Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-6.0.0-13.virtcov.el8.x86_64
qemu-kvm-4.2.0-15.module+el8.2.0+6029+618ef2ec.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare a VM. Prepare a luks secret.

2. Create a luks image, full allocated
# qemu-img create -f luks --object secret,data=redhat,id=sec0 -o key-secret=sec0,preallocation=full /tmp/new 1M
Formatting '/tmp/new', fmt=luks size=1048576 key-secret=sec0 preallocation=full

# du -b /tmp/new
3117056

So we can set offset=0, size=3117056 in slices

3. Prepare disk xml like following:
/tmp/file.xml:
<disk type="file" device="disk">
  <driver name="qemu" type="raw"/>
  <source file="/tmp/new">
    <slices>
      <slice type='storage' offset='0' size='3117056'/>
    </slices>
    <encryption format="luks">
      <secret type="passphrase" uuid="90c9b4eb-ad37-479a-95ca-baac7a62fdee"/>
    </encryption>
  </source>
  <target dev="sdb" bus="scsi"/>
</disk>

4. Attach the disk:
# virsh attach-device new /tmp/file.xml
error: Failed to attach device from /tmp/file.xml
error: internal error: unable to execute QEMU command 'blockdev-add': Parameter 'size' is unexpected

Actual results:
As subject

Expected results:
disk attached

Additional info:
QMP log of attach:
2020-03-19 08:21:46.470+0000: 707088: info : qemuMonitorIOWrite:453 : QEMU_MONITOR_IO_WRITE: mon=0x7fc520036200 buf={"execute":"blockdev-add","arguments":{"driver":"file","filename":"/tmp/new","node-name":"libvirt-21-storage","auto-read-only":true,"discard":"unmap"},"id":"libvirt-486"}
2020-03-19 08:21:46.473+0000: 707088: info : qemuMonitorIOWrite:453 : QEMU_MONITOR_IO_WRITE: mon=0x7fc520036200 buf={"execute":"object-add","arguments":{"qom-type":"secret","id":"libvirt-21-format-encryption-secret0","props":{"data":"J/X6Gx6MqCeS+vSM1cnpGw==","keyid":"masterKey0","iv":"1ZCQdH5r7spM0HEOqrOl1g==","format":"base64"}},"id":"libvirt-487"}
2020-03-19 08:21:46.475+0000: 707088: info : qemuMonitorIOWrite:453 : QEMU_MONITOR_IO_WRITE: mon=0x7fc520036200 buf={"execute":"blockdev-add","arguments":{"node-name":"libvirt-21-format","read-only":false,"driver":"luks","key-secret":"libvirt-21-format-encryption-secret0","offset":0,"size":3117056,"file":"libvirt-21-storage"},"id":"libvirt-488"}
2020-03-19 08:21:46.478+0000: 707088: info : qemuMonitorIOWrite:453 : QEMU_MONITOR_IO_WRITE: mon=0x7fc520036200 buf={"execute":"blockdev-del","arguments":{"node-name":"libvirt-21-storage"},"id":"libvirt-489"}
2020-03-19 08:21:46.480+0000: 707088: info : qemuMonitorIOWrite:453 : QEMU_MONITOR_IO_WRITE: mon=0x7fc520036200 buf={"execute":"object-del","arguments":{"id":"libvirt-21-format-encryption-secret0"},"id":"libvirt-490"}

From the log, the slice node used to set offset&size was not created.
Fixed upstream:

commit 1a86e3b24a15d64bcbb15c1d5df2cc884b41854b
Author: Peter Krempa <pkrempa>
Date:   Thu Mar 19 17:23:33 2020 +0100

    qemu: block: Split up formatting of JSON props for 'raw' and 'luks' drivers

    qemuBlockStorageSourceGetFormatRawProps aggregated both formats but
    since we now have props specific for either of those formats it's
    unwanted to aggregate the code such way. Split out the 'luks' props
    formatter into qemuBlockStorageSourceGetFormatLUKSProps.

    The wrong separation demonstrates itself on formatting of the 'size'
    and 'offset' attributes for the 'luks' driver which does not conform
    to the qapi schema.

    https://bugzilla.redhat.com/show_bug.cgi?id=1814975

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

commit 7393be3bbc780151afb71a09f043fe6cf2406c5c
Author: Peter Krempa <pkrempa>
Date:   Thu Mar 19 16:54:52 2020 +0100

    qemuBlockStorageSourceNeedsStorageSliceLayer: Deal with 'luks' files

    The 'luks' driver in qemu is as any other non-raw format driver and
    thus doesn't support the properties for 'slice'. Since libvirt
    considers luks files to be raw+encryption we need to special case
    them when dealing with the slice.

    https://bugzilla.redhat.com/show_bug.cgi?id=1814975

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

commit a8bcbb4217240e275f27d4b439edaabe0e7eb2c6
Author: Peter Krempa <pkrempa>
Date:   Thu Mar 19 16:43:49 2020 +0100

    qemu: block: Extract logic decision when to use a separate 'raw' layer for slice

    Introduce qemuBlockStorageSourceNeedsStorageSliceLayer which will
    hold the decision logic and fix all places that open-code it.

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

commit 2e3d17d7a329c4207c7217ed5ba55a4856d98e52
Author: Peter Krempa <pkrempa>
Date:   Thu Mar 19 16:26:53 2020 +0100

    qemuxml2argvdata/disk-slices: Add test case for 'luks' encryption

    Since libvirt handles the luks encryption in a weird special way
    (raw+encryption) we should really test that case with slices as well.

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>
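The node layout these commits describe can be checked from a libvirtd debug log. The following is an added example, not libvirt code and not part of the original thread: it extracts every blockdev-add from a log, flags 'offset'/'size' on a non-raw node, and finds the raw slice node below a format node. Function names and the shortened log samples are constructed for illustration.

```python
import json
import re

# libvirt expresses a <slice> through the 'raw' driver's offset/size. Treating
# every other driver as "must not carry them" follows the commit message above
# and is an assumption that fits libvirt-generated block graphs.
SLICE_PROPS = ("offset", "size")
_PAYLOAD = re.compile(r"\b(?:buf|msg)=(?=\{)")
_DECODER = json.JSONDecoder()

# Constructed samples: QMP payloads shortened from the logs in this report.
BROKEN_LOG = """\
2020-03-19 08:21:46.470+0000: 707088: info : qemuMonitorIOWrite:453 : QEMU_MONITOR_IO_WRITE: mon=0x7fc520036200 buf={"execute":"blockdev-add","arguments":{"driver":"file","filename":"/tmp/new","node-name":"libvirt-21-storage"},"id":"libvirt-486"}
2020-03-19 08:21:46.475+0000: 707088: info : qemuMonitorIOWrite:453 : QEMU_MONITOR_IO_WRITE: mon=0x7fc520036200 buf={"execute":"blockdev-add","arguments":{"node-name":"libvirt-21-format","driver":"luks","key-secret":"libvirt-21-format-encryption-secret0","offset":0,"size":3117056,"file":"libvirt-21-storage"},"id":"libvirt-488"}
"""

FIXED_LOG = """\
2020-04-22 09:05:30.950+0000: 80409: info : qemuMonitorIOWrite:431 : QEMU_MONITOR_IO_WRITE: mon=0x7fa8180072d0 buf={"execute":"blockdev-add","arguments":{"driver":"file","filename":"/var/lib/libvirt/images/sparse.img","node-name":"libvirt-7-storage"},"id":"libvirt-43"}
2020-04-22 09:05:30.952+0000: 80335: info : qemuMonitorSend:935 : QEMU_MONITOR_SEND_MSG: mon=0x7fa8180072d0 msg={"execute":"blockdev-add","arguments":{"driver":"raw","node-name":"libvirt-7-slice-sto","offset":0,"size":1024,"file":"libvirt-7-storage"},"id":"libvirt-44"}^M
2020-04-22 09:05:30.952+0000: 80409: info : qemuMonitorIOWrite:431 : QEMU_MONITOR_IO_WRITE: mon=0x7fa8180072d0 buf={"execute":"blockdev-add","arguments":{"driver":"raw","node-name":"libvirt-7-slice-sto","offset":0,"size":1024,"file":"libvirt-7-storage"},"id":"libvirt-44"}
2020-04-22 09:05:30.954+0000: 80409: info : qemuMonitorIOWrite:431 : QEMU_MONITOR_IO_WRITE: mon=0x7fa8180072d0 buf={"execute":"blockdev-add","arguments":{"node-name":"libvirt-7-format","driver":"luks","key-secret":"libvirt-7-format-encryption-secret0","file":"libvirt-7-slice-sto"},"id":"libvirt-45"}
"""


def blockdev_nodes(log_text):
    """Return {node-name: arguments} for every blockdev-add in a libvirtd log."""
    nodes = {}
    for line in log_text.splitlines():
        match = _PAYLOAD.search(line)
        if not match:
            continue
        try:
            # raw_decode stops at the end of the JSON object, so trailing
            # "^M", "fd=-1" or "len=... ret=..." text does not matter.
            cmd, _ = _DECODER.raw_decode(line, match.end())
        except json.JSONDecodeError:
            continue  # truncated or wrapped log line
        if cmd.get("execute") != "blockdev-add":
            continue
        args = cmd.get("arguments", {})
        # qemuMonitorSend and qemuMonitorIOWrite log the same command twice;
        # keying on node-name collapses the duplicates.
        nodes[args.get("node-name")] = args
    return nodes


def misplaced_slice_props(nodes):
    """List (node, driver, prop) where offset/size sit on a non-raw driver."""
    bad = []
    for name, args in nodes.items():
        if args.get("driver") == "raw":
            continue
        for prop in SLICE_PROPS:
            if prop in args:
                bad.append((name, args.get("driver"), prop))
    return bad


def slice_under(nodes, format_node):
    """Return (offset, size) of the raw slice node directly below format_node."""
    ref = nodes.get(format_node, {}).get("file")
    if not isinstance(ref, str):  # inline child definition or missing node
        return None
    child = nodes.get(ref)
    if child and child.get("driver") == "raw" and "size" in child:
        return child.get("offset", 0), child["size"]
    return None


if __name__ == "__main__":
    for label, log in (("before fix", BROKEN_LOG), ("after fix", FIXED_LOG)):
        nodes = blockdev_nodes(log)
        print(label, misplaced_slice_props(nodes))
```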
Tried to verify it but met another issue
libvirt-6.2.0-1.module+el8.3.0+6191+420ae4fc.x86_64

Steps:
1. Prepare a VM. Prepare a luks secret.
# virsh secret-list
UUID Usage
-----------------------------------------------------
29eebac2-ccc2-4f3e-8c6a-9b8ba61c8a8e volume luks

# MYSECRET=`printf %s "redhat" | base64`
# virsh secret-set-value 29eebac2-ccc2-4f3e-8c6a-9b8ba61c8a8e --base64 $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set

2. Create a luks image, full allocated
# qemu-img create -f luks --object secret,data=redhat,id=sec0 -o key-secret=sec0,preallocation=full /tmp/new 1M
Formatting '/tmp/new', fmt=luks size=1048576 key-secret=sec0 preallocation=full

# du -b /tmp/new
3117056

3. Prepare disk xml like following:
/tmp/file.xml:
<disk type="file" device="disk">
  <driver name="qemu" type="raw"/>
  <source file="/tmp/new">
    <slices>
      <slice type='storage' offset='0' size='3117056'/>
    </slices>
    <encryption format="luks">
      <secret type="passphrase" uuid="29eebac2-ccc2-4f3e-8c6a-9b8ba61c8a8e"/>
    </encryption>
  </source>
  <target dev="sdb" bus="scsi"/>
</disk>

4. Attach and detach the disk:
# virsh attach-device test1 disk.xm
Device attached successfully

# virsh detach-disk test1 sdb
Disk detached successfully

Check the qemu cmd line :
Slice node has been added to qemu cmd line as:
2020-04-22 08:28:53.501+0000: 80335: info : qemuMonitorSend:935 : QEMU_MONITOR_SEND_MSG: mon=0x7fa8180072d0 msg={"execute":"blockdev-add","arguments":{"driver":"file","filename":"/tmp/new","node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"},"id":"libvirt-19"}^M
 fd=-1
2020-04-22 08:28:53.501+0000: 80409: info : virObjectRef:385 : OBJECT_REF: obj=0x7fa8180072d0
2020-04-22 08:28:53.501+0000: 80409: info : qemuMonitorIOWrite:431 : QEMU_MONITOR_IO_WRITE: mon=0x7fa8180072d0 buf={"execute":"blockdev-add","arguments":{"driver":"file","filename":"/tmp/new","node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"},"id":"libvirt-19"}
2020-04-22 08:28:53.503+0000: 80335: info : qemuMonitorSend:935 : QEMU_MONITOR_SEND_MSG: mon=0x7fa8180072d0 msg={"execute":"blockdev-add","arguments":{"driver":"raw","node-name":"libvirt-4-slice-sto","offset":0,"size":3117056,"file":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"},"id":"libvirt-20"}^M
 fd=-1
2020-04-22 08:28:53.503+0000: 80409: info : virObjectRef:385 : OBJECT_REF: obj=0x7fa8180072d0
2020-04-22 08:28:53.503+0000: 80409: info : qemuMonitorIOWrite:431 : QEMU_MONITOR_IO_WRITE: mon=0x7fa8180072d0 buf={"execute":"blockdev-add","arguments":{"driver":"raw","node-name":"libvirt-4-slice-sto","offset":0,"size":3117056,"file":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"},"id":"libvirt-20"}

Works as expected in this scenario

But in another scenario:
1. Set secret info as above
2. Create a luks volume in default pool
# cat volume.xml
<volume type="file">
  <name>sparse.img</name>
  <key>/var/lib/libvirt/images/sparse.img</key>
  <source>
  </source>
  <capacity unit="bytes">104857600</capacity>
  <allocation unit="bytes">262144</allocation>
  <physical unit="bytes">106926080</physical>
  <target>
    <path>/var/lib/libvirt/images/sparse.img</path>
    <format type="raw" />
    <permissions>
      <mode>0600</mode>
      <owner>0</owner>
      <group>0</group>
      <label>system_u:object_r:virt_image_t:s0</label>
    </permissions>
    <timestamps>
      <atime>1587524674.493540976</atime>
      <mtime>1587524674.462541411</mtime>
      <ctime>1587524674.492540990</ctime>
    </timestamps>
    <encryption format="luks">
      <secret type="passphrase" uuid="29eebac2-ccc2-4f3e-8c6a-9b8ba61c8a8e" />
    </encryption>
  </target>
</volume>

# virsh vol-create --pool default volume.xml
Vol sparse.img created from volume.xml

3. Attach the new luks volume to a guest
and then use it with attach-device:
# cat attach.xml
<disk device="disk" type="file"><driver cache="none" name="qemu" type="raw" /><target bus="virtio" dev="vdc" /><source file="/var/lib/libvirt/images/sparse.img"><slices><slice offset="0" size="1024" type="storage" /></slices></source>
<encryption format="luks"><secret type="passphrase" uuid="29eebac2-ccc2-4f3e-8c6a-9b8ba61c8a8e" /></encryption></disk>

# virsh attach-device test1 attach.xml
error: Failed to attach device from attach.xml
error: internal error: unable to execute QEMU command 'blockdev-add': Invalid password, cannot unlock any keyslot

I wonder if this is the same issue?
qemu cmd line :
,"arguments":{"node-name":"libvirt-7-format","read-only":false,"cache":{"direct":true,"no-flush":false},"driver":"luks","key-secret":"libvirt-7-format-encryption-secret0","file":"libvirt-7-slice-sto"},"id":"libvirt-45"}^M
 fd=-1
2020-04-22 09:05:30.954+0000: 80409: info : virObjectRef:385 : OBJECT_REF: obj=0x7fa8180072d0
2020-04-22 09:05:30.954+0000: 80409: info : qemuMonitorIOWrite:431 : QEMU_MONITOR_IO_WRITE: mon=0x7fa8180072d0 buf={"execute":"blockdev-add","arguments":{"node-name":"libvirt-7-format","read-only":false,"cache":{"direct":true,"no-flush":false},"driver":"luks","key-secret":"libvirt-7-format-encryption-secret0","file":"libvirt-7-slice-sto"},"id":"libvirt-45"}^M
 len=246 ret=246 errno=0
2020-04-22 09:05:30.954+0000: 80409: info : virObjectRef:385 : OBJECT_REF: obj=0x7fa8180072d0
2020-04-22 09:05:30.954+0000: 80409: info : virObjectUnref:347 : OBJECT_UNREF: obj=0x7fa8180072d0
2020-04-22 09:05:30.954+0000: 80409: info : virObjectUnref:347 : OBJECT_UNREF: obj=0x7fa8180072d0
2020-04-22 09:05:33.218+0000: 80409: info : virObjectRef:385 : OBJECT_REF: obj=0x7fa8180072d0
2020-04-22 09:05:33.218+0000: 80409: debug : qemuMonitorJSONIOProcessLine:220 : Line [{"id": "libvirt-45", "error": {"class": "GenericError", "desc": "Invalid password, cannot unlock any keyslot"}}]
2020-04-22 09:05:33.218+0000: 80409: info : qemuMonitorJSONIOProcessLine:240 : QEMU_MONITOR_RECV_REPLY: mon=0x7fa8180072d0 reply={"id": "libvirt-45", "error": {"class": "GenericError", "desc": "Invalid password, cannot unlock any keyslot"}}
2020-04-22 09:05:33.218+0000: 80409: info : virObjectRef:385 : OBJECT_REF: obj=0x7fa8180072d0
2020-04-22 09:05:33.218+0000: 80409: info : virObjectUnref:347 : OBJECT_UNREF: obj=0x7fa8180072d0
2020-04-22 09:05:33.218+0000: 80409: info : virObjectUnref:347 : OBJECT_UNREF: obj=0x7fa8180072d0
2020-04-22 09:05:33.218+0000: 80336: info : virObjectUnref:347 : OBJECT_UNREF: obj=0x7fa8180072d0
2020-04-22 09:05:33.218+0000: 80336: info : virObjectRef:385 : OBJECT_REF: obj=0x7fa8180072d0
2020-04-22 09:05:33.218+0000: 80336: debug : qemuMonitorJSONCheckErrorFull:402 : unable to execute QEMU command {"execute":"blockdev-add","arguments":{"node-name":"libvirt-7-format","read-only":false,"cache":{"direct":true,"no-flush":false},"driver":"luks","key-secret":"libvirt-7-format-encryption-secret0","file":"libvirt-7-slice-sto"},"id":"libvirt-45"}: {"id":"libvirt-45","error":{"class":"GenericError","desc":"Invalid password, cannot unlock any keyslot"}}
2020-04-22 09:05:33.218+0000: 80336: error : qemuMonitorJSONCheckErrorFull:416 : internal error: unable to execute QEMU command 'blockdev-add': Invalid password, cannot unlock any keyslot
(In reply to gaojianan from comment #5)
> [...]
> 3.Attach the new luks volume to a guest
> and then use it with attach-device:
> # cat attach.xml
> <disk device="disk" type="file"><driver cache="none" name="qemu" type="raw"
> /><target bus="virtio" dev="vdc" /><source
> file="/var/lib/libvirt/images/sparse.img"><slices><slice offset="0"
> size="1024" type="storage" /></slices></source>

Your declared slice is only '1024' bytes, but the file is much bigger. Please note that using <slice> requires that you know what you are doing and there's no way for libvirt to validate that the passed values are correct. It may end up looking like the disk is corrupted or other things.

Additionally while the image is sparse, the slice must be set for the full size of the file.

> <encryption format="luks"><secret type="passphrase"
> uuid="29eebac2-ccc2-4f3e-8c6a-9b8ba61c8a8e" /></encryption></disk>
>
> # virsh attach-device test1 attach.xml
> error: Failed to attach device from attach.xml
> error: internal error: unable to execute QEMU command 'blockdev-add':
> Invalid password, cannot unlock any keyslot
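Since libvirt cannot validate slice values, they can be checked against the image before attaching. The following is an added example, not part of the original thread and not libvirt or QEMU code: it parses a LUKS1 header and reports which regions a declared slice cuts off. The function names are hypothetical, and the sample header is constructed with an assumed layout (payload at sector 4040, one active key slot) chosen so that header plus 1 MiB payload equals the 3117056 bytes reported above.

```python
import os
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
KEYSLOT_ACTIVE = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD
# LUKS1 header, big-endian: magic, version, cipher name, cipher mode, hash spec,
# payload offset (sectors), key bytes, MK digest, MK salt, MK iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# Key slot: active flag, iterations, salt, key material offset (sectors), stripes.
KEYSLOT = struct.Struct(">II32sII")
HEADER_LEN = PHDR.size + 8 * KEYSLOT.size  # 208 + 8 * 48 = 592 bytes


def luks1_regions(header):
    """Return ([(label, start, end)], payload_start) in bytes from the image start."""
    if len(header) < HEADER_LEN:
        raise ValueError("short read: slice or file ends inside the LUKS header")
    fields = PHDR.unpack_from(header, 0)
    if fields[0] != LUKS_MAGIC or fields[1] != 1:
        raise ValueError("not a LUKS1 header")
    payload_sectors, key_bytes = fields[5], fields[6]
    regions = [("header", 0, HEADER_LEN)]
    for i in range(8):
        active, _, _, km_off, stripes = KEYSLOT.unpack_from(
            header, PHDR.size + i * KEYSLOT.size)
        if active == KEYSLOT_ACTIVE:
            start = km_off * SECTOR
            regions.append((f"keyslot {i} key material", start,
                            start + key_bytes * stripes))
    return regions, payload_sectors * SECTOR


def check_slice(header, file_size, offset, size):
    """Return (problems, visible_payload_bytes) for <slice offset= size=>.

    `header` holds the first HEADER_LEN bytes read at `offset` in the file.
    """
    problems = []
    if offset + size > file_size:
        problems.append(
            f"slice ends at byte {offset + size}, past the {file_size}-byte file")
    regions, payload_start = luks1_regions(header)
    for label, start, end in regions:
        if end > size:
            problems.append(
                f"{label} (slice bytes {start}-{end - 1}) is cut off at {size}")
    visible = max(0, size - payload_start)
    if visible == 0:
        problems.append("slice leaves no encrypted payload visible")
    return problems, visible


def check_image(path, offset, size):
    """Run check_slice against a real image file."""
    with open(path, "rb") as f:
        f.seek(offset)
        header = f.read(HEADER_LEN)
    return check_slice(header, os.path.getsize(path), offset, size)


def sample_header():
    """Constructed LUKS1 header (assumed layout, not read from a real image)."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                    4040, 64, bytes(20), bytes(32), 1000, b"constructed-uuid")
    for i in range(8):
        active = KEYSLOT_ACTIVE if i == 0 else KEYSLOT_DISABLED
        hdr += KEYSLOT.pack(active, 1000, bytes(32), 8 + i * 504, 4000)
    return hdr


if __name__ == "__main__":
    hdr = sample_header()
    # The two slices used in this thread: full file size, then 1024 bytes.
    print(check_slice(hdr, 3117056, 0, 3117056))
    print(check_slice(hdr, 106926080, 0, 1024))
```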
(In reply to gaojianan from comment #5)
> [...]
> But in another scenario:
> 1.Set secret info as above
> 2.Create a luks volume in default pool
> # cat volume.xml
> [...]
> # virsh vol-create --pool default volume.xml
> Vol sparse.img created from volume.xml

Why create the image by vol-create?
I don't find any storage code changes in this bug fix.

> 3.Attach the new luks volume to a guest
> and then use it with attach-device:
> [...]
(In reply to Han Han from comment #7)
> (In reply to gaojianan from comment #5)
> > [...]
> > # virsh vol-create --pool default volume.xml
> > Vol sparse.img created from volume.xml
>
> Why create the image by vol-create?
> I don't find any storage code changes in this bug fix.
> [...]

I think what Peter said is right, so verified this bug as https://bugzilla.redhat.com/show_bug.cgi?id=1814975#c5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5137