From: Kevin Wolf <kwolf@redhat.com>
To: John Snow <jsnow@redhat.com>
Cc: Craig Mull <cmull@us.ibm.com>,
	pkrempa@redhat.com, qemu-devel@nongnu.org,
	Qemu-block <qemu-block@nongnu.org>, Leo Luan <leoluan@us.ibm.com>
Subject: Re: Qemu Dirty Bitmap backup to encrypted target
Date: Tue, 1 Oct 2019 10:45:53 +0200
Message-ID: <20191001084553.GA4688@linux.fritz.box>
In-Reply-To: <facf5e37-18e0-7de5-09cf-a088f471d8ad@redhat.com>

On 01.10.2019 at 02:24, John Snow wrote:
> 
> 
> On 9/30/19 3:26 PM, Craig Mull wrote:
> > How can I have QEMU backup write the output to an encrypted target?
> >  
> > Blocks in the dirty bitmap are unencrypted, and as such when I write
> > them with QEMU backup they are written to the target unencrypted.
> >  
> > I've experimented with providing a json string as the target but with no
> > luck.
> >  
> > 
> > transaction='{ "execute": "transaction",
> >   "arguments": {
> >     "actions": [
> >       {"type": "block-dirty-bitmap-add",
> >        "data": {"node": "drive-virtio-disk0", "granularity": 2097152, "name": "mybitmap"} },
> >       {"type": "drive-backup",
> >        "data": {"device": "drive-virtio-disk0", "target": "json:{\"encrypt.format\": \"luks\", \"encrypt.key-secret\": \"virtio-disk0-luks-secret0\", \"driver\": \"qcow2\", \"file\": {\"driver\": \"file\", \"filename\": \"/tmp/target-encrypt-test.qcow2\"}}",
> >                 "sync": "full", "format": "qcow2"} }
> >     ]
> >   }
> > }'
> > 
> > virsh -c qemu:///system qemu-monitor-command --pretty 28 $transaction
> > 
> > {
> >   "id": "libvirt-45",
> >   "error": {
> >     "class": "GenericError",
> >     "desc": "Unknown protocol 'json'"
> >   }
> > }
> > 
> 
> I'll be honest, I'm not very good at the json specifications and don't
> really know when they're appropriate to use. At the basic level,
> drive-backup expects a filename. Sometimes the filename can get fancy,
> but... I stay away from that.
> 
> Try using qmp-blockdev-create to create the target node instead, and
> then using blockdev-backup to backup to that target.

As the actual invocation is a virsh command, I think this is more of a
libvirt question than a QEMU one.

I suspect that libvirt won't support this without -blockdev support
(which will enable blockdev-backup instead of drive-backup), but even
then libvirt might not even offer an API for an encrypted target. Not
sure, though, so CCing Peter.

Kevin
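
The sequence John Snow suggests above (create the target node with blockdev-create, then back up to it with blockdev-backup), written out as an added example that is not part of the original thread and is raw QMP, not a libvirt API. The node names `backup-file` and `backup-target`, the job ids and the 10 GiB size are assumptions, and the secret object `virtio-disk0-luks-secret0` is assumed to already exist in the QEMU process.

```python
import json

def cmd(name, args):
    return {"execute": name, "arguments": args}

def encrypted_backup_plan(source, bitmap, path, size, secret_id,
                          granularity=2097152):
    """Ordered QMP commands: build a LUKS-encrypted qcow2 node, then back up to it.

    Each blockdev-create starts a job; wait for it to conclude and job-dismiss
    it before sending the next command.
    """
    # The key never appears in the commands, only the id of a secret object
    # that must already exist in the QEMU process.
    enc = {"format": "luks", "key-secret": secret_id}
    return [
        cmd("blockdev-create", {"job-id": "create-file", "options": {
            "driver": "file", "filename": path, "size": 0}}),
        cmd("blockdev-add", {"driver": "file", "node-name": "backup-file",
                             "filename": path}),
        cmd("blockdev-create", {"job-id": "create-qcow2", "options": {
            "driver": "qcow2", "file": "backup-file", "size": size,
            "encrypt": enc}}),
        cmd("blockdev-add", {"driver": "qcow2", "node-name": "backup-target",
                             "file": "backup-file", "encrypt": enc}),
        cmd("transaction", {"actions": [
            {"type": "block-dirty-bitmap-add", "data": {
                "node": source, "name": bitmap, "granularity": granularity}},
            {"type": "blockdev-backup", "data": {
                "job-id": "backup0", "device": source,
                "target": "backup-target", "sync": "full"}}]}),
    ]

def unencrypted_targets(plan):
    """Return qcow2 create/open steps that lack an encrypt section."""
    bad = []
    for step in plan:
        args = step["arguments"]
        opts = args.get("options", args)  # blockdev-create nests its options
        if opts.get("driver") == "qcow2" and "encrypt" not in opts:
            bad.append(step["execute"])
    return bad

if __name__ == "__main__":
    # 10 GiB is a constructed size; use the source disk's virtual size.
    plan = encrypted_backup_plan("drive-virtio-disk0", "mybitmap",
                                 "/tmp/target-encrypt-test.qcow2",
                                 10 * 1024**3, "virtio-disk0-luks-secret0")
    assert unencrypted_targets(plan) == []
    print("\n".join(json.dumps(c) for c in plan))
```

Because the target is referenced by node name, the backup job writes through the qcow2 encryption layer instead of parsing a filename string, which is where the `json:` target in the quoted transaction failed.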

