From 37537a7c64b43be2eebf8b0cea7c6d445e214806 Mon Sep 17 00:00:00 2001 From: John Ferlan Date: Thu, 14 Sep 2017 09:32:57 -0400 Subject: [PATCH] conf: Add/Allow parsing the encryption in the disk source Since the virStorageEncryptionPtr encryption; is a member of _virStorageSource it really should be allowed to be a subelement of the disk for various disk formats: Source{File|Dir|Block|Volume} SourceProtocol{RBD|ISCSI|NBD|Gluster|Simple|HTTP} NB: Simple includes sheepdog, ftp, ftps, tftp That way we can set up to allow the element to be formatted within the disk source, but we still need to be wary from whence the element was read - see keep track and when it comes to format the data, ensure it's written in the correct place. Modify the qemuxml2argvtest to add a parse failure when there is an as a child of *and* an as a child of . The virschematest will read the new test files and validate from a RNG viewpoint things are fine. --- docs/formatdomain.html.in | 15 +++- docs/schemas/domaincommon.rng | 30 +++++++ src/conf/domain_conf.c | 68 +++++++++++++-- src/util/virstoragefile.h | 1 + .../qemuxml2argv-luks-disks-source-both.xml | 40 +++++++++ .../qemuxml2argv-luks-disks-source.args | 62 ++++++++++++++ .../qemuxml2argv-luks-disks-source.xml | 81 ++++++++++++++++++ tests/qemuxml2argvtest.c | 2 + .../qemuxml2xmlout-luks-disks-source.xml | 84 +++++++++++++++++++ .../qemuxml2xmlout-luks-disks.xml | 46 +++++++++- tests/qemuxml2xmltest.c | 1 + 11 files changed, 420 insertions(+), 10 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source-both.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks-source.xml mode change 120000 => 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index af1080683d..b7d7cba5ac 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2712,6 +2712,14 @@ attribute matching the key that was specified in the secret object. +
Since libvirt 3.9.0, the + encryption can be a sub-element of the + source element for encrypted storage sources. + If present, specifies how the storage source is encrypted + See the + Storage Encryption + page for more information. +

@@ -3117,8 +3125,11 @@ Since 0.8.8

encryption
-
If present, specifies how the volume is encrypted. See - the Storage Encryption page +
Starting with libvirt 3.9.0 the + encryption element is preferred to be a sub-element + of the source element. If present, specifies how the + volume is encrypted using "qcow". See the + Storage Encryption page for more information.
readonly
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index c99ee4f89b..710b3af7f7 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1471,6 +1471,9 @@ + + + @@ -1492,6 +1495,9 @@ + + + @@ -1511,6 +1517,9 @@ + + + @@ -1583,6 +1592,9 @@ + + + @@ -1598,6 +1610,9 @@ + + + @@ -1611,6 +1626,9 @@ + + + @@ -1626,6 +1644,9 @@ + + + @@ -1638,6 +1659,9 @@ + + + @@ -1650,6 +1674,9 @@ + + + @@ -1708,6 +1735,9 @@ + + + diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index b207d33dae..ce9b4ee7f0 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -8301,6 +8301,29 @@ virDomainDiskSourceAuthParse(xmlNodePtr node, } +static int +virDomainDiskSourceEncryptionParse(xmlNodePtr node, + virStorageEncryptionPtr *encryptionsrc) +{ + xmlNodePtr child; + virStorageEncryptionPtr encryption = NULL; + + for (child = node->children; child; child = child->next) { + if (child->type == XML_ELEMENT_NODE && + virXMLNodeNameEqual(child, "encryption")) { + + if (!(encryption = virStorageEncryptionParseNode(node->doc, child))) + return -1; + + *encryptionsrc = encryption; + return 0; + } + } + + return 0; +} + + int virDomainDiskSourceParse(xmlNodePtr node, xmlXPathContextPtr ctxt, @@ -8341,6 +8364,9 @@ virDomainDiskSourceParse(xmlNodePtr node, if (virDomainDiskSourceAuthParse(node, &src->auth) < 0) goto cleanup; + if (virDomainDiskSourceEncryptionParse(node, &src->encryption) < 0) + goto cleanup; + /* People sometimes pass a bogus '' source path when they mean to omit the * source element completely (e.g. CDROM without media). This is just a * little compatibility check to help those broken apps */ @@ -9000,6 +9026,18 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt, if (def->src->auth) def->src->authInherited = true; + /* Similarly for - it's a child