After collecting some material from the web and reading the libvirt documentation, I finally managed to boot a VM from a LUKS-encrypted disk.
The libvirt and qemu-kvm versions are critical; with the wrong ones it simply does not work. My initial environment was libvirt 3.2 and qemu 1.5.3, both stock CentOS packages, and defining the volume failed:
# virsh vol-create ocz-5ef92v58m9be7jo9 /tmp/in
error: Failed to create vol from /tmp/in
error: unsupported configuration: storage pool does not support encrypted volumes
The last line is the key. At first I assumed the standard packages would do; replacing them with the virt SIG builds fixed the problem.
Add the repo:
# cat /etc/yum.repos.d/CentOS-QEMU-EV.repo
[centos-qemu-ev]
name=CentOS-$releasever - QEMU EV
baseurl=http://mirror.centos.org/centos/$releasever/virt/$basearch/kvm-common/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization

[centos-qemu-ev-test]
name=CentOS-$releasever - QEMU EV Testing
baseurl=http://buildlogs.centos.org/centos/$releasever/virt/$basearch/kvm-common/
gpgcheck=0
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization

[libvirt-last]
name=CentOS-libvirt-last
baseurl=http://buildlogs.centos.org/centos/$releasever/virt/$basearch/libvirt-latest/
gpgcheck=0
enabled=1
Then run: yum update qemu-kvm libvirt-daemon
1. First define the pool
# cat log.pool
<pool type='logical'>
  <name>lp</name>
  <capacity unit='bytes'>0</capacity>
  <allocation unit='bytes'>0</allocation>
  <available unit='bytes'>0</available>
  <source>
    <device path='/dev/sda3'/>
    <name>logical</name>
    <format type='lvm2'/>
  </source>
  <target>
    <path>/dev/lp</path>
    <permissions>
      <mode>0755</mode>
    </permissions>
  </target>
</pool>

# virsh pool-define log.pool
# virsh pool-build lp
# virsh pool-start lp
There was a small hiccup along the way: virsh pool-build reported an error (I forget the exact message); after running pvcreate and pvremove it went through, probably because sda3 still had data on it.
2. Create the volume
# cat sec2.xml
<secret ephemeral='no' private='yes'>
  <uuid>b9cdf965-bf99-4a07-886e-63e193907a5e</uuid>
</secret>

# cat vol1.xml
<volume>
  <name>vol1</name>
  <capacity unit='G'>5</capacity>
  <target>
    <path>/dev/logical/vol1</path>
    <format type='raw'/>
    <encryption format='luks'>
      <secret type='passphrase' uuid='b9cdf965-bf99-4a07-886e-63e193907a5e'/>
    </encryption>
  </target>
</volume>

# virsh secret-define sec2.xml
# MYSECRET=`printf %s "redhat" | base64`
# virsh secret-set-value b9cdf965-bf99-4a07-886e-63e193907a5e $MYSECRET
# virsh vol-create lp vol1.xml
Now the logical volume is visible; run
# lvs
LV   VG      Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
root centos  -wi-ao---- 50.00g
swap centos  -wi-ao----  7.75g
vol1 logical -wi-ao----  5.00g   <------------------ this line
3. Create the VM
...
<disk type='volume' device='disk'>
  <driver name='qemu' type='raw'/>
  <source pool='lp' volume='vol1'/>
  <target dev='sda' bus='scsi'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='b9cdf965-bf99-4a07-886e-63e193907a5e'/>
  </encryption>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
...

# virsh define centos7_3.xml
# virsh start centos7_qcow2encrypt
Everything the guest does from here on goes to the encrypted disk.
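The secret/volume/domain XML above all have to agree on one secret UUID, and the passphrase must be base64-encoded exactly. The helper below is an added example, not part of the original post: it emits the secret and volume XML for a UUID, encodes the passphrase the way the post's `printf %s` form does, and checks a domain definition for LUKS disks whose secret UUID is not among the defined secrets. The domain XML and the set of defined secrets are constructed sample data.

```python
"""Added helper, not from the original post: emit the secret and LUKS volume
XML for one UUID and flag domain disks whose secret UUID is not defined."""
import base64
import xml.etree.ElementTree as ET

def secret_value(passphrase: str) -> str:
    """Value for `virsh secret-set-value`: base64 of the exact passphrase bytes.
    `echo pw | base64` would also encode the trailing newline, so the LUKS key
    would silently end in a newline; this matches the post's `printf %s` form."""
    return base64.b64encode(passphrase.encode()).decode()

def secret_xml(secret_uuid: str) -> str:
    """Persistent (ephemeral='no'), private secret; only the UUID is in the XML."""
    return (f"<secret ephemeral='no' private='yes'>\n"
            f"  <uuid>{secret_uuid}</uuid>\n</secret>\n")

def luks_volume_xml(name: str, path: str, size_gb: int, secret_uuid: str) -> str:
    """Raw LVM volume whose payload is LUKS-encrypted with the given secret."""
    return (f"<volume>\n  <name>{name}</name>\n"
            f"  <capacity unit='G'>{size_gb}</capacity>\n  <target>\n"
            f"    <path>{path}</path>\n    <format type='raw'/>\n"
            f"    <encryption format='luks'>\n"
            f"      <secret type='passphrase' uuid='{secret_uuid}'/>\n"
            f"    </encryption>\n  </target>\n</volume>\n")

def dangling_luks_secrets(domain_xml: str, defined: set) -> list:
    """(target dev, uuid) for each LUKS disk whose secret is not in `defined`,
    the set you would fill from `virsh secret-list` on the host."""
    missing = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        for sec in disk.findall("./encryption[@format='luks']/secret"):
            if sec.get("uuid") not in defined:
                missing.append((disk.find("target").get("dev"), sec.get("uuid")))
    return missing

# Constructed sample: only the post's first secret is defined; sdb references a
# UUID differing by one character (4a08 vs 4a07), easy to miss in hand-edited XML.
DEFINED = {"b9cdf965-bf99-4a07-886e-63e193907a5e"}
DOMAIN = """<domain type='kvm'><devices>
<disk type='volume' device='disk'><source pool='lp' volume='vol1'/>
<target dev='sda' bus='scsi'/><encryption format='luks'>
<secret type='passphrase' uuid='b9cdf965-bf99-4a07-886e-63e193907a5e'/></encryption></disk>
<disk type='file' device='disk'><source file='/var/lib/libvirt/images/a.luks'/>
<target dev='sdb' bus='scsi'/><encryption format='luks'>
<secret type='passphrase' uuid='b9cdf965-bf99-4a08-886e-63e193907a5e'/></encryption></disk>
</devices></domain>"""

if __name__ == "__main__":
    print(secret_xml("b9cdf965-bf99-4a07-886e-63e193907a5e"), end="")
    print("dangling:", dangling_luks_secrets(DOMAIN, DEFINED))
```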
You can also create a LUKS-encrypted disk directly with qemu-img
# MYSECRET=`echo 123456|base64`
# qemu-img create -f luks --object secret,data=$MYSECRET,id=sec0,format=base64,qom-type=secret -o key-secret=sec0 a.luks 1G
Note that echo appends a newline, so the passphrase encoded here is "123456" followed by a newline; it still works because the same $MYSECRET is handed to both qemu-img and libvirt, but use printf %s as above if the passphrase must match one typed elsewhere.
Write a secret XML file
# cat sec3.xml
<secret ephemeral='no' private='yes'>
  <uuid>b9cdf965-bf99-4a08-886e-63e193907a5e</uuid>
</secret>

# virsh secret-define sec3.xml
# virsh secret-set-value b9cdf965-bf99-4a08-886e-63e193907a5e $MYSECRET
Then the disk can be used inside the VM:
<disk type='file' device='disk'>
  <driver name='qemu' type='raw'/>
  <source file='/var/lib/libvirt/images/a.luks'/>
  <target dev='sdb' bus='scsi'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='b9cdf965-bf99-4a08-886e-63e193907a5e'/>
  </encryption>
</disk>
Extension:
Creating a snapshot of a LUKS-format disk:
# qemu-img create -f qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 -b 'json:{"driver": "luks", "file": {"driver": "file", "filename": "/home/qgx_1/vm/disk-encrypt/base.luks"}, "key-secret": "sec0"}' -F luks sn1.qcow2