<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<style>
    font{
        line-height: 1.6;
    }
    ul,ol{
        padding-left: 20px;
        list-style-position: inside;
    }
</style>
<div style="font-family:微软雅黑,Verdana,'Microsoft Yahei',SimSun,sans-serif;font-size:14px; line-height:1.6;">
    <div></div><div>
    <div><ul style="box-sizing: border-box; margin: 0px; padding: 0px; color: rgb(46, 48, 51); font-family: Arial, 'Microsoft YaHei', '\\5FAE软雅黑', '\\5B8B体', 'Malgun Gothic', Meiryo, sans-serif; line-height: 14px; widows: auto; background-color: rgb(247, 248, 250);"><li style="box-sizing: border-box; margin: 0px 0px 10px; padding: 0px; list-style: none;"><p data-group="1-1" class="src" style="box-sizing: border-box; margin: 0px; padding: 0px; color: rgb(102, 102, 102); line-height: 20px;">Thank you very much for your guidance!</p></li></ul></div>
    <div id="ntes-pcmac-signature" style="font-family:'微软雅黑'">
     
    <div style="font-size:14px; padding: 0;  margin:0;line-height:14px;">
        <div style="padding-bottom:6px;margin-bottom:10px;border-bottom:1px solid #e6e6e6;display:inline-block;">
                    <a href="https://maas.mail.163.com/dashi-web-extend/html/proSignature.html?ftlId=1&name=18781374080&uid=18781374080%40163.com&iconUrl=https%3A%2F%2Fmail-online.nosdn.127.net%2Fsm6e287e97618fd71a7263effdae381085.jpg&items=%5B%2218781374080%40163.com%22%5D" style="display:block;background:#fff; max-width: 400px; _width: 400px;padding:15px 0 10px 0;text-decoration: none; outline:none;-webkit-tap-highlight-color:transparent;-webkit-text-size-adjust:none !important;text-size-adjust:none !important;">
            <table cellpadding="0" style="width: 100%; max-width: 100%; table-layout: fixed; border-collapse: collapse;color: #9b9ea1;font-size: 14px;line-height:1.3;-webkit-text-size-adjust:none !important;text-size-adjust:none !important;">
                <tbody style="font-family: 'PingFang SC', 'Hiragino Sans GB','WenQuanYi Micro Hei', 'Microsoft Yahei', '微软雅黑', verdana !important; word-wrap:break-word; word-break:break-all;-webkit-text-size-adjust:none !important;text-size-adjust:none !important;">
                    <tr class="firstRow">
                            <td width="38" style="padding:0; box-sizing: border-box; width: 38px;">
                                <img width="38" height="38" style="vertical-align:middle; width: 38px; height: 38px; border-radius:50%;" src="https://mail-online.nosdn.127.net/sm6e287e97618fd71a7263effdae381085.jpg">
                            </td>
                            <td style="padding: 0 0 0 10px; color: #31353b;">
                                <div style="font-size: 16px;font-weight:bold; width:100%; white-space: nowrap; overflow:hidden;text-overflow: ellipsis;">18781374080</div>
                            </td>
                    </tr>
                        <tr width="100%" style="font-size: 14px !important; width: 100%;">
                            <td colspan="2" style="padding:10px 0 0 0; font-size:14px !important; width: 100%;">
                                    <div style="width: 100%;font-size: 14px !important;word-wrap:break-word;word-break:break-all;">18781374080@163.com</div>
                            </td>
                        </tr>
                </tbody>
            </table>
        </a>
        </div>
    </div>
    <div style="font-size:12px;color:#b5b9bd;line-height:18px;">
        <span>Signature customized by</span>
        <a style="text-decoration: none;color:#4196ff;padding:0 5px;" href="https://mail.163.com/dashi/dlpro.html?from=mail81">NetEase Mail Master</a>
    </div>
 </div>
</div><div class="J-reply" style="background-color:#f2f2f2;color:black;padding-top:6px;padding-bottom:6px;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;margin-top:45px;margin-bottom:20px;font-family:'微软雅黑';">
    <div style="font-size:12px;line-height:1.5;word-break:break-all;margin-left:10px;margin-right:10px">On <span class="mail-date">4/15/2020 14:24</span>,<a class="mail-to" style="text-decoration:none;color:#2a83f2;" href="mailto:pkrempa@redhat.com">Peter Krempa<pkrempa@redhat.com></a> wrote: </div>
</div>
<blockquote id="ntes-pcmail-quote" style="margin: 0; padding: 0; font-size: 14px; font-family: '微软雅黑';">
On Wed, Apr 15, 2020 at 10:53:05 +0800, 18781374080 wrote:<br>
<blockquote class="mmbqc1"><br>
Hey, guys<br>
<br>
I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu:<br>
<br>
[root@xx ~]# libvirtd -V<br>
libvirtd (libvirt) 4.5.0<br>
</blockquote><br>
This is too old; encrypted backing files work starting from libvirt-5.10<br>
(but I strongly suggest using at least 6.1).<br>
<br>
<blockquote class="mmbqc1"><br>
[root@xx ~]# qemu-img -V<br>
qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)<br>
</blockquote><br>
And qemu-4.2.<br>
<br>
<blockquote class="mmbqc1"><br>
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers<br>
<br>
1. Assigned $MYSECRET to a libvirt secret using the secret-define and secret-set-value commands; $MYSECRET is in base64 format:<br>
<br>
MYSECRET=`printf %s "123456" | base64`<br>
<br>
2. Created a disk encrypted in luks format:<br>
<br>
qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G<br>
<br>
3. The encrypted disk is defined in the XML configuration file, as shown below. Then I successfully started the virtual machine.<br>
<br>
<disk type='file' device='disk'><br>
      <driver name='qemu' type='qcow2'/><br>
      <source file='/root/enc.qcow2'/><br>
      <backingStore/><br>
      <target dev='hda' bus='ide'/><br>
      <encryption format='luks'><br>
        <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/><br>
      </encryption><br>
      <alias name='ide0-0-0'/><br>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/><br>
  </disk><br>
<br>
4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as backing:<br>
<br>
qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2<br>
</blockquote><br>
This won't work with libvirt. You can't pass "encrypt.key-secret":<br>
"sec0" via the backing file string as there's no way to create the<br>
corresponding secret object when starting the VM. You can fully omit it<br>
here and use just '-b /root/enc/enc.qcow2'.<br>
<br>
<blockquote class="mmbqc1"><br>
I used the same $MYSECRET as the password data for the disk. Here is the disk information for snap.qcow2:<br>
<br>
image: snap.qcow2<br>
file format: qcow2<br>
virtual size: 20G (21474836480 bytes)<br>
disk size: 480K<br>
encrypted: yes<br>
cluster_size: 65536<br>
backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}<br>
backing file format: qcow2<br>
Format specific information:<br>
    compat: 1.1<br>
    lazy refcounts: false<br>
    refcount bits: 16<br>
    encrypt:<br>
        ivgen alg: plain64<br>
        hash alg: sha256<br>
        cipher alg: aes-256<br>
        uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981<br>
        format: luks<br>
        cipher mode: xts<br>
</blockquote><br>
[snip]<br>
<br>
<blockquote class="mmbqc1"><br>
5. Then I changed the configuration of the XML, as shown below. Then I re-defined and started the virtual machine.<br>
</blockquote><br>
With new libvirt mentioned above you'll have to add the encryption also<br>
to the backing file. That will properly configure both layers to use the<br>
correct encryption key.<br>
<br>
<disk type='file' device='disk'><br>
      <driver name='qemu' type='qcow2'/><br>
      <source file='/root/snap.qcow2'/><br>
      <backingStore type='file'><br>
        <format type='qcow2'/><br>
        <source file='/root/enc.qcow2'><br>
          <encryption format='luks'><br>
            <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/><br>
          </encryption><br>
        </source><br>
        <backingStore/><br>
      </backingStore><br>
      <target dev='hda' bus='ide'/><br>
      <encryption format='luks'><br>
        <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/><br>
      </encryption><br>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/><br>
  </disk><br>
<br>
Note that the top-level source can also have <encryption> as a child of<br>
<source>.<br>
<br>
<blockquote class="mmbqc1">Then the startup failed and an error was thrown, as shown below:<br>
<br>
qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'<br>
</blockquote><br>
As pointed out above, there's no way to instantiate the secret object<br>
via the backing store string as that is done by libvirt explicitly via<br>
-object on the command line.<br>
<br>
<blockquote class="mmbqc1"><br>
The sec0 secret id could not be found in the backing file; this is my problem.<br>
<br>
Is there a problem with the way I implemented it, or does libvirt currently not support this?<br>
<br>
Any tips or help will be appreciated. Looking forward to your reply. Thank you.<br>
<br>
18781374080<br>
18781374080@163.com<br>
Signature customized by NetEase Mail Master<br>
</blockquote></blockquote>
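<p style="font-size:14px;">Added example (not code from the thread, from libvirt or from qemu): a small Python checker for the two pitfalls Peter points out, assuming a libvirt &lt;disk&gt; element and qemu-img info text as input, with both samples constructed from what is quoted above. audit_disk_xml walks the disk and each nested backingStore and reports any layer of an encrypted chain that lacks &lt;encryption format='luks'&gt; with a &lt;secret uuid=...&gt;, accepting the element either as a direct child of the layer or nested inside its &lt;source&gt;; audit_qemu_img_info reports an image header whose backing file string embeds encrypt.key-secret, which libvirt can never satisfy because it creates secret objects itself with -object. Both functions return lists of findings so they can sit in a pre-start check of the domain definition.</p>

```python
"""Checks for the encrypted backing-chain pitfalls discussed in the thread.
Added example; not libvirt or qemu code. Samples are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed: snapshot layer carries <encryption>, backing layer does not,
# which is the configuration that fails with "Could not open backing file".
MISSING_BACKING_ENCRYPTION = """\
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <format type='qcow2'/>
    <source file='/root/enc.qcow2'/>
    <backingStore/>
  </backingStore>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
</disk>
"""

# Constructed after the layout suggested in the reply: every layer names its
# LUKS secret; the backing layer's <encryption> is nested inside its <source>.
BOTH_LAYERS_ENCRYPTED = """\
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <format type='qcow2'/>
    <source file='/root/enc.qcow2'>
      <encryption format='luks'>
        <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
      </encryption>
    </source>
    <backingStore/>
  </backingStore>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
</disk>
"""

# Constructed from the qemu-img info output quoted in the thread.
QEMU_IMG_INFO = """\
image: snap.qcow2
file format: qcow2
encrypted: yes
backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc.qcow2"}}
backing file format: qcow2
"""


def _encryption_of(layer):
    """<encryption> may be a direct child of the layer or nested in <source>."""
    enc = layer.find('encryption')
    if enc is None and layer.find('source') is not None:
        enc = layer.find('source').find('encryption')
    return enc


def audit_disk_xml(xml_text):
    """Walk <disk> and every nested <backingStore>; return a list of findings.

    Once any layer is encrypted, each layer needs <encryption format='luks'>
    with a <secret uuid=...>, otherwise libvirt has no key to pass to qemu."""
    layers, layer = [], ET.fromstring(xml_text)
    while layer is not None:
        source = layer.find('source')
        if source is None or source.get('file') is None:
            break  # reached the empty <backingStore/> terminator
        layers.append((source.get('file'), _encryption_of(layer)))
        layer = layer.find('backingStore')
    if all(enc is None for _, enc in layers):
        return []  # fully plaintext chain: nothing to check
    findings = []
    for path, enc in layers:
        if enc is None:
            findings.append(f"{path}: layer of an encrypted chain has no <encryption>")
        elif enc.get('format') != 'luks':
            findings.append(f"{path}: unexpected encryption format {enc.get('format')!r}")
        elif enc.find('secret') is None or not enc.find('secret').get('uuid'):
            findings.append(f"{path}: <encryption> names no <secret uuid=...>")
    return findings


def audit_qemu_img_info(info_text):
    """Flag a header backing-file string that names a qemu secret object.

    libvirt instantiates secrets itself via -object, so an encrypt.key-secret
    embedded in the backing file string is unsatisfiable and qemu stops with
    "No secret with id ...". The fix is to recreate the overlay with -b PATH."""
    m = re.search(r'^backing file:\s*(json:.*)$', info_text, re.MULTILINE)
    if m and 'encrypt.key-secret' in m.group(1):
        return ["backing file string embeds encrypt.key-secret; "
                "recreate the overlay with a plain path, e.g. -b /root/enc.qcow2"]
    return []


if __name__ == '__main__':
    print(audit_disk_xml(MISSING_BACKING_ENCRYPTION))   # one finding
    print(audit_disk_xml(BOTH_LAYERS_ENCRYPTED))        # []
    print(audit_qemu_img_info(QEMU_IMG_INFO))           # one finding
```

<p style="font-size:14px;">The walker treats the empty &lt;backingStore/&gt; as the end of the chain, so a chain of any depth is covered, and the qemu-img check only looks at the header's backing-file field, which is where step 4 above stored the sec0 reference.</p>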
</div>
</body>
</html>