From: John Ferlan
To: libvir-list@redhat.com
Date: Tue, 29 May 2018 08:53:06 -0400
Message-Id: <20180529125306.15067-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v2] storage: Add capability to use LUKS encryption for disk backend

https://bugzilla.redhat.com/show_bug.cgi?id=1560946

Similar to the Logical backend, use qemu-img on the created disk partition device to set up for LUKS encryption.

Secret mgmt for the device can be complicated by a reboot possibly changing the path to the device if the infrastructure changes.

Signed-off-by: John Ferlan
---
Changes in v2: Don't alter the result 'endOffset' of the DiskPartBoundaries, rather modify the input capacity value. Alteration of the value for the error path won't matter since the volume would be deleted anyway.

The call to virStorageBackendDiskPartBoundaries was also slightly modified to check the return value vs -1 rather than != 0 so that the call is similar to other calls. Separating that into its own patch could have been done, but just felt like too much "busy work" to be worth the trouble.

 src/storage/storage_backend_disk.c | 49 ++++++++++++++++++++++----------------
 1 file changed, 29 insertions(+), 20 deletions(-)
diff --git a/src/storage/storage_backend_disk.c b/src/storage/storage_backe= nd_disk.c index 2e3d1e04a4..e9578d01d6 100644 --- a/src/storage/storage_backend_disk.c +++ b/src/storage/storage_backend_disk.c @@ -879,28 +879,26 @@ virStorageBackendDiskCreateVol(virStoragePoolObjPtr p= ool, char *partFormat =3D NULL; unsigned long long startOffset =3D 0, endOffset =3D 0; virStoragePoolDefPtr def =3D virStoragePoolObjGetDef(pool); + virErrorPtr save_err; virCommandPtr cmd =3D virCommandNewArgList(PARTED, def->source.devices[0].path, "mkpart", "--script", NULL); =20 - if (vol->target.encryption !=3D NULL) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - "%s", _("storage pool does not support encrypted " - "volumes")); - goto cleanup; - } - if (virStorageBackendDiskPartFormat(pool, vol, &partFormat) !=3D 0) goto cleanup; virCommandAddArg(cmd, partFormat); =20 - if (virStorageBackendDiskPartBoundaries(pool, &startOffset, - &endOffset, - vol->target.capacity) !=3D 0) { + /* If we're going to encrypt using LUKS, then we could need up to + * an extra 2MB for the LUKS header - so account for that now */ + if (vol->target.encryption && + vol->target.encryption->format =3D=3D VIR_STORAGE_ENCRYPTION_FORMA= T_LUKS) + vol->target.capacity +=3D 2 * 1024 * 1024; + + if (virStorageBackendDiskPartBoundaries(pool, &startOffset, &endOffset, + vol->target.capacity) < 0) goto cleanup; - } =20 virCommandAddArgFormat(cmd, "%lluB", startOffset); virCommandAddArgFormat(cmd, "%lluB", endOffset); 
@@ -919,15 +917,15 @@ virStorageBackendDiskCreateVol(virStoragePoolObjPtr p= ool, VIR_FREE(vol->target.path); =20 /* Fetch actual extent info, generate key */ - if (virStorageBackendDiskReadPartitions(pool, vol) < 0) { - /* Best effort to remove the partition. Ignore any errors - * since we could be calling this with vol->target.path =3D=3D NULL - */ - virErrorPtr save_err =3D virSaveLastError(); - ignore_value(virStorageBackendDiskDeleteVol(pool, vol, 0)); - virSetError(save_err); - virFreeError(save_err); - goto cleanup; + if (virStorageBackendDiskReadPartitions(pool, vol) < 0) + goto error; + + if (vol->target.encryption) { + /* Adjust the sizes to account for the LUKS header */ + vol->target.capacity -=3D 2 * 1024 * 1024; + vol->target.allocation -=3D 2 * 1024 * 1024; + if (virStorageBackendCreateVolUsingQemuImg(pool, vol, NULL, 0) < 0) + goto error; } =20 res =3D 0; @@ -936,8 +934,19 @@ virStorageBackendDiskCreateVol(virStoragePoolObjPtr po= ol, VIR_FREE(partFormat); virCommandFree(cmd); return res; + + error: + /* Best effort to remove the partition. Ignore any errors + * since we could be calling this with vol->target.path =3D=3D NULL + */ + save_err =3D virSaveLastError(); + ignore_value(virStorageBackendDiskDeleteVol(pool, vol, 0)); + virSetError(save_err); + virFreeError(save_err); + goto cleanup; } =20 + static int virStorageBackendDiskBuildVolFrom(virStoragePoolObjPtr pool, virStorageVolDefPtr vol, --=20 2.14.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
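Review bot: in the first hunk (around line 879), removing the "storage pool does not support encrypted volumes" report outright means a volume whose encryption format is anything other than LUKS is no longer rejected at all; the new capacity adjustment only fires when `format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS`, so a non-LUKS format silently falls through to plain partition creation. Suggest keeping the VIR_ERR_CONFIG_UNSUPPORTED report for `vol->target.encryption && vol->target.encryption->format != VIR_STORAGE_ENCRYPTION_FORMAT_LUKS`. Separately, the `2 * 1024 * 1024` literal is written out three times across this patch (one add, two subtracts); a single named constant for the LUKS header reserve would make it obvious that the three sites are meant to stay in step.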
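Review bot: in the second hunk (around line 917), the subtraction is guarded by `if (vol->target.encryption)` whereas the matching addition in the first hunk also required `format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS`; with the guards mismatched, a non-LUKS encryption format would have `capacity` and `allocation` reduced by 2MB that were never added, and would still be handed to virStorageBackendCreateVolUsingQemuImg. Use the same LUKS test here, or compute one boolean at the top of the function and use it at both sites. Note also that `vol->target.allocation` is populated by virStorageBackendDiskReadPartitions rather than by the earlier addition, so `allocation -= 2 * 1024 * 1024` assumes the partition parted actually created is at least 2MB larger than the originally requested size; a cheap sanity check before subtracting would avoid an underflowed unsigned value on an unexpectedly small partition.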
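Review bot: in the third hunk (around line 934), the comment carried into the new `error:` label still reads "we could be calling this with vol->target.path == NULL", but the label is now also reached after virStorageBackendDiskReadPartitions has succeeded (the qemu-img failure path), where the path is populated; reword it to say the delete is best effort regardless of whether the path was set. Hoisting `save_err` to function scope is fine since it is only assigned and read inside the label. The added blank line before `static int virStorageBackendDiskBuildVolFrom` is an unrelated whitespace change that is not mentioned in the commit message; either drop it or note it there.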