of too + * and we cannot find in both places */ + if (encryption && def->src->encryption) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("an definition already found for " + "the definition")); + goto error; + } + + if (def->src->encryption) + def->src->encryptionInherited = true; + source = true; startupPolicy = virXMLPropString(cur, "startupPolicy"); @@ -9081,11 +9119,18 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt, virXMLNodeNameEqual(cur, "state")) { /* Legacy back-compat. Don't add any more attributes here */ devaddr = virXMLPropString(cur, "devaddr"); - } else if (encryption == NULL && + } else if (!encryption && virXMLNodeNameEqual(cur, "encryption")) { - encryption = virStorageEncryptionParseNode(node->doc, - cur); - if (encryption == NULL) + /* If we've already parsed and found an child, + * then generate an error to avoid ambiguity */ + if (def->src->encryptionInherited) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("an definition already found for " + "disk source")); + goto error; + } + + if (!(encryption = virStorageEncryptionParseNode(node->doc, cur))) goto error; } else if (!serial && virXMLNodeNameEqual(cur, "serial")) { @@ -9303,8 +9348,8 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt, target = NULL; if (authdef) VIR_STEAL_PTR(def->src->auth, authdef); - def->src->encryption = encryption; - encryption = NULL; + if (encryption) + VIR_STEAL_PTR(def->src->encryption, encryption); def->domain_name = domain_name; domain_name = NULL; def->serial = serial; @@ -22087,6 +22132,12 @@ virDomainDiskSourceFormatInternal(virBufferPtr buf, goto error; } + /* If we found encryption as a child of , then format it + * as we found it. */ + if (src->encryption && src->encryptionInherited && + virStorageEncryptionFormat(&childBuf, src->encryption) < 0) + return -1; + if (virXMLFormatElement(buf, "source", &attrBuf, &childBuf) < 0) goto error; } @@ -22406,7 +22457,10 @@ virDomainDiskDefFormat(virBufferPtr buf, virBufferEscapeString(buf, "%s\n", def->wwn); virBufferEscapeString(buf, "%s\n", def->vendor); virBufferEscapeString(buf, "%s\n", def->product); - if (def->src->encryption && + + /* If originally found as a child of , then format thusly; + * otherwise, will be formatted as child of */ + if (def->src->encryption && !def->src->encryptionInherited && virStorageEncryptionFormat(buf, def->src->encryption) < 0) return -1; virDomainDeviceInfoFormat(buf, &def->info, diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index 3a6f9f2653..af8f56c8a1 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h @@ -242,6 +242,7 @@ struct _virStorageSource { virStorageAuthDefPtr auth; bool authInherited; virStorageEncryptionPtr encryption; + bool encryptionInherited; virObjectPtr privateData; diff --git a/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source-both.xml b/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source-both.xml new file mode 100644 index 0000000000..c4b762a1ed --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source-both.xml @@ -0,0 +1,40 @@ + + encryptdisk + 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 + 1048576 + 524288 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + + + + + +
+ + +
+ + + + + +
+ + + diff --git a/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.args b/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.args new file mode 100644 index 0000000000..fec46945ce --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.args @@ -0,0 +1,62 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/home/test \ +USER=test \ +LOGNAME=test \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-x86_64 \ +-name encryptdisk \ +-S \ +-object secret,id=masterKey0,format=raw,\ +file=/tmp/lib/domain--1-encryptdisk/master-key.aes \ +-M pc-i440fx-2.1 \ +-m 1024 \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 \ +-nographic \ +-nodefaults \ +-chardev socket,id=charmonitor,\ +path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \ +-mon chardev=charmonitor,id=monitor,mode=readline \ +-no-acpi \ +-boot c \ +-usb \ +-object secret,id=virtio-disk0-luks-secret0,\ +data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +-drive file=/storage/guest_disks/encryptdisk,\ +key-secret=virtio-disk0-luks-secret0,format=luks,if=none,id=drive-virtio-disk0 \ +-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ +id=virtio-disk0 \ +-object secret,id=virtio-disk1-luks-secret0,\ +data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +-drive file=/storage/guest_disks/encryptdisk2,\ +key-secret=virtio-disk1-luks-secret0,format=luks,if=none,id=drive-virtio-disk1 \ +-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,\ +id=virtio-disk1 \ +-object secret,id=virtio-disk2-luks-secret0,\ +data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +-drive file=iscsi://myname:AQCVn5hO6HzFAhAAq0NCv8jtJcIcE+HOBlMQ1A@example.org:\ +6000/iqn.1992-01.com.example%3Astorage/1,key-secret=virtio-disk2-luks-secret0,\ +format=luks,if=none,id=drive-virtio-disk2 \ +-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk2,\ +id=virtio-disk2 \ +-object secret,id=virtio-disk3-luks-secret0,\ +data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +-drive file=iscsi://iscsi.example.com:3260/demo-target/3,\ +key-secret=virtio-disk3-luks-secret0,format=luks,if=none,id=drive-virtio-disk3 \ +-device virtio-blk-pci,bus=pci.0,addr=0x7,drive=drive-virtio-disk3,\ +id=virtio-disk3 \ +-object secret,id=virtio-disk4-luks-secret0,\ +data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +-drive 'file=rbd:pool/image:auth_supported=none:mon_host=mon1.example.org\:\ +6321\;mon2.example.org\:6322\;mon3.example.org\:6322,\ +key-secret=virtio-disk4-luks-secret0,format=luks,if=none,\ +id=drive-virtio-disk4' \ +-device virtio-blk-pci,bus=pci.0,addr=0x8,drive=drive-virtio-disk4,\ +id=virtio-disk4 \ +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 diff --git a/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.xml b/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.xml new file mode 100644 index 0000000000..293877df9e --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.xml @@ -0,0 +1,81 @@ + + encryptdisk + 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 + 1048576 + 524288 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + + +
+ + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index ab5641484d..ec6fad453d 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1666,10 +1666,12 @@ mymain(void) DO_TEST("encrypted-disk-usage", NONE); # ifdef HAVE_GNUTLS_CIPHER_ENCRYPT DO_TEST("luks-disks", QEMU_CAPS_OBJECT_SECRET); + DO_TEST("luks-disks-source", QEMU_CAPS_OBJECT_SECRET); # else DO_TEST_FAILURE("luks-disks", QEMU_CAPS_OBJECT_SECRET); # endif DO_TEST_PARSE_ERROR("luks-disk-invalid", NONE); + DO_TEST_PARSE_ERROR("luks-disks-source-both", QEMU_CAPS_OBJECT_SECRET); DO_TEST("memtune", NONE); DO_TEST("memtune-unlimited", NONE); diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks-source.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks-source.xml new file mode 100644 index 0000000000..1cad3af7a6 --- /dev/null +++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks-source.xml @@ -0,0 +1,84 @@ + + encryptdisk + 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 + 1048576 + 524288 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + + +
+ + + + + + + + + +
+ + + + + + + + + + + + + +
+ + + + + + + + + +
+ + + + + + + + + + + + +
+ + +
+ + + + + +
+ + + diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml deleted file mode 120000 index b59dc672fc..0000000000 --- a/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml +++ /dev/null @@ -1 +0,0 @@ -../qemuxml2argvdata/qemuxml2argv-luks-disks.xml \ No newline at end of file diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml new file mode 100644 index 0000000000..c84af442a6 --- /dev/null +++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml @@ -0,0 +1,45 @@ + + encryptdisk + 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 + 1048576 + 524288 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + +
+ + + + + + + + +
+ + +
+ + + + + +
+ + + diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 4efaefe58a..41663a0ea4 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c @@ -625,6 +625,7 @@ mymain(void) DO_TEST("encrypted-disk", NONE); DO_TEST("encrypted-disk-usage", NONE); DO_TEST("luks-disks", NONE); + DO_TEST("luks-disks-source", NONE); DO_TEST("memtune", NONE); DO_TEST("memtune-unlimited", NONE); DO_TEST("blkiotune", NONE);