yaohua.wu@zstack.io
2020-Jul-16 09:31 UTC
Cannot pass secret id for backing file after taking external snapshot on encrypted qcow2 file
Hi,

I used 'virsh snapshot-create' to create an encrypted external snapshot. When I try to run 'qemu-img check' on the top file, I found no way to pass the backing file's secret-id.

1. Version

    centos-release-8.2-2.2004.0.1.el8.x86_64
    libvirt.x86_64 6.0.0-17.el8
    qemu-kvm.x86_64 15:4.2.0-19.el8

2. Reproduce Steps

1) Create an encrypted qcow2

    qemu-img create --object secret,id=sec0,data=123456 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 first.qcow2 1G

2) Create external snapshot with 'encrypted' xml

    # cat snap.xml
    <domainsnapshot>
      <disks>
        <disk name='hdc' snapshot='no'/>
        <disk name='vdb' snapshot='external'>
          <source file='/root/first-snapshot.qcow2'>
            <encryption format='luks'>
              <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
            </encryption>
          </source>
        </disk>
      </disks>
    </domainsnapshot>

    # virsh dumpxml test-vm | awk '/<disk/,/<\/disk/'
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/root/first-snapshot.qcow2' index='5'/>
      <backingStore type='file' index='2'>
        <format type='qcow2'/>
        <source file='/root/first.qcow2'>
          <encryption format='luks'>
            <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/>
          </encryption>
        </source>
        <backingStore/>
      </backingStore>
      <target dev='vdb' bus='virtio'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
      </encryption>
      <alias name='virtio-disk1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
    </disk>

3) Try to qemu-img check the top qcow2 file

Note: The secid of the backing file is not recorded, so when I use qemu-img check etc., how do I pass the backing files' secret to qemu?

    # qemu-img info -U first-snapshot.qcow2
    image: first-snapshot.qcow2
    file format: qcow2
    virtual size: 1 GiB (1073741824 bytes)
    disk size: 544 KiB
    encrypted: yes
    cluster_size: 65536
    backing file: /root/first.qcow2 ### backing file: json:{"encrypt.format": "luks", "encrypt.key-secret": "secrete-id"}
    backing file format: luks
    Format specific information:
        compat: 1.1
        lazy refcounts: false
        refcount bits: 16
        encrypt:
            ivgen alg: plain64
            hash alg: sha256
            cipher alg: aes-256
            uuid: e4158089-26e4-433f-990e-1d1d0723feee
            format: luks
            cipher mode: xts
            slots:
                [0]:
                    active: true
                    iters: 1257888
                    key offset: 4096
                    stripes: 4000
                [1]:
                    active: false
                    key offset: 262144
                [2]:
                    active: false
                    key offset: 520192
                [3]:
                    active: false
                    key offset: 778240
                [4]:
                    active: false
                    key offset: 1036288
                [5]:
                    active: false
                    key offset: 1294336
                [6]:
                    active: false
                    key offset: 1552384
                [7]:
                    active: false
                    key offset: 1810432
            payload offset: 2068480
            master key iters: 300073
        corrupt: false

    # qemu-img check -U \
        --object secret,id=sec_1,file=/etc/libvirt/secrets/f52a81b2-424e-490c-823d-6bd4235bc572.base64,format=base64 \
        --image-opts encrypt.format=luks,encrypt.key-secret=sec_1,file.filename=first-snapshot.qcow2 \
        --object secret,id=sec_2,file=/etc/libvirt/secrets/f981dd17-143f-45bc-88e6-222222222222.base64,format=base64
    qemu-img: Could not open 'encrypt.format=luks,encrypt.key-secret=sec_1,file.filename=first-snapshot.qcow2': Could not open backing file: Parameter 'key-secret' is required for cipher

yaohua.wu@zstack.io
YaoHua Wu
2020-Aug-03 12:53 UTC
Re: Cannot pass secret id for backing file after taking external snapshot on encrypted qcow2 file