[pve-devel] [PATCH qemu-server] vzdump: add master key support
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri May 28 13:50:55 CEST 2021
On 08.02.21 14:08, Fabian Grünbichler wrote:
> running outdated VMs without master key support will generate a warning
> but proceed with a backup without encrypted key upload.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
>
> Notes:
> requires libpve-storage-perl with master key support.
>
needs a rebase
> PVE/VZDump/QemuServer.pm | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/PVE/VZDump/QemuServer.pm b/PVE/VZDump/QemuServer.pm
> index b5e74d3..e3f785a 100644
> --- a/PVE/VZDump/QemuServer.pm
> +++ b/PVE/VZDump/QemuServer.pm
> @@ -485,6 +485,7 @@ sub archive_pbs {
> my $repo = PVE::PBSClient::get_repository($scfg);
> my $password = PVE::Storage::PBSPlugin::pbs_get_password($scfg, $opts->{storage});
> my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage});
> + my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
>
> my $diskcount = scalar(@{$task->{disks}});
> # proxmox-backup-client can only handle raw files and block devs
> @@ -533,6 +534,12 @@ sub archive_pbs {
> . "sure you've installed the latest version and the VM has been restarted.\n";
> }
>
> + if (!defined($qemu_support->{"pbs-masterkey"}) && -e $master_keyfile) {
> + $self->loginfo("WARNING: backup target is configured with master key, but running QEMU version does not support master keys.");
> + $self->loginfo("Please make sure you've installed the latest version and the VM has been restarted to use master key feature.");
> + $master_keyfile = undef; # skip rest of master key handling below
> + }
> +
> my $fs_frozen = $self->qga_fs_freeze($task, $vmid);
>
> my $params = {
> @@ -551,7 +558,13 @@ sub archive_pbs {
> $self->loginfo("enabling encryption");
> $params->{keyfile} = $keyfile;
> $params->{encrypt} = JSON::true;
> + if (defined($master_keyfile) && -e $master_keyfile) {
> + $self->loginfo("enabling master key feature");
> + $params->{"master-keyfile"} = $master_keyfile;
> + }
> } else {
> + $self->loginfo("WARNING: backup target is configured with master key, but this backup is not encrypted - master key settings will be ignored!")
> + if defined($master_keyfile) && -e $master_keyfile;
> $params->{encrypt} = JSON::false;
> }
>
>
More information about the pve-devel
mailing list