New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KVM support for luks volmes? #1345
Comments
Original Redmine Comment I made a bit of progress on this, see Tested on debian jessie and you need to install the qemu/libvirt packages from backports to get the encryption support: apt-get -t jessie-backports install libvirt0 Then create the image and import, create the libvirt secret etc, then you can attach the disk and it is decrypted, if it doesn't work you will still see the device as an encrypted luks disk (luksDump) The question now is how to generate this the libvirt xml at deployment to contain the libvirt xml? I am a bit stuck here, does the LibVirtDriverKVM.cc file need changing, or is there a simpler way to change what is generated in the deployment file when instantiating the VM? |
Original Redmine Comment There is an entry in the backlog addressing the option to alter the VM deployment XML before deploy (#4880). Currently I am patching the vmm/kvm/deploy script to execute a script to edit the deployment XML file before it is passed to libvirt. Best Regards, |
Original Redmine Comment On balance, I figured it would be less lines of code to patch the driver: Seems to work, requires some further testing though... |
Hey Laurence, if you ever see this: |
The UUID of the secret is referenced in the image attributes, for example as: I was actually going to bump this to see if there is any chance of merging this patch, as I have to manually patch the packages each time we upgrade, so, bump, anybody..? |
Basically it is these 2 commits: It seems I did try to get it merged |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. The OpenNebula Dev Team |
We've been using this in production for 2 years for persistent VMs without any issues. It would be good to have it merged rather than ignored and marked as abandoned. |
I strongly support this as well. I think it is a very useful feature, does not interfere in any way - I would be happy to see it merged. |
Ok! You speak, we listen. Bumping this to 5.12 (although this is not a commitment) |
Do you expect this to make the 5.17.7 release @tinova ? Is there anything I can do to help? |
Unfortunately @laurencegill we need to remove this from 5.12 roadmap as it will soon enter feature freeze (it's an LTS release). We will do out best to tackle this for 6.0. If you could check that the PRs can still be applied into master that will help indeed. |
I think I have fixed the conflicts, but appear to have upset gitcop, presumably with the historical commit messages not confirming to the standard, which are now buried among the commits as I merged upstream. Shall I just create a new PR and remove the old one, and reference the github issue, as this dates back to the Redmine system? |
* F #1345: KVM support for persistent luks volmes Support for attaching a persistent qemu luks encrypted disk, created as per the libvirt/qemu documentation. Private secret must be defined on the hypervisor for decryption and the image should contain "LUKS_SECRET" attribute. 1) Create the image and import into datastore: # qemu-img create --object secret,id=sec0,data=secretphrase -o key-secret=sec0 -f luks volume 1G 2) Create the secret on the hypervisor: # virsh secret-define volume-secret.xml # MYSECRET=`printf %s "secretphrase" | base64` # virsh secret-set-value $MYUUID $MYSECRET # virsh secret-dumpxml $MYUUID <secret ephemeral='no' private='yes'> <uuid>$MYUUID</uuid> <description>luks key</description> <usage type='volume'> <volume>rbd:one/one-123</volume> </usage> </secret> 3) Set the UUID in the image attributes, ie: # oneimage show 123 |grep LUKS LUKS_SECRET="$MYUUID" This should allow the disk attach to decryt the luks image and use as a normal disk within the VM. Co-authored-by: Laurence <laurencegill@users.noreply.github.com>
Author Name: Laurence Gill (Laurence Gill)
Original Redmine Issue: 5402, https://dev.opennebula.org/issues/5402
Original Date: 2017-09-25
Is there any plans to support luks volumes for virtual machines? I have not managed to find any discussions around this on any opennebula mailing lists.
https://libvirt.org/formatstorageencryption.html#StorageEncryptionLuks
I think it would require qemu 2.6:
https://wiki.qemu.org/ChangeLog/2.6#Block_devices_2
...and also libvirt 2.2.0, and I'd guess you need to create a secret on the hypervisor, unless it could be randomly generated if you are creating a empty datablock to install to. Although if you created the volume outside of opennebula I suppose you could pass the parameters through using the raw kvm contextualisation.
Thoughts? Silly idea?
Cheers
The text was updated successfully, but these errors were encountered: