I guess I can partially answer my own question, as I found that using engine='librbd' instead of engine='qemu' will allow the VM to read zeros from sparse regions of the image instead of random data. However, I would like to be able to use engine='qemu' in order to work with older versions of qemu/librbd that don't support the librbd encryption engine. Is there any way to do that without reading random data from sparse regions?

Thanks,
Will

On Oct 17, 2025 at 11:18:39 AM, Will Gorman <[email protected]> wrote:

> I have a question about some behavior I'm seeing when using Ceph RBD
> images as block devices in a VM. I'm using rbd encryption format
> (https://docs.ceph.com/en/reef/rbd/rbd-encryption/#encryption-format) to
> encrypt the images with LUKS1 and then creating the qemu VM using libvirt
> and providing the passphrase so that it can present the image as an
> unencrypted disk to the VM. Inside the VM I can see the plaintext data of
> the image as expected. However when I read the entire contents of the
> image I find that regions of the image that are sparse and have never had
> any data written to them will return apparently random data, rather than
> returning zeros as they would normally in a sparse RBD image that does not
> use LUKS. Is this behavior expected and is there any way to avoid it?
>
> For more context, this is how I'm providing the disk to the VM from libvirt
>
> <disk type='network' device='disk'>
>   <driver name='qemu' type='raw' discard='unmap'/>
>   <auth username='some-user'>
>     <secret type='ceph' usage='some.auth.key'/>
>   </auth>
>   <source protocol='rbd' name='some-pool/some-image' index='11'>
>     <host name='192.0.2.1' port='3300'/>
>     <encryption format='luks' engine='qemu'>
>       <secret type='passphrase' uuid='624c13aa-8d06-4ac0-a5b2-c679e33d5cea'/>
>     </encryption>
>   </source>
>   <target dev='sdi' bus='scsi'/>
>   <alias name='scsi1-0-0-1'/>
>   <serial>vol08a5f70c4d37e4646</serial>
>   <address type='drive' controller='1' bus='0' target='0' unit='1'/>
> </disk>
>
> and these are the qemu flags generated by libvirt
>
> -object '{"qom-type":"secret","id":"libvirt-2-storage-auth-secret0","data":"<redacted>","keyid":"masterKey0","iv":"<redacted>","format":"base64"}' \
> -object '{"qom-type":"secret","id":"libvirt-2-format-encryption-secret0","data":"<redacted>","keyid":"masterKey0","iv":"<redacted>","format":"base64"}' \
> -blockdev '{"driver":"rbd","pool":"some-pool","image":"some-image","server":[{"host":"192.0.2.1","port":"3300"}],"user":"some-user","auth-client-required":["cephx","none"],"key-secret":"libvirt-2-storage-auth-secret0","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
> -blockdev '{"node-name":"libvirt-2-format","read-only":false,"discard":"unmap","driver":"luks","key-secret":"libvirt-2-format-encryption-secret0","file":"libvirt-2-storage"}' \
> -device '{"driver":"scsi-hd","bus":"scsi0.0","channel":0,"scsi-id":0,"lun":0,"device_id":"vol08a5f70c4d37e4646","drive":"libvirt-2-format","id":"scsi0-0-0-0","bootindex":1,"serial":"vol08a5f70c4d37e4646"}' \
>
> Thanks,
> Will
