From: Kevin Wolf <kwolf@redhat.com>
To: John Snow <jsnow@redhat.com>
Cc: Craig Mull <cmull@us.ibm.com>,
pkrempa@redhat.com, qemu-devel@nongnu.org,
Qemu-block <qemu-block@nongnu.org>, Leo Luan <leoluan@us.ibm.com>
Subject: Re: Qemu Dirty Bitmap backup to encrypted target
Date: Tue, 1 Oct 2019 10:45:53 +0200 [thread overview]
Message-ID: <20191001084553.GA4688@linux.fritz.box> (raw)
In-Reply-To: <facf5e37-18e0-7de5-09cf-a088f471d8ad@redhat.com>
Am 01.10.2019 um 02:24 hat John Snow geschrieben:
>
>
> On 9/30/19 3:26 PM, Craig Mull wrote:
> > How can have QEMU backup write the output to an encrypted target?
> >
> > Blocks in the dirty bitmap are unencrypted, and as such when I write
> > them with QEMU backup they are written to the target unencrypted.
> >
> > I've experimented with providing a json string as the target but with no
> > luck.
> >
> >
> > transaction='{ "execute": "transaction",
> >
> > "arguments": {
> >
> > "actions": [
> >
> > {"type": "block-dirty-bitmap-add",
> >
> > "data": {"node": "drive-virtio-disk0", "granularity": 2097152,
> > "name": "mybitmap"} },
> >
> > {"type": "drive-backup",
> >
> > "data": {"device": "drive-virtio-disk0", "target":
> > "json:{\"encrypt.format\": \"luks\", \"encrypt.key-secret\":
> > \"virtio-disk0-luks-secret0\", \"driver\": \"qcow2\", \"file\":
> > {\"driver\": \"file\", \"filename\": \"/tmp/target-encrypt-test.qcow2\"}}",
> >
> > "sync": "full", "format": "qcow2"} }
> >
> > ]
> >
> > }
> >
> > }'
> >
> >
> >
> > virsh -c qemu:///system qemu-monitor-command --pretty 28 $transaction
> >
> >
> >
> > {
> >
> > "id": "libvirt-45",
> >
> > "error": {
> >
> > "class": "GenericError",
> >
> > "desc": "Unknown protocol 'json'"
> >
> > }
> >
> > }
> >
> >
>
> I'll be honest, I'm not very good at the json specifications and don't
> really know when they're appropriate to use. At the basic level,
> drive-backup expects a filename. Sometimes the filename can get fancy,
> but... I stay away from that.
>
> Try using qmp-blockdev-create to create the target node instead, and
> then using blockdev-backup to backup to that target.
As the actual invocation is a virsh command, I think this is more of a
libvirt question than a QEMU one.
I suspect that libvirt won't support this without -blockdev support
(which will enable blockdev-backup instead of drive-backup), but even
then libvirt might not even offer an API for an encrypted target. Not
sure, though, so CCing Peter.
Kevin
next prev parent reply other threads:[~2019-10-01 8:46 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-30 19:26 Qemu Dirty Bitmap backup to encrypted target Craig Mull
2019-10-01 0:24 ` John Snow
2019-10-01 8:45 ` Kevin Wolf [this message]
2019-10-01 11:43 ` Peter Krempa
2019-10-02 11:35 ` Craig Mull
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191001084553.GA4688@linux.fritz.box \
--to=kwolf@redhat.com \
--cc=cmull@us.ibm.com \
--cc=jsnow@redhat.com \
--cc=leoluan@us.ibm.com \
--cc=pkrempa@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).