[libvirt] [PATCH v2 0/5] qemu: Forbid old qcow/qcow2 encryption
John Ferlan
jferlan at redhat.com
Thu May 31 11:22:28 UTC 2018
On 05/31/2018 02:18 AM, Peter Krempa wrote:
> On Wed, May 30, 2018 at 16:14:31 -0400, John Ferlan wrote:
>>
>>
>> On 05/23/2018 10:13 AM, Peter Krempa wrote:
>>> The old qcow/qcow2 encryption format is so broken that qemu decided to
>>> drop it completely. This series forbids the use of such images even with
>>> qemus prior to this and removes all the cruft necessary to support it.
>>>
>>> v2:
>>> - fixed check to include the qcow format too
>>> - reworded the error message slightly
>>> - split second patch into two with proper justification for the
>>> user-alias test since checking LUKS there actually makes sense
>>>
>>> Peter Krempa (5):
>>> tests: qemuxml2argv: Drop disk encryption from 'interface-server' test
>>> tests: qemuxml2argv: Verify that disk secret alias is correct with
>>> user-aliases
>>> tests: qemublock: Switch to qcow2+luks in test files
>>> qemu: domain: Forbid storage with old QCOW2 encryption
>>> qemu: Remove code for setting up disk passphrases
>>>
>>
>> Why not remove it from storage as well? It's not like anything could or
>> would want to use whatever the storage driver created. There's always
>> the fall back to indicate to use qemu-img for the die hards.
>
> If we've ever supported the use case of converting a qcow2 encrypted
> volume even into a unencrypted volume, we should keep that for allowing
> migration from those volumes.
>
Without (at least parts of) for qemu's 2.9 or later:
https://www.redhat.com/archives/libvir-list/2018-May/msg01268.html
it won't work anyway because of qemu secret work.
I think you probably need to make some documentation updates too. If not
removing things, then updating certain pages to indicate as of libvirt
4.X.0 it won't be possible to use for domains (and possibly storage).
John
More information about the libvir-list
mailing list