<html><head></head><body><div class="">Is there a solution for this scenario?</div><div> </div><hr style="WIDTH: 210px; HEIGHT: 1px" color="#b5c4df" size="1" align="left"><div><span><div style="MARGIN: 10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>yaohua.wu@zstack.io</div></div></span></div><blockquote style="margin-Top: 0px; margin-Bottom: 0px; margin-Left: 0.5em; margin-Right: inherit"><div> </div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#000000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>From:</b> <a href="mailto:yaohua.wu@zstack.io">yaohua.wu@zstack.io</a></div><div><b>Sent:</b> 2020-07-16 17:31</div><div><b>To:</b> <a href="mailto:libvirt-users@redhat.com">libvirt-users</a></div><div><b>Subject:</b> Cannot pass secret id for backing file after taking external snapshot on encrypted qcow2 file</div></div></div><div><div class=""><style>div.FoxDIV_20200724171111549 { font-size: 10.5pt }
div.FoxDIV_20200724171111549 { line-height: 1.5; }
div.FoxDIV_20200724171111549 { font-size: 10.5pt; font-family: 'Microsoft YaHei UI'; color: rgb(0, 0, 0); line-height: 1.5; }
</style><div style="height:initial" class="FoxDIV_20200724171111549">
<div foxmail_class="mail_content_body">
<div><font face="monospace"><span style="white-space: pre;"></span></font><pre class="bz_comment_text" id="comment_text_0" style="overflow-wrap: break-word; margin: 1em; padding-bottom: 1em; font-variant-ligatures: normal; orphans: 2; widows: 2; width: calc(100vw - 19.6em) !important;"><pre class="bz_comment_text" id="comment_text_0" style="overflow-wrap: break-word; margin: 1em; padding-bottom: 1em; font-variant-ligatures: normal; width: calc(100vw - 19.6em) !important;">Hi,
I used 'virsh snapshot-create' to create an encrypted external snapshot.</pre><pre class="bz_comment_text" id="comment_text_0" style="overflow-wrap: break-word; margin: 1em; padding-bottom: 1em; font-variant-ligatures: normal; width: calc(100vw - 19.6em) !important;">When I try to run 'qemu-img check' on the top file, I find no way to pass the backing file's secret-id.
1. Version
centos-release-8.2-2.2004.0.1.el8.x86_64
libvirt.x86_64 6.0.0-17.el8
qemu-kvm.x86_64 15:4.2.0-19.el8</pre><pre class="bz_comment_text" id="comment_text_0" style="overflow-wrap: break-word; margin: 1em; padding-bottom: 1em; font-variant-ligatures: normal; width: calc(100vw - 19.6em) !important;">2. Steps to Reproduce
1)Create an encrypted qcow2
qemu-img create --object secret,id=sec0,data=123456 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 first.qcow2 1G
2)Create external snapshot with 'encrypted' xml
# cat snap.xml 
<domainsnapshot>
  <disks>
    <disk name='hdc' snapshot='no'/>
    <disk name='vdb' snapshot='external'>
      <source file='/root/first-snapshot.qcow2'>
        <encryption format='luks'>
          <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
        </encryption>
      </source>
    </disk>
  </disks>
</domainsnapshot>
# virsh dumpxml test-vm | awk '/<disk/,/<\/disk/'
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/root/first-snapshot.qcow2' index='5'/>
      <backingStore type='file' index='2'>
        <format type='qcow2'/>
        <source file='/root/first.qcow2'>
          <encryption format='luks'>
            <secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-222222222222'/>
          </encryption>
        </source>
        <backingStore/>
      </backingStore>
      <target dev='vdb' bus='virtio'/>
      <encryption format='luks'>
        <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
      </encryption>
      <alias name='virtio-disk1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
    </disk>
3)Try to run qemu-img check on the top qcow2 file
Note: The secret id of the backing file is not recorded, so when I use qemu-img check etc., how do I pass the backing file's secret to qemu?
# qemu-img info -U  first-snapshot.qcow2    
image: first-snapshot.qcow2
file format: qcow2
virtual size: 1 GiB (1073741824 bytes)
disk size: 544 KiB
encrypted: yes
cluster_size: 65536
backing file: /root/first.qcow2  ### backing file: json:{"encrypt.format": "luks", "encrypt.key-secret": "secrete-id"}
backing file format: luks
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: e4158089-26e4-433f-990e-1d1d0723feee
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 1257888
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 300073
    corrupt: false
# qemu-img check -U --object secret,id=sec_1,file=/etc/libvirt/secrets/f52a81b2-424e-490c-823d-6bd4235bc572.base64,format=base64 --image-opts encrypt.format=luks,encrypt.key-secret=sec_1,file.filename=first-snapshot.qcow2 --object secret,id=sec_2,file=/etc/libvirt/secrets/f981dd17-143f-45bc-88e6-222222222222.base64,format=base64
qemu-img: Could not open 'encrypt.format=luks,encrypt.key-secret=sec_1,file.filename=first-snapshot.qcow2': Could not open backing file: Parameter 'key-secret' is required for cipher</pre></pre></div><hr style="width: 210px; height: 1px;" color="#b5c4df" size="1" align="left">
<div><span><div style="MARGIN: 10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>yaohua.wu@zstack.io</div></div></span></div>
</div></div></div></div></blockquote></body></html>