Bug 2023674 - [incremental_backup] Cannot encrypt backup scratch file/blockdev anymore
Summary: [incremental_backup] Cannot encrypt backup scratch file/blockdev anymore
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.0
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Peter Krempa
QA Contact: yisun
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-16 10:27 UTC by yisun
Modified: 2022-05-17 13:06 UTC (History)

Fixed In Version: libvirt-7.10.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 12:45:49 UTC
Type: Bug
Target Upstream Version: 7.10.0
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-102913 0 None None None 2021-11-16 10:29:02 UTC
Red Hat Product Errata RHBA-2022:2390 0 None None None 2022-05-17 12:46:14 UTC

Description yisun 2021-11-16 10:27:07 UTC
Versions:
libvirt-7.9.0-1.el9.x86_64
qemu-kvm-6.1.0-6.el9.x86_64

How reproducible:
100%

Please note, this case PASSED with:
libvirt-7.8.0-1.el9.x86_64
qemu-kvm-6.1.0-6.el9.x86_64

So set as a libvirt REGRESSION
 

Steps:
1. Prepare a libvirt secret
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# cat secret.xml
<secret ephemeral='no' private='yes'>
<description>LUKS Secret</description>
<usage type='volume'>
<volume>/tmp/scratch</volume>
</usage>
</secret>


(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh secret-define secret.xml
Secret 024e2f39-2634-4d5b-8447-0f6660068cde created

(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# MYSECRET=`printf %s "redhat" | base64`
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh secret-set-value 024e2f39-2634-4d5b-8447-0f6660068cde $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set

2. Prepare a running vm with virtual disk 'vda'
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh domstate avocado-vt-vm1
running

(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh domblklist avocado-vt-vm1
 Target   Source
------------------------------------------------------------------------
 vda      /var/lib/avocado/data/avocado-vt/images/jeos-27-x86_64.qcow2


3. Prepare backup xml, in which the scratch file is encrypted by luks method
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# cat backup.xml
<domainbackup mode="pull">
  <server name="localhost" port="10809" />
  <disks>
    <disk backup="yes" name="vda" type="file">
      <scratch file="/tmp/scratch_file">
        <encryption format="luks">
          <secret type="passphrase" uuid="024e2f39-2634-4d5b-8447-0f6660068cde" />
        </encryption>
      </scratch>
    </disk>
  </disks>
</domainbackup>


4. Start backup, failure happens
(.libvirt-ci-venv-ci-runtest-Ndcevo) [root@dell-per740xd-13 ~]# virsh backup-begin avocado-vt-vm1 backup.xml
error: internal error: Unexpected enum value 0 for virStorageEncryptionEngine

Libvirtd log added as attachment.

Comment 4 Peter Krempa 2021-11-19 13:00:46 UTC
Fixed upstream:

commit 1e085019cadcafe87dd96975900c5798dfe46060
Author: Peter Krempa <pkrempa>
Date:   Tue Nov 16 14:45:53 2021 +0100

    qemuDomainPrepareStorageSourceBlockdev: Set default encryption engine also when preparing virStorageSource
    
    Originally the default encryption engine is populated in the disk
    post-parse callback code. This works for disks but for any additional
    images introduced either via the block copy API or via the backup API we
    don't populate the default.
    
    In case when the backup or block copy is requested on an encrypted image
    this would then lead to an error:
    
     error: internal error: Unexpected enum value 0 for virStorageEncryptionEngine
    
    This patch adds another point where we populate the default which is
    when setting up a virStorageSource for actual usage.
    
    We keep the original setting in the post-parse callback as that's the
    only point that is recorded in the XML file after definition.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2023674
    Fixes: ab1d46d6128
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

v7.9.0-187-g1e085019ca
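
Added example, not libvirt source and not part of the original comment: a simplified C model of the regression the commit message above describes, where a default filled in only at post-parse time never reaches sources created later by the backup or block copy path. All type and function names are hypothetical; the `apply_fix` flag stands in for the extra defaulting point the commit adds.

```c
#include <stdio.h>

/* Simplified model of the bug class; every name here is hypothetical. */
typedef enum {
    ENGINE_DEFAULT = 0,   /* "not set": what a zero-initialised struct holds */
    ENGINE_QEMU,
    ENGINE_LAST
} engine_t;

typedef struct {
    int encrypted;        /* source carries an <encryption> element */
    engine_t engine;
} source_t;

/* Post-parse step: runs only for disks that are part of the domain XML. */
void post_parse_disk(source_t *src)
{
    if (src->encrypted && src->engine == ENGINE_DEFAULT)
        src->engine = ENGINE_QEMU;
}

/* Consumer: refuses to build encryption properties for an unset engine. */
int build_encryption_props(const source_t *src, char *err, size_t errlen)
{
    switch (src->engine) {
    case ENGINE_QEMU:
        return 0;
    default:
        snprintf(err, errlen, "Unexpected enum value %d for engine", (int)src->engine);
        return -1;
    }
}

/* Prepare step that every source passes through before use. With apply_fix
 * set, the default is applied here too, covering sources that skipped post-parse. */
int prepare_source(source_t *src, int apply_fix, char *err, size_t errlen)
{
    if (apply_fix && src->encrypted && src->engine == ENGINE_DEFAULT)
        src->engine = ENGINE_QEMU;
    return src->encrypted ? build_encryption_props(src, err, errlen) : 0;
}

int main(void)
{
    char err[64] = "";
    source_t scratch = { .encrypted = 1 };   /* constructed: backup scratch image */
    printf("before fix: %d (%s)\n", prepare_source(&scratch, 0, err, sizeof err), err);
    printf("after fix:  %d\n", prepare_source(&scratch, 1, err, sizeof err));
    return 0;
}
```
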

Comment 7 yisun 2021-11-23 12:20:09 UTC
pre-verified with upstream build and result is PASS


[root@yisun-upstream-test ~]# rpm -qa | grep libvirt-7
libvirt-7.10.0-1.fc34.x86_64

[root@yisun-upstream-test ~]# cat sec.xml
<secret ephemeral='no' private='yes'>
<description>LUKS Secret</description>
<usage type='volume'>
<volume>/tmp/scratch</volume>
</usage>
</secret>

[root@yisun-upstream-test ~]# virsh secret-define sec.xml
Secret d533acbb-37ac-4983-a82d-1be85148b0c1 created

[root@yisun-upstream-test ~]# MYSECRET=`printf %s "redhat" | base64`
[root@yisun-upstream-test ~]# virsh secret-set-value d533acbb-37ac-4983-a82d-1be85148b0c1 $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set

[root@yisun-upstream-test ~]# virsh domstate lmn
running

[root@yisun-upstream-test ~]# virsh domblklist lmn
 Target   Source
---------------------------------------------
 sda      /var/lib/libvirt/images/lmn.qcow2

[root@yisun-upstream-test ~]# cat backup.xml
<domainbackup mode="pull">
  <server name="localhost" port="10809" />
  <disks>
    <disk backup="yes" name="sda" type="file">
      <scratch file="/tmp/scratch_file">
        <encryption format="luks">
          <secret type="passphrase" uuid="d533acbb-37ac-4983-a82d-1be85148b0c1" />
        </encryption>
      </scratch>
    </disk>
  </disks>
</domainbackup>


[root@yisun-upstream-test ~]# virsh backup-begin lmn  backup.xml
Backup started


[root@yisun-upstream-test ~]# qemu-img info /tmp/scratch_file -U
image: /tmp/scratch_file
file format: qcow2
virtual size: 10 GiB (10737418240 bytes)
disk size: 2.19 MiB
encrypted: yes
cluster_size: 65536
backing file: /var/lib/libvirt/images/lmn.qcow2
backing file format: qcow2
Format specific information:
    compat: 1.1
    compression type: zlib
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: ea6631ad-bb66-456e-adeb-2c88c1bbaced
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 1253078
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 333062
    corrupt: false
    extended l2: false

Comment 12 errata-xmlrpc 2022-05-17 12:45:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: libvirt), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2390

