storage: Add support for using inputvol for encryption

Starting with QEMU 2.9, encryption convert processing requires a multi-step process in order to generate an encrypted image from some non encrypted raw image. Processing requires to first create an encrypted image using the sizing parameters from the input source and second to use the --image-opts, -n, and --target-image-opts options along with inline driver options to describe the input and output files, generating two commands such as: $ qemu-img create -f luks \ --object secret,id=demo.img_encrypt0,file=/path/to/secretFile \ -o key-secret=demo.img_encrypt0 \ demo.img 500K Formatting 'demo.img', fmt=luks size=512000 key-secret=demo.img_encrypt0 $ qemu-img convert --image-opts -n --target-image-opts \ --object secret,id=demo.img_encrypt0,file=/path/to/secretFile \ driver=raw,file.filename=sparse.img \ driver=luks,file.filename=demo.img,key-secret=demo.img_encrypt0 $ This patch handles the convert processing by running the processing in a do..while loop essentially reusing the existing create logic and arguments to create the target vol from the inputvol and then converting the inputvol using new arguments. This then allows the following virsh command to work properly: virsh vol-create-from default encrypt1-luks.xml data.img --inputpool default where encrypt1-luks.xml would provided the path and secret for the new image, while data.img would be the source image. Signed-off-by: John Ferlan <jferlan@redhat.com> ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2024-07-11 12:25:52 +00:00 · 2018-06-20 15:51:47 -04:00 · 2018-06-20 15:51:47 -04:00 · 39cef12a95
commit 39cef12a95
parent 40f0e0348d
5 changed files with 162 additions and 48 deletions
--- a/src/storage/storage_util.c
+++ b/src/storage/storage_util.c
@ -819,12 +819,15 @@ storageBackendCreateQemuImgCheckEncryption(int format,
 static int
 storageBackendCreateQemuImgSetInput(virStorageVolDefPtr inputvol,
                                    virStorageVolEncryptConvertStep convertStep,
                                    struct _virStorageBackendQemuImgInfo *info)
 {
-    if (!(info->inputPath = inputvol->target.path)) {
+    if (convertStep != VIR_STORAGE_VOL_ENCRYPT_CREATE) {
-        virReportError(VIR_ERR_INVALID_ARG, "%s",
+        if (!(info->inputPath = inputvol->target.path)) {
-                       _("missing input volume target path"));
+            virReportError(VIR_ERR_INVALID_ARG, "%s",
-        return -1;
+                           _("missing input volume target path"));
            return -1;
        }
    }
    info->inputFormat = inputvol->target.format;
@ -995,6 +998,7 @@ static int
 virStorageBackendCreateQemuImgSetInfo(virStoragePoolObjPtr pool,
                                      virStorageVolDefPtr vol,
                                      virStorageVolDefPtr inputvol,
                                      virStorageVolEncryptConvertStep convertStep,
                                      struct _virStorageBackendQemuImgInfo *info)
 {
    /* Treat output block devices as 'raw' format */
@ -1027,11 +1031,6 @@ virStorageBackendCreateQemuImgSetInfo(virStoragePoolObjPtr pool,
        return -1;
    }
    if (info->format == VIR_STORAGE_FILE_RAW && vol->target.encryption) {
        if (inputvol) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                           _("cannot use inputvol with encrypted raw volume"));
            return -1;
        }
        if (vol->target.encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
            info->type = "luks";
        } else {
@ -1042,7 +1041,7 @@ virStorageBackendCreateQemuImgSetInfo(virStoragePoolObjPtr pool,
    }
    if (inputvol &&
-        storageBackendCreateQemuImgSetInput(inputvol, info) < 0)
+        storageBackendCreateQemuImgSetInput(inputvol, convertStep, info) < 0)
        return -1;
    if (virStorageSourceHasBacking(&vol->target) &&
@ -1068,7 +1067,8 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
