From: John Ferlan
To: libvir-list@redhat.com
Date: Wed, 20 Jun 2018 19:01:18 -0400
Message-Id: <20180620230119.6276-10-jferlan@redhat.com>
In-Reply-To: <20180620230119.6276-1-jferlan@redhat.com>
References: <20180620230119.6276-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v3 09/10] storage: Add support for using inputvol for encryption

Starting with QEMU 2.9, encryption convert processing requires a multi-step process in order to generate an encrypted image from some non-encrypted raw image.

Processing requires first creating an encrypted image using the sizing parameters from the input source and second using the --image-opts, -n, and --target-image-opts options along with inline driver options to describe the input and output files, generating two commands such as:

    $ qemu-img create -f luks \
        --object secret,id=demo.img_encrypt0,file=/path/to/secretFile \
        -o key-secret=demo.img_encrypt0 \
        demo.img 500K
    Formatting 'demo.img', fmt=luks size=512000 key-secret=demo.img_encrypt0
    $ qemu-img convert --image-opts -n --target-image-opts \
        --object secret,id=demo.img_encrypt0,file=/path/to/secretFile \
        driver=raw,file.filename=sparse.img \
        driver=luks,file.filename=demo.img,key-secret=demo.img_encrypt0
    $

This patch handles the convert processing by running the processing in a do..while loop, essentially reusing the existing create logic and arguments to create the target vol from the inputvol and then converting the inputvol using new arguments.

This then allows the following virsh command to work properly:

    virsh vol-create-from default encrypt1-luks.xml data.img --inputpool default

where encrypt1-luks.xml would provide the path and secret for the new image, while data.img would be the source image.

Signed-off-by: John Ferlan
---
 src/storage/storage_util.c                     | 103 +++++++++++++++++--------
 src/storage/storage_util.h                     |  10 ++-
 tests/storagevolxml2argvdata/luks-convert.argv |   9 +++
 tests/storagevolxml2argvtest.c                 |  65 +++++++++++++---
 tests/storagevolxml2xmlin/vol-luks-convert.xml |  21 +++++
 5 files changed, 161 insertions(+), 47 deletions(-)
 create mode 100644 tests/storagevolxml2argvdata/luks-convert.argv
 create mode 100644 tests/storagevolxml2xmlin/vol-luks-convert.xml

diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c
index e26f5e2b48..a701a75702 100644
--- a/src/storage/storage_util.c
+++ b/src/storage/storage_util.c
@@ -819,12 +819,15 @@ storageBackendCreateQemuImgCheckEncryption(int format, =20 static int storageBackendCreateQemuImgSetInput(virStorageVolDefPtr inputvol, + virStorageVolEncryptConvertStep conver= tStep, struct _virStorageBackendQemuImgInfo *= info) { - if (!(info->inputPath =3D inputvol->target.path)) { - virReportError(VIR_ERR_INVALID_ARG, "%s", - _("missing input volume target path")); - return -1; + if (convertStep !=3D VIR_STORAGE_VOL_ENCRYPT_CREATE) { + if (!(info->inputPath =3D inputvol->target.path)) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("missing input volume target path")); + return -1; + } } =20 info->inputFormat =3D inputvol->target.format; @@ -995,6 +998,7 @@ static int virStorageBackendCreateQemuImgSetInfo(virStoragePoolObjPtr pool, virStorageVolDefPtr vol, virStorageVolDefPtr inputvol, + virStorageVolEncryptConvertStep conv= ertStep, struct _virStorageBackendQemuImgInfo= *info) { /* Treat output block devices as 'raw' format */ @@ -1027,11 +1031,6 @@ virStorageBackendCreateQemuImgSetInfo(virStoragePool= ObjPtr pool, return -1; } if (info->format =3D=3D VIR_STORAGE_FILE_RAW && vol->target.encryption= ) { - if (inputvol) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("cannot use inputvol with encrypted raw volum= e")); - return -1; - } if (vol->target.encryption->format =3D=3D VIR_STORAGE_ENCRYPTION_F= ORMAT_LUKS) { info->type =3D "luks"; } else { @@ -1042,7 +1041,7 @@ virStorageBackendCreateQemuImgSetInfo(virStoragePoolO= bjPtr pool, } =20 if (inputvol && - storageBackendCreateQemuImgSetInput(inputvol, info) < 0) + storageBackendCreateQemuImgSetInput(inputvol, convertStep, info) <= 0) return -1; =20 if (virStorageSourceHasBacking(&vol->target) && 
@@ -1068,7 +1067,8 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePo= olObjPtr pool, virStorageVolDefPtr inputvol, unsigned int flags, const char *create_tool, - const char *secretPath) + const char *secretPath, + virStorageVolEncryptConvertStep c= onvertStep) { virCommandPtr cmd =3D NULL; struct _virStorageBackendQemuImgInfo info =3D { @@ -1098,18 +1098,25 @@ virStorageBackendCreateQemuImgCmdFromVol(virStorage= PoolObjPtr pool, goto error; } =20 - if (virStorageBackendCreateQemuImgSetInfo(pool, vol, inputvol, &info) = < 0) + if (virStorageBackendCreateQemuImgSetInfo(pool, vol, inputvol, + convertStep, &info) < 0) goto error; =20 cmd =3D virCommandNew(create_tool); =20 - /* ignore the backing volume when we're converting a volume */ - if (info.inputPath) + /* ignore the backing volume when we're converting a volume + * including when we're doing a two step convert during create */ + if (info.inputPath || convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_CREAT= E) info.backingPath =3D NULL; =20 - if (info.inputPath) + /* Converting to use encryption is a two step process - step 1 is to + * create the image and step 2 is to convert it using special argument= s */ + if (info.inputPath && convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_NONE) virCommandAddArgList(cmd, "convert", "-f", info.inputFormatStr, "-O", info.type, NULL); + else if (info.inputPath && convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_= CONVERT) + virCommandAddArgList(cmd, "convert", "--image-opts", "-n", + "--target-image-opts", NULL); else virCommandAddArgList(cmd, "create", "-f", info.type, NULL); =20 
@@ -1130,15 +1137,24 @@ virStorageBackendCreateQemuImgCmdFromVol(virStorage= PoolObjPtr pool, encinfo =3D &enc->encinfo; } =20 - if (storageBackendCreateQemuImgSetOptions(cmd, encinfo, info) < 0) - goto error; - VIR_FREE(info.secretAlias); + if (convertStep !=3D VIR_STORAGE_VOL_ENCRYPT_CONVERT) { + if (storageBackendCreateQemuImgSetOptions(cmd, encinfo, info) < 0) + goto error; + if (info.inputPath) + virCommandAddArg(cmd, info.inputPath); + virCommandAddArg(cmd, info.path); + if (!info.inputPath && (info.size_arg || !info.backingPath)) + virCommandAddArgFormat(cmd, "%lluK", info.size_arg); + } else { + /* source */ + virCommandAddArgFormat(cmd, "driver=3Draw,file.filename=3D%s", + info.inputPath); =20 - if (info.inputPath) - virCommandAddArg(cmd, info.inputPath); - virCommandAddArg(cmd, info.path); - if (!info.inputPath && (info.size_arg || !info.backingPath)) - virCommandAddArgFormat(cmd, "%lluK", info.size_arg); + /* dest */ + virCommandAddArgFormat(cmd, "driver=3D%s,file.filename=3D%s,key-se= cret=3D%s", + info.type, info.path, info.secretAlias); + } + VIR_FREE(info.secretAlias); =20 return cmd; =20 @@ -1228,14 +1244,15 @@ storageBackendDoCreateQemuImg(virStoragePoolObjPtr = pool, virStorageVolDefPtr inputvol, unsigned int flags, const char *create_tool, - const char *secretPath) + const char *secretPath, + virStorageVolEncryptConvertStep convertStep) { int ret; virCommandPtr cmd; =20 cmd =3D virStorageBackendCreateQemuImgCmdFromVol(pool, vol, inputvol, flags, create_tool, - secretPath); + secretPath, convertStep= ); if (!cmd) return -1; =20 @@ -1256,6 +1273,7 @@ storageBackendCreateQemuImg(virStoragePoolObjPtr pool, int ret =3D -1; char *create_tool; char *secretPath =3D NULL; + virStorageVolEncryptConvertStep convertStep =3D VIR_STORAGE_VOL_ENCRYP= T_NONE; =20 virCheckFlags(VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA, -1); =20 
@@ -1271,8 +1289,32 @@ storageBackendCreateQemuImg(virStoragePoolObjPtr poo= l, !(secretPath =3D storageBackendCreateQemuImgSecretPath(pool, vol))) goto cleanup; =20 - ret =3D storageBackendDoCreateQemuImg(pool, vol, inputvol, flags, - create_tool, secretPath); + /* Using an input file for encryption requires a multi-step process + * to create an image of the same size as the inputvol and then to + * convert the inputvol afterwards. */ + if (secretPath && inputvol) + convertStep =3D VIR_STORAGE_VOL_ENCRYPT_CREATE; + + do { + ret =3D storageBackendDoCreateQemuImg(pool, vol, inputvol, flags, + create_tool, secretPath, + convertStep); + + /* Failure to convert, attempt to delete what we created */ + if (ret < 0 && convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_CONVERT) + ignore_value(virFileRemove(vol->target.path, + vol->target.perms->uid, + vol->target.perms->gid)); + + if (ret < 0 || convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_NONE) + goto cleanup; + + if (convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_CREATE) + convertStep =3D VIR_STORAGE_VOL_ENCRYPT_CONVERT; + else if (convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_CONVERT) + convertStep =3D VIR_STORAGE_VOL_ENCRYPT_DONE; + } while (convertStep !=3D VIR_STORAGE_VOL_ENCRYPT_DONE); + cleanup: if (secretPath) { unlink(secretPath); @@ -2024,13 +2066,6 @@ storageBackendVolBuildLocal(virStoragePoolObjPtr poo= l, virStorageBackendBuildVolFrom create_func; =20 if (inputvol) { - if (vol->target.encryption) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - "%s", _("storage pool does not support " - "building encrypted volumes from " - "other volumes")); - return -1; - } if (!(create_func =3D virStorageBackendGetBuildVolFromFunction(vol, inputvol))) return -1; diff --git a/src/storage/storage_util.h b/src/storage/storage_util.h index 9307702754..6fc8e8972c 100644 --- a/src/storage/storage_util.h +++ b/src/storage/storage_util.h 
@@ -153,13 +153,21 @@ char *virStorageBackendStablePath(virStoragePoolObjPt= r pool, const char *devpath, bool loop); =20 +typedef enum { + VIR_STORAGE_VOL_ENCRYPT_NONE =3D 0, + VIR_STORAGE_VOL_ENCRYPT_CREATE, + VIR_STORAGE_VOL_ENCRYPT_CONVERT, + VIR_STORAGE_VOL_ENCRYPT_DONE, +} virStorageVolEncryptConvertStep; + virCommandPtr virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool, virStorageVolDefPtr vol, virStorageVolDefPtr inputvol, unsigned int flags, const char *create_tool, - const char *secretPath); + const char *secretPath, + virStorageVolEncryptConvertStep c= onvertStep); =20 int virStorageBackendSCSIFindLUs(virStoragePoolObjPtr pool, uint32_t scanhost); diff --git a/tests/storagevolxml2argvdata/luks-convert.argv b/tests/storage= volxml2argvdata/luks-convert.argv new file mode 100644 index 0000000000..6bac814300 --- /dev/null +++ b/tests/storagevolxml2argvdata/luks-convert.argv @@ -0,0 +1,9 @@ +qemu-img create -f luks \ +--object secret,id=3DOtherDemo.img_encrypt0,file=3D/path/to/secretFile \ +-o key-secret=3DOtherDemo.img_encrypt0 \ +/var/lib/libvirt/images/OtherDemo.img 5242880K +qemu-img convert --image-opts -n --target-image-opts \ +--object secret,id=3DOtherDemo.img_encrypt0,file=3D/path/to/secretFile \ +driver=3Draw,file.filename=3D/var/lib/libvirt/images/sparse.img \ +driver=3Dluks,file.filename=3D/var/lib/libvirt/images/OtherDemo.img,\ +key-secret=3DOtherDemo.img_encrypt0 diff --git a/tests/storagevolxml2argvtest.c b/tests/storagevolxml2argvtest.c index d7f5c0f51e..b795f83aee 100644 --- a/tests/storagevolxml2argvtest.c +++ b/tests/storagevolxml2argvtest.c @@ -43,6 +43,7 @@ testCompareXMLToArgvFiles(bool shouldFail, unsigned long parse_flags) { char *actualCmdline =3D NULL; + virStorageVolEncryptConvertStep convertStep =3D VIR_STORAGE_VOL_ENCRYP= T_NONE; int ret =3D -1; =20 virCommandPtr cmd =3D NULL; 
@@ -79,20 +80,56 @@ testCompareXMLToArgvFiles(bool shouldFail, testSetVolumeType(vol, def); testSetVolumeType(inputvol, inputpool); =20 - cmd =3D virStorageBackendCreateQemuImgCmdFromVol(obj, vol, - inputvol, flags, - create_tool, - "/path/to/secretFile"); - if (!cmd) { - if (shouldFail) { - virResetLastError(); - ret =3D 0; + /* Using an input file for encryption requires a multi-step process + * to create an image of the same size as the inputvol and then to + * convert the inputvol afterwards. Since we only care about the + * command line we have to copy code from storageBackendCreateQemuImg + * and adjust it for the test needs. */ + if (inputvol && vol->target.encryption) + convertStep =3D VIR_STORAGE_VOL_ENCRYPT_CREATE; + + do { + cmd =3D virStorageBackendCreateQemuImgCmdFromVol(obj, vol, + inputvol, flags, + create_tool, + "/path/to/secretFil= e", + convertStep); + if (!cmd) { + if (shouldFail) { + virResetLastError(); + ret =3D 0; + } + goto cleanup; } - goto cleanup; - } =20 - if (!(actualCmdline =3D virCommandToString(cmd))) - goto cleanup; + if (convertStep !=3D VIR_STORAGE_VOL_ENCRYPT_CONVERT) { + if (!(actualCmdline =3D virCommandToString(cmd))) + goto cleanup; + } else { + char *createCmdline =3D actualCmdline; + char *cvtCmdline; + int rc; + + if (!(cvtCmdline =3D virCommandToString(cmd))) + goto cleanup; + + rc =3D virAsprintf(&actualCmdline, "%s\n%s", + createCmdline, cvtCmdline); + + VIR_FREE(createCmdline); + VIR_FREE(cvtCmdline); + if (rc < 0) + goto cleanup; + } + + if (convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_NONE) + convertStep =3D VIR_STORAGE_VOL_ENCRYPT_DONE; + else if (convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_CREATE) + convertStep =3D VIR_STORAGE_VOL_ENCRYPT_CONVERT; + else if (convertStep =3D=3D VIR_STORAGE_VOL_ENCRYPT_CONVERT) + convertStep =3D VIR_STORAGE_VOL_ENCRYPT_DONE; + + } while (convertStep !=3D VIR_STORAGE_VOL_ENCRYPT_DONE); =20 if (virTestCompareToFile(actualCmdline, cmdline) < 0) goto cleanup; 
@@ -243,6 +280,10 @@ mymain(void) NULL, NULL, "luks-cipher", 0); =20 + DO_TEST("pool-dir", "vol-luks-convert", + "pool-dir", "vol-file", + "luks-convert", 0); + return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; } =20 diff --git a/tests/storagevolxml2xmlin/vol-luks-convert.xml b/tests/storage= volxml2xmlin/vol-luks-convert.xml new file mode 100644 index 0000000000..6e03de6b14 --- /dev/null +++ b/tests/storagevolxml2xmlin/vol-luks-convert.xml @@ -0,0 +1,21 @@ + + OtherDemo.img + /var/lib/libvirt/images/OtherDemo.img + + + 5 + 294912 + + /var/lib/libvirt/images/OtherDemo.img + + + 0644 + 0 + 0 + + + + + + + --=20 2.14.4 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
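Review bot: in the VIR_STORAGE_VOL_ENCRYPT_CONVERT else branch of virStorageBackendCreateQemuImgCmdFromVol (hunk @@ -1130,15 +1137,24 @@) the source is emitted as a literal `driver=raw,file.filename=%s`, even though storageBackendCreateQemuImgSetInput still records `info->inputFormat = inputvol->target.format` and the single-command convert path passes that format through `-f info.inputFormatStr`. A qcow2 or other non-raw inputvol would be opened as raw and its container bytes copied verbatim into the LUKS payload, producing an unusable volume with no error. Either build the driver from info.inputFormatStr or reject a non-raw inputvol up front when convertStep != VIR_STORAGE_VOL_ENCRYPT_NONE. In the same branch, info.inputPath and info.path are interpolated into qemu's comma-separated option syntax (`driver=%s,file.filename=%s,key-secret=%s`) without escaping; qemu treats a comma as an option separator (a literal one must be doubled), so a path containing a comma is mis-parsed, whereas the positional-argument form used by the other branches has no such issue. Escape with the existing virQEMUBuildBufferEscapeComma() helper or refuse such paths.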
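Review bot: in the new do/while in storageBackendCreateQemuImg (hunk @@ -1271,8 +1289,32 @@), the rollback for a failed VIR_STORAGE_VOL_ENCRYPT_CONVERT step wraps virFileRemove in ignore_value(), so if the unlink itself fails the caller sees only the convert error while a LUKS image with a valid header and an unconverted payload stays behind in the pool with no trace in the log. Suggest at least a VIR_WARN on a non-zero return from virFileRemove so an operator can tell a half-built volume from a complete one. A one-line comment explaining why the VIR_STORAGE_VOL_ENCRYPT_CREATE step deliberately skips inputvol's path in storageBackendCreateQemuImgSetInput but keeps its format would also help readers follow the two-step flow.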
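Review bot: the hunk in storageBackendVolBuildLocal (@@ -2024,13 +2066,6 @@) removes the blanket "storage pool does not support building encrypted volumes from other volumes" rejection, but the two-step handling this patch adds lives only in storageBackendCreateQemuImg. Any other build function that virStorageBackendGetBuildVolFromFunction may return for a given vol/inputvol pair now accepts an encrypted target silently. Please confirm that every such path either routes to qemu-img whenever vol->target.encryption is set or keeps an equivalent error, and state that in the commit message.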
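Review bot: the new virStorageVolEncryptConvertStep enum in storage_util.h (hunk @@ -153,13 +153,21 @@) carries no comment, yet it now drives two separate state machines (storageBackendCreateQemuImg and testCompareXMLToArgvFiles). A short doc comment on the typedef describing the sequence NONE (single command) or CREATE -> CONVERT -> DONE would make the callers' transitions self-explanatory.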
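Review bot: testCompareXMLToArgvFiles (hunk @@ -79,20 +80,56 @@) re-implements the convertStep transitions from storageBackendCreateQemuImg, as its own comment admits, so a later change to the production loop will go untested if the two copies drift. Consider moving the "advance convertStep" logic into a small shared helper in storage_util.c that both call. The new DO_TEST("pool-dir", "vol-luks-convert", ...) also exercises only the success path; a shouldFail case for the convert step would pin down the intended error behaviour.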