mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 13:45:38 +00:00
storage: Allow inputvol to be encrypted
https://bugzilla.redhat.com/show_bug.cgi?id=1613737 When processing the inputvol for encryption, we need to handle the case where the inputvol is encrypted. This then allows for the encrypted inputvol to be used either for an output encrypted volume or an output volume of some XML provided type. Add tests to show the various conversion options when either input or output is encrypted. This includes when both are encrypted. Signed-off-by: John Ferlan <jferlan@redhat.com> ACKed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
8041471858
commit
b975afc725
@ -1084,6 +1084,7 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
|
||||
unsigned int flags,
|
||||
const char *create_tool,
|
||||
const char *secretPath,
|
||||
const char *inputSecretPath,
|
||||
virStorageVolEncryptConvertStep convertStep)
|
||||
{
|
||||
virCommandPtr cmd = NULL;
|
||||
@ -1101,6 +1102,8 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
|
||||
.secretAlias = NULL,
|
||||
};
|
||||
virStorageEncryptionPtr enc = vol->target.encryption;
|
||||
char *inputSecretAlias = NULL;
|
||||
virStorageEncryptionPtr inputenc = inputvol ? inputvol->target.encryption : NULL;
|
||||
virStorageEncryptionInfoDefPtr encinfo = NULL;
|
||||
|
||||
virCheckFlags(VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA, NULL);
|
||||
@ -1114,6 +1117,12 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (inputenc && inputenc->format != VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("encryption format of inputvol must be LUKS"));
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (virStorageBackendCreateQemuImgSetInfo(pool, vol, inputvol,
|
||||
convertStep, &info) < 0)
|
||||
goto error;
|
||||
@ -1153,6 +1162,20 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
|
||||
encinfo = &enc->encinfo;
|
||||
}
|
||||
|
||||
if (inputenc && convertStep == VIR_STORAGE_VOL_ENCRYPT_CONVERT) {
|
||||
if (!inputSecretPath) {
|
||||
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
||||
_("path to inputvol secret data file is required"));
|
||||
goto error;
|
||||
}
|
||||
if (virAsprintf(&inputSecretAlias, "%s_encrypt0",
|
||||
inputvol->name) < 0)
|
||||
goto error;
|
||||
if (storageBackendCreateQemuImgSecretObject(cmd, inputSecretPath,
|
||||
inputSecretAlias) < 0)
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (convertStep != VIR_STORAGE_VOL_ENCRYPT_CONVERT) {
|
||||
if (storageBackendCreateQemuImgSetOptions(cmd, encinfo, info) < 0)
|
||||
goto error;
|
||||
@ -1163,20 +1186,33 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
|
||||
virCommandAddArgFormat(cmd, "%lluK", info.size_arg);
|
||||
} else {
|
||||
/* source */
|
||||
if (inputenc)
|
||||
virCommandAddArgFormat(cmd,
|
||||
"driver=luks,file.filename=%s,key-secret=%s",
|
||||
info.inputPath, inputSecretAlias);
|
||||
else
|
||||
virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s",
|
||||
info.inputType ? info.inputType : "raw",
|
||||
info.inputPath);
|
||||
|
||||
/* dest */
|
||||
virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s,key-secret=%s",
|
||||
if (enc)
|
||||
virCommandAddArgFormat(cmd,
|
||||
"driver=%s,file.filename=%s,key-secret=%s",
|
||||
info.type, info.path, info.secretAlias);
|
||||
else
|
||||
virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s",
|
||||
info.type, info.path);
|
||||
|
||||
}
|
||||
VIR_FREE(info.secretAlias);
|
||||
VIR_FREE(inputSecretAlias);
|
||||
|
||||
return cmd;
|
||||
|
||||
error:
|
||||
VIR_FREE(info.secretAlias);
|
||||
VIR_FREE(inputSecretAlias);
|
||||
