Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KVM support for luks volmes? #1345

Closed
OpenNebulaProject opened this issue Nov 20, 2017 · 13 comments
Closed

KVM support for luks volmes? #1345

OpenNebulaProject opened this issue Nov 20, 2017 · 13 comments
Assignees
@xorel
Labels
Priority: Normal Status: Accepted Type: Feature
Milestone
Release 6.0

Comments

@OpenNebulaProject
Copy link

Author Name: Laurence Gill (Laurence Gill)
Original Redmine Issue: 5402, https://dev.opennebula.org/issues/5402
Original Date: 2017-09-25

Is there any plans to support luks volumes for virtual machines? I have not managed to find any discussions around this on any opennebula mailing lists.

https://libvirt.org/formatstorageencryption.html#StorageEncryptionLuks

I think it would require qemu 2.6:

https://wiki.qemu.org/ChangeLog/2.6#Block_devices_2

...and also libvirt 2.2.0, and I'd guess you need to create a secret on the hypervisor, unless it could be randomly generated if you are creating a empty datablock to install to. Although if you created the volume outside of opennebula I suppose you could pass the parameters through using the raw kvm contextualisation.

Thoughts? Silly idea?

Cheers
@OpenNebulaProject
Copy link
Author

Original Redmine Comment
Author Name: Laurence Gill (Laurence Gill)
Original Date: 2017-10-03T16:03:48Z

I made a bit of progress on this, see
laurencegill@d9ecac7

Tested on debian jessie and you need to install the qemu/libvirt packages from backports to get the encryption support:

apt-get -t jessie-backports install libvirt0
apt-get -t jessie-backports install qemu-kvm qemu-utils qemu-block-extra qemu-system-common qemu-system-x86

Then create the image and import, create the libvirt secret etc, then you can attach the disk and it is decrypted, if it doesn't work you will still see the device as an encrypted luks disk (luksDump)

The question now is how to generate this the libvirt xml at deployment to contain the libvirt xml? I am a bit stuck here, does the LibVirtDriverKVM.cc file need changing, or is there a simpler way to change what is generated in the deployment file when instantiating the VM?

@OpenNebulaProject
Copy link
Author

Original Redmine Comment
Author Name: Anton Todorov (Anton Todorov)
Original Date: 2017-10-04T07:16:38Z

There is an entry in the backlog addressing the option to alter the VM deployment XML before deploy (#4880).

Currently I am patching the vmm/kvm/deploy script to execute a script to edit the deployment XML file before it is passed to libvirt.

Best Regards,
Anton Todorov

@OpenNebulaProject
Copy link
Author

Original Redmine Comment
Author Name: Laurence Gill (Laurence Gill)
Original Date: 2017-10-07T11:55:50Z

On balance, I figured it would be less lines of code to patch the driver:

laurencegill@fa44566

Seems to work, requires some further testing though...

@FlorianHeigl
Copy link
Contributor

Hey Laurence, if you ever see this:
I like this a lot, but what is your view on the actual security, does the passphrase end up visible on the context iso, or is it only visible to the driver?

@laurencegill
Copy link
Contributor

Hey Laurence, if you ever see this:
I like this a lot, but what is your view on the actual security, does the passphrase end up visible on the context iso, or is it only visible to the driver?

The UUID of the secret is referenced in the image attributes, for example as:
LUKS_SECRET = "35cdaa8f-6923-4378-b8bf-1d819b0f03e8",
The passphrase itself is a private libvirt secret. I have the full documentation somewhere...

I was actually going to bump this to see if there is any chance of merging this patch, as I have to manually patch the packages each time we upgrade, so, bump, anybody..?

@laurencegill
Copy link
Contributor

laurencegill commented Dec 3, 2018
edited

Basically it is these 2 commits:
laurencegill@d9ecac7
laurencegill@fa44566

It seems I did try to get it merged
#528

@stale
Copy link

stale bot commented Dec 3, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. The OpenNebula Dev Team

@laurencegill
Copy link
Contributor

We've been using this in production for 2 years for persistent VMs without any issues. It would be good to have it merged rather than ignored and marked as abandoned.

@stale stale bot removed the Status: Abandoned label Dec 3, 2019
@cloudweavers
Copy link

I strongly support this as well. I think it is a very useful feature, does not interfere in any way - I would be happy to see it merged.

@tinova
Copy link
Member

tinova commented Dec 10, 2019

Ok! You speak, we listen.

