[libvirt] [PATCH v2 04/15] util: Add 'usage' for encryption
John Ferlan
jferlan at redhat.com
Fri Jun 24 14:45:57 UTC 2016
On 06/24/2016 09:25 AM, Peter Krempa wrote:
> On Thu, Jun 23, 2016 at 13:29:00 -0400, John Ferlan wrote:
>> In order to use more common code and set up for a future type, modify the
>> encryption secret to allow the "usage" attribute or the "uuid" attribute
>> to define the secret. The "usage" in the case of a volume secret would be
>> the path to the volume.
>>
>> This code will make use of the virSecretLookup{Parse|Format}Secret common code.
>>
>> Signed-off-by: John Ferlan <jferlan at redhat.com>
>> ---
>> docs/formatstorageencryption.html.in | 15 ++++++---
>> docs/schemas/storagecommon.rng | 11 +++++--
>> src/qemu/qemu_process.c | 13 +++-----
>> src/storage/storage_backend.c | 3 +-
>> src/storage/storage_backend_fs.c | 3 +-
>> src/util/virstorageencryption.c | 26 ++++++----------
>> src/util/virstorageencryption.h | 3 +-
>> .../qemuxml2argv-encrypted-disk-usage.args | 24 +++++++++++++++
>> .../qemuxml2argv-encrypted-disk-usage.xml | 32 +++++++++++++++++++
>> tests/qemuxml2argvtest.c | 1 +
>> .../qemuxml2xmlout-encrypted-disk-usage.xml | 36 ++++++++++++++++++++++
>> tests/qemuxml2xmltest.c | 1 +
>> 12 files changed, 132 insertions(+), 36 deletions(-)
>> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-encrypted-disk-usage.args
>> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-encrypted-disk-usage.xml
>> create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-encrypted-disk-usage.xml
>>
>> diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
>> index 04c3346..fae86eb 100644
>> --- a/docs/formatstorageencryption.html.in
>> +++ b/docs/formatstorageencryption.html.in
>> @@ -25,10 +25,17 @@
>> <p>
>> The <code>encryption</code> tag can currently contain a sequence of
>> <code>secret</code> tags, each with mandatory attributes <code>type</code>
>> - and <code>uuid</code>. The only currently defined value of
>> - <code>type</code> is <code>passphrase</code>. <code>uuid</code>
>> - refers to a secret known to libvirt. libvirt can use a secret value
>> - previously set using <code>virSecretSetValue()</code>, or, if supported
>> + and either <code>uuid</code> or
>> + <code>usage</code> (<span class="since">since 2.0.0</span>).
>> + The only currently defined value of
>> + <code>type</code> is <code>passphrase</code>. The <code>uuid</code>
>> + refers to a secret known to libvirt by it's "uuid" value (from the
>> + output of a <code>virsh secret-list</code>. The <code>usage</code>
>
> I don't think it's necessary to describe how to use virsh here.
>
Ok - removed.
>> + is the path to the volume as it appears in the volume
>
> This looks wrong. Passprhase type secrets list 'name' or 'id' as usage
> not the path. This contradicts changes in previous patch.
>
Looks weird, but that's how the matching is done... The contents of the
"usage" field are matched against the secret's <usage>'s subelement field.
>> + <code>source</code> element. A secret value can be set in libvirt by
>> + using either <code>virsh secret-set-value</code> or the
>
> Again. Mentioning the API is good enoguh.
>
>> + <a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
>> + <code>virSecretSetValue</code></a> API. Alternatively, if supported
>> by the particular volume format and driver, automatically generate a
>> secret value at the time of volume creation, and store it using the
>> specified <code>uuid</code>.
>
Does the following work?
The <code>encryption</code> tag can currently contain a sequence of
<code>secret</code> tags, each with mandatory attributes <code>type</code>
and either <code>uuid</code> or <code>usage</code>
(<span class="since">since 2.0.0</span>). The only currently defined
value of <code>type</code> is <code>passphrase</code>. The
<code>uuid</code> is "uuid" of the <code>secret</code> while
<code>usage</code> is the value "usage" subelement field.
A secret value can be set in libvirt by the
<a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
<code>virSecretSetValue</code></a> API. Alternatively, if supported
>
>> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
>> index 63da600..7d56ec8 100644
>> --- a/src/qemu/qemu_process.c
>> +++ b/src/qemu/qemu_process.c
>
> [...]
>
>> @@ -416,14 +416,9 @@ qemuProcessGetVolumeQcowPassphrase(virConnectPtr conn,
>> goto cleanup;
>> }
>>
>> - secret = conn->secretDriver->secretLookupByUUID(conn,
>> - enc->secrets[0]->uuid);
>> - if (secret == NULL)
>> - goto cleanup;
>> - data = conn->secretDriver->secretGetValue(secret, &size, 0,
>> - VIR_SECRET_GET_VALUE_INTERNAL_CALL);
>> - virObjectUnref(secret);
>> - if (data == NULL)
>> + if (virSecretGetSecretString(conn, &enc->secrets[0]->seclookupdef,
>> + VIR_SECRET_USAGE_TYPE_VOLUME,
>
> Wrong type.
>
Huh? This is the "old" VOLUME method not the new PASSPHRASE method. So
VOLUME here is correct.
John
>> + &data, &size) < 0)
>> goto cleanup;
>>
>> if (memchr(data, '\0', size) != NULL) {
>
>
More information about the libvir-list
mailing list