virCommandFree(cmd);
|
||||
return NULL;
|
||||
}
|
||||
@ -1262,6 +1298,7 @@ storageBackendDoCreateQemuImg(virStoragePoolObjPtr pool,
|
||||
unsigned int flags,
|
||||
const char *create_tool,
|
||||
const char *secretPath,
|
||||
const char *inputSecretPath,
|
||||
virStorageVolEncryptConvertStep convertStep)
|
||||
{
|
||||
int ret;
|
||||
@ -1269,7 +1306,8 @@ storageBackendDoCreateQemuImg(virStoragePoolObjPtr pool,
|
||||
|
||||
cmd = virStorageBackendCreateQemuImgCmdFromVol(pool, vol, inputvol,
|
||||
flags, create_tool,
|
||||
secretPath, convertStep);
|
||||
secretPath, inputSecretPath,
|
||||
convertStep);
|
||||
if (!cmd)
|
||||
return -1;
|
||||
|
||||
@ -1290,6 +1328,7 @@ storageBackendCreateQemuImg(virStoragePoolObjPtr pool,
|
||||
int ret = -1;
|
||||
char *create_tool;
|
||||
char *secretPath = NULL;
|
||||
char *inputSecretPath = NULL;
|
||||
virStorageVolEncryptConvertStep convertStep = VIR_STORAGE_VOL_ENCRYPT_NONE;
|
||||
|
||||
virCheckFlags(VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA, -1);
|
||||
@ -1306,16 +1345,21 @@ storageBackendCreateQemuImg(virStoragePoolObjPtr pool,
|
||||
!(secretPath = storageBackendCreateQemuImgSecretPath(pool, vol)))
|
||||
goto cleanup;
|
||||
|
||||
if (inputvol && inputvol->target.encryption &&
|
||||
!(inputSecretPath = storageBackendCreateQemuImgSecretPath(pool,
|
||||
inputvol)))
|
||||
goto cleanup;
|
||||
|
||||
/* Using an input file for encryption requires a multi-step process
|
||||
* to create an image of the same size as the inputvol and then to
|
||||
* convert the inputvol afterwards. */
|
||||
if (secretPath && inputvol)
|
||||
if ((secretPath || inputSecretPath) && inputvol)
|
||||
convertStep = VIR_STORAGE_VOL_ENCRYPT_CREATE;
|
||||
|
||||
do {
|
||||
ret = storageBackendDoCreateQemuImg(pool, vol, inputvol, flags,
|
||||
create_tool, secretPath,
|
||||
convertStep);
|
||||
inputSecretPath, convertStep);
|
||||
|
||||
/* Failure to convert, attempt to delete what we created */
|
||||
if (ret < 0 && convertStep == VIR_STORAGE_VOL_ENCRYPT_CONVERT)
|
||||
@ -1337,6 +1381,10 @@ storageBackendCreateQemuImg(virStoragePoolObjPtr pool,
|
||||
unlink(secretPath);
|
||||
VIR_FREE(secretPath);
|
||||
}
|
||||
if (inputSecretPath) {
|
||||
unlink(inputSecretPath);
|
||||
VIR_FREE(inputSecretPath);
|
||||
}
|
||||
VIR_FREE(create_tool);
|
||||
return ret;
|
||||
}
|
||||
|
@ -167,6 +167,7 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
|
||||
unsigned int flags,
|
||||
const char *create_tool,
|
||||
const char *secretPath,
|
||||
const char *inputSecretPath,
|
||||
virStorageVolEncryptConvertStep convertStep);
|
||||
|
||||
int virStorageBackendSCSIFindLUs(virStoragePoolObjPtr pool,
|
||||
|
11
tests/storagevolxml2argvdata/luks-convert-encrypt.argv
Normal file
11
tests/storagevolxml2argvdata/luks-convert-encrypt.argv
Normal file
@ -0,0 +1,11 @@
|
||||
qemu-img create -f luks \
|
||||
--object secret,id=encrypt2.img_encrypt0,file=/path/to/secretFile \
|
||||
-o key-secret=encrypt2.img_encrypt0 \
|
||||
/var/lib/libvirt/images/encrypt2.img 5242880K
|
||||
qemu-img convert --image-opts -n --target-image-opts \
|
||||
--object secret,id=encrypt2.img_encrypt0,file=/path/to/secretFile \
|
||||
--object secret,id=encrypt1.img_encrypt0,file=/path/to/inputSecretFile \
|
||||
driver=luks,file.filename=/var/lib/libvirt/images/encrypt1.img,\
|
||||
key-secret=encrypt1.img_encrypt0 \
|
||||
driver=luks,file.filename=/var/lib/libvirt/images/encrypt2.img,\
|
||||
key-secret=encrypt2.img_encrypt0
|
@ -0,0 +1,7 @@
|
||||
qemu-img create -f qcow2 \
|
||||
-o compat=0.10 /var/lib/libvirt/images/sparse-qcow2.img 1073741824K
|