                                         virStorageVolDefPtr inputvol,
                                         unsigned int flags,
                                         const char *create_tool,
-                                         const char *secretPath)
+                                         const char *secretPath,
                                         virStorageVolEncryptConvertStep convertStep)
 {
    virCommandPtr cmd = NULL;
    struct _virStorageBackendQemuImgInfo info = {
@ -1098,18 +1098,25 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
        goto error;
    }
-    if (virStorageBackendCreateQemuImgSetInfo(pool, vol, inputvol, &info) < 0)
+    if (virStorageBackendCreateQemuImgSetInfo(pool, vol, inputvol,
                                              convertStep, &info) < 0)
        goto error;
    cmd = virCommandNew(create_tool);
-    /* ignore the backing volume when we're converting a volume */
+    /* ignore the backing volume when we're converting a volume
-    if (info.inputPath)
+     * including when we're doing a two step convert during create */
    if (info.inputPath || convertStep == VIR_STORAGE_VOL_ENCRYPT_CREATE)
        info.backingPath = NULL;
-    if (info.inputPath)
+    /* Converting to use encryption is a two step process - step 1 is to
     * create the image and step 2 is to convert it using special arguments */
    if (info.inputPath && convertStep == VIR_STORAGE_VOL_ENCRYPT_NONE)
        virCommandAddArgList(cmd, "convert", "-f", info.inputFormatStr,
                             "-O", info.type, NULL);
    else if (info.inputPath && convertStep == VIR_STORAGE_VOL_ENCRYPT_CONVERT)
        virCommandAddArgList(cmd, "convert", "--image-opts", "-n",
                             "--target-image-opts", NULL);
    else
        virCommandAddArgList(cmd, "create", "-f", info.type, NULL);
@ -1130,15 +1137,24 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
        encinfo = &enc->encinfo;
    }
-    if (storageBackendCreateQemuImgSetOptions(cmd, encinfo, info) < 0)
+    if (convertStep != VIR_STORAGE_VOL_ENCRYPT_CONVERT) {
-        goto error;
+        if (storageBackendCreateQemuImgSetOptions(cmd, encinfo, info) < 0)
-    VIR_FREE(info.secretAlias);
+            goto error;
        if (info.inputPath)
            virCommandAddArg(cmd, info.inputPath);
        virCommandAddArg(cmd, info.path);
        if (!info.inputPath && (info.size_arg || !info.backingPath))
            virCommandAddArgFormat(cmd, "%lluK", info.size_arg);
    } else {
        /* source */
        virCommandAddArgFormat(cmd, "driver=raw,file.filename=%s",
                               info.inputPath);
-    if (info.inputPath)
+        /* dest */
-        virCommandAddArg(cmd, info.inputPath);
+        virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s,key-secret=%s",
-    virCommandAddArg(cmd, info.path);
+                               info.type, info.path, info.secretAlias);
-    if (!info.inputPath && (info.size_arg || !info.backingPath))
+    }
-        virCommandAddArgFormat(cmd, "%lluK", info.size_arg);
+    VIR_FREE(info.secretAlias);
    return cmd;
@ -1228,14 +1244,15 @@ storageBackendDoCreateQemuImg(virStoragePoolObjPtr pool,
                              virStorageVolDefPtr inputvol,
                              unsigned int flags,
                              const char *create_tool,
-                              const char *secretPath)
+                              const char *secretPath,
                              virStorageVolEncryptConvertStep convertStep)
 {
    int ret;
    virCommandPtr cmd;
    cmd = virStorageBackendCreateQemuImgCmdFromVol(pool, vol, inputvol,
                                                   flags, create_tool,
-                                                   secretPath);
+                                                   secretPath, convertStep);
    if (!cmd)
        return -1;
@ -1256,6 +1273,7 @@ storageBackendCreateQemuImg(virStoragePoolObjPtr pool,
    int ret = -1;
    char *create_tool;
