On 08.02.21 14:08, Fabian Grünbichler wrote:
> running outdated VMs without master key support will generate a warning
> but proceed with a backup without encrypted key upload.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
> ---
> 
> Notes:
>     requires libpve-storage-perl with master key support.
> 

needs a rebase

>  PVE/VZDump/QemuServer.pm | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/PVE/VZDump/QemuServer.pm b/PVE/VZDump/QemuServer.pm
> index b5e74d3..e3f785a 100644
> --- a/PVE/VZDump/QemuServer.pm
> +++ b/PVE/VZDump/QemuServer.pm
> @@ -485,6 +485,7 @@ sub archive_pbs {
>      my $repo = PVE::PBSClient::get_repository($scfg);
>      my $password = PVE::Storage::PBSPlugin::pbs_get_password($scfg, 
> $opts->{storage});
>      my $keyfile = 
> PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, 
> $opts->{storage});
> +    my $master_keyfile = 
> PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
>  
>      my $diskcount = scalar(@{$task->{disks}});
>      # proxmox-backup-client can only handle raw files and block devs
> @@ -533,6 +534,12 @@ sub archive_pbs {
>             . "sure you've installed the latest version and the VM has been 
> restarted.\n";
>       }
>  
> +     if (!defined($qemu_support->{"pbs-masterkey"}) && -e $master_keyfile) {
> +         $self->loginfo("WARNING: backup target is configured with master 
> key, but running QEMU version does not support master keys.");
> +         $self->loginfo("Please make sure you've installed the latest 
> version and the VM has been restarted to use master key feature.");
> +         $master_keyfile = undef; # skip rest of master key handling below
> +     }
> +
>       my $fs_frozen = $self->qga_fs_freeze($task, $vmid);
>  
>       my $params = {
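Review bot: When the running QEMU lacks `pbs-masterkey`, the added block clears `$master_keyfile` and lets the backup continue, and the only trace is two `loginfo` lines that carry "WARNING:" as plain text. The snapshot is then written without the master-key-encrypted copy of the key, so the recovery path the storage was configured for is missing for that snapshot, and an operator filtering task output by warning or error level would presumably not see it. I would emit this at the plugin's warning level if one exists (not visible here) and add a comment above the assignment such as `# fail-open: backup proceeds, but master key recovery will not work for this snapshot`. The `else` branch in the third hunk has the same issue: an unencrypted backup to a master-key target is reported via `loginfo` only. archive_pbs starts and ends outside this hunk.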
> @@ -551,7 +558,13 @@ sub archive_pbs {
>           $self->loginfo("enabling encryption");
>           $params->{keyfile} = $keyfile;
>           $params->{encrypt} = JSON::true;
> +         if (defined($master_keyfile) && -e $master_keyfile) {
> +             $self->loginfo("enabling master key feature");
> +             $params->{"master-keyfile"} = $master_keyfile;
> +         }
>       } else {
> +         $self->loginfo("WARNING: backup target is configured with master 
> key, but this backup is not encrypted - master key settings will be ignored!")
> +             if defined($master_keyfile) && -e $master_keyfile;
>           $params->{encrypt} = JSON::false;
>       }
>  
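Review bot: `defined($master_keyfile) && -e $master_keyfile` is spelled out separately in both branches here, in addition to the `-e` test in the previous hunk, so the file is checked twice per run and the two results could in principle differ. Computing it once before the `if`, e.g. `my $use_master_key = defined($master_keyfile) && -e $master_keyfile;`, and testing `$use_master_key` in both branches keeps the log messages and `$params->{"master-keyfile"}` consistent with each other. The enclosing `if` starts outside the hunk, so its condition is not visible here.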
> 