||||
qemu-img convert --image-opts -n --target-image-opts \
|
||||
--object secret,id=encrypt2.img_encrypt0,file=/path/to/inputSecretFile \
|
||||
driver=luks,file.filename=/var/lib/libvirt/images/encrypt2.img,\
|
||||
key-secret=encrypt2.img_encrypt0 \
|
||||
driver=qcow2,file.filename=/var/lib/libvirt/images/sparse-qcow2.img
|
@ -0,0 +1,7 @@
|
||||
qemu-img create -f raw \
|
||||
/var/lib/libvirt/images/sparse.img 1073741824K
|
||||
qemu-img convert --image-opts -n --target-image-opts \
|
||||
--object secret,id=encrypt2.img_encrypt0,file=/path/to/inputSecretFile \
|
||||
driver=luks,file.filename=/var/lib/libvirt/images/encrypt2.img,\
|
||||
key-secret=encrypt2.img_encrypt0 \
|
||||
driver=raw,file.filename=/var/lib/libvirt/images/sparse.img
|
@ -85,7 +85,7 @@ testCompareXMLToArgvFiles(bool shouldFail,
|
||||
* convert the inputvol afterwards. Since we only care about the
|
||||
* command line we have to copy code from storageBackendCreateQemuImg
|
||||
* and adjust it for the test needs. */
|
||||
if (inputvol && vol->target.encryption)
|
||||
if (inputvol && (vol->target.encryption || inputvol->target.encryption))
|
||||
convertStep = VIR_STORAGE_VOL_ENCRYPT_CREATE;
|
||||
|
||||
do {
|
||||
@ -93,6 +93,7 @@ testCompareXMLToArgvFiles(bool shouldFail,
|
||||
inputvol, flags,
|
||||
create_tool,
|
||||
"/path/to/secretFile",
|
||||
"/path/to/inputSecretFile",
|
||||
convertStep);
|
||||
if (!cmd) {
|
||||
if (shouldFail) {
|
||||
@ -288,6 +289,18 @@ mymain(void)
|
||||
"pool-dir", "vol-file-qcow2",
|
||||
"luks-convert-qcow2", 0);
|
||||
|
||||
DO_TEST("pool-dir", "vol-encrypt2",
|
||||
"pool-dir", "vol-encrypt1",
|
||||
"luks-convert-encrypt", 0);
|
||||
|
||||
DO_TEST("pool-dir", "vol-file",
|
||||
"pool-dir", "vol-encrypt2",
|
||||
"luks-convert-encrypt2fileraw", 0);
|
||||
|
||||
DO_TEST("pool-dir", "vol-file-qcow2",
|
||||
"pool-dir", "vol-encrypt2",
|
||||
"luks-convert-encrypt2fileqcow2", 0);
|
||||
|
||||
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||
}
|
||||
|
||||
|
21
tests/storagevolxml2xmlin/vol-encrypt1.xml
Normal file
21
tests/storagevolxml2xmlin/vol-encrypt1.xml
Normal file
@ -0,0 +1,21 @@
|
||||
<volume>
|
||||
<name>encrypt1.img</name>
|
||||
<key>/var/lib/libvirt/images/encrypt1.img</key>
|
||||
<source>
|
||||
</source>
|
||||
<capacity unit="G">5</capacity>
|
||||
<allocation>294912</allocation>
|
||||
<target>
|
||||
<path>/var/lib/libvirt/images/encrypt1.img</path>
|
||||
<format type='raw'/>
|
||||
<permissions>
|
||||
<mode>0644</mode>
|
||||
<owner>0</owner>
|
||||
<group>0</group>
|
||||
<label>unconfined_u:object_r:virt_image_t:s0</label>
|
||||
</permissions>
|
||||
<encryption format='luks'>
|
||||
<secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
|
||||
</encryption>
|
||||
</target>
|
||||
</volume>
|
21
tests/storagevolxml2xmlin/vol-encrypt2.xml
Normal file
21
tests/storagevolxml2xmlin/vol-encrypt2.xml
Normal file
@ -0,0 +1,21 @@
|
||||
<volume>
|
||||
<name>encrypt2.img</name>
|
||||
<key>/var/lib/libvirt/images/encrypt2.img</key>
|
||||
<source>
|
||||
</source>
|
||||
<capacity unit="G">5</capacity>
|
||||
<allocation>294912</allocation>
|
||||
<target>
|
||||
<path>/var/lib/libvirt/images/encrypt2.img</path>
|
||||
<format type='raw'/>
|
||||
<permissions>
|
||||
<mode>0644</mode>
|
||||
<owner>0</owner>
|
||||
<group>0</group>
|
||||
<label>unconfined_u:object_r:virt_image_t:s0</label>
|
||||
</permissions>
|
||||
<encryption format='luks'>
|
||||
<secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709af480'/>
|
||||
</encryption>
|
||||
</target>
|
||||
</volume>
|
Loading…
Reference in New Issue
Block a user