    char *secretPath = NULL;
    virStorageVolEncryptConvertStep convertStep = VIR_STORAGE_VOL_ENCRYPT_NONE;
    virCheckFlags(VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA, -1);
@ -1271,8 +1289,32 @@ storageBackendCreateQemuImg(virStoragePoolObjPtr pool,
        !(secretPath = storageBackendCreateQemuImgSecretPath(pool, vol)))
        goto cleanup;
-    ret = storageBackendDoCreateQemuImg(pool, vol, inputvol, flags,
+    /* Using an input file for encryption requires a multi-step process
-                                        create_tool, secretPath);
+     * to create an image of the same size as the inputvol and then to
     * convert the inputvol afterwards. */
    if (secretPath && inputvol)
        convertStep = VIR_STORAGE_VOL_ENCRYPT_CREATE;
    do {
        ret = storageBackendDoCreateQemuImg(pool, vol, inputvol, flags,
                                            create_tool, secretPath,
                                            convertStep);
        /* Failure to convert, attempt to delete what we created */
        if (ret < 0 && convertStep == VIR_STORAGE_VOL_ENCRYPT_CONVERT)
            ignore_value(virFileRemove(vol->target.path,
                                       vol->target.perms->uid,
                                       vol->target.perms->gid));
        if (ret < 0 || convertStep == VIR_STORAGE_VOL_ENCRYPT_NONE)
            goto cleanup;
        if (convertStep == VIR_STORAGE_VOL_ENCRYPT_CREATE)
            convertStep = VIR_STORAGE_VOL_ENCRYPT_CONVERT;
        else if (convertStep == VIR_STORAGE_VOL_ENCRYPT_CONVERT)
            convertStep = VIR_STORAGE_VOL_ENCRYPT_DONE;
    } while (convertStep != VIR_STORAGE_VOL_ENCRYPT_DONE);
 cleanup:
    if (secretPath) {
        unlink(secretPath);
@ -2024,13 +2066,6 @@ storageBackendVolBuildLocal(virStoragePoolObjPtr pool,
    virStorageBackendBuildVolFrom create_func;
    if (inputvol) {
        if (vol->target.encryption) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                           "%s", _("storage pool does not support "
                                   "building encrypted volumes from "
                                   "other volumes"));
            return -1;
        }
        if (!(create_func =
              virStorageBackendGetBuildVolFromFunction(vol, inputvol)))
            return -1;
--- a/src/storage/storage_util.h
+++ b/src/storage/storage_util.h
@ -153,13 +153,21 @@ char *virStorageBackendStablePath(virStoragePoolObjPtr pool,
                                  const char *devpath,
                                  bool loop);
 typedef enum {
    VIR_STORAGE_VOL_ENCRYPT_NONE = 0,
    VIR_STORAGE_VOL_ENCRYPT_CREATE,
    VIR_STORAGE_VOL_ENCRYPT_CONVERT,
    VIR_STORAGE_VOL_ENCRYPT_DONE,
 } virStorageVolEncryptConvertStep;
 virCommandPtr
 virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
                                         virStorageVolDefPtr vol,
                                         virStorageVolDefPtr inputvol,
                                         unsigned int flags,
                                         const char *create_tool,
-                                         const char *secretPath);
+                                         const char *secretPath,
                                         virStorageVolEncryptConvertStep convertStep);
 int virStorageBackendSCSIFindLUs(virStoragePoolObjPtr pool,
                                 uint32_t scanhost);
--- a/tests/storagevolxml2argvdata/luks-convert.argv
+++ b/tests/storagevolxml2argvdata/luks-convert.argv
@ -0,0 +1,9 @@
 qemu-img create -f luks \
 --object secret,id=OtherDemo.img_encrypt0,file=/path/to/secretFile \
 -o key-secret=OtherDemo.img_encrypt0 \
 /var/lib/libvirt/images/OtherDemo.img 5242880K
 qemu-img convert --image-opts -n --target-image-opts \
 --object secret,id=OtherDemo.img_encrypt0,file=/path/to/secretFile \
 driver=raw,file.filename=/var/lib/libvirt/images/sparse.img \
 driver=luks,file.filename=/var/lib/libvirt/images/OtherDemo.img,\
