storage: Disallow create/resize of qcow2 encrypted images
authorJohn Ferlan <jferlan@redhat.com>
Wed, 20 Jun 2018 20:21:50 +0000 (16:21 -0400)
committerJohn Ferlan <jferlan@redhat.com>
Tue, 26 Jun 2018 18:02:43 +0000 (14:02 -0400)
https://bugzilla.redhat.com/show_bug.cgi?id=1526382

Since commit c4eedd793 disallowed qcow2 encrypted images to be
used for domains, it no longer makes sense to allow a qcow2
encrypted volume to be created or resized.

Add a test that will exhibit the failure of creation as well
as the xml2xml validation of the format still being correct.

Update the documentation to note the removal of the capability
to create and use qcow/default encrypted volumes.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
docs/formatsecret.html.in
docs/formatstorageencryption.html.in
src/storage/storage_util.c
tests/storagevolxml2argvtest.c
tests/storagevolxml2xmlin/vol-qcow2-encryption.xml [new file with mode: 0644]
tests/storagevolxml2xmlout/vol-qcow2-encryption.xml [new file with mode: 0644]
tests/storagevolxml2xmltest.c

index 155b7c35de9f359191a53791f7872eb92d2a1910..defbe7173110eea1db00df2c4593960c90e98301 100644 (file)
@@ -51,7 +51,7 @@
 
     <p>
       This secret is associated with a volume, whether the format is either
-      for a "qcow" or a "luks" encrypted volume. Each volume will have a
+      for a "luks" encrypted volume. Each volume will have a
       unique secret associated with it and it is safe to delete the
       secret after the volume is deleted. The
       <code>&lt;usage type='volume'&gt;</code> element must contain a
@@ -83,16 +83,6 @@ Secret value set
 #
     </pre>
 
-    <p>
-      The volume type secret can be supplied in domain XML for a qcow storage
-      volume <a href="formatstorageencryption.html">encryption</a> as follows:
-    </p>
-    <pre>
-&lt;encryption format='qcow'&gt;
-  &lt;secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/&gt;
-&lt;/encryption&gt;
-    </pre>
-
     <p>
       The volume type secret can be supplied either in volume XML during
       creation of a <a href="formatstorage.html#StorageVol">storage volume</a>
@@ -120,6 +110,16 @@ Secret value set
 #
     </pre>
 
+    <p>
+      The volume type secret can be supplied in domain XML for a luks storage
+      volume <a href="formatstorageencryption.html">encryption</a> as follows:
+    </p>
+    <pre>
+&lt;encryption format='luks'&gt;
+  &lt;secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc57'/&gt;
+&lt;/encryption&gt;
+    </pre>
+
     <h3><a id="CephUsageType">Usage type "ceph"</a></h3>
     <p>
       This secret is associated with a Ceph RBD (rados block device).
index 434bdb609ebeb2d7e2ca9e8d0effe76dd0d22bca..ea80a87cfbdf499fd5abfe803078170c6925a8f1 100644 (file)
       specified <code>uuid</code>.
     </p>
     <h3><a id="StorageEncryptionDefault">"default" format</a></h3>
-    <p>
-      <code>&lt;encryption format="default"/&gt;</code> can be specified only
-      when creating a qcow volume.  If the volume is successfully created, the
-      encryption formats, parameters and secrets will be auto-generated by
-      libvirt and the attached <code>encryption</code> tag will be updated.
-      The unmodified contents of the <code>encryption</code> tag can be used
-      in later operations with the volume, or when setting up a domain that
-      uses the volume.
-    </p>
     <h3><a id="StorageEncryptionQcow">"qcow" format</a></h3>
     <p>
-      The <code>qcow</code> format specifies that the built-in encryption
-      support in <code>qcow</code>- or <code>qcow2</code>-formatted volume
-      images should be used.  A single
-      <code>&lt;secret type='passphrase'&gt;</code> element is expected.  Note
-      that this encryption is inherently broken and should not be used any more.
+      <span class="since">Since 4.5.0,</span> encryption formats
+      <code>default</code> and <code>qcow</code> may no longer be used
+      to create an encrypted volume. Usage of qcow encrypted volumes
+      in QEMU began phasing out in QEMU 2.3 and by QEMU 2.9 creation
+      of a qcow encrypted volume via qemu-img required usage of secret
+      objects, but that support was not added to libvirt.
     </p>
     <h3><a id="StorageEncryptionLuks">"luks" format</a></h3>
     <p>
 
     <h2><a id="example">Examples</a></h2>
 
-    <p>
-      Here is a simple example, specifying use of the <code>qcow</code> format:
-    </p>
-
-    <pre>
-&lt;encryption format='qcow'&gt;
-   &lt;secret type='passphrase' uuid='c1f11a6d-8c5d-4a3e-ac7a-4e171c5e0d4a' /&gt;
-&lt;/encryption&gt;</pre>
-
     <p>
       Assuming a <a href="formatsecret.html#VolumeUsageType">
       <code>luks volume type secret</code></a> is already defined,
index 90cadb9d13ff308fdde2305f80a6e7804645737a..6b02bb2e9a97ebed1d77d878fb294a9c240e104b 100644 (file)
@@ -1214,6 +1214,15 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
 
     virCheckFlags(VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA, NULL);
 
+    if (enc && (enc->format == VIR_STORAGE_ENCRYPTION_FORMAT_QCOW ||
+                enc->format == VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT) &&
+        (vol->target.format == VIR_STORAGE_FILE_QCOW ||
+         vol->target.format == VIR_STORAGE_FILE_QCOW2)) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                       _("creation of qcow2 encrypted image is not supported"));
+        goto error;
+    }
+
     if (virStorageBackendCreateQemuImgSetInfo(pool, vol, inputvol, &info) < 0)
         goto error;
 
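Review bot: The added guard rejects both `VIR_STORAGE_FILE_QCOW` and `VIR_STORAGE_FILE_QCOW2` targets, but the message names only qcow2, so a user creating a qcow volume gets an error that does not match their XML; `_("creation of qcow/qcow2 encrypted image is not supported")` would be accurate. The same predicate and the same wording issue recur in the storageBackendResizeQemuImg hunk, and a small static helper taking the volume definition would keep the two refusals from drifting apart. The guard fires only for qcow/qcow2 targets, so a `qcow` or `default` encryption element on any other target format is left to later checks, presumably in virStorageBackendCreateQemuImgSetInfo, which is not visible here. The function body starts and ends outside the hunk.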
@@ -1232,8 +1241,7 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
     if (info.backingPath)
         virCommandAddArgList(cmd, "-b", info.backingPath, NULL);
 
-    if (info.format == VIR_STORAGE_FILE_RAW && enc &&
-        enc->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
+    if (enc) {
         if (!info.secretPath) {
             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                            _("path to secret data file is required"));
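Review bot: With the condition reduced to `if (enc)`, the secret-file branch no longer states which encryption formats it handles; it depends on the earlier guard and on validation outside this hunk to ensure that only raw+LUKS reaches it. A one-line invariant above the branch would make that dependency visible, e.g. `/* only LUKS encryption reaches here; qcow/default were rejected above */`. If that validation is ever relaxed, a non-LUKS `enc` would go through the secret handling with no format check, so it is worth confirming that virStorageBackendCreateQemuImgSetInfo rejects every other combination. The branch body continues past the end of the hunk.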
@@ -2354,6 +2362,16 @@ storageBackendResizeQemuImg(virStoragePoolObjPtr pool,
     const char *type;
     char *secretPath = NULL;
     char *secretAlias = NULL;
+    virStorageEncryptionPtr enc = vol->target.encryption;
+
+    if (enc && (enc->format == VIR_STORAGE_ENCRYPTION_FORMAT_QCOW ||
+                enc->format == VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT) &&
+        (vol->target.format == VIR_STORAGE_FILE_QCOW ||
+         vol->target.format == VIR_STORAGE_FILE_QCOW2)) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                       _("resize of qcow2 encrypted image is not supported"));
+        return -1;
+    }
 
     img_tool = virFindFileInPath("qemu-img");
     if (!img_tool) {
index b8afe4abccf4ee7db5c2bf0ba8725722a80fecea..d7f5c0f51e52ee93a65b9b1882a889c9b23cb5bb 100644 (file)
@@ -232,6 +232,10 @@ mymain(void)
             "pool-dir", "vol-file-iso",
             "iso-input", 0);
 
+    DO_TEST_FAIL("pool-dir", "vol-qcow2-encryption",
+                 NULL, NULL,
+                 "qcow2-encryption", 0);
+
     DO_TEST("pool-dir", "vol-luks",
             NULL, NULL,
             "luks", 0);
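Review bot: The negative test exercises only `<encryption format='qcow'>` on the create path; the guard's `VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT` arm and the new refusal in storageBackendResizeQemuImg have no test in this commit. A second case with a `format='default'` input would pin the other arm, e.g. `DO_TEST_FAIL("pool-dir", "<VOL_XML_WITH_DEFAULT_ENCRYPTION>", NULL, NULL, "<ARGV_NAME>", 0);` where both names are placeholders for files that would have to be added. Whether the resize path can be covered by this argv test at all is not visible from the hunk. mymain's body continues outside the hunk.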
diff --git a/tests/storagevolxml2xmlin/vol-qcow2-encryption.xml b/tests/storagevolxml2xmlin/vol-qcow2-encryption.xml
new file mode 100644 (file)
index 0000000..49a7de3
--- /dev/null
@@ -0,0 +1,31 @@
+<volume>
+  <name>OtherDemo.img</name>
+  <key>/var/lib/libvirt/images/OtherDemo.img</key>
+  <source>
+  </source>
+  <capacity unit="G">5</capacity>
+  <allocation>294912</allocation>
+  <target>
+    <path>/var/lib/libvirt/images/OtherDemo.img</path>
+    <format type='qcow2'/>
+    <permissions>
+      <mode>0644</mode>
+      <owner>0</owner>
+      <group>0</group>
+      <label>unconfined_u:object_r:virt_image_t:s0</label>
+    </permissions>
+    <encryption format='qcow'>
+      <secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
+    </encryption>
+  </target>
+  <backingStore>
+    <path>/dev/null</path>
+    <format type='raw'/>
+    <permissions>
+      <mode>0644</mode>
+      <owner>0</owner>
+      <group>0</group>
+      <label>unconfined_u:object_r:virt_image_t:s0</label>
+    </permissions>
+  </backingStore>
+</volume>
diff --git a/tests/storagevolxml2xmlout/vol-qcow2-encryption.xml b/tests/storagevolxml2xmlout/vol-qcow2-encryption.xml
new file mode 100644 (file)
index 0000000..31dc578
--- /dev/null
@@ -0,0 +1,31 @@
+<volume type='file'>
+  <name>OtherDemo.img</name>
+  <key>/var/lib/libvirt/images/OtherDemo.img</key>
+  <source>
+  </source>
+  <capacity unit='bytes'>5368709120</capacity>
+  <allocation unit='bytes'>294912</allocation>
+  <target>
+    <path>/var/lib/libvirt/images/OtherDemo.img</path>
+    <format type='qcow2'/>
+    <permissions>
+      <mode>0644</mode>
+      <owner>0</owner>
+      <group>0</group>
+      <label>unconfined_u:object_r:virt_image_t:s0</label>
+    </permissions>
+    <encryption format='qcow'>
+      <secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
+    </encryption>
+  </target>
+  <backingStore>
+    <path>/dev/null</path>
+    <format type='raw'/>
+    <permissions>
+      <mode>0644</mode>
+      <owner>0</owner>
+      <group>0</group>
+      <label>unconfined_u:object_r:virt_image_t:s0</label>
+    </permissions>
+  </backingStore>
+</volume>
index 426b100c27e53a98eb0e02f7ff2b8c28736f7c70..7bac4974ae0b1a3baf41058e7c50505e7e83f160 100644 (file)
@@ -106,6 +106,7 @@ mymain(void)
     DO_TEST("pool-dir", "vol-qcow2-lazy");
     DO_TEST("pool-dir", "vol-qcow2-0.10-lazy");
     DO_TEST("pool-dir", "vol-qcow2-nobacking");
+    DO_TEST("pool-dir", "vol-qcow2-encryption");
     DO_TEST("pool-dir", "vol-luks");
     DO_TEST("pool-dir", "vol-luks-cipher");
     DO_TEST("pool-disk", "vol-partition");