18781374080
2020-Apr-15 02:53 UTC
Can't start vm with enc backing files, No secret with id 'sec0' ?
Hey, guys

I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu:

    [root@xx ~]# libvirtd -V
    libvirtd (libvirt) 4.5.0
    [root@xx ~]# qemu-img -V
    qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)
    Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

1. Assign $MYSECRET to a libvirt secret using the secret-define and secret-set-value commands; $MYSECRET is in base64 format:

    MYSECRET=`printf %s "123456" | base64`

2. Create a disk encrypted in LUKS format:

    qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G

3. The encrypted disk is defined in the XML configuration file as shown below. Then I successfully started the virtual machine.

    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/root/enc.qcow2'/>
      <backingStore/>
      <target dev='hda' bus='ide'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
      </encryption>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as backing:

    qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2

I used the same $MYSECRET as the password data for the disk.

Here is the disk information for snap.qcow2:

    image: snap.qcow2
    file format: qcow2
    virtual size: 20G (21474836480 bytes)
    disk size: 480K
    encrypted: yes
    cluster_size: 65536
    backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
    backing file format: qcow2
    Format specific information:
        compat: 1.1
        lazy refcounts: false
        refcount bits: 16
        encrypt:
            ivgen alg: plain64
            hash alg: sha256
            cipher alg: aes-256
            uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981
            format: luks
            cipher mode: xts
            slots:
                [0]:
                    active: true
                    iters: 115582
                    key offset: 4096
                    stripes: 4000
                [1]:
                    active: false
                    key offset: 262144
                [2]:
                    active: false
                    key offset: 520192
                [3]:
                    active: false
                    key offset: 778240
                [4]:
                    active: false
                    key offset: 1036288
                [5]:
                    active: false
                    key offset: 1294336
                [6]:
                    active: false
                    key offset: 1552384
                [7]:
                    active: false
                    key offset: 1810432
            payload offset: 2068480
            master key iters: 30085
        corrupt: false

5. Then I changed the configuration of the XML as shown below, and re-defined and started the virtual machine:

    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/root/snap.qcow2'/>
      <backingStore type='file'>
        <format type='qcow2'/>
        <source file='/root/enc.qcow2'/>
        <backingStore/>
      </backingStore>
      <target dev='hda' bus='ide'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
      </encryption>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

Then the startup failed and an error was thrown, as shown below:

    qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'

The sec0 secret id could not be found in the backing file; this is my problem. Is there a problem with the way I implemented it, or does libvirt currently not support this?

Any tips or help will be appreciated. Looking forward to your reply. Thank you.

18781374080
18781374080@163.com
Signature customized by NetEase Mail Master
Peter Krempa
2020-Apr-15 06:24 UTC
Re: Can't start vm with enc backing files, No secret with id 'sec0' ?
On Wed, Apr 15, 2020 at 10:53:05 +0800, 18781374080 wrote:
> Hey, guys
> I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu
> [root@xx ~]# libvirtd -V
> libvirtd (libvirt) 4.5.0

This is too old; encrypted backing files work starting from libvirt-5.10
(but I strongly suggest using at least 6.1)

> [root@xx ~]# qemu-img -V
> qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)

And qemu-4.2

> Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
> 1. assign $MYSECRET to libvirt secret using the secret-define and secret-set-value commands, and $MYSECRET is in base64 format
> MYSECRET=`printf %s "123456" | base64`
> 2. created a disk encrypted in luks format
> qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G
> 3. The encrypted disk is defined in the XML configuration file, as shown below. Then I successfully started the virtual machine.
> <disk type='file' device='disk'>
>   <driver name='qemu' type='qcow2'/>
>   <source file='/root/enc.qcow2'/>
>   <backingStore/>
>   <target dev='hda' bus='ide'/>
>   <encryption format='luks'>
>     <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
>   </encryption>
>   <alias name='ide0-0-0'/>
>   <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> </disk>
> 4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as backing
> qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2

This won't work with libvirt.

You can't pass "encrypt.key-secret": "sec0" via the backing file string as
there's no way to create the corresponding secret object when starting the
VM. You can fully omit it here and use just '-b /root/enc/enc.qcow2'

> I used the same $MYSECRET as the password data for the disk. Here is the disk information for snap.qcow2
> image: snap.qcow2
> file format: qcow2
> virtual size: 20G (21474836480 bytes)
> disk size: 480K
> encrypted: yes
> cluster_size: 65536
> backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
> backing file format: qcow2
> Format specific information:
>     compat: 1.1
>     lazy refcounts: false
>     refcount bits: 16
>     encrypt:
>         ivgen alg: plain64
>         hash alg: sha256
>         cipher alg: aes-256
>         uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981
>         format: luks
>         cipher mode: xts

[snip]

> 5. Then I changed the configuration of the XML, as shown below. And re-define and start the virtual machine

With new libvirt mentioned above you'll have to add the encryption also to
the backing file. That will properly configure both layers to use the
correct encryption key.

    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/root/snap.qcow2'/>
      <backingStore type='file'>
        <format type='qcow2'/>
        <source file='/root/enc.qcow2'>
          <encryption format='luks'>
            <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
          </encryption>
        </source>
        <backingStore/>
      </backingStore>
      <target dev='hda' bus='ide'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
      </encryption>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

Note that also the top level source can have <encryption> as child of <source>

> Then the startup failed and an error was thrown. As shown below.
> qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'

As pointed out above, there's no way to instantiate the secret object via
the backing store string as that is done by libvirt explicitly via -object
on the command line.

> The sec0 secret id could not be found in the backing file, this is my problem.
> Is there a problem with the way I implemented it, or does libvirt currently not support this?
> Any tips or help will be appreciated, Looking forward to your reply. Thank you
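The two mistakes Peter points out (a secret id embedded in the overlay's json: backing-file string, and a backing layer defined without its own <encryption>) are both easy to catch before a domain is started. The following Python script is an added example written for this page; it is not code from the thread, from libvirt or from QEMU. It parses the disk XML from step 5 of the original post (embedded as a constructed sample), walks the <backingStore> chain to report every layer that carries no <encryption>, and rebuilds the XML in the form Peter's reply shows, generalised to a chain of any depth, with <encryption> under each layer's own <source>. It also inspects a captured `qemu-img info` "backing file:" line for a json: pseudo-filename that names an encrypt.key-secret. The helper names (backing_file_embeds_secret, build_encrypted_chain_disk, find_unencrypted_layers) are this example's own; the secret UUID and file paths are the ones the thread uses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the disk XML from step 5 of the original post. Only the
# active image carries <encryption>; the backing layer /root/enc.qcow2 has none,
# which is the configuration qemu refused to open.
BROKEN_DISK_XML = """\
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <format type='qcow2'/>
    <source file='/root/enc.qcow2'/>
    <backingStore/>
  </backingStore>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
</disk>
"""

# Constructed sample: the relevant lines of the poster's `qemu-img info snap.qcow2`.
SAMPLE_QEMU_IMG_INFO = """\
image: snap.qcow2
file format: qcow2
encrypted: yes
backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
backing file format: qcow2
"""

SECRET_UUID = '694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'  # the libvirt secret used in the thread


def backing_file_embeds_secret(qemu_img_info):
    """Return True when the 'backing file:' line is a json: pseudo-filename that
    names an encrypt.key-secret. libvirt cannot create that secret object at VM
    start (it passes secrets itself via -object), so such an overlay has to be
    recreated with a plain '-b /path/to/base.qcow2' backing reference."""
    m = re.search(r'^backing file:\s*(.*)$', qemu_img_info, re.M)
    if m is None:
        return False
    value = m.group(1).strip()
    return value.startswith('json:') and 'encrypt.key-secret' in value


def _add_luks(source_elem, secret_uuid):
    """Attach <encryption format='luks'><secret .../></encryption> to a <source>."""
    enc = ET.SubElement(source_elem, 'encryption', format='luks')
    ET.SubElement(enc, 'secret', type='passphrase', uuid=secret_uuid)


def build_encrypted_chain_disk(images, secret_uuid, target_dev='hda', bus='ide'):
    """Build <disk> XML for a qcow2 chain in which every layer is LUKS-encrypted
    with the same libvirt secret. images[0] is the active image, images[-1] the
    base. Each layer gets <encryption> as a child of its own <source>, the form
    shown in the reply above for libvirt >= 5.10; this generalises the two-layer
    XML in the thread to any chain depth."""
    disk = ET.Element('disk', type='file', device='disk')
    ET.SubElement(disk, 'driver', name='qemu', type='qcow2')
    _add_luks(ET.SubElement(disk, 'source', file=images[0]), secret_uuid)
    parent = disk
    for path in images[1:]:
        store = ET.SubElement(parent, 'backingStore', type='file')
        ET.SubElement(store, 'format', type='qcow2')
        _add_luks(ET.SubElement(store, 'source', file=path), secret_uuid)
        parent = store
    ET.SubElement(parent, 'backingStore')  # empty element terminates the chain
    ET.SubElement(disk, 'target', dev=target_dev, bus=bus)
    return ET.tostring(disk, encoding='unicode')


def find_unencrypted_layers(disk_xml):
    """Walk the <backingStore> chain of a <disk> and return the file paths of the
    layers that carry no <encryption>. For the active image libvirt accepts
    <encryption> either under <source> or directly under <disk>; a backing layer
    must carry it under its own <source>."""
    disk = ET.fromstring(disk_xml)
    missing = []
    src = disk.find('source')
    if src is not None and src.find('encryption') is None and disk.find('encryption') is None:
        missing.append(src.get('file'))
    store = disk.find('backingStore')
    # The terminating <backingStore/> has no children, which ends the walk.
    while store is not None and len(store):
        bsrc = store.find('source')
        if bsrc is not None and bsrc.find('encryption') is None:
            missing.append(bsrc.get('file'))
        store = store.find('backingStore')
    return missing


if __name__ == '__main__':
    print('overlay backing string embeds a secret id:',
          backing_file_embeds_secret(SAMPLE_QEMU_IMG_INFO))
    print('layers without <encryption> in the posted XML:',
          find_unencrypted_layers(BROKEN_DISK_XML))
    fixed = build_encrypted_chain_disk(['/root/snap.qcow2', '/root/enc.qcow2'], SECRET_UUID)
    print('layers without <encryption> in the rebuilt XML:',
          find_unencrypted_layers(fixed))
```

Run against the posted configuration the checker names /root/enc.qcow2 as the layer with no key attached, which matches the "No secret with id 'sec0'" failure; the rebuilt XML passes clean. The walk stops at the empty <backingStore/> element because that is how libvirt marks the end of a chain, so a chain that has no explicit terminator is treated as ending at its last typed layer.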
18781374080
2020-Apr-15 06:43 UTC
Re: Can't start vm with enc backing files, No secret with id 'sec0' ?
Thank you very much for your guidance!

On 4/15/2020 14:24, Peter Krempa <pkrempa@redhat.com> wrote:
> [snip]