Re: [Qemu-devel] How to specify the full block driver tree on the CLI ?

[Kevin Wolf <kwolf@redhat.com>]

Am 29.10.2015 um 00:58 hat Daniel P. Berrange geschrieben:
> As previously mentioned, I'm working on support for LUKS full disk
> encryption in QEMU. I have a simple driver implemented that works
> on top of plain files. eg I can launch qemu-io thus:
> 
>  $ qemu-io /home/berrange/VirtualMachines/demo.luks-aes-cbc-plain-sha256
> 
> and it'll probe the luks format & instantiate my "luks" block driver impl
> on top of the "file" driver. IIUC, I should be able to layer this format
> driver on top of any of the QEMU block driver backends though. In particular
> I want to be able to layer it on top of any of the network drivers (RBD,
> iSCSI and glusterfs).

This part should work automatically as well if you just use the right
URL. qemu probes the format even if you're using a non-file protocol.

> I'm struggling to figure out the right syntax to
> specify this to QEMU though, using either qemu-io, or the system emulators
> with the -drive arg.  Are there any docs somewhere about the way to
> structure the command line arguments to build up a stack of block drivers.

You have a two options. The one that is universal (that is, it works in
all places that open an image), but a bit awkward to use manually is the
json: pseudo-protocol. The "filename" then contains a JSON object of the
QAPI BlockdevOptions type. The QAPI schema (qapi/block-core.json) is
probably the best documentation you get. When specifying JSON objects on
the -drive command line option, don't forget to escape commas by
doubling.

For example:

    qemu-system-x86_64 -drive file='json:{"driver":"luks",,\
    "secret":"x",,"file":{"driver":"file",,"filename":"test.luks"}}'

In qemu proper, you can use a dot syntax for -drive instead:

    qemu-system-x86_64 -drive \
    driver=luks,\
    secret=x,\
    file.driver=file,\
    file.filename=test.luks

In qemu-io, you can't use such syntax on the command line, but the open
command supports an -o option that accepts the same dot syntax.

Note that qemu-img can't deal with this stuff yet, so you'll have
trouble creating an image with such a specification. I guess you need to
create it as a local file first and then use non-qemu tools to copy it
somewhere where it's exported by rbd, iscsi or gluster.

> I'd like to figure out the following combinations, for qemu-io, qemu-img
> and system emulator -drive syntax.
> 
>  - luks -> file
>  - qcow2 -> luks -> file

This is the only case that isn't exactly the same as the example above.
I guess eventually we'll want to make qemu probe on top of luks, so that
you can just specify file=foo.qcow2.luks and it works.

For now, you have to be explicit and nest a level deeper:

    qemu-system-x86_64 -drive \
    driver=qcow2,\
    file.driver=luks,\
    file.secret=x,\
    file.file.driver=file,\
    file.file.filename=test.luks

Or the same structure in JSON, of course.

>  - luks -> rbd
>  - luks -> iscsi
>  - luks -> glusterfs
> 
> Currently the only required QemuOpt for the luks driver is the ID of
> a secret to provide the password.

Hope that helps.

Kevin