Secrets stored by libvirt may have attributes associated with them, using
the secret
element. The secret
element has two
optional attributes, each with values 'yes
' and
'no
', and defaulting to 'no
':
ephemeral
private
The top-level secret
element may contain the following
elements:
uuid
description
usage
type
attribute specifies the usage category, currently
only volume
, ceph
, and iscsi
are defined. Specific usage categories are described below.
This secret is associated with a volume, whether the format is either
for a "qcow" or a "luks" encrypted volume. Each volume will have a
unique secret associated with it and it is safe to delete the
secret after the volume is deleted. The
<usage type='volume'>
element must contain a
single volume
element that specifies the path of the volume
this secret is associated with. For example, create a volume-secret.xml
file as follows:
<secret ephemeral='no' private='yes'> <description>Super secret name of my first puppy</description> <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f</uuid> <usage type='volume'> <volume>/var/lib/libvirt/images/puppyname.img</volume> </usage> </secret>
Define the secret and set the passphrase as follows:
# virsh secret-define volume-secret.xml Secret 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f created # # MYSECRET=`printf %s "open sesame" | base64` # virsh secret-set-value 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f $MYSECRET Secret value set #
The volume type secret can be supplied in domain XML for a qcow storage volume encryption as follows:
<encryption format='qcow'> <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/> </encryption>
The volume type secret can be supplied either in volume XML during creation of a storage volume in order to provide the passphrase to encrypt the volume or in domain XML disk device in order to provide the passphrase to decrypt the volume, since 2.1.0. An example follows:
# cat luks-secret.xml <secret ephemeral='no' private='yes'> <description>LUKS Sample Secret</description> <uuid>f52a81b2-424e-490c-823d-6bd4235bc57</uuid> <usage type='volume'> <volume>/var/lib/libvirt/images/luks-sample.img</volume> </usage> </secret> # virsh secret-define luks-secret.xml Secret f52a81b2-424e-490c-823d-6bd4235bc57 created # # MYSECRET=`printf %s "letmein" | base64` # virsh secret-set-value f52a81b2-424e-490c-823d-6bd4235bc57 $MYSECRET Secret value set #
This secret is associated with a Ceph RBD (rados block device).
The <usage type='ceph'>
element must contain
a single name
element that specifies a usage name
for the secret. The Ceph secret can then be used by UUID or by
this usage name via the <auth>
element of
a disk device or
a storage pool (rbd).
Since 0.9.7. The following is an example
of the steps to be taken. First create a ceph-secret.xml file:
<secret ephemeral='no' private='yes'> <description>CEPH passphrase example</description> <usage type='ceph'> <name>ceph_example</name> </usage> </secret>
Next, use virsh secret-define ceph-secret.xml
to define
the secret and virsh secret-set-value
using the generated
UUID value and a base64 generated secret value in order to define the
chosen secret pass phrase.
# virsh secret-define ceph-secret.xml Secret 1b40a534-8301-45d5-b1aa-11894ebb1735 created # # virsh secret-list UUID Usage ----------------------------------------------------------- 1b40a534-8301-45d5-b1aa-11894ebb1735 cephx ceph_example # # CEPHPHRASE=`printf %s "pass phrase" | base64` # virsh secret-set-value 1b40a534-8301-45d5-b1aa-11894ebb1735 $CEPHPHRASE Secret value set #
The ceph secret can then be used by UUID or by the
usage name via the <auth>
element in a domain's
<disk>
element as follows:
<auth username='myname'> <secret type='ceph' usage='ceph_example'/> </auth>
As well as the <auth>
element in a
storage pool (rbd)
<source>
element as follows:
<auth type='ceph' username='myname'> <secret usage='ceph_example'/> </auth>
This secret is associated with an iSCSI target for CHAP authentication.
The <usage type='iscsi'>
element must contain
a single target
element that specifies a usage name
for the secret. The iSCSI secret can then be used by UUID or by
this usage name via the <auth>
element of
a disk device or
a storage pool (iscsi).
Since 1.0.4. The following is an example
of the XML that may be used to generate a secret for iSCSI CHAP
authentication. Assume the following sample entry in an iSCSI
authentication file:
<target iqn.2013-07.com.example:iscsi-pool> backing-store /home/tgtd/iscsi-pool/disk1 backing-store /home/tgtd/iscsi-pool/disk2 incominguser myname mysecret </target>
Define an iscsi-secret.xml file to describe the secret. Use the
incominguser
username used in your iSCSI authentication
configuration file as the value for the username
attribute.
The description
attribute should contain configuration
specific data. The target
name may be any name of your
choosing to be used as the usage
when used in the pool
or disk XML description.
<secret ephemeral='no' private='yes'> <description>Passphrase for the iSCSI example.com server</description> <usage type='iscsi'> <target>libvirtiscsi</target> </usage> </secret>
Next, use virsh secret-define iscsi-secret.xml
to define
the secret and virsh secret-set-value
using the generated
UUID value and a base64 generated secret value in order to define the
chosen secret pass phrase. The pass phrase must match the password
used in the iSCSI authentication configuration file.
# virsh secret-define secret.xml Secret c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 created # virsh secret-list UUID Usage ----------------------------------------------------------- c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 iscsi libvirtiscsi # MYSECRET=`printf %s "mysecret" | base64` # virsh secret-set-value c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 $MYSECRET Secret value set #
The iSCSI secret can then be used by UUID or by the
usage name via the <auth>
element in a domain's
<disk>
element as follows:
<auth username='myname'> <secret type='iscsi' usage='libvirtiscsi'/> </auth>
As well as the <auth>
element in a
storage pool (iscsi)
<source>
element as follows:
<auth type='chap' username='myname'> <secret usage='libvirtiscsi'/> </auth>