Re: Cannot pass secret id for backing file after taking external snapshot on encrypted qcow2 file

2020-08-03 Thread YaoHua Wu
Hi,
I used 'virsh snapshot-create' to create an encrypted external snapshot. When I
try to use 'qemu-img check' on the top file, I found no entrance to pass the
backing file's secret-id.
1. Version
centos-release-8.2-2.2004.0.1.el8.x86_64
libvirt.x86_64 6.0.0-17.el8
qemu-kvm.x86_64 15:4.2.0-19.el8
2. Reproduce Steps
1) Create an encrypted qcow2
qemu-img create --object secret,id=sec0,data=123456 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 first.qcow2 1G
2) Create external snapshot with 'encrypted' xml
# cat snap.xml 

  


  

  

  

  

# virsh dumpxml test-vm | awk '/
  
  
  


  

  


  
  
  

  
  
  

3) Try to qemu-img check the top qcow2 file
Note: The secid of the backing file is not recorded, so when I use qemu-img
check etc., how do I pass the secret of the backing files to qemu?
# qemu-img info -U first-snapshot.qcow2
image: first-snapshot.qcow2
file format: qcow2
virtual size: 1 GiB (1073741824 bytes)
disk size: 544 KiB
encrypted: yes
cluster_size: 65536
backing file: /root/first.qcow2  ### backing file: json:{"encrypt.format": "luks", "encrypt.key-secret": "secrete-id"}
backing file format: luks
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: e4158089-26e4-433f-990e-1d1d0723feee
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 1257888
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 300073
    corrupt: false
# qemu-img check -U \
    --object secret,id=sec_1,file=/etc/libvirt/secrets/f52a81b2-424e-490c-823d-6bd4235bc572.base64,format=base64 \
    --image-opts encrypt.format=luks,encrypt.key-secret=sec_1,file.filename=first-snapshot.qcow2 \
    --object secret,id=sec_2,file=/etc/libvirt/secrets/f981dd17-143f-45bc-88e6-.base64,format=base64
qemu-img: Could not open 'encrypt.format=luks,encrypt.key-secret=sec_1,file.filename=first-snapshot.qcow2': Could not open backing file: Parameter 'key-secret' is required for cipher


yaohua...@zstack.io


Cannot pass secret id for backing file after taking external snapshot on encrypted qcow2 file

2020-07-16 Thread yaohua...@zstack.io