0-6.el9.x86_64

How reproducible:
100%

Please note, this case PASSED with:
libvirt-7.8.0-1.el9.x86_64
qemu-kvm-6.1.0-6.el9.x86_64

So set as a libvirt REGRESSION
 

Steps:
1. Prepare a libvirt secret
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# cat secret.xml
<secret ephemeral='no' private='yes'>
<description>LUKS Secret</description>
<usage type='volume'>
<volume>/tmp/scratch</volume>
</usage>
</secret>


(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh secret-define secret.xml
Secret 024e2f39-2634-4d5b-8447-0f6660068cde created

(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# MYSECRET=`printf %s "redhat" | base64`
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh secret-set-value 024e2f39-2634-4d5b-8447-0f6660068cde $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set

2. Prepare a running vm with virtual disk 'vda'
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh domstate avocado-vt-vm1
running

(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh domblklist avocado-vt-vm1
 Target   Source
------------------------------------------------------------------------
 vda      /var/lib/avocado/data/avocado-vt/images/jeos-27-x86_64.qcow2


3. Prepare the backup XML, in which the scratch file is encrypted with the LUKS method
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# cat backup.xml
<domainbackup mode="pull">
  <server name="localhost" port="10809" />
  <disks>
    <disk backup="yes" name="vda" type="file">
      <scratch file="/tmp/scratch_file">
        <encryption format="luks">
          <secret type="passphrase" uuid="024e2f39-2634-4d5b-8447-0f6660068cde" />
        </encryption>
      </scratch>
    </disk>
  </disks>
</domainbackup>


4. Start backup, failure happens
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh backup-begin avocado-vt-vm1 backup.xml
error: internal error: Unexpected enum value 0 for virStorageEncryptionEngine

Libvirtd log added as attachment.
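
The "Passing secret value as command-line argument is insecure!" message in step 1 is printed because the base64 value is given in virsh's argument list, where the process list and shell history can expose it. The following is an added example, not part of the original report, that sets the value from a private file instead; it assumes a virsh that supports `secret-set-value --file` with `--plain`, and the function name `set_secret_from_stdin` is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the bug report): read a
# passphrase on stdin and hand it to libvirt through a private temp file,
# so the value never appears in virsh's argument list.
set_secret_from_stdin() {
    uuid=$1
    [ -n "$uuid" ] || { echo "usage: set_secret_from_stdin UUID" >&2; return 2; }
    # mktemp creates the file with mode 0600 before any secret bytes exist.
    tmp=$(mktemp) || return 1
    # Take one line from stdin; the trailing newline is dropped, which
    # matches the `printf %s` used in step 1 of the report.
    IFS= read -r pass || [ -n "$pass" ] || { rm -f "$tmp"; return 1; }
    # printf is a builtin in bash and dash, so no new process sees the value.
    printf %s "$pass" > "$tmp"
    unset pass
    # --plain: use the file contents directly, without base64 decoding.
    rc=0
    virsh secret-set-value "$uuid" --file "$tmp" --plain || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Call it as `set_secret_from_stdin <uuid>` with the passphrase supplied on standard input, using the UUID printed by `virsh secret-define`.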

Comment 4 Peter Krempa 2021-11-19 13:00:46 UTC
Fixed upstream:

commit 1e085019cadcafe87dd96975900c5798dfe46060
Author: Peter Krempa <pkrempa>
Date:   Tue Nov 16 14:45:53 2021 +0100

    qemuDomainPrepareStorageSourceBlockdev: Set default encryption engine also when preparing virStorageSource
    
    Originally the default encryption engine is populated in the disk
    post-parse callback code. This works for disks but for any additional
    images introduced either via the block copy API or via the backup API we
    don't populate the default.
    
    In case when the backup or block copy is requested on an encrypted image
    this would then lead to an error:
    
     error: internal error: Unexpected enum value 0 for virStorageEncryptionEngine
    
    This patch adds another point where we populate the default which is
    when setting up a virStorageSource for actual usage.
    
    We keep the original setting in the post-parse callback as that's the
    only point that is recorded in the XML file after definition.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2023674
    Fixes: ab1d46d6128
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

v7.9.0-187-g1e085019ca

Comment 7 yisun 2021-11-23 12:20:09 UTC
Pre-verified with upstream build; the result is PASS.


[root@yisun-upstream-test ~]# rpm -qa | grep libvirt-7
libvirt-7.10.0-1.fc34.x86_64

[root@yisun-upstream-test ~]# cat sec.xml
<secret ephemeral='no' private='yes'>
<description>LUKS Secret</description>
<usage type='volume'>
<volume>/tmp/scratch</volume>
</usage>
</secret>

[root@yisun-upstream-test ~]# virsh secret-define sec.xml
Secret d533acbb-37ac-4983-a82d-1be85148b0c1 created

[root@yisun-upstream-test ~]# MYSECRET=`printf %s "redhat" | base64`
[root@yisun-upstream-test ~]# virsh secret-set-value d533acbb-37ac-4983-a82d-1be85148b0c1 $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set

[root@yisun-upstream-test ~]# virsh domstate lmn
running

[root@yisun-upstream-test ~]# virsh domblklist lmn
 Target   Source
---------------------------------------------
 sda      /var/lib/libvirt/images/lmn.qcow2

[root@yisun-upstream-test ~]# cat backup.xml
<domainbackup mode="pull">
  <server name="localhost" port="10809" />
  <disks>
    <disk backup="yes" name="sda" type="file">
      <scratch file="/tmp/scratch_file">
        <encryption format="luks">
          <secret type="passphrase" uuid="d533acbb-37ac-4983-a82d-1be85148b0c1" />
        </encryption>
      </scratch>
    </disk>
  </disks>
</domainbackup>


[root@yisun-upstream-test ~]# virsh backup-begin lmn  backup.xml
Backup started


[root@yisun-upstream-test ~]# qemu-img info /tmp/scratch_file -U
image: /tmp/scratch_file
file format: qcow2
virtual size: 10 GiB (10737418240 bytes)
disk size: 2.19 MiB
encrypted: yes
cluster_size: 65536
backing file: /var/lib/libvirt/images/lmn.qcow2
backing file format: qcow2
Format specific information:
    compat: 1.1
    compression type: zlib
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: ea6631ad-bb66-456e-adeb-2c88c1bbaced
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 1253078
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 333062
    corrupt: false
    extended l2: false
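
The check done by eye in the comment above (is the scratch image really LUKS-encrypted?) can be scripted for a regression test. This is an added example, not part of the original comment; the function names are hypothetical and the sample input is constructed, trimmed to the `qemu-img info` layout shown above.

```shell
#!/bin/sh
# Added example: verify that a backup scratch image is LUKS-encrypted.
# Reads the human-readable output of `qemu-img info -U <file>` on stdin, e.g.
#   qemu-img info -U /tmp/scratch_file | check_luks_scratch
check_luks_scratch() {
    awk '
        { match($0, /^ */); ind = RLENGTH }           # indentation of this line
        /^encrypted: yes/          { enc = 1 }
        in_enc && ind <= enc_ind   { in_enc = 0 }     # left the encrypt: section
        /^ +encrypt:$/             { in_enc = 1; enc_ind = ind; next }
        in_enc && $1 == "format:"                 { fmt = $2 }
        in_enc && $1 == "cipher" && $2 == "alg:"  { alg = $3 }
        in_enc && $1 == "cipher" && $2 == "mode:" { mode = $3 }
        in_enc && $1 == "active:" && $2 == "true" { active++ }
        END {
            if (!enc)          { print "FAIL: image is not encrypted"; exit 1 }
            if (fmt != "luks") { print "FAIL: encryption format is not luks"; exit 1 }
            if (active < 1)    { print "FAIL: no active LUKS key slot"; exit 1 }
            printf "OK: luks %s-%s, %d active key slot(s)\n", alg, mode, active
        }'
}

# Constructed sample input (not a real capture).
sample_info() {
    cat <<'EOF'
image: /tmp/scratch_file
file format: qcow2
encrypted: yes
Format specific information:
    compat: 1.1
    encrypt:
        ivgen alg: plain64
        cipher alg: aes-256
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
            [1]:
                active: false
    corrupt: false
EOF
}

sample_info | check_luks_scratch
```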

Comment 12 errata-xmlrpc 2022-05-17 12:45:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: libvirt), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2390