Bumping this to 5.12 (although this is not a commitment)

@tinova tinova added this to the Release 5.12 milestone Dec 10, 2019
@laurencegill laurencegill mentioned this issue Dec 13, 2019
Closed
@tinova tinova modified the milestones: Release 5.12, Release 5.12.1 Jun 16, 2020
@tinova tinova modified the milestones: Release 5.12.1, Release 5.12.2 Jul 8, 2020
@tinova tinova modified the milestones: Release 5.12.2, Release 5.12.3 Aug 5, 2020
@tinova tinova modified the milestones: Release 5.12.3, Release 5.12.4 Sep 3, 2020
@tinova tinova removed this from the Release 5.12.4 milestone Sep 23, 2020
@tinova tinova added this to the Release 5.12.5 milestone Sep 23, 2020
@tinova tinova modified the milestones: Release 5.12.5, Release 5.12.6 Oct 21, 2020
@tinova tinova modified the milestones: Release 5.12.6, Release 5.12.7 Nov 5, 2020
@laurencegill
Copy link
Contributor

Do you expect this to make the 5.17.7 release @tinova ? Is there anything I can do to help?

@tinova tinova modified the milestones: Release 5.12.7, Release 6.0 Dec 10, 2020
@tinova
Copy link
Member

tinova commented Dec 10, 2020

Unfortunately @laurencegill we need to remove this from 5.12 roadmap as it will soon enter feature freeze (it's an LTS release). We will do out best to tackle this for 6.0. If you could check that the PRs can still be applied into master that will help indeed.

@laurencegill
Copy link
Contributor

I think I have fixed the conflicts, but appear to have upset gitcop, presumably with the historical commit messages not confirming to the standard, which are now buried among the commits as I merged upstream. Shall I just create a new PR and remove the old one, and reference the github issue, as this dates back to the Redmine system?

xorel added a commit to OpenNebula/docs that referenced this issue Feb 18, 2021
@xorel
F OpenNebula/one#1345: LUKS encrypted image
1d7c2a6
xorel added a commit to OpenNebula/docs that referenced this issue Feb 18, 2021
@xorel
F OpenNebula/one#1345: LUKS encrypted image
4bb3465
rsmontero pushed a commit to OpenNebula/docs that referenced this issue Feb 18, 2021
@xorel
F OpenNebula/one#1345: LUKS encrypted image (#1477)
89c7371
rsmontero added a commit that referenced this issue Feb 24, 2021
@rsmontero
F #1345: Support for Image Encrypted attributes
60dd3a3
rsmontero pushed a commit that referenced this issue Feb 24, 2021
@xorel @laurencegill
F 1345: Allow using LUKS volumes for KVM (#808)
73c27a9 
* F #1345: KVM support for persistent luks volmes

Support for attaching a persistent qemu luks encrypted disk, created as
per the libvirt/qemu documentation.

Private secret must be defined on the hypervisor for decryption and the
image should contain "LUKS_SECRET" attribute.

1) Create the image and import into datastore:

 # qemu-img create --object secret,id=sec0,data=secretphrase -o key-secret=sec0 -f luks volume 1G

2) Create the secret on the hypervisor:

 # virsh secret-define volume-secret.xml
 # MYSECRET=`printf %s "secretphrase" | base64`
 # virsh secret-set-value $MYUUID $MYSECRET

 # virsh secret-dumpxml $MYUUID
 <secret ephemeral='no' private='yes'>
   <uuid>$MYUUID</uuid>
   <description>luks key</description>
   <usage type='volume'>
     <volume>rbd:one/one-123</volume>
   </usage>
 </secret>

3) Set the UUID in the image attributes, ie:

 # oneimage show 123 |grep LUKS
 LUKS_SECRET="$MYUUID"

This should allow the disk attach to decryt the luks image and
use as a normal disk within the VM.

Co-authored-by: Laurence <laurencegill@users.noreply.github.com>
rsmontero pushed a commit that referenced this issue May 5, 2021
@xorel
F #1345: Allow LUKS img in ceph DS (#1151)
f5d4d8b
atodorov-storpool pushed a commit to storpool/one that referenced this issue May 13, 2021
@xorel @atodorov-storpool
F OpenNebula#1345: Allow LUKS img in ceph DS (OpenNebula#1151)
bb94e1b
rsmontero pushed a commit that referenced this issue May 18, 2021
@xorel @rsmontero
F #1345: Allow LUKS img in ceph DS (#1151)
1e20ad8 
(cherry picked from commit f5d4d8b)
rsmontero pushed a commit that referenced this issue Jul 2, 2021
F #5441: Allow disabling fallocate for fs DS_MAD (#1345)
14a0c04
atodorov-storpool pushed a commit to storpool/one that referenced this issue Aug 3, 2021
@atodorov-storpool
F OpenNebula#5441: Allow disabling fallocate for fs DS_MAD (OpenNebul…
767c80e 
…a#1345)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@xorel xorel

Labels
Priority: Normal Status: Accepted Type: Feature
Projects
None yet
Milestone
Release 6.0
Development

No branches or pull requests
7 participants
@tinova @rsmontero @laurencegill @xorel @FlorianHeigl @cloudweavers @OpenNebulaProject