backup: Allow 'encryption' of backups and scratch images

Add the appropriate entries into the schema to allow encryption of the backup or scratch image. Since we use blockdev internals for everything no changes to the code are actually necessary. https://bugzilla.redhat.com/show_bug.cgi?id=1811906 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2024-12-22 05:35:25 +00:00 · 2020-04-09 15:50:40 +02:00 · 2020-04-09 15:50:40 +02:00 · a7db0b757d
commit a7db0b757d
parent 30d2491d8b
7 changed files with 184 additions and 14 deletions
--- a/docs/formatbackup.html.in
+++ b/docs/formatbackup.html.in
@ -110,7 +110,8 @@
                disk. An optional sub-element <code>driver</code> can
                also be used, with an attribute <code>type</code> to
                specify a destination format different from
-                qcow2. </dd>
+                qcow2. See documentation for <code>scratch</code> below for
+                additional configuration.</dd>
              <dt><code>scratch</code></dt>
              <dd>Valid only for pull mode backups, this is the
                primary sub-element that describes the file name of
@ -130,7 +131,14 @@
                used without modification. The file is not deleted after the
                backup but the contents of the file don't make sense outside
                of the backup. The same applies for the block device which
-                must be formatted appropriately.</dd>
+                must be formatted appropriately.
+
+                Similarly to the domain
+                <a href="formatdomain.html#elementsDisks"><code>disk</code></a>
+                definition <code>scratch</code> and <code>target</code> can
+                contain <code>seclabel</code> and/or <code>encryption</code>
+                subelements to configure the corresponding properties.
+              </dd>
            </dl>
          </dd>
        </dl>
--- a/docs/schemas/domainbackup.rng
+++ b/docs/schemas/domainbackup.rng
@ -7,6 +7,27 @@

  <include href='domaincommon.rng'/>

+  <define name='backupEncryption'>
+    <element name='encryption'>
+      <attribute name='format'>
+        <choice>
+          <value>luks</value>
+        </choice>
+      </attribute>
+      <interleave>
+        <ref name='secret'/>
+        <optional>
+          <element name='cipher'>
+            <ref name='keycipher'/>
+          </element>
+          <element name='ivgen'>
+            <ref name='keyivgen'/>
+          </element>
+        </optional>
+      </interleave>
+    </element>
+  </define>
+
  <define name='domainbackup'>
    <element name='domainbackup'>
      <interleave>
@ -123,9 +144,14 @@
                      <attribute name='file'>
                        <ref name='absFilePath'/>
                      </attribute>
-                      <zeroOrMore>
-                        <ref name='devSeclabel'/>
-                      </zeroOrMore>
+                      <interleave>
+                        <zeroOrMore>
+                          <ref name='devSeclabel'/>
+                        </zeroOrMore>
+                        <optional>
+                          <ref name='backupEncryption'/>
+                        </optional>
+                      </interleave>
                    </element>
                  </optional>
                  <ref name='backupPushDriver'/>
@ -142,9 +168,14 @@
                      <attribute name='dev'>
                        <ref name='absFilePath'/>
                      </attribute>
-                      <zeroOrMore>
-                        <ref name='devSeclabel'/>
-                      </zeroOrMore>
+                      <interleave>
+                        <zeroOrMore>
+                          <ref name='devSeclabel'/>
+                        </zeroOrMore>
+                        <optional>
+                          <ref name='backupEncryption'/>
+                        </optional>
+                      </interleave>
                    </element>
                  </optional>
                  <ref name='backupPushDriver'/>
@ -192,9 +223,14 @@
                      <attribute name='file'>
                        <ref name='absFilePath'/>
                      </attribute>
-                      <zeroOrMore>
-                        <ref name='devSeclabel'/>
-                      </zeroOrMore>
+                      <interleave>
+                        <zeroOrMore>
+                          <ref name='devSeclabel'/>
+                        </zeroOrMore>
+                        <optional>
+                          <ref name='backupEncryption'/>
+                        </optional>
+                      </interleave>
                    </element>
                    <ref name='backupPullDriver'/>
                  </interleave>
@ -210,9 +246,14 @@
                    <attribute name='dev'>
                      <ref name='absFilePath'/>
                    </attribute>
-                    <zeroOrMore>
-                      <ref name='devSeclabel'/>
-                    </zeroOrMore>
+                    <interleave>
+                      <zeroOrMore>
+                        <ref name='devSeclabel'/>
+                      </zeroOrMore>
+                      <optional>
+                        <ref name='backupEncryption'/>
+                      </optional>
+                    </interleave>
                  </element>
                  <ref name='backupPullDriver'/>
                </interleave>
--- a/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml
+++ b/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml
@ -0,0 +1,30 @@
+<domainbackup mode="pull">
+  <incremental>1525889631</incremental>
+  <server transport='tcp' name='localhost' port='10809'/>
+  <disks>
+    <disk name='vda' type='file' exportname='test-vda' exportbitmap='blah'>
+      <driver type='qcow2'/>
+      <scratch file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+        </encryption>
+      </scratch>
+    </disk>
+    <disk name='vdb' type='file' exportname='test-vda' exportbitmap='blah'>
+      <driver type='qcow2'/>
+      <scratch file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdb'/>
+        </encryption>
+      </scratch>
+    </disk>
+    <disk name='vdc' type='block'>
+      <driver type='qcow2'/>
+      <scratch dev='/dev/block'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdc'/>
+        </encryption>
+      </scratch>
+    </disk>
+  </disks>
+</domainbackup>
--- a/tests/domainbackupxml2xmlin/backup-push-encrypted.xml
+++ b/tests/domainbackupxml2xmlin/backup-push-encrypted.xml
@ -0,0 +1,29 @@
+<domainbackup mode="push">
+  <incremental>1525889631</incremental>
+  <disks>
+    <disk name='vda' type='file'>
+      <driver type='qcow2'/>
+      <target file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+        </encryption>
+      </target>
+    </disk>
+    <disk name='vdb' type='file'>
+      <driver type='raw'/>
+      <target file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdb'/>
+        </encryption>
+      </target>
+    </disk>
+    <disk name='vdc' type='block'>
+      <driver type='qcow2'/>
+      <target dev='/dev/block'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdc'/>
+        </encryption>
+      </target>
+    </disk>
+  </disks>
+</domainbackup>
--- a/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml
+++ b/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml
@ -0,0 +1,30 @@
+<domainbackup mode='pull'>
+  <incremental>1525889631</incremental>
+  <server transport='tcp' name='localhost' port='10809'/>
+  <disks>
+    <disk name='vda' backup='yes' type='file' exportname='test-vda' exportbitmap='blah'>
+      <driver type='qcow2'/>
+      <scratch file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+        </encryption>
+      </scratch>
+    </disk>
+    <disk name='vdb' backup='yes' type='file' exportname='test-vda' exportbitmap='blah'>
+      <driver type='qcow2'/>
+      <scratch file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdb'/>
+        </encryption>
+      </scratch>
+    </disk>
+    <disk name='vdc' backup='yes' type='block'>
+      <driver type='qcow2'/>
+      <scratch dev='/dev/block'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdc'/>
+        </encryption>
+      </scratch>
+    </disk>
+  </disks>
+</domainbackup>
--- a/tests/domainbackupxml2xmlout/backup-push-encrypted.xml
+++ b/tests/domainbackupxml2xmlout/backup-push-encrypted.xml
@ -0,0 +1,29 @@
+<domainbackup mode='push'>
+  <incremental>1525889631</incremental>
+  <disks>
+    <disk name='vda' backup='yes' type='file'>
+      <driver type='qcow2'/>
+      <target file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+        </encryption>
+      </target>
+    </disk>
+    <disk name='vdb' backup='yes' type='file'>
+      <driver type='raw'/>
+      <target file='/path/to/file'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdb'/>
+        </encryption>
+      </target>
+    </disk>
+    <disk name='vdc' backup='yes' type='block'>
+      <driver type='qcow2'/>
+      <target dev='/dev/block'>
+        <encryption format='luks'>
+          <secret type='passphrase' usage='/storage/backup/vdc'/>
+        </encryption>
+      </target>
+    </disk>
+  </disks>
+</domainbackup>
--- a/tests/genericxml2xmltest.c
+++ b/tests/genericxml2xmltest.c
@ -192,8 +192,11 @@ mymain(void)
    DO_TEST_BACKUP("empty");
    DO_TEST_BACKUP("backup-pull");
    DO_TEST_BACKUP("backup-pull-seclabel");
+    DO_TEST_BACKUP("backup-pull-encrypted");
    DO_TEST_BACKUP("backup-push");
    DO_TEST_BACKUP("backup-push-seclabel");
+    DO_TEST_BACKUP("backup-push-encrypted");
+

    virObjectUnref(caps);
    virObjectUnref(xmlopt);