Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2023674

Summary:	[incremental_backup] Cannot encrypt backup scratch file/blockdev anymore
Product:	Red Hat Enterprise Linux 9	Reporter:	yisun
Component:	libvirt	Assignee:	Peter Krempa <pkrempa>
libvirt sub component:	General	QA Contact:	yisun
Status:	CLOSED ERRATA	Docs Contact:
Severity:	medium
Priority:	low	CC:	jdenemar, jsuchane, pkrempa, virt-maint, xuzhang
Version:	9.0	Keywords:	Automation, Regression, Triaged
Target Milestone:	rc	Flags:	pm-rhel: mirror+
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	libvirt-7.10.0-1.el9	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-05-17 12:45:49 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:	7.10.0
Embargoed:

Description yisun 2021-11-16 10:27:07 UTC

Versions:
libvirt-7.9.0-1.el9.x86_64
qemu-kvm-6.1.0-6.el9.x86_64

How reproducible:
100%

Pls note, this case is PASSED with:
libvirt-7.8.0-1.el9.x86_64
qemu-kvm-6.1.0-6.el9.x86_64

So set as a libvirt REGRESSION
 

Steps:
1. Prepare a libvirt secret
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# cat secret.xml
<secret ephemeral='no' private='yes'>
<description>LUKS Secret</description>
<usage type='volume'>
<volume>/tmp/scratch</volume>
</usage>
</secret>


(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh secret-define secret.xml
Secret 024e2f39-2634-4d5b-8447-0f6660068cde created

(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# MYSECRET=`printf %s "redhat" | base64`
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh secret-set-value 024e2f39-2634-4d5b-8447-0f6660068cde $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set

2. Prepare a running vm with virtual disk 'vda'
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh domstate avocado-vt-vm1
running

(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh domblklist avocado-vt-vm1
 Target   Source
------------------------------------------------------------------------
 vda      /var/lib/avocado/data/avocado-vt/images/jeos-27-x86_64.qcow2


3. Prepare backup xml, in which the scratch file is encrypted by luks method
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# cat backup.xml
<domainbackup mode="pull">
  <server name="localhost" port="10809" />
  <disks>
    <disk backup="yes" name="vda" type="file">
      <scratch file="/tmp/scratch_file">
        <encryption format="luks">
          <secret type="passphrase" uuid="024e2f39-2634-4d5b-8447-0f6660068cde" />
        </encryption>
      </scratch>
    </disk>
  </disks>
</domainbackup>


4. Start backup, failure happens
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh backup-begin avocado-vt-vm1 backup.xml
error: internal error: Unexpected enum value 0 for virStorageEncryptionEngine

Libvirtd log added as attachment.

Comment 3 Peter Krempa 2021-11-18 09:39:05 UTC

Patch:

https://listman.redhat.com/archives/libvir-list/2021-November/msg00453.html

Comment 4 Peter Krempa 2021-11-19 13:00:46 UTC

Fixed upstream:

commit 1e085019cadcafe87dd96975900c5798dfe46060
Author: Peter Krempa <pkrempa>
Date:   Tue Nov 16 14:45:53 2021 +0100

    qemuDomainPrepareStorageSourceBlockdev: Set default encryption engine also when preparing virStorageSource
    
    Originally the default encryption engine is populated in the disk
    post-parse callback code. This works for disks but for any additional
    images introduced either via the block copy API or via the backup API we
    don't populate the default.
    
    In case when the backup or block copy is requested on an encrypted image
    this would then lead to an error:
    
     error: internal error: Unexpected enum value 0 for virStorageEncryptionEngine
    
    This patch adds another point where we populate the default which is
    when setting up a virStorageSource for actual usage.
    
    We keep the original setting in the post-parse callback as that's the
    only point that is recorded in the XML file after definition.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2023674
    Fixes: ab1d46d6128
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

v7.9.0-187-g1e085019ca

Comment 7 yisun 2021-11-23 12:20:09 UTC

pre-verified with upstream build and result is PASS


[root@yisun-upstream-test ~]# rpm -qa | grep libvirt-7
libvirt-7.10.0-1.fc34.x86_64

[root@yisun-upstream-test ~]# cat sec.xml
<secret ephemeral='no' private='yes'>
<description>LUKS Secret</description>
<usage type='volume'>
<volume>/tmp/scratch</volume>
</usage>
</secret>

[root@yisun-upstream-test ~]# virsh secret-define sec.xml
Secret d533acbb-37ac-4983-a82d-1be85148b0c1 created

[root@yisun-upstream-test ~]# MYSECRET=`printf %s "redhat" | base64`
[root@yisun-upstream-test ~]# virsh secret-set-value d533acbb-37ac-4983-a82d-1be85148b0c1 $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set

[root@yisun-upstream-test ~]# virsh domstate lmn
running

[root@yisun-upstream-test ~]# virsh domblklist lmn
 Target   Source
---------------------------------------------
 sda      /var/lib/libvirt/images/lmn.qcow2

[root@yisun-upstream-test ~]# cat backup.xml
<domainbackup mode="pull">
  <server name="localhost" port="10809" />
  <disks>
    <disk backup="yes" name="sda" type="file">
      <scratch file="/tmp/scratch_file">
        <encryption format="luks">
          <secret type="passphrase" uuid="d533acbb-37ac-4983-a82d-1be85148b0c1" />
        </encryption>
      </scratch>
    </disk>
  </disks>
</domainbackup>


[root@yisun-upstream-test ~]# virsh backup-begin lmn  backup.xml
Backup started


[root@yisun-upstream-test ~]# qemu-img info /tmp/scratch_file -U
image: /tmp/scratch_file
file format: qcow2
virtual size: 10 GiB (10737418240 bytes)
disk size: 2.19 MiB
encrypted: yes
cluster_size: 65536
backing file: /var/lib/libvirt/images/lmn.qcow2
backing file format: qcow2
Format specific information:
    compat: 1.1
    compression type: zlib
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: ea6631ad-bb66-456e-adeb-2c88c1bbaced
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 1253078
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 333062
    corrupt: false
    extended l2: false

Comment 12 errata-xmlrpc 2022-05-17 12:45:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: libvirt), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2390