 key-secret=OtherDemo.img_encrypt0
--- a/tests/storagevolxml2argvtest.c
+++ b/tests/storagevolxml2argvtest.c
@ -43,6 +43,7 @@ testCompareXMLToArgvFiles(bool shouldFail,
                          unsigned long parse_flags)
 {
    char *actualCmdline = NULL;
    virStorageVolEncryptConvertStep convertStep = VIR_STORAGE_VOL_ENCRYPT_NONE;
    int ret = -1;
    virCommandPtr cmd = NULL;
@ -79,20 +80,56 @@ testCompareXMLToArgvFiles(bool shouldFail,
    testSetVolumeType(vol, def);
    testSetVolumeType(inputvol, inputpool);
-    cmd = virStorageBackendCreateQemuImgCmdFromVol(obj, vol,
+    /* Using an input file for encryption requires a multi-step process
-                                                   inputvol, flags,
+     * to create an image of the same size as the inputvol and then to
-                                                   create_tool,
+     * convert the inputvol afterwards. Since we only care about the
-                                                   "/path/to/secretFile");
+     * command line we have to copy code from storageBackendCreateQemuImg
-    if (!cmd) {
+     * and adjust it for the test needs. */
-        if (shouldFail) {
+    if (inputvol && vol->target.encryption)
-            virResetLastError();
+        convertStep = VIR_STORAGE_VOL_ENCRYPT_CREATE;
            ret = 0;
        }
        goto cleanup;
    }
-    if (!(actualCmdline = virCommandToString(cmd)))
+    do {
-        goto cleanup;
+        cmd = virStorageBackendCreateQemuImgCmdFromVol(obj, vol,
                                                       inputvol, flags,
                                                       create_tool,
                                                       "/path/to/secretFile",
                                                       convertStep);
        if (!cmd) {
            if (shouldFail) {
                virResetLastError();
                ret = 0;
            }
            goto cleanup;
        }
        if (convertStep != VIR_STORAGE_VOL_ENCRYPT_CONVERT) {
            if (!(actualCmdline = virCommandToString(cmd)))
                goto cleanup;
        } else {
            char *createCmdline = actualCmdline;
            char *cvtCmdline;
            int rc;
            if (!(cvtCmdline = virCommandToString(cmd)))
                goto cleanup;
            rc = virAsprintf(&actualCmdline, "%s\n%s",
                             createCmdline, cvtCmdline);
            VIR_FREE(createCmdline);
            VIR_FREE(cvtCmdline);
            if (rc < 0)
                goto cleanup;
        }
        if (convertStep == VIR_STORAGE_VOL_ENCRYPT_NONE)
            convertStep = VIR_STORAGE_VOL_ENCRYPT_DONE;
        else if (convertStep == VIR_STORAGE_VOL_ENCRYPT_CREATE)
            convertStep = VIR_STORAGE_VOL_ENCRYPT_CONVERT;
        else if (convertStep == VIR_STORAGE_VOL_ENCRYPT_CONVERT)
            convertStep = VIR_STORAGE_VOL_ENCRYPT_DONE;
    } while (convertStep != VIR_STORAGE_VOL_ENCRYPT_DONE);
    if (virTestCompareToFile(actualCmdline, cmdline) < 0)
        goto cleanup;
@ -243,6 +280,10 @@ mymain(void)
            NULL, NULL,
            "luks-cipher", 0);
    DO_TEST("pool-dir", "vol-luks-convert",
            "pool-dir", "vol-file",
            "luks-convert", 0);
    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 }
--- a/tests/storagevolxml2xmlin/vol-luks-convert.xml
+++ b/tests/storagevolxml2xmlin/vol-luks-convert.xml
@ -0,0 +1,21 @@
 <volume>
  <name>OtherDemo.img</name>
  <key>/var/lib/libvirt/images/OtherDemo.img</key>
  <source>
  </source>
  <capacity unit="G">5</capacity>
  <allocation>294912</allocation>
  <target>
    <path>/var/lib/libvirt/images/OtherDemo.img</path>
    <format type='raw'/>
    <permissions>
      <mode>0644</mode>
      <owner>0</owner>
      <group>0</group>
      <label>unconfined_u:object_r:virt_image_t:s0</label>
    </permissions>
    <encryption format='luks'>
      <secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
    </encryption>
  </target>
 </volume>