Bug 1811906 - [incremental_backup] RFE: support luks encryption when do backup
Summary: [incremental_backup] RFE: support luks encryption when do backup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libvirt
Version: 8.2
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: Peter Krempa
QA Contact: yisun
URL:
Whiteboard:
Depends On:
Blocks: 1799015
TreeView+ depends on / blocked
 
Reported: 2020-03-10 07:03 UTC by yisun
Modified: 2020-11-17 17:47 UTC (History)
7 users (show)

Fixed In Version: libvirt-6.3.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-17 17:46:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description yisun 2020-03-10 07:03:03 UTC 
Description of problem:
[incremental_backup] RFE: support luks encryption when do backup

Version-Release number of selected component (if applicable):
libvirt-6.0.0-9.module+el8.2.0+5957+7ae8988e.x86_64

How reproducible:
100%

Steps to Reproduce:
1. a vm has vdb (here is a luks image, but vdb doesn't require to be luks)
[root@hp-dl320eg8-05 push]# virsh dumpxml vm1 | awk '/<disk/,/<\/disk/'
...
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/vdb_luks.qcow2' index='1'/>
      <backingStore/>
      <target dev='vdb' bus='virtio'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/>
      </encryption>
      <alias name='virtio-disk1'/>
      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
    </disk>

2. prepare backup and checkpoint xml
[root@hp-dl320eg8-05 push]# cat backup_push_full_luks.xml
<domainbackup mode='push'>
  <disks>
    <disk name='vdb' type='file'>
      <target file='/home/images/vdb.full.backup'/>
      <driver type='qcow2'/>
      <encryption format='luks'>
          <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/>
      </encryption>
    </disk>
  </disks>
</domainbackup>

 [root@hp-dl320eg8-05 push]# cat checkpoint_push_full.xml
<domaincheckpoint>
  <name>check_full</name>
</domaincheckpoint>

3. do the full backup
[root@hp-dl320eg8-05 push]# virsh backup-begin vm1 backup_push_full.xml checkpoint_push_full.xml
Backup started

4. the backup file is exported as a qcow2 file, encryption not supported
[root@hp-dl320eg8-05 push]# qemu-img info /home/images/vdb.full.backup
image: /home/images/vdb.full.backup
file format: qcow2
virtual size: 1 GiB (1073741824 bytes)
disk size: 2 GiB
cluster_size: 65536
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    corrupt: false

Actual results:
cannot export a luks encrypted backup file

Expected results:
can export a luks encrypted backup file

Additional info:
If this is not supported, sometimes a luks encrypted disk will be backuped as a plaintext disk. 
blockcopy can support luks as follow:
[root@hp-dl320eg8-05 inc_bkup]# virsh dumpxml vm1 | awk '/<disk/,/<\/disk/'
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/base_os.active' index='1'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>


[root@hp-dl320eg8-05 inc_bkup]# cat ~/test.xml
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/tmp/blockcopy'>
        <encryption format='luks'>
          <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/>
        </encryption>
      </source>
    </disk>


[root@hp-dl320eg8-05 inc_bkup]# virsh blockcopy vm1 vda --xml ~/test.xml --transient-job --pivot --verbose
Block Copy: [100 %]
Successfully pivoted


[root@hp-dl320eg8-05 inc_bkup]# virsh dumpxml vm1 | awk '/<disk/,/<\/disk/'
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/tmp/blockcopy' index='2'>
        <encryption format='luks'>
          <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/>
        </encryption>
      </source>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>

[root@hp-dl320eg8-05 inc_bkup]# qemu-img info /tmp/blockcopy  -U
image: /tmp/blockcopy
file format: qcow2
virtual size: 10 GiB (10737418240 bytes)
disk size: 75.5 MiB
encrypted: yes
Comment 1 Peter Krempa 2020-04-14 17:15:48 UTC 
Fixed upstream:
    
commit a7db0b757d210071d39e6d116e6a4bc761e2ed66 
Author: Peter Krempa <pkrempa>
Date:   Thu Apr 9 15:50:40 2020 +0200

    backup: Allow 'encryption' of backups and scratch images
    
    Add the appropriate entries into the schema to allow encryption of the
    backup or scratch image. Since we use blockdev internals for everything
    no changes to the code are actually necessary.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1811906
    
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Erik Skultety <eskultet>
    Reviewed-by: Ján Tomko <jtomko>
Comment 5 yisun 2020-08-26 09:05:46 UTC 
Verified with: libvirt-6.6.0-2.module+el8.3.0+7567+dc41c0a9.x86_64

Result: PASS

Test steps:
https://docs.google.com/document/d/1A5NZBwGpYE2zjqG_SFICdNZvKGqRaKnQNBZiR6-saf4

A separated bz filed during test:
Bug 1872567 - [incremental_backup][luks] Cannot do push backup to a block device with type=raw and luks encryption enabled
Comment 8 errata-xmlrpc 2020-11-17 17:46:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5137
Note You need to log in before you can comment on or make changes to this bug.