From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) client-ip=209.132.183.25; envelope-from=libvir-list-bounces@redhat.com; helo=mx4-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) by mx.zohomail.com with SMTPS id 1487360592059842.1350732088523; Fri, 17 Feb 2017 11:43:12 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJe1aV012585; Fri, 17 Feb 2017 14:40:01 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdXHf012467 for ; Fri, 17 Feb 2017 14:39:33 -0500 Received: by smtp.corp.redhat.com (Postfix) id EA8F7BAFEC; Fri, 17 Feb 2017 19:39:33 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id AAEBCBAFE3 for ; Fri, 17 Feb 2017 19:39:33 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:18 -0500 Message-Id: <20170217193930.14943-2-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 01/13] qemu: Create #define for TLS configuration setup. X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Create GET_CONFIG_TLS_CERT to set up the TLS for 'chardev' TLS setting. Soon to be reused. Signed-off-by: John Ferlan --- src/qemu/qemu_conf.c | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index b5b0645..09066e4 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -529,22 +529,31 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPt= r cfg, if (virConfGetValueBool(conf, "spice_auto_unix_socket", &cfg->spiceAut= oUnixSocket) < 0) goto cleanup; =20 - if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0) - goto cleanup; - if (virConfGetValueString(conf, "chardev_tls_x509_cert_dir", &cfg->cha= rdevTLSx509certdir) < 0) - goto cleanup; - if ((rv =3D virConfGetValueBool(conf, "chardev_tls_x509_verify", &cfg-= >chardevTLSx509verify)) < 0) - goto cleanup; - if (rv =3D=3D 0) - cfg->chardevTLSx509verify =3D cfg->defaultTLSx509verify; - if (virConfGetValueString(conf, "chardev_tls_x509_secret_uuid", - &cfg->chardevTLSx509secretUUID) < 0) - goto cleanup; - if (!cfg->chardevTLSx509secretUUID && cfg->defaultTLSx509secretUUID) { - if (VIR_STRDUP(cfg->chardevTLSx509secretUUID, - cfg->defaultTLSx509secretUUID) < 0) - goto cleanup; - } +#define GET_CONFIG_TLS_CERT(val) = \ + do { = \ + if (virConfGetValueBool(conf, #val "_tls", &cfg->val## TLS) < 0) = \ + goto cleanup; = \ + if ((rv =3D virConfGetValueBool(conf, #val "_tls_x509_verify", = \ + &cfg->val## TLSx509verify)) < 0) = \ + goto cleanup; = \ + if (rv =3D=3D 0) = \ + cfg->val## TLSx509verify =3D cfg->defaultTLSx509verify; = \ + if (virConfGetValueString(conf, #val "_tls_x509_cert_dir", = \ + &cfg->val## TLSx509certdir) < 0) = \ + goto cleanup; = \ + if (virConfGetValueString(conf, = \ + #val "_tls_x509_secret_uuid", = \ + &cfg->val## TLSx509secretUUID) < 0) = \ + goto cleanup; = \ + if (!cfg->val## TLSx509secretUUID && = \ + cfg->defaultTLSx509secretUUID) { = \ + if (VIR_STRDUP(cfg->val## TLSx509secretUUID, = \ + cfg->defaultTLSx509secretUUID) < 0) = \ + goto cleanup; = \ + } = \ + } while (false); + + GET_CONFIG_TLS_CERT(chardev); =20 if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSo= cketPortMin) < 0) goto cleanup; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue 
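Review bot: The `} while (false);` that closes GET_CONFIG_TLS_CERT carries its own semicolon, so `GET_CONFIG_TLS_CERT(chardev);` expands to an extra empty statement, and the macro stays defined after its last use although it silently depends on `conf`, `cfg`, `rv` and a `cleanup` label being in scope; drop the trailing `;` from the macro body and put `#undef GET_CONFIG_TLS_CERT` after the final invocation so later code cannot pick it up by accident. Because the macro hides the security-relevant defaults, a one-line comment above it would help readers who do not expand it, e.g. `/* Load <val>_tls* keys; _tls_x509_verify and _tls_x509_secret_uuid inherit the default_tls_* values when unset */`, which is exactly what the `rv == 0` branch and the VIR_STRDUP fallback implement. The enclosing virQEMUDriverConfigLoadFile starts and ends outside the hunk.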
Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) client-ip=209.132.183.25; envelope-from=libvir-list-bounces@redhat.com; helo=mx4-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) by mx.zohomail.com with SMTPS id 1487360597239709.3664072627861; Fri, 17 Feb 2017 11:43:17 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdau7012560; Fri, 17 Feb 2017 14:39:36 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdYgm012475 for ; Fri, 17 Feb 2017 14:39:34 -0500 Received: by smtp.corp.redhat.com (Postfix) id 5E1C9BBA29; Fri, 17 Feb 2017 19:39:34 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1E316B682B for ; Fri, 17 Feb 2017 19:39:34 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:19 -0500 Message-Id: <20170217193930.14943-3-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 02/13] conf: Introduce migrate_tls_x509_cert_dir X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add a new TLS X.509 certificate type - "migrate". This will handle the creation of a TLS certificate capability (and possibly repository) to be used for migrations. Similar to chardev's, credentials will be handled via a libvirt secrets. Signed-off-by: John Ferlan --- src/qemu/libvirtd_qemu.aug | 6 ++++++ src/qemu/qemu.conf | 39 ++++++++++++++++++++++++++++++++++= ++++ src/qemu/qemu_conf.c | 2 ++ src/qemu/qemu_conf.h | 5 +++++ src/qemu/test_libvirtd_qemu.aug.in | 4 ++++ 5 files changed, 56 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 82bae9e..18679c1 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -54,6 +54,11 @@ module Libvirtd_qemu =3D | bool_entry "chardev_tls_x509_verify" | str_entry "chardev_tls_x509_secret_uuid" =20 + let migrate_entry =3D bool_entry "migrate_tls" + | str_entry "migrate_tls_x509_cert_dir" + | bool_entry "migrate_tls_x509_verify" + | str_entry "migrate_tls_x509_secret_uuid" + let nogfx_entry =3D bool_entry "nographics_allow_host_audio" =20 let remote_display_entry =3D int_entry "remote_display_port_min" 
@@ -116,6 +121,7 @@ module Libvirtd_qemu =3D | vnc_entry | spice_entry | chardev_entry + | migrate_entry | nogfx_entry | remote_display_entry | security_entry diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 97d769d..83d91b6 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -238,6 +238,45 @@ #chardev_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" =20 =20 +# Enable use of TLS encryption for migration +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +#migrate_tls =3D 1 + + +# In order to override the default TLS certificate location for migration +# certificates, supply a valid path to the certificate directory. If the +# provided path does not exist then the default_tls_x509_cert_dir path +# will be used. +# +#migrate_tls_x509_cert_dir =3D "/etc/pki/libvirt-migrate" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing a x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client who does not have a +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem +# +#migrate_tls_x509_verify =3D 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#migrate_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" + + # By default, if no graphical front end is configured, libvirt will disable # QEMU audio output since directly talking to alsa/pulseaudio may not work # with various security settings. If you know what you're doing, enable 
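Review bot: The migrate_tls_x509_cert_dir comment states that a non-existent path silently falls back to default_tls_x509_cert_dir, which means a typo in this setting changes which CA and server certificate protect migration traffic without any error being raised; that consequence should be spelled out for the administrator, e.g. `# NB a mistyped path is not reported: the default_tls_x509_cert_dir certificates are used instead, so check the directory exists before relying on this setting.` The migrate_tls_x509_verify text names `/etc/pki/libvirt-migrate/ca-cert.pem` as the CA, which presumably only holds when migrate_tls_x509_cert_dir is not overridden, so `ca-cert.pem` under the configured directory is the safer wording. The comment also leaves the default of migrate_tls_x509_verify unstated, while the loader in patch 01 inherits default_tls_x509_verify when the key is absent; a sentence saying so would avoid admins assuming it is off.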
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 09066e4..a03fcf0 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -555,6 +555,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr = cfg, =20 GET_CONFIG_TLS_CERT(chardev); =20 + GET_CONFIG_TLS_CERT(migrate); + if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSo= cketPortMin) < 0) goto cleanup; if (cfg->webSocketPortMin < QEMU_WEBSOCKET_PORT_MIN) { diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index e585f81..ac7badb 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -137,6 +137,11 @@ struct _virQEMUDriverConfig { bool chardevTLSx509verify; char *chardevTLSx509secretUUID; =20 + bool migrateTLS; + char *migrateTLSx509certdir; + bool migrateTLSx509verify; + char *migrateTLSx509secretUUID; + unsigned int remotePortMin; unsigned int remotePortMax; =20 diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index bd25235..3d884e5 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
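Review bot: The two new heap strings `migrateTLSx509certdir` and `migrateTLSx509secretUUID` are filled by GET_CONFIG_TLS_CERT(migrate) (virConfGetValueString and VIR_STRDUP allocate them), but nothing in this patch releases them and the diffstat shows qemu_conf.c changing by only the two-line call; unless a later patch in the series updates the config dispose routine that already frees the chardev strings, `VIR_FREE(cfg->migrateTLSx509certdir); VIR_FREE(cfg->migrateTLSx509secretUUID);` need to be added there or every config reload leaks them. The new struct fields also have no comment; a short one such as `/* migrate_tls* settings from qemu.conf; verify and secret UUID inherit the default_tls_* values when unset */` would document the defaults that the loader macro applies. The enclosing struct _virQEMUDriverConfig starts and ends outside the hunk.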
@@ -25,6 +25,10 @@ module Test_libvirtd_qemu =3D { "chardev_tls_x509_cert_dir" =3D "/etc/pki/libvirt-chardev" } { "chardev_tls_x509_verify" =3D "1" } { "chardev_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } +{ "migrate_tls" =3D "1" } +{ "migrate_tls_x509_cert_dir" =3D "/etc/pki/libvirt-migrate" } +{ "migrate_tls_x509_verify" =3D "1" } +{ "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "nographics_allow_host_audio" =3D "1" } { "remote_display_port_min" =3D "5900" } { "remote_display_port_max" =3D "65535" } --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) client-ip=209.132.183.37; envelope-from=libvir-list-bounces@redhat.com; helo=mx5-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) by mx.zohomail.com with SMTPS id 1487360622542483.73037025057454; Fri, 17 Feb 2017 11:43:42 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1HJe2B9009695; Fri, 17 Feb 2017 14:40:02 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdYq0012480 for ; Fri, 17 Feb 2017 14:39:34 -0500 Received: by smtp.corp.redhat.com (Postfix) id C439DB682B; Fri, 17 Feb 2017 19:39:34 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 845D0BBA29 for ; Fri, 
17 Feb 2017 19:39:34 +0000 (UTC) From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:20 -0500 Message-Id: <20170217193930.14943-4-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 03/13] qemu: Rename qemuAliasTLSObjFromChardevAlias X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" It's not really 'Chardev' specific - we can reuse this for other objects. Signed-off-by: John Ferlan --- src/qemu/qemu_alias.c | 8 ++++---- src/qemu/qemu_alias.h | 2 +- src/qemu/qemu_command.c | 4 ++-- src/qemu/qemu_hotplug.c | 6 +++--- src/qemu/qemu_monitor_json.c | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c index 8521a44..4cccf23 100644 --- a/src/qemu/qemu_alias.c +++ b/src/qemu/qemu_alias.c @@ -609,17 +609,17 @@ qemuDomainGetSecretAESAlias(const char *srcalias, } =20 =20 -/* qemuAliasTLSObjFromChardevAlias - * @chardev_alias: Pointer to the chardev alias string +/* qemuAliasTLSObjFromSrcAlias + * @srcAlias: Pointer to a source alias string * * Generate and return a string to be used as the TLS object alias */ char * -qemuAliasTLSObjFromChardevAlias(const char *chardev_alias) +qemuAliasTLSObjFromSrcAlias(const char *srcAlias) { char *ret; =20 - ignore_value(virAsprintf(&ret, "obj%s_tls0", chardev_alias)); + ignore_value(virAsprintf(&ret, "obj%s_tls0", srcAlias)); =20 return ret; } 
diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h index dea05cf..300fd4d 100644 --- a/src/qemu/qemu_alias.h +++ b/src/qemu/qemu_alias.h @@ -81,7 +81,7 @@ char *qemuDomainGetMasterKeyAlias(void); char *qemuDomainGetSecretAESAlias(const char *srcalias, bool isLuks); =20 -char *qemuAliasTLSObjFromChardevAlias(const char *chardev_alias) +char *qemuAliasTLSObjFromSrcAlias(const char *srcAlias) ATTRIBUTE_NONNULL(1); =20 char *qemuAliasChardevFromDevAlias(const char *devAlias) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index c00a47a..d831d56 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -782,7 +782,7 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd, qemuCaps, &props) < 0) goto cleanup; =20 - if (!(objalias =3D qemuAliasTLSObjFromChardevAlias(inalias))) + if (!(objalias =3D qemuAliasTLSObjFromSrcAlias(inalias))) goto cleanup; =20 if (!(tmp =3D virQEMUBuildObjectCommandlineFromJSON("tls-creds-x509", @@ -5098,7 +5098,7 @@ qemuBuildChrChardevStr(virLogManagerPtr logManager, charAlias, qemuCaps) < 0) goto cleanup; =20 - if (!(objalias =3D qemuAliasTLSObjFromChardevAlias(charAlias))) + if (!(objalias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) goto cleanup; virBufferAsprintf(&buf, ",tls-creds=3D%s", objalias); VIR_FREE(objalias); diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 2f209f1..8d15eee 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1561,7 +1561,7 @@ qemuDomainGetChardevTLSObjects(virQEMUDriverConfigPtr= cfg, tlsProps) < 0) return -1; =20 - if (!(*tlsAlias =3D qemuAliasTLSObjFromChardevAlias(charAlias))) + if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) return -1; dev->data.tcp.tlscreds =3D true; =20 
@@ -4016,7 +4016,7 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver, if (chr->source->type =3D=3D VIR_DOMAIN_CHR_TYPE_TCP && chr->source->data.tcp.haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { =20 - if (!(tlsAlias =3D qemuAliasTLSObjFromChardevAlias(charAlias))) + if (!(tlsAlias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) goto cleanup; =20 /* Best shot at this as the secinfo is destroyed after process lau= nch @@ -4095,7 +4095,7 @@ qemuDomainRemoveRNGDevice(virQEMUDriverPtr driver, goto cleanup; =20 if (rng->backend =3D=3D VIR_DOMAIN_RNG_BACKEND_EGD) { - if (!(tlsAlias =3D qemuAliasTLSObjFromChardevAlias(charAlias))) + if (!(tlsAlias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) goto cleanup; =20 /* Best shot at this as the secinfo is destroyed after process lau= nch diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index 1d281af..7aa9e31 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c 
@@ -6303,7 +6303,7 @@ qemuMonitorJSONAttachCharDevCommand(const char *chrID, virJSONValueObjectAppendBoolean(data, "server", chr->data.tcp.= listen) < 0) goto error; if (chr->data.tcp.tlscreds) { - if (!(tlsalias =3D qemuAliasTLSObjFromChardevAlias(chrID))) + if (!(tlsalias =3D qemuAliasTLSObjFromSrcAlias(chrID))) goto error; =20 if (virJSONValueObjectAppendString(data, "tls-creds", tlsalias= ) < 0) --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) client-ip=209.132.183.25; envelope-from=libvir-list-bounces@redhat.com; helo=mx4-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) by mx.zohomail.com with SMTPS id 1487360602560425.413309561535; Fri, 17 Feb 2017 11:43:22 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJe4X6012601; Fri, 17 Feb 2017 14:40:04 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdZTF012487 for ; Fri, 17 Feb 2017 14:39:35 -0500 Received: by smtp.corp.redhat.com (Postfix) id 378AFB682B; Fri, 17 Feb 2017 19:39:35 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id EB7EBBBA29 for ; Fri, 17 Feb 2017 19:39:34 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:21 -0500 Message-Id: <20170217193930.14943-5-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 04/13] qemu: Introduce qemuDomainSecretMigrate{Prepare|Destroy} X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Introduce API's to Prepare/Destroy a qemuDomainSecretInfoPtr to be used with a migrate or nbd TLS object Signed-off-by: John Ferlan --- src/qemu/qemu_domain.c | 73 +++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_domain.h | 88 +++++++++++++++++++++++++++++-----------------= ---- 2 files changed, 124 insertions(+), 37 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index be44843..dd3cfd5 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c 
@@ -1370,6 +1370,77 @@ qemuDomainSecretChardevPrepare(virConnectPtr conn, } =20 =20 +/* qemuDomainSecretMigrateDestroy: + * @migSecinfo: Pointer to the secinfo from the incoming def + * + * Clear and destroy memory associated with the secret + */ +void +qemuDomainSecretMigrateDestroy(qemuDomainSecretInfoPtr *migSecinfo) +{ + if (!*migSecinfo) + return; + + qemuDomainSecretInfoFree(migSecinfo); +} + + +/* qemuDomainSecretMigratePrepare + * @conn: Pointer to connection + * @priv: pointer to domain private object + * @srcAlias: Alias to use (either migrate or nbd) + * @secretUUID: UUID for the secret from the cfg (migrate or nbd) + * + * Create and prepare the qemuDomainSecretInfoPtr to be used for either + * a migration or nbd. Unlike other domain secret prepare functions, this + * is only expected to be called for a single object/instance. Theoretical= ly + * the object could be reused, although that results in keeping a secret + * stored in memory for perhaps longer than expected or necessary. 
+ * + * Returns 0 on success, -1 on failure + */ +int +qemuDomainSecretMigratePrepare(virConnectPtr conn, + qemuDomainObjPrivatePtr priv, + const char *srcAlias, + const char *secretUUID) +{ + virSecretLookupTypeDef seclookupdef =3D {0}; + qemuDomainSecretInfoPtr secinfo =3D NULL; + + if (virUUIDParse(secretUUID, seclookupdef.u.uuid) < 0) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("malformed %s TLS secret uuid in qemu.conf"), + srcAlias); + return -1; + } + seclookupdef.type =3D VIR_SECRET_LOOKUP_TYPE_UUID; + + if (VIR_ALLOC(secinfo) < 0) + return -1; + + if (qemuDomainSecretSetup(conn, priv, secinfo, srcAlias, + VIR_SECRET_USAGE_TYPE_TLS, NULL, + &seclookupdef, false) < 0) + goto error; + + if (secinfo->type =3D=3D VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("TLS X.509 requires encrypted secrets " + "to be supported")); + goto error; + } + priv->migSecinfo =3D secinfo; + + return 0; + + error: + qemuDomainSecretInfoFree(&secinfo); + return -1; +} + + + /* qemuDomainSecretDestroy: * @vm: Domain object * @@ -1634,6 +1705,8 @@ qemuDomainObjPrivateFree(void *data) =20 VIR_FREE(priv->libDir); VIR_FREE(priv->channelTargetDir); + + qemuDomainSecretMigrateDestroy(&priv->migSecinfo); qemuDomainMasterKeyFree(priv); =20 VIR_FREE(priv); diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index 524a672..f796306 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h 
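Review bot: qemuDomainSecretMigratePrepare stores `priv->migSecinfo = secinfo` without checking whether one is already present, so a second call, which the function comment itself admits is possible, silently leaks the earlier secinfo together with the ciphertext and IV it holds; either free it first with `qemuDomainSecretMigrateDestroy(&priv->migSecinfo);` before the assignment, or return an error when `priv->migSecinfo` is non-NULL so the caller sees the misuse. When the looked-up secret turns out to be VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN the plaintext has already been copied into `secinfo->s.plain.secret` before the error path frees it, so this path relies on qemuDomainSecretInfoFree scrubbing that buffer, which is not visible here and worth confirming. The virUUIDParse error text says the UUID came from qemu.conf, which is only accurate as long as every caller passes a cfg-sourced value as the parameter comment claims.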
@@ -175,6 +175,43 @@ VIR_ENUM_DECL(qemuDomainNamespace) bool qemuDomainNamespaceEnabled(virDomainObjPtr vm, qemuDomainNamespace ns); =20 +/* Type of domain secret */ +typedef enum { + VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN =3D 0, + VIR_DOMAIN_SECRET_INFO_TYPE_AES, /* utilize GNUTLS_CIPHER_AES_256_CBC= */ + + VIR_DOMAIN_SECRET_INFO_TYPE_LAST +} qemuDomainSecretInfoType; + +typedef struct _qemuDomainSecretPlain qemuDomainSecretPlain; +typedef struct _qemuDomainSecretPlain *qemuDomainSecretPlainPtr; +struct _qemuDomainSecretPlain { + char *username; + uint8_t *secret; + size_t secretlen; +}; + +# define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ + /* initialization vector */ +typedef struct _qemuDomainSecretAES qemuDomainSecretAES; +typedef struct _qemuDomainSecretAES *qemuDomainSecretAESPtr; +struct _qemuDomainSecretAES { + char *username; + char *alias; /* generated alias for secret */ + char *iv; /* base64 encoded initialization vector */ + char *ciphertext; /* encoded/encrypted secret */ +}; + +typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo; +typedef qemuDomainSecretInfo *qemuDomainSecretInfoPtr; +struct _qemuDomainSecretInfo { + qemuDomainSecretInfoType type; + union { + qemuDomainSecretPlain plain; + qemuDomainSecretAES aes; + } s; +}; + typedef struct _qemuDomainObjPrivate qemuDomainObjPrivate; typedef qemuDomainObjPrivate *qemuDomainObjPrivatePtr; struct _qemuDomainObjPrivate { 
@@ -246,48 +283,15 @@ struct _qemuDomainObjPrivate { =20 /* note whether memory device alias does not correspond to slot number= */ bool memAliasOrderMismatch; + + /* for migration's using TLS with a secret (not to be saved in our */ + /* private XML). */ + qemuDomainSecretInfoPtr migSecinfo; }; =20 # define QEMU_DOMAIN_PRIVATE(vm) \ ((qemuDomainObjPrivatePtr) (vm)->privateData) =20 -/* Type of domain secret */ -typedef enum { - VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN =3D 0, - VIR_DOMAIN_SECRET_INFO_TYPE_AES, /* utilize GNUTLS_CIPHER_AES_256_CBC= */ - - VIR_DOMAIN_SECRET_INFO_TYPE_LAST -} qemuDomainSecretInfoType; - -typedef struct _qemuDomainSecretPlain qemuDomainSecretPlain; -typedef struct _qemuDomainSecretPlain *qemuDomainSecretPlainPtr; -struct _qemuDomainSecretPlain { - char *username; - uint8_t *secret; - size_t secretlen; -}; - -# define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ - /* initialization vector */ -typedef struct _qemuDomainSecretAES qemuDomainSecretAES; -typedef struct _qemuDomainSecretAES *qemuDomainSecretAESPtr; -struct _qemuDomainSecretAES { - char *username; - char *alias; /* generated alias for secret */ - char *iv; /* base64 encoded initialization vector */ - char *ciphertext; /* encoded/encrypted secret */ -}; - -typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo; -typedef qemuDomainSecretInfo *qemuDomainSecretInfoPtr; -struct _qemuDomainSecretInfo { - qemuDomainSecretInfoType type; - union { - qemuDomainSecretPlain plain; - qemuDomainSecretAES aes; - } s; -}; - # define QEMU_DOMAIN_DISK_PRIVATE(disk) \ ((qemuDomainDiskPrivatePtr) (disk)->privateData) =20 
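Review bot: The new `migSecinfo` field is described by two single-line comments spliced together with a possessive typo ("migration's using"); one block comment that states the lifetime this series actually implements reads better, e.g. `/* TLS secret for migrations: set by qemuDomainSecretMigratePrepare, released in qemuDomainObjPrivateFree; never written to the private XML */`. Whether the private XML formatter really skips the field is not visible in this hunk, so that last clause should be checked against the formatter before it is kept. The enclosing struct _qemuDomainObjPrivate starts outside the hunk.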
@@ -763,6 +767,16 @@ int qemuDomainSecretChardevPrepare(virConnectPtr conn, ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5); =20 +void qemuDomainSecretMigrateDestroy(qemuDomainSecretInfoPtr *migSecinfo) + ATTRIBUTE_NONNULL(1); + +int qemuDomainSecretMigratePrepare(virConnectPtr conn, + qemuDomainObjPrivatePtr priv, + const char *srcAlias, + const char *secretUUID) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) + ATTRIBUTE_NONNULL(4); + void qemuDomainSecretDestroy(virDomainObjPtr vm) ATTRIBUTE_NONNULL(1); =20 --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) client-ip=209.132.183.37; envelope-from=libvir-list-bounces@redhat.com; helo=mx5-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) by mx.zohomail.com with SMTPS id 1487360609594549.912545638619; Fri, 17 Feb 2017 11:43:29 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1HJe5Ff009711; Fri, 17 Feb 2017 14:40:05 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdZuK012492 for ; Fri, 17 Feb 2017 14:39:35 -0500 Received: by smtp.corp.redhat.com (Postfix) id 9D296B6FE4; Fri, 17 Feb 2017 19:39:35 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 
5E129BBA29 for ; Fri, 17 Feb 2017 19:39:35 +0000 (UTC) From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:22 -0500 Message-Id: <20170217193930.14943-6-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 05/13] qemu: Refactor hotplug to introduce qemuDomain{Add|Del}TLSObjects X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Refactor the TLS object adding code to make two separate API's that will handle the add/remove of the "secret" and "tls-creds-x509" objects including the Enter/Exit monitor commands. Signed-off-by: John Ferlan --- src/qemu/qemu_hotplug.c | 169 ++++++++++++++++++++++++++++----------------= ---- src/qemu/qemu_hotplug.h | 13 ++++ 2 files changed, 111 insertions(+), 71 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 8d15eee..fb8a052 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c 
@@ -1526,6 +1526,89 @@ qemuDomainAttachHostPCIDevice(virQEMUDriverPtr drive= r, } =20 =20 +void +qemuDomainDelTLSObjects(virQEMUDriverPtr driver, + virDomainObjPtr vm, + const char *secAlias, + const char *tlsAlias) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + virErrorPtr orig_err; + + /* Nothing to do if neither defined */ + if (!tlsAlias && !secAlias) + return; + + orig_err =3D virSaveLastError(); + + qemuDomainObjEnterMonitor(driver, vm); + if (tlsAlias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); + if (secAlias) + ignore_value(qemuMonitorDelObject(priv->mon, secAlias)); + if (orig_err) { + virSetError(orig_err); + virFreeError(orig_err); + } + ignore_value(qemuDomainObjExitMonitor(driver, vm)); +} + + +int +qemuDomainAddTLSObjects(virQEMUDriverPtr driver, + virDomainObjPtr vm, + const char *secAlias, + virJSONValuePtr *secProps, + const char *tlsAlias, + virJSONValuePtr *tlsProps) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + int rc; + bool secobjAdded =3D false; + bool tlsobjAdded =3D false; + virErrorPtr orig_err; + + /* Nothing to do if neither defined */ + if (!tlsAlias && !secAlias) + return 0; + + qemuDomainObjEnterMonitor(driver, vm); + + if (secAlias) { + rc =3D qemuMonitorAddObject(priv->mon, "secret", + secAlias, *secProps); + *secProps =3D NULL; /* qemuMonitorAddObject consumes */ + if (rc < 0) + goto exit_monitor; + secobjAdded =3D true; + } + + if (tlsAlias) { + rc =3D qemuMonitorAddObject(priv->mon, "tls-creds-x509", + tlsAlias, *tlsProps); + *tlsProps =3D NULL; /* qemuMonitorAddObject consumes */ + if (rc < 0) + goto exit_monitor; + tlsobjAdded =3D true; + } + + return qemuDomainObjExitMonitor(driver, vm); + + exit_monitor: + orig_err =3D virSaveLastError(); + if (tlsobjAdded) + ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); + if (secobjAdded) + ignore_value(qemuMonitorDelObject(priv->mon, secAlias)); + if (orig_err) { + virSetError(orig_err); + virFreeError(orig_err); + } + 
ignore_value(qemuDomainObjExitMonitor(driver, vm)); + return -1; +} + + static int qemuDomainGetChardevTLSObjects(virQEMUDriverConfigPtr cfg, qemuDomainObjPrivatePtr priv, @@ -1582,8 +1665,6 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, char *charAlias =3D NULL; char *devstr =3D NULL; bool chardevAdded =3D false; - bool tlsobjAdded =3D false; - bool secobjAdded =3D false; virJSONValuePtr tlsProps =3D NULL; virJSONValuePtr secProps =3D NULL; char *tlsAlias =3D NULL; @@ -1619,25 +1700,11 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr co= nn, &secProps, &secAlias) < 0) goto cleanup; =20 - qemuDomainObjEnterMonitor(driver, vm); - - if (secAlias) { - rc =3D qemuMonitorAddObject(priv->mon, "secret", - secAlias, secProps); - secProps =3D NULL; - if (rc < 0) - goto exit_monitor; - secobjAdded =3D true; - } + if (qemuDomainAddTLSObjects(driver, vm, secAlias, &secProps, + tlsAlias, &tlsProps) < 0) + goto cleanup; =20 - if (tlsAlias) { - rc =3D qemuMonitorAddObject(priv->mon, "tls-creds-x509", - tlsAlias, tlsProps); - tlsProps =3D NULL; /* qemuMonitorAddObject consumes */ - if (rc < 0) - goto exit_monitor; - tlsobjAdded =3D true; - } + qemuDomainObjEnterMonitor(driver, vm); =20 if (qemuMonitorAttachCharDev(priv->mon, charAlias, @@ -1672,15 +1739,12 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr co= nn, /* detach associated chardev on error */ if (chardevAdded) ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); - if (tlsobjAdded) - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); - if (secobjAdded) - ignore_value(qemuMonitorDelObject(priv->mon, secAlias)); if (orig_err) { virSetError(orig_err); virFreeError(orig_err); } ignore_value(qemuDomainObjExitMonitor(driver, vm)); + qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); goto audit; } =20 
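Review bot: qemuDomainDelTLSObjects enters the monitor unconditionally, yet every caller in this patch invokes it right after its own `qemuDomainObjExitMonitor` in the error path, and a failure there means the domain has gone away and its monitor is no longer usable; a guard at the top that returns when the domain is not active (the codebase's virDomainObjIsActive check) keeps this best-effort cleanup from re-entering a dead monitor, unless qemuDomainObjEnterMonitor already tolerates that, which is not visible here. Both functions are exported from qemu_hotplug.h without a header comment; qemuDomainAddTLSObjects should document that `*secProps` and `*tlsProps` are consumed and set to NULL even when the add fails, that a NULL alias skips that object, and that on failure any object it did add is removed again, while qemuDomainDelTLSObjects should state that it preserves the caller's pending error. Returning the qemuDomainObjExitMonitor result on the success path is correct but deserves a comment, since -1 there means the objects were added to a domain that has since died.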
@@ -1858,10 +1922,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, virDomainChrSourceDefPtr dev =3D chr->source; char *charAlias =3D NULL; bool chardevAttached =3D false; - bool tlsobjAdded =3D false; bool teardowncgroup =3D false; bool teardowndevice =3D false; - bool secobjAdded =3D false; virJSONValuePtr tlsProps =3D NULL; char *tlsAlias =3D NULL; virJSONValuePtr secProps =3D NULL; @@ -1908,24 +1970,11 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, &secProps, &secAlias) < 0) goto cleanup; =20 - qemuDomainObjEnterMonitor(driver, vm); - if (secAlias) { - rc =3D qemuMonitorAddObject(priv->mon, "secret", - secAlias, secProps); - secProps =3D NULL; - if (rc < 0) - goto exit_monitor; - secobjAdded =3D true; - } + if (qemuDomainAddTLSObjects(driver, vm, secAlias, &secProps, + tlsAlias, &tlsProps) < 0) + goto cleanup; =20 - if (tlsAlias) { - rc =3D qemuMonitorAddObject(priv->mon, "tls-creds-x509", - tlsAlias, tlsProps); - tlsProps =3D NULL; /* qemuMonitorAddObject consumes */ - if (rc < 0) - goto exit_monitor; - tlsobjAdded =3D true; - } + qemuDomainObjEnterMonitor(driver, vm); =20 if (qemuMonitorAttachCharDev(priv->mon, charAlias, chr->source) < 0) goto exit_monitor; @@ -1966,16 +2015,13 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, /* detach associated chardev on error */ if (chardevAttached) qemuMonitorDetachCharDev(priv->mon, charAlias); - if (tlsobjAdded) - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); - if (secobjAdded) - ignore_value(qemuMonitorDelObject(priv->mon, secAlias)); if (orig_err) { virSetError(orig_err); virFreeError(orig_err); } =20 ignore_value(qemuDomainObjExitMonitor(driver, vm)); + qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); goto audit; } =20 
@@ -2000,8 +2046,6 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, bool teardowndevice =3D false; bool chardevAdded =3D false; bool objAdded =3D false; - bool tlsobjAdded =3D false; - bool secobjAdded =3D false; virJSONValuePtr props =3D NULL; virJSONValuePtr tlsProps =3D NULL; virJSONValuePtr secProps =3D NULL; @@ -2076,27 +2120,13 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, charAlias, &tlsProps, &tlsAlias, &secProps, &secAlias) < 0) goto cleanup; - } - - qemuDomainObjEnterMonitor(driver, vm); =20 - if (secAlias) { - rv =3D qemuMonitorAddObject(priv->mon, "secret", - secAlias, secProps); - secProps =3D NULL; - if (rv < 0) - goto exit_monitor; - secobjAdded =3D true; + if (qemuDomainAddTLSObjects(driver, vm, secAlias, &secProps, + tlsAlias, &tlsProps) < 0) + goto cleanup; } =20 - if (tlsAlias) { - rv =3D qemuMonitorAddObject(priv->mon, "tls-creds-x509", - tlsAlias, tlsProps); - tlsProps =3D NULL; /* qemuMonitorAddObject consumes */ - if (rv < 0) - goto exit_monitor; - tlsobjAdded =3D true; - } + qemuDomainObjEnterMonitor(driver, vm); =20 if (rng->backend =3D=3D VIR_DOMAIN_RNG_BACKEND_EGD && qemuMonitorAttachCharDev(priv->mon, charAlias, @@ -2152,10 +2182,6 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, ignore_value(qemuMonitorDelObject(priv->mon, objAlias)); if (rng->backend =3D=3D VIR_DOMAIN_RNG_BACKEND_EGD && chardevAdded) ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); - if (tlsobjAdded) - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); - if (secobjAdded) - ignore_value(qemuMonitorDelObject(priv->mon, secAlias)); if (orig_err) { virSetError(orig_err); virFreeError(orig_err); @@ -2163,6 +2189,7 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, =20 if (qemuDomainObjExitMonitor(driver, vm) < 0) releaseaddr =3D false; + qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 13242ee..c4f33e0 100644 --- a/src/qemu/qemu_hotplug.h 
+++ b/src/qemu/qemu_hotplug.h 
@@ -33,6 +33,19 @@ int qemuDomainChangeEjectableMedia(virQEMUDriverPtr driv= er, virDomainDiskDefPtr disk, virStorageSourcePtr newsrc, bool force); + +void qemuDomainDelTLSObjects(virQEMUDriverPtr driver, + virDomainObjPtr vm, + const char *secAlias, + const char *tlsAlias); + +int qemuDomainAddTLSObjects(virQEMUDriverPtr driver, + virDomainObjPtr vm, + const char *secAlias, + virJSONValuePtr *secProps, + const char *tlsAlias, + virJSONValuePtr *tlsProps); + int qemuDomainAttachControllerDevice(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainControllerDefPtr controller); --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) client-ip=209.132.183.39; envelope-from=libvir-list-bounces@redhat.com; helo=mx6-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) by mx.zohomail.com with SMTPS id 1487360588767618.103196011659; Fri, 17 Feb 2017 11:43:08 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1HJde5I021062; Fri, 17 Feb 2017 14:39:40 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdavV012498 for ; Fri, 17 Feb 2017 14:39:36 -0500 Received: by smtp.corp.redhat.com (Postfix) id 0F61BB6FE4; Fri, 17 Feb 2017 19:39:36 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 
C4ADFBBA29 for ; Fri, 17 Feb 2017 19:39:35 +0000 (UTC) From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:23 -0500 Message-Id: <20170217193930.14943-7-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 06/13] qemu: Refactor qemuDomainGetChardevTLSObjects to converge code X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Create a qemuDomainAddChardevTLSObjects which will encapsulate the qemuDomainGetChardevTLSObjects and qemuDomainAddTLSObjects so that the callers don't need to worry about the props. Move the dev->type and haveTLS checks in to the Add function to avoid an unnecessary call to qemuDomainAddTLSObjects Signed-off-by: John Ferlan --- src/qemu/qemu_hotplug.c | 80 ++++++++++++++++++++++++++-------------------= ---- 1 file changed, 43 insertions(+), 37 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index fb8a052..6dd1d9e 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1622,10 +1622,6 @@ qemuDomainGetChardevTLSObjects(virQEMUDriverConfigPt= r cfg, qemuDomainChrSourcePrivatePtr chrSourcePriv =3D QEMU_DOMAIN_CHR_SOURCE_PRIVATE(dev); =20 - if (dev->type !=3D VIR_DOMAIN_CHR_TYPE_TCP || - dev->data.tcp.haveTLS !=3D VIR_TRISTATE_BOOL_YES) - return 0; - /* Add a secret object in order to access the TLS environment. * The secinfo will only be created for serial TCP device. */ if (chrSourcePriv && chrSourcePriv->secinfo) { 
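Review bot: With the `dev->type`/`haveTLS` guard removed, qemuDomainGetChardevTLSObjects reads `dev->data.tcp.listen` further down (outside the hunk) without verifying that the source is a TCP chardev, so the union access is now safe only because its single caller checks first. Since the function is static that is acceptable, but the precondition should be recorded above the function, e.g. `/* Caller must ensure dev->type == VIR_DOMAIN_CHR_TYPE_TCP and haveTLS == VIR_TRISTATE_BOOL_YES */`. The function's signature and the rest of its body lie outside the hunk.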
@@ -1652,6 +1648,43 @@ qemuDomainGetChardevTLSObjects(virQEMUDriverConfigPt= r cfg, } =20 =20 +static int +qemuDomainAddChardevTLSObjects(virQEMUDriverPtr driver, + virQEMUDriverConfigPtr cfg, + virDomainObjPtr vm, + virDomainChrSourceDefPtr dev, + char *charAlias, + char **tlsAlias, + char **secAlias) +{ + int ret =3D -1; + qemuDomainObjPrivatePtr priv =3D vm->privateData; + virJSONValuePtr tlsProps =3D NULL; + virJSONValuePtr secProps =3D NULL; + + if (dev->type !=3D VIR_DOMAIN_CHR_TYPE_TCP || + dev->data.tcp.haveTLS !=3D VIR_TRISTATE_BOOL_YES) + return 0; + + if (qemuDomainGetChardevTLSObjects(cfg, priv, dev, charAlias, + &tlsProps, tlsAlias, + &secProps, secAlias) < 0) + goto cleanup; + + if (qemuDomainAddTLSObjects(driver, vm, *secAlias, &secProps, + *tlsAlias, &tlsProps) < 0) + goto cleanup; + + ret =3D 0; + + cleanup: + virJSONValueFree(tlsProps); + virJSONValueFree(secProps); + + return ret; +} + + int qemuDomainAttachRedirdevDevice(virConnectPtr conn, virQEMUDriverPtr driver, virDomainObjPtr vm, @@ -1665,8 +1698,6 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, char *charAlias =3D NULL; char *devstr =3D NULL; bool chardevAdded =3D false; - virJSONValuePtr tlsProps =3D NULL; - virJSONValuePtr secProps =3D NULL; char *tlsAlias =3D NULL; char *secAlias =3D NULL; bool need_release =3D false; @@ -1695,13 +1726,8 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr con= n, redirdev->source) < 0) goto cleanup; =20 - if (qemuDomainGetChardevTLSObjects(cfg, priv, redirdev->source, - charAlias, &tlsProps, &tlsAlias, - &secProps, &secAlias) < 0) - goto cleanup; - - if (qemuDomainAddTLSObjects(driver, vm, secAlias, &secProps, - tlsAlias, &tlsProps) < 0) + if (qemuDomainAddChardevTLSObjects(driver, cfg, vm, redirdev->source, + charAlias, &tlsAlias, &secAlias) < = 0) goto cleanup; =20 qemuDomainObjEnterMonitor(driver, vm); 
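Review bot: `char *charAlias` in the new qemuDomainAddChardevTLSObjects signature should be `const char *charAlias`; the function only forwards it and never writes through it, which can be done as soon as qemuDomainGetChardevTLSObjects takes a const pointer (the later qemuDomainGetTLSObjects already uses `const char *srcAlias`). The out-params `tlsAlias`/`secAlias` are not touched on the early `return 0` and may already hold allocations when qemuDomainAddTLSObjects fails, so the caller must free both regardless of the result; a comment above the function stating that would spare the next reader a trip through both helpers, e.g. `/* *tlsAlias and *secAlias are owned by the caller on return, even on failure. */`.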
@@ -1726,9 +1752,7 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, if (ret < 0 && need_release) qemuDomainReleaseDeviceAddress(vm, &redirdev->info, NULL); VIR_FREE(tlsAlias); - virJSONValueFree(tlsProps); VIR_FREE(secAlias); - virJSONValueFree(secProps); VIR_FREE(charAlias); VIR_FREE(devstr); virObjectUnref(cfg); @@ -1924,9 +1948,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, bool chardevAttached =3D false; bool teardowncgroup =3D false; bool teardowndevice =3D false; - virJSONValuePtr tlsProps =3D NULL; char *tlsAlias =3D NULL; - virJSONValuePtr secProps =3D NULL; char *secAlias =3D NULL; bool need_release =3D false; =20 @@ -1965,13 +1987,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, dev) < 0) goto cleanup; =20 - if (qemuDomainGetChardevTLSObjects(cfg, priv, dev, charAlias, - &tlsProps, &tlsAlias, - &secProps, &secAlias) < 0) - goto cleanup; - - if (qemuDomainAddTLSObjects(driver, vm, secAlias, &secProps, - tlsAlias, &tlsProps) < 0) + if (qemuDomainAddChardevTLSObjects(driver, cfg, vm, dev, charAlias, + &tlsAlias, &secAlias) < 0) goto cleanup; =20 qemuDomainObjEnterMonitor(driver, vm); @@ -2002,9 +2019,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, VIR_WARN("Unable to remove chr device from /dev"); } VIR_FREE(tlsAlias); - virJSONValueFree(tlsProps); VIR_FREE(secAlias); - virJSONValueFree(secProps); VIR_FREE(charAlias); VIR_FREE(devstr); virObjectUnref(cfg); @@ -2047,8 +2062,6 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, bool chardevAdded =3D false; bool objAdded =3D false; virJSONValuePtr props =3D NULL; - virJSONValuePtr tlsProps =3D NULL; - virJSONValuePtr secProps =3D NULL; virDomainCCWAddressSetPtr ccwaddrs =3D NULL; const char *type; int ret =3D -1; 
@@ -2116,13 +2129,8 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, rng->source.chardev) < 0) goto cleanup; =20 - if (qemuDomainGetChardevTLSObjects(cfg, priv, rng->source.chardev, - charAlias, &tlsProps, &tlsAlias, - &secProps, &secAlias) < 0) - goto cleanup; - - if (qemuDomainAddTLSObjects(driver, vm, secAlias, &secProps, - tlsAlias, &tlsProps) < 0) + if (qemuDomainAddChardevTLSObjects(driver, cfg, vm, rng->source.ch= ardev, + charAlias, &tlsAlias, &secAlias= ) < 0) goto cleanup; } =20 
@@ -2155,8 +2163,6 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, audit: virDomainAuditRNG(vm, NULL, rng, "attach", ret =3D=3D 0); cleanup: - virJSONValueFree(tlsProps); - virJSONValueFree(secProps); virJSONValueFree(props); if (ret < 0) { if (releaseaddr) --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) client-ip=209.132.183.39; envelope-from=libvir-list-bounces@redhat.com; helo=mx6-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) by mx.zohomail.com with SMTPS id 1487360599429860.5963253901098; Fri, 17 Feb 2017 11:43:19 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1HJdwlm021090; Fri, 17 Feb 2017 14:39:58 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdaNs012505 for ; Fri, 17 Feb 2017 14:39:36 -0500 Received: by smtp.corp.redhat.com (Postfix) id 770FCBBA2B; Fri, 17 Feb 2017 19:39:36 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 374E0BBA29 for ; Fri, 17 Feb 2017 19:39:36 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:24 -0500 Message-Id: <20170217193930.14943-8-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 07/13] qemu: Move qemuDomainSecretChardevPrepare call X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Move the call to inside the qemuDomainAddChardevTLSObjects in order to further converge the code. Signed-off-by: John Ferlan --- src/qemu/qemu_hotplug.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 6dd1d9e..63ff1c6 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1649,10 +1649,12 @@ qemuDomainGetChardevTLSObjects(virQEMUDriverConfigP= tr cfg, =20 =20 static int -qemuDomainAddChardevTLSObjects(virQEMUDriverPtr driver, +qemuDomainAddChardevTLSObjects(virConnectPtr conn, + virQEMUDriverPtr driver, virQEMUDriverConfigPtr cfg, virDomainObjPtr vm, virDomainChrSourceDefPtr dev, + char *devAlias, char *charAlias, char **tlsAlias, char **secAlias) @@ -1666,6 +1668,9 @@ qemuDomainAddChardevTLSObjects(virQEMUDriverPtr drive= r, dev->data.tcp.haveTLS !=3D VIR_TRISTATE_BOOL_YES) return 0; =20 + if (qemuDomainSecretChardevPrepare(conn, cfg, priv, devAlias, dev) < 0) + goto cleanup; + if (qemuDomainGetChardevTLSObjects(cfg, priv, dev, charAlias, &tlsProps, tlsAlias, &secProps, secAlias) < 0) 
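Review bot: Placing `qemuDomainSecretChardevPrepare(conn, cfg, priv, devAlias, dev)` behind the `dev->type`/`haveTLS` early return means it is no longer called for non-TCP or non-TLS sources, whereas the callers previously invoked it unconditionally (see the removed lines in the following hunks). That is presumably harmless if the prepare step only has work to do for a TLS TCP chardev, but the commit message presents it as a plain move; please state the intended no-op either in the message or at the call site, e.g. `/* Only a TLS TCP chardev has a secret to prepare */`. `char *devAlias` can also be `const char *` if qemuDomainSecretChardevPrepare accepts a const alias, since it is only forwarded.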
@@ -1722,12 +1727,9 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr con= n, if (VIR_REALLOC_N(def->redirdevs, def->nredirdevs+1) < 0) goto cleanup; =20 - if (qemuDomainSecretChardevPrepare(conn, cfg, priv, redirdev->info.ali= as, - redirdev->source) < 0) - goto cleanup; - - if (qemuDomainAddChardevTLSObjects(driver, cfg, vm, redirdev->source, - charAlias, &tlsAlias, &secAlias) < = 0) + if (qemuDomainAddChardevTLSObjects(conn, driver, cfg, vm, redirdev->so= urce, + redirdev->info.alias, charAlias, + &tlsAlias, &secAlias) < 0) goto cleanup; =20 qemuDomainObjEnterMonitor(driver, vm); @@ -1983,11 +1985,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, if (qemuDomainChrPreInsert(vmdef, chr) < 0) goto cleanup; =20 - if (qemuDomainSecretChardevPrepare(conn, cfg, priv, chr->info.alias, - dev) < 0) - goto cleanup; - - if (qemuDomainAddChardevTLSObjects(driver, cfg, vm, dev, charAlias, + if (qemuDomainAddChardevTLSObjects(conn, driver, cfg, vm, dev, + chr->info.alias, charAlias, &tlsAlias, &secAlias) < 0) goto cleanup; =20 
@@ -2125,12 +2124,10 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, goto cleanup; =20 if (rng->backend =3D=3D VIR_DOMAIN_RNG_BACKEND_EGD) { - if (qemuDomainSecretChardevPrepare(conn, cfg, priv, rng->info.alia= s, - rng->source.chardev) < 0) - goto cleanup; - - if (qemuDomainAddChardevTLSObjects(driver, cfg, vm, rng->source.ch= ardev, - charAlias, &tlsAlias, &secAlias= ) < 0) + if (qemuDomainAddChardevTLSObjects(conn, driver, cfg, vm, + rng->source.chardev, + rng->info.alias, charAlias, + &tlsAlias, &secAlias) < 0) goto cleanup; } =20 --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) client-ip=209.132.183.37; envelope-from=libvir-list-bounces@redhat.com; helo=mx5-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) by mx.zohomail.com with SMTPS id 1487360594822231.8277768928383; Fri, 17 Feb 2017 11:43:14 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1HJdw9X009667; Fri, 17 Feb 2017 14:39:58 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdaup012515 for ; Fri, 17 Feb 2017 14:39:36 -0500 Received: by smtp.corp.redhat.com (Postfix) id DE174BBA29; Fri, 17 Feb 2017 19:39:36 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9EB39B6FE4 for ; Fri, 17 Feb 2017 19:39:36 +0000 
(UTC) From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:25 -0500 Message-Id: <20170217193930.14943-9-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 08/13] qemu: Move qemuDomainPrepareChardevSourceTLS call X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Move the call to inside the qemuDomainAddChardevTLSObjects in order to further converge the code. Signed-off-by: John Ferlan --- src/qemu/qemu_hotplug.c | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 63ff1c6..c76a91e 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1651,7 +1651,6 @@ qemuDomainGetChardevTLSObjects(virQEMUDriverConfigPtr= cfg, static int qemuDomainAddChardevTLSObjects(virConnectPtr conn, virQEMUDriverPtr driver, - virQEMUDriverConfigPtr cfg, virDomainObjPtr vm, virDomainChrSourceDefPtr dev, char *devAlias, 
@@ -1660,13 +1659,19 @@ qemuDomainAddChardevTLSObjects(virConnectPtr conn, char **secAlias) { int ret =3D -1; + virQEMUDriverConfigPtr cfg =3D virQEMUDriverGetConfig(driver); qemuDomainObjPrivatePtr priv =3D vm->privateData; virJSONValuePtr tlsProps =3D NULL; virJSONValuePtr secProps =3D NULL; =20 + /* NB: This may alter haveTLS based on cfg */ + qemuDomainPrepareChardevSourceTLS(dev, cfg); + if (dev->type !=3D VIR_DOMAIN_CHR_TYPE_TCP || - dev->data.tcp.haveTLS !=3D VIR_TRISTATE_BOOL_YES) + dev->data.tcp.haveTLS !=3D VIR_TRISTATE_BOOL_YES) { + virObjectUnref(cfg); return 0; + } =20 if (qemuDomainSecretChardevPrepare(conn, cfg, priv, devAlias, dev) < 0) goto cleanup; @@ -1685,6 +1690,7 @@ qemuDomainAddChardevTLSObjects(virConnectPtr conn, cleanup: virJSONValueFree(tlsProps); virJSONValueFree(secProps); + virObjectUnref(cfg); =20 return ret; } @@ -1697,7 +1703,6 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, { int ret =3D -1; int rc; - virQEMUDriverConfigPtr cfg =3D virQEMUDriverGetConfig(driver); qemuDomainObjPrivatePtr priv =3D vm->privateData; virDomainDefPtr def =3D vm->def; char *charAlias =3D NULL; @@ -1708,8 +1713,6 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, bool need_release =3D false; virErrorPtr orig_err; =20 - qemuDomainPrepareChardevSourceTLS(redirdev->source, cfg); - if (qemuAssignDeviceRedirdevAlias(def, redirdev, -1) < 0) goto cleanup; =20 @@ -1727,7 +1730,7 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, if (VIR_REALLOC_N(def->redirdevs, def->nredirdevs+1) < 0) goto cleanup; =20 - if (qemuDomainAddChardevTLSObjects(conn, driver, cfg, vm, redirdev->so= urce, + if (qemuDomainAddChardevTLSObjects(conn, driver, vm, redirdev->source, redirdev->info.alias, charAlias, &tlsAlias, &secAlias) < 0) goto cleanup; @@ -1757,7 +1760,6 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, VIR_FREE(secAlias); VIR_FREE(charAlias); VIR_FREE(devstr); - virObjectUnref(cfg); return ret; =20 exit_monitor: 
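Review bot: The new early-return branch duplicates the `virObjectUnref(cfg)` that the `cleanup:` label (next hunk) now also performs, a split that tends to leak the config reference when a later edit adds another early exit. Route it through the cleanup path instead: replace `virObjectUnref(cfg); return 0;` with `ret = 0;` and `goto cleanup;` — `tlsProps` and `secProps` are still NULL at that point, so the two virJSONValueFree calls in cleanup are no-ops. The function's signature and the rest of its body lie outside the hunk.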
@@ -1940,7 +1942,6 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, virDomainChrDefPtr chr) { int ret =3D -1, rc; - virQEMUDriverConfigPtr cfg =3D virQEMUDriverGetConfig(driver); qemuDomainObjPrivatePtr priv =3D vm->privateData; virErrorPtr orig_err; virDomainDefPtr vmdef =3D vm->def; @@ -1958,8 +1959,6 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, qemuDomainPrepareChannel(chr, priv->channelTargetDir) < 0) goto cleanup; =20 - qemuDomainPrepareChardevSourceTLS(dev, cfg); - if (qemuAssignDeviceChrAlias(vmdef, chr, -1) < 0) goto cleanup; =20 @@ -1985,7 +1984,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, if (qemuDomainChrPreInsert(vmdef, chr) < 0) goto cleanup; =20 - if (qemuDomainAddChardevTLSObjects(conn, driver, cfg, vm, dev, + if (qemuDomainAddChardevTLSObjects(conn, driver, vm, dev, chr->info.alias, charAlias, &tlsAlias, &secAlias) < 0) goto cleanup; @@ -2021,7 +2020,6 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, VIR_FREE(secAlias); VIR_FREE(charAlias); VIR_FREE(devstr); - virObjectUnref(cfg); return ret; =20 exit_monitor: @@ -2046,7 +2044,6 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, virDomainObjPtr vm, virDomainRNGDefPtr rng) { - virQEMUDriverConfigPtr cfg =3D virQEMUDriverGetConfig(driver); qemuDomainObjPrivatePtr priv =3D vm->privateData; virDomainDeviceDef dev =3D { VIR_DOMAIN_DEVICE_RNG, { .rng =3D rng } }; virErrorPtr orig_err; @@ -2107,9 +2104,6 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, goto cleanup; teardowncgroup =3D true; =20 - if (rng->backend =3D=3D VIR_DOMAIN_RNG_BACKEND_EGD) - qemuDomainPrepareChardevSourceTLS(rng->source.chardev, cfg); - /* build required metadata */ if (!(devstr =3D qemuBuildRNGDevStr(vm->def, rng, priv->qemuCaps))) goto cleanup; 
@@ -2124,7 +2118,7 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, goto cleanup; =20 if (rng->backend =3D=3D VIR_DOMAIN_RNG_BACKEND_EGD) { - if (qemuDomainAddChardevTLSObjects(conn, driver, cfg, vm, + if (qemuDomainAddChardevTLSObjects(conn, driver, vm, rng->source.chardev, rng->info.alias, charAlias, &tlsAlias, &secAlias) < 0) @@ -2176,7 +2170,6 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, VIR_FREE(objAlias); VIR_FREE(devstr); virDomainCCWAddressSetFree(ccwaddrs); - virObjectUnref(cfg); return ret; =20 exit_monitor: --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) client-ip=209.132.183.39; envelope-from=libvir-list-bounces@redhat.com; helo=mx6-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) by mx.zohomail.com with SMTPS id 1487360600304895.7691856165104; Fri, 17 Feb 2017 11:43:20 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1HJe0Dp021101; Fri, 17 Feb 2017 14:40:00 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdbDs012520 for ; Fri, 17 Feb 2017 14:39:37 -0500 Received: by smtp.corp.redhat.com (Postfix) id 523F4B95BA; Fri, 17 Feb 2017 19:39:37 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 115FEBBA29 for ; Fri, 17 Feb 2017 19:39:36 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:26 -0500 Message-Id: <20170217193930.14943-10-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 09/13] qemu: Introduce qemuDomainGetTLSObjects X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Split apart and rename qemuDomainGetChardevTLSObjects in order to make a more generic API that can create the TLS JSON prop objects (secret and tls-creds-x509) to be used to create the objects Signed-off-by: John Ferlan --- src/qemu/qemu_hotplug.c | 55 ++++++++++++++++++++++++++-------------------= ---- src/qemu/qemu_hotplug.h | 11 ++++++++++ 2 files changed, 40 insertions(+), 26 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index c76a91e..f5323f7 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c 
@@ -1609,40 +1609,34 @@ qemuDomainAddTLSObjects(virQEMUDriverPtr driver, } =20 =20 -static int -qemuDomainGetChardevTLSObjects(virQEMUDriverConfigPtr cfg, - qemuDomainObjPrivatePtr priv, - virDomainChrSourceDefPtr dev, - char *charAlias, - virJSONValuePtr *tlsProps, - char **tlsAlias, - virJSONValuePtr *secProps, - char **secAlias) +int +qemuDomainGetTLSObjects(virQEMUCapsPtr qemuCaps, + qemuDomainSecretInfoPtr secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *srcAlias, + virJSONValuePtr *tlsProps, + char **tlsAlias, + virJSONValuePtr *secProps, + char **secAlias) { - qemuDomainChrSourcePrivatePtr chrSourcePriv =3D - QEMU_DOMAIN_CHR_SOURCE_PRIVATE(dev); - /* Add a secret object in order to access the TLS environment. * The secinfo will only be created for serial TCP device. */ - if (chrSourcePriv && chrSourcePriv->secinfo) { - if (qemuBuildSecretInfoProps(chrSourcePriv->secinfo, secProps) < 0) + if (secinfo) { + if (qemuBuildSecretInfoProps(secinfo, secProps) < 0) return -1; =20 - if (!(*secAlias =3D qemuDomainGetSecretAESAlias(charAlias, false))) + if (!(*secAlias =3D qemuDomainGetSecretAESAlias(srcAlias, false))) return -1; } =20 - if (qemuBuildTLSx509BackendProps(cfg->chardevTLSx509certdir, - dev->data.tcp.listen, - cfg->chardevTLSx509verify, - *secAlias, - priv->qemuCaps, - tlsProps) < 0) + if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, + *secAlias, qemuCaps, tlsProps) < 0) return -1; =20 - if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(srcAlias))) return -1; - dev->data.tcp.tlscreds =3D true; =20 return 0; } 
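Review bot: The retained comment `The secinfo will only be created for serial TCP device.` above the `if (secinfo)` block is now stale, because qemuDomainGetTLSObjects is exported and receives a caller-supplied secinfo without knowing which device it serves. Replace it with a header comment that documents the contract: `secinfo` may be NULL (then no secret object is built and `*secAlias` is left untouched), `*secProps`/`*tlsProps` and `*secAlias`/`*tlsAlias` are allocated for the caller, and on -1 some of them may already be allocated (the secret props are built before the alias lookup that can fail), so the caller must free all four regardless of the return value.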
@@ -1661,6 +1655,8 @@ qemuDomainAddChardevTLSObjects(virConnectPtr conn, int ret =3D -1; virQEMUDriverConfigPtr cfg =3D virQEMUDriverGetConfig(driver); qemuDomainObjPrivatePtr priv =3D vm->privateData; + qemuDomainChrSourcePrivatePtr chrSourcePriv; + qemuDomainSecretInfoPtr secinfo =3D NULL; virJSONValuePtr tlsProps =3D NULL; virJSONValuePtr secProps =3D NULL; =20 @@ -1676,10 +1672,17 @@ qemuDomainAddChardevTLSObjects(virConnectPtr conn, if (qemuDomainSecretChardevPrepare(conn, cfg, priv, devAlias, dev) < 0) goto cleanup; =20 - if (qemuDomainGetChardevTLSObjects(cfg, priv, dev, charAlias, - &tlsProps, tlsAlias, - &secProps, secAlias) < 0) + if ((chrSourcePriv =3D QEMU_DOMAIN_CHR_SOURCE_PRIVATE(dev))) + secinfo =3D chrSourcePriv->secinfo; + + if (qemuDomainGetTLSObjects(priv->qemuCaps, secinfo, + cfg->chardevTLSx509certdir, + dev->data.tcp.listen, + cfg->chardevTLSx509verify, + charAlias, &tlsProps, tlsAlias, + &secProps, secAlias) < 0) goto cleanup; + dev->data.tcp.tlscreds =3D true; =20 if (qemuDomainAddTLSObjects(driver, vm, *secAlias, &secProps, *tlsAlias, &tlsProps) < 0) diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index c4f33e0..458c818 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h 
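Review bot: `dev->data.tcp.tlscreds = true;` is now set before the `qemuDomainAddTLSObjects(driver, vm, *secAlias, &secProps, *tlsAlias, &tlsProps)` call that can still fail, so on that path the chardev source stays marked as having TLS creds that were never added to QEMU. Moving the assignment below the qemuDomainAddTLSObjects check, next to the `ret = 0` that follows outside the hunk, keeps the flag consistent with the objects actually present. Whether anything consults the flag after a failed hot-plug is not visible here, so this may be cosmetic, but it is a one-line move.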
@@ -46,6 +46,17 @@ int qemuDomainAddTLSObjects(virQEMUDriverPtr driver, const char *tlsAlias, virJSONValuePtr *tlsProps); =20 +int qemuDomainGetTLSObjects(virQEMUCapsPtr qemuCaps, + qemuDomainSecretInfoPtr secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *srcAlias, + virJSONValuePtr *tlsProps, + char **tlsAlias, + virJSONValuePtr *secProps, + char **secAlias); + int qemuDomainAttachControllerDevice(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainControllerDefPtr controller); --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) client-ip=209.132.183.37; envelope-from=libvir-list-bounces@redhat.com; helo=mx5-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) by mx.zohomail.com with SMTPS id 1487360601107834.8839053427706; Fri, 17 Feb 2017 11:43:21 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1HJe11E009686; Fri, 17 Feb 2017 14:40:01 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdbWP012530 for ; Fri, 17 Feb 2017 14:39:37 -0500 Received: by smtp.corp.redhat.com (Postfix) id B73F7B95BA; Fri, 17 Feb 2017 19:39:37 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 787B0BBA29 for ; Fri, 17 Feb 2017 19:39:37 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:27 -0500 Message-Id: <20170217193930.14943-11-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 10/13] qemu: Add TLS params to _qemuMonitorMigrationParams X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add the fields to support setting tls-creds and tls-hostname during a migration (either source or target) Signed-off-by: John Ferlan --- src/qemu/qemu_monitor.c | 12 +++++++++--- src/qemu/qemu_monitor.h | 7 +++++++ src/qemu/qemu_monitor_json.c | 11 +++++++++++ 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index b15207a..f5720d3 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c 
@@ -2504,12 +2504,16 @@ qemuMonitorSetMigrationParams(qemuMonitorPtr mon, { VIR_DEBUG("compressLevel=3D%d:%d compressThreads=3D%d:%d " "decompressThreads=3D%d:%d cpuThrottleInitial=3D%d:%d " - "cpuThrottleIncrement=3D%d:%d", + "cpuThrottleIncrement=3D%d:%d tlsAlias=3D%d:%s " + "tlsHostname=3D%d:%s", params->compressLevel_set, params->compressLevel, params->compressThreads_set, params->compressThreads, params->decompressThreads_set, params->decompressThreads, params->cpuThrottleInitial_set, params->cpuThrottleInitial, - params->cpuThrottleIncrement_set, params->cpuThrottleIncreme= nt); + params->cpuThrottleIncrement_set, params->cpuThrottleIncreme= nt, + params->migrateTLSAlias_set, NULLSTR(params->migrateTLSAlias= ), + params->migrateTLSHostname_set, + NULLSTR(params->migrateTLSHostname)); =20 QEMU_CHECK_MONITOR_JSON(mon); =20 @@ -2517,7 +2521,9 @@ qemuMonitorSetMigrationParams(qemuMonitorPtr mon, !params->compressThreads_set && !params->decompressThreads_set && !params->cpuThrottleInitial_set && - !params->cpuThrottleIncrement_set) + !params->cpuThrottleIncrement_set && + !params->migrateTLSAlias_set && + !params->migrateTLSHostname_set) return 0; =20 return qemuMonitorJSONSetMigrationParams(mon, params); diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h index 8811d85..d719112 100644 --- a/src/qemu/qemu_monitor.h +++ b/src/qemu/qemu_monitor.h @@ -570,6 +570,13 @@ struct _qemuMonitorMigrationParams { =20 bool cpuThrottleIncrement_set; int cpuThrottleIncrement; + + /* Input only for destination */ + bool migrateTLSAlias_set; + char *migrateTLSAlias; + + bool migrateTLSHostname_set; + char *migrateTLSHostname; }; =20 int qemuMonitorGetMigrationParams(qemuMonitorPtr mon, diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index 7aa9e31..7a70366 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c 
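Review bot: The new qemu_monitor.h fields are annotated `/* Input only for destination */`, but later patches in this series set both fields from the source side too, and `migrateTLSHostname` is only meaningful there (per the series' own comment it names the peer whose certificate is validated), so the comment will mislead. The fields are also bare `char *` with no statement of ownership; every caller in this series assigns borrowed pointers and frees them separately, so the struct must not be treated as owning them. Suggest `/* TLS object alias and, on the source, the hostname the peer certificate is checked against; both strings are borrowed from the caller and are never freed with this struct */`. The VIR_DEBUG change in the first hunk is fine as it logs only alias and hostname, not key material.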
@@ -2637,6 +2637,17 @@ qemuMonitorJSONSetMigrationParams(qemuMonitorPtr mon, =20 #undef APPEND =20 + /* Set only parameters for TLS migration options */ + if (params->migrateTLSAlias_set && + virJSONValueObjectAppendString(args, "tls-creds", + params->migrateTLSAlias) < 0) + goto cleanup; + + if (params->migrateTLSHostname_set && + virJSONValueObjectAppendString(args, "tls-hostname", + params->migrateTLSHostname) < 0) + goto cleanup; + if (virJSONValueObjectAppend(cmd, "arguments", args) < 0) goto cleanup; args =3D NULL; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) client-ip=209.132.183.39; envelope-from=libvir-list-bounces@redhat.com; helo=mx6-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) by mx.zohomail.com with SMTPS id 148736058893457.00168691464421; Fri, 17 Feb 2017 11:43:08 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1HJe2r7021121; Fri, 17 Feb 2017 14:40:03 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdcHg012535 for ; Fri, 17 Feb 2017 14:39:38 -0500 Received: by smtp.corp.redhat.com (Postfix) id 2A627BBA29; Fri, 17 Feb 2017 19:39:38 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id DF043B95BA for ; Fri, 17 Feb 2017 19:39:37 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:28 -0500 Message-Id: <20170217193930.14943-12-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 11/13] Add new migration flag VIR_MIGRATE_TLS X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Signed-off-by: John Ferlan --- include/libvirt/libvirt-domain.h | 8 ++++++++ src/qemu/qemu_migration.h | 1 + tools/virsh-domain.c | 7 +++++++ 3 files changed, 16 insertions(+) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index e303140..931ff68 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -815,6 +815,14 @@ typedef enum { * post-copy mode. See virDomainMigrateStartPostCopy for more details. */ VIR_MIGRATE_POSTCOPY =3D (1 << 15), + + /* Setting the VIR_MIGRATE_TLS flag will cause the migration to attempt + * to use the TLS environment configured by the hypervisor in order to + * perform the migration. If incorrectly configured on either source or + * destination, the migration will fail. + */ + VIR_MIGRATE_TLS =3D (1 << 16), + } virDomainMigrateFlags; =20 =20 diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 14c6178..8d88632 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h 
@@ -33,6 +33,7 @@ typedef qemuMigrationCompression *qemuMigrationCompressio= nPtr; (VIR_MIGRATE_LIVE | \ VIR_MIGRATE_PEER2PEER | \ VIR_MIGRATE_TUNNELLED | \ + VIR_MIGRATE_TLS | \ VIR_MIGRATE_PERSIST_DEST | \ VIR_MIGRATE_UNDEFINE_SOURCE | \ VIR_MIGRATE_PAUSED | \ diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 023ec8a..63ca236 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c @@ -10140,6 +10140,10 @@ static const vshCmdOptDef opts_migrate[] =3D { .type =3D VSH_OT_STRING, .help =3D N_("filename containing updated persistent XML for the targ= et") }, + {.name =3D "tls", + .type =3D VSH_OT_BOOL, + .help =3D N_("use TLS for migration") + }, {.name =3D NULL} }; =20 
@@ -10381,6 +10385,9 @@ doMigrate(void *opaque) if (vshCommandOptBool(cmd, "postcopy")) flags |=3D VIR_MIGRATE_POSTCOPY; =20 + if (vshCommandOptBool(cmd, "tls")) + flags |=3D VIR_MIGRATE_TLS; + if (flags & VIR_MIGRATE_PEER2PEER || vshCommandOptBool(cmd, "direct"))= { if (virDomainMigrateToURI3(dom, desturi, params, nparams, flags) = =3D=3D 0) ret =3D '0'; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.24 as permitted sender) client-ip=209.132.183.24; envelope-from=libvir-list-bounces@redhat.com; helo=mx3-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.24 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx3-phx2.redhat.com (mx3-phx2.redhat.com [209.132.183.24]) by mx.zohomail.com with SMTPS id 1487360628255759.908985899338; Fri, 17 Feb 2017 11:43:48 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx3-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJe0rm005953; Fri, 17 Feb 2017 14:40:00 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJdcqI012545 for ; Fri, 17 Feb 2017 14:39:38 -0500 Received: by smtp.corp.redhat.com (Postfix) id 91F26BBA29; Fri, 17 Feb 2017 19:39:38 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 52CD3B6FE4 for ; Fri, 17 Feb 2017 19:39:38 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:29 -0500 Message-Id: <20170217193930.14943-13-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 12/13] qemu: Set up the migrate TLS objects for target X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Support TLS for a migration is a multistep process. The target guest must be started using the "-object tls-creds-x509,endpoint=3Dserver,...". If that TLS object requires a passphrase an addition "-object security..." would also be created. The alias/id used for the TLS object is "objmigrate_tls0", while the alias/id used for the security object is "migrate-secret0". Once the domain is started, the "tls-creds" migration parameter must be set to the alias/id of the "tls-creds-x509" object. Once the migration completes, removing the two objects is necessary since the newly started domain could then become the source of a migration and thus would not be an endpoint. Handle the possibility of libvirtd stop/reconnect by saving the fact that a migration is using TLS was started in a "migrateTLS" boolean. Signed-off-by: John Ferlan --- src/qemu/qemu_command.c | 29 ++++++++++++++++- src/qemu/qemu_command.h | 4 ++- src/qemu/qemu_domain.c | 5 +++ src/qemu/qemu_domain.h | 1 + src/qemu/qemu_migration.c | 80 +++++++++++++++++++++++++++++++++++++++++++= ++++ src/qemu/qemu_process.c | 4 +++ 6 files changed, 121 insertions(+), 2 deletions(-) 
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index d831d56..d8373aa 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -802,6 +802,27 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd,
 }
=20
=20
+static int
+qemuBuildMigrateTLSCommandLine(virCommandPtr cmd,
+ virQEMUDriverConfigPtr cfg,
+ virQEMUCapsPtr qemuCaps,
+ qemuDomainSecretInfoPtr migSecinfo)
+{
+ if (migSecinfo && qemuBuildObjectSecretCommandLine(cmd, migSecinfo) < = 0)
+ return -1;
+
+ /* When starting from command line this is the target of a migration
+ * so we need to start a TLS endpoint server (3rd param) */
+ if (qemuBuildTLSx509CommandLine(cmd, cfg->migrateTLSx509certdir,
+ true, cfg->migrateTLSx509verify,
+ !!cfg->migrateTLSx509secretUUID,
+ "migrate", qemuCaps) < 0)
+ return -1;
+
+ return 0;
+}
+
+
 #define QEMU_DEFAULT_NBD_PORT "10809"
 #define QEMU_DEFAULT_GLUSTER_PORT "24007"
=20
@@ -9639,6 +9660,8 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
 bool monitor_json,
 virQEMUCapsPtr qemuCaps,
 const char *migrateURI,
+ bool migrateTLS,
+ qemuDomainSecretInfoPtr migSecinfo,
 virDomainSnapshotObjPtr snapshot,
 virNetDevVPortProfileOp vmop,
 bool standalone,
@@ -9831,8 +9854,12 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
 if (qemuBuildHostdevCommandLine(cmd, def, qemuCaps, &bootHostdevNet) <= 0)
 goto error;
=20
- if (migrateURI)
+ if (migrateURI) {
 virCommandAddArgList(cmd, "-incoming", migrateURI, NULL);
+ if (migrateTLS && qemuBuildMigrateTLSCommandLine(cmd, cfg, qemuCap= s,
+ migSecinfo) < 0)
+ goto error;
+ }
=20
 if (qemuBuildMemballoonCommandLine(cmd, def, qemuCaps) < 0)
 goto error;
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index 69fe846..d6349be 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
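Review bot: In qemuBuildMigrateTLSCommandLine the secret object is emitted only when `migSecinfo` is non-NULL, but the tls-creds object is told a secret exists from `!!cfg->migrateTLSx509secretUUID`; when the two disagree (a UUID configured but no secinfo prepared for this launch, which the later qemu_domain.h comment notes is not persisted across a libvirtd restart) the command line would reference a secret id that was never defined. Deriving both from the same source keeps them consistent: `!!migSecinfo,` in place of `!!cfg->migrateTLSx509secretUUID,`. Whether qemuBuildTLSx509CommandLine uses that bool to attach a secret id is outside this hunk, so please confirm before changing it.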
@@ -50,6 +50,8 @@ virCommandPtr qemuBuildCommandLine(virQEMUDriverPtr drive= r, bool monitor_json, virQEMUCapsPtr qemuCaps, const char *migrateURI, + bool migrateTLS, + qemuDomainSecretInfoPtr migSecinfo, virDomainSnapshotObjPtr snapshot, virNetDevVPortProfileOp vmop, bool standalone, @@ -58,7 +60,7 @@ virCommandPtr qemuBuildCommandLine(virQEMUDriverPtr drive= r, size_t *nnicindexes, int **nicindexes, const char *domainLibDir) - ATTRIBUTE_NONNULL(15); + ATTRIBUTE_NONNULL(17); =20 =20 /* Generate the object properties for a secret */ diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index dd3cfd5..100ab9c 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -1864,6 +1864,9 @@ qemuDomainObjPrivateXMLFormat(virBufferPtr buf, virBufferEscapeString(buf, "\n", priv->channelTargetDir); =20 + if (priv->migrateTLS) + virBufferAddLit(buf, "\n"); + return 0; } =20 @@ -2132,6 +2135,8 @@ qemuDomainObjPrivateXMLParse(xmlXPathContextPtr ctxt, if (qemuDomainSetPrivatePathsOld(driver, vm) < 0) goto error; =20 + priv->migrateTLS =3D virXPathBoolean("boolean(./migrateTLS)", ctxt) = =3D=3D 1; + return 0; =20 error: diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index f796306..06af44a 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -287,6 +287,7 @@ struct _qemuDomainObjPrivate { /* for migration's using TLS with a secret (not to be saved in our */ /* private XML). */ qemuDomainSecretInfoPtr migSecinfo; + bool migrateTLS; }; =20 # define QEMU_DOMAIN_PRIVATE(vm) \ diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 0db1616..448d94e 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c 
@@ -1487,6 +1487,55 @@ qemuMigrationEatCookie(virQEMUDriverPtr driver,
 return NULL;
 }
=20
+
+/* qemuMigrationCheckSetupTLS
+ *
+ * Check if flags desired to use TLS and whether it's configured for the
+ * host it's being run on (src or dst depending on caller). If configured
+ * to use a secret for the TLS config, generate and save the migSecinfo.
+ *
+ * Returns 0 on success (or no TLS)
+ */
+static int
+qemuMigrationCheckSetupTLS(virQEMUDriverPtr driver,
+ virConnectPtr dconn,
+ virDomainObjPtr vm,
+ unsigned int flags)
+{
+ int ret =3D -1;
+ qemuDomainObjPrivatePtr priv =3D vm->privateData;
+ virQEMUDriverConfigPtr cfg =3D NULL;
+
+ if (flags & VIR_MIGRATE_TLS) {
+ cfg =3D virQEMUDriverGetConfig(driver);
+
+ if (!cfg->migrateTLS) {
+ virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+ _("migration TLS not enabled for the host"));
+ goto cleanup;
+ }
+
+ priv->migrateTLS =3D true;
+ if (virDomainSaveStatus(driver->xmlopt, cfg->stateDir,
+ vm, driver->caps) < 0)
+ VIR_WARN("Failed to save migrateTLS for vm %s", vm->def->name);
+
+ /* If there's a secret associated with the migrate TLS, then we
+ * need to grab it before attempting to create the command line. */
+ if (cfg->migrateTLSx509secretUUID &&
+ qemuDomainSecretMigratePrepare(dconn, priv, "migrate",
+ cfg->migrateTLSx509secretUUID) = < 0)
+ goto cleanup;
+ }
+
+ ret =3D 0;
+
+ cleanup:
+ virObjectUnref(cfg);
+ return ret;
+}
+
+
 static void
 qemuMigrationStoreDomainState(virDomainObjPtr vm)
 {
@@ -3613,6 +3662,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
 bool stopProcess =3D false;
 bool relabel =3D false;
 int rv;
+ char *tlsAlias =3D NULL;
 qemuMonitorMigrationParams migParams =3D { 0 };
=20
 virNWFilterReadLockFilterUpdates();
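Review bot: `priv->migrateTLS = true` is set and written to the status XML before qemuDomainSecretMigratePrepare runs, and nothing clears it on the failure path or when VIR_MIGRATE_TLS is absent, so a failed or aborted TLS attempt leaves a stale true behind and the next migration of this domain takes the TLS branches in qemuMigrationPrepareAny and qemuMigrationRun with a NULL `priv->migSecinfo`. Reset the flag from the current request first, `priv->migrateTLS = false;` before the `if (flags & VIR_MIGRATE_TLS)`, and move the `priv->migrateTLS = true;` plus the virDomainSaveStatus call below the secret prepare so the persisted flag only ever reflects a fully prepared TLS setup. The function is entirely within this hunk; its callers are in later hunks of this series.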
@@ -3779,6 +3829,13 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
 VIR_QEMU_PROCESS_START_AUTODESTROY) < 0)
 goto stopjob;
=20
+ if (qemuMigrationCheckSetupTLS(driver, dconn, vm, flags) < 0)
+ goto stopjob;
+
+ if (priv->migrateTLS &&
+ !(tlsAlias =3D qemuAliasTLSObjFromSrcAlias("migrate")))
+ goto stopjob;
+
 if (qemuProcessPrepareHost(driver, vm, !!incoming) < 0)
 goto stopjob;
=20
@@ -3806,6 +3863,12 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
 compression, &migParams) < 0)
 goto stopjob;
=20
+ /* A set only parameter to indicate the "tls-creds-x509" object id */
+ if (priv->migrateTLS) {
+ migParams.migrateTLSAlias =3D tlsAlias;
+ migParams.migrateTLSAlias_set =3D true;
+ }
+
 if (STREQ_NULLABLE(protocol, "rdma") &&
 virProcessSetMaxMemLock(vm->pid, vm->def->mem.hard_limit << 10) < = 0) {
 goto stopjob;
@@ -3891,6 +3954,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
 ret =3D 0;
=20
 cleanup:
+ VIR_FREE(tlsAlias);
 qemuProcessIncomingDefFree(incoming);
 VIR_FREE(xmlout);
 VIR_FORCE_CLOSE(dataFD[0]);
@@ -6185,6 +6249,22 @@ qemuMigrationFinish(virQEMUDriverPtr driver,
 qemuDomainCleanupRemove(vm, qemuMigrationPrepareCleanup);
 VIR_FREE(priv->job.completed);
=20
+ /* If migration used TLS, then command line creation generated a
+ * secinfo object and a TLS server object. Remove both now as this
+ * domain would now be a potential client of the next migration. */
+ if (priv->migrateTLS) {
+ char *tlsAlias =3D qemuAliasTLSObjFromSrcAlias("migrate");
+ char *secAlias =3D qemuDomainGetSecretAESAlias("migrate", false);
+
+ qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias);
+ qemuDomainSecretMigrateDestroy(&priv->migSecinfo);
+ VIR_FREE(tlsAlias);
+ priv->migrateTLS =3D false;
+ if (virDomainSaveStatus(driver->xmlopt, cfg->stateDir,
+ vm, driver->caps) < 0)
+ VIR_WARN("Failed to save migrateTLS on vm %s", vm->def->name);
+ }
+
 cookie_flags =3D QEMU_MIGRATION_COOKIE_NETWORK |
 QEMU_MIGRATION_COOKIE_STATS |
 QEMU_MIGRATION_COOKIE_NBD;
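Review bot: In the qemuMigrationFinish hunk `secAlias` returned by qemuDomainGetSecretAESAlias is never released — only `tlsAlias` gets a VIR_FREE — so every TLS migration leaks it; add `VIR_FREE(secAlias);` beside the existing free. Neither allocation is NULL-checked before qemuDomainDelTLSObjects is called, which is only safe if that function (outside this hunk) tolerates NULL aliases. In the qemuMigrationPrepareAny hunks `migParams.migrateTLSAlias` borrows `tlsAlias`, which is freed at the cleanup label, so migParams must not be used past that point; qemuMigrationPrepareAny and qemuMigrationFinish both start and end outside these hunks.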
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 76f132b..b9d6a9d 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -5469,6 +5469,8 @@ qemuProcessLaunch(virConnectPtr conn, vm->def, priv->monConfig, priv->monJSON, priv->qemuCaps, incoming ? incoming->launchURI : NULL, + priv->migrateTLS, + priv->migSecinfo, snapshot, vmop, false, qemuCheckFips(), 
@@ -5901,6 +5903,8 @@ qemuProcessCreatePretendCmd(virConnectPtr conn, priv->monJSON, priv->qemuCaps, migrateURI, + false, + NULL, NULL, VIR_NETDEV_VPORT_PROFILE_OP_NO_OP, standalone, --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 21:17:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) client-ip=209.132.183.25; envelope-from=libvir-list-bounces@redhat.com; helo=mx4-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) by mx.zohomail.com with SMTPS id 1487360594615951.5070146082174; Fri, 17 Feb 2017 11:43:14 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJe4gL012604; Fri, 17 Feb 2017 14:40:04 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1HJddST012550 for ; Fri, 17 Feb 2017 14:39:39 -0500 Received: by smtp.corp.redhat.com (Postfix) id 1270BBBA2B; Fri, 17 Feb 2017 19:39:39 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-126.phx2.redhat.com [10.3.116.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id B9544BBA29 for ; Fri, 17 Feb 2017 19:39:38 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Feb 2017 14:39:30 -0500 Message-Id: <20170217193930.14943-14-jferlan@redhat.com> In-Reply-To: <20170217193930.14943-1-jferlan@redhat.com> References: <20170217193930.14943-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 13/13] qemu: Set up the migration TLS objects for source X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" https://bugzilla.redhat.com/show_bug.cgi?id=3D1300769 Modify the Begin phase to add the checks to determine whether a migration wishes to use TLS and whether it's configured including adding the secret into the priv->migSecinfo for the source domain. Modify the Perform phase in qemuMigrationRun in order to generate the TLS objects to be used for the migration and set the migration channel parameters 'tls-creds' and possibly 'tls-hostname' in order to enable TLS. Signed-off-by: John Ferlan --- src/qemu/qemu_migration.c | 55 +++++++++++++++++++++++++++++++++++++++++++= ++++ 1 file changed, 55 insertions(+) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 448d94e..84eb6a3 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3362,6 +3362,9 @@ qemuMigrationBegin(virConnectPtr conn, goto endjob; } =20 + if (qemuMigrationCheckSetupTLS(driver, conn, vm, flags) < 0) + goto endjob; + /* Check if there is any ejected media. * We don't want to require them on the destination. */ 
@@ -4709,8 +4712,14 @@ qemuMigrationRun(virQEMUDriverPtr driver, { int ret =3D -1; unsigned int migrate_flags =3D QEMU_MONITOR_MIGRATE_BACKGROUND; + virQEMUDriverConfigPtr cfg =3D NULL; qemuDomainObjPrivatePtr priv =3D vm->privateData; qemuMigrationCookiePtr mig =3D NULL; + virJSONValuePtr tlsProps =3D NULL; + virJSONValuePtr secProps =3D NULL; + char *tlsAlias =3D NULL; + char *tlsHostname =3D NULL; + char *secAlias =3D NULL; qemuMigrationIOThreadPtr iothread =3D NULL; int fd =3D -1; unsigned long migrate_speed =3D resource ? resource : priv->migMaxBand= width; 
@@ -4774,6 +4783,44 @@ qemuMigrationRun(virQEMUDriverPtr driver,
 if (qemuDomainMigrateGraphicsRelocate(driver, vm, mig, graphicsuri) < = 0)
 VIR_WARN("unable to provide data for graphics client relocation");
=20
+ /* If we're using TLS attempt to add the objects */
+ if (priv->migrateTLS) {
+ cfg =3D virQEMUDriverGetConfig(driver);
+
+ if (qemuDomainGetTLSObjects(priv->qemuCaps, priv->migSecinfo,
+ cfg->migrateTLSx509certdir, false,
+ cfg->migrateTLSx509verify,
+ "migrate", &tlsProps, &tlsAlias,
+ &secProps, &secAlias) < 0)
+ goto cleanup;
+
+ /* Ensure the domain doesn't already have the TLS objects defined.= ..
+ * This should prevent any issues just in case some cleanup wasn't
+ * properly completed (both src and dst use the same aliases) or
+ * some other error path between now and perform . */
+ qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias);
+
+ /* Add the migrate TLS objects to the domain */
+ if (qemuDomainAddTLSObjects(driver, vm, secAlias, &secProps,
+ tlsAlias, &tlsProps) < 0)
+ goto cleanup;
+
+ migParams->migrateTLSAlias =3D tlsAlias;
+ migParams->migrateTLSAlias_set =3D true;
+
+ /* We need to add the tls-hostname only for special circumstances.
+ * When using "fd:" or "exec:", qemu needs to know the hostname of
+ * the target qemu to correctly validate the x509 certificate
+ * it receives. */
+ if (STREQ(spec->dest.host.protocol, "fd") ||
+ STREQ(spec->dest.host.protocol, "exec")) {
+ if (VIR_STRDUP(tlsHostname, spec->dest.host.name) < 0)
+ goto cleanup;
+ migParams->migrateTLSHostname =3D tlsHostname;
+ migParams->migrateTLSHostname_set =3D true;
+ }
+ }
+
 if (migrate_flags & (QEMU_MONITOR_MIGRATE_NON_SHARED_DISK |
 QEMU_MONITOR_MIGRATE_NON_SHARED_INC)) {
 if (mig->nbd) {
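Review bot: `spec->dest.host.protocol` is read without first checking `spec->destType`; if `dest` is a union, as the `host`/`fd` member naming suggests, then for fd- or unix-socket transports this reads another member's storage, and a NULL protocol would also crash inside STREQ. The comment refers to the QEMU "fd:"/"exec:" URI schemes, but `dest.host.protocol` appears to hold libvirt's transport name, so this branch may never run for the case it targets; since tls-hostname is the name the peer certificate is validated against, the condition deserves to be explicit and NULL-safe, e.g. `if (spec->destType == MIGRATION_DEST_HOST && (STREQ_NULLABLE(spec->dest.host.protocol, "fd") || STREQ_NULLABLE(spec->dest.host.protocol, "exec")))`, with a check against the callers of which transports actually supply a host name. qemuMigrationRun starts and ends outside this hunk.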
@@ -4954,6 +5001,14 @@ qemuMigrationRun(virQEMUDriverPtr driver,
 ret =3D -1;
 }
=20
+ qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias);
+ virJSONValueFree(tlsProps);
+ virJSONValueFree(secProps);
+ VIR_FREE(tlsAlias);
+ VIR_FREE(tlsHostname);
+ VIR_FREE(secAlias);
+ virObjectUnref(cfg);
+
 if (spec->fwdType !=3D MIGRATION_FWD_DIRECT) {
 if (iothread && qemuMigrationStopTunnel(iothread, ret < 0) < 0)
 ret =3D -1;
--=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
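Review bot: After this cleanup `migParams->migrateTLSAlias` and `migParams->migrateTLSHostname` still point at the strings released by `VIR_FREE(tlsAlias)` and `VIR_FREE(tlsHostname)` with their `_set` flags left true, so any later use of migParams by the caller (outside this hunk) is a use-after-free; clear the fields alongside the frees. The TLS objects are also deleted from QEMU here while the `tls-creds` migration parameter set earlier still names the deleted alias, so if QEMU retains migration parameters across attempts a later non-TLS migration from this domain would reference an object that no longer exists; resetting that parameter next to the object removal is worth considering. `qemuDomainDelTLSObjects` is called unconditionally, with NULL aliases when TLS was not used, which relies on it tolerating NULL.
```c
    qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias);
    /* … unchanged: virJSONValueFree / VIR_FREE calls … */
    migParams->migrateTLSAlias = NULL;
    migParams->migrateTLSAlias_set = false;
    migParams->migrateTLSHostname = NULL;
    migParams->migrateTLSHostname_set = false;
    virObjectUnref(cfg);
```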