From nobody Sat Apr 27 15:07:57 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 148977597434678.01892543876829; Fri, 17 Mar 2017 11:39:34 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 58C661C13C0; Fri, 17 Mar 2017 18:39:33 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2FDB877711; Fri, 17 Mar 2017 18:39:33 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id D85EA1853D04; Fri, 17 Mar 2017 18:39:32 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2HId7bC025168 for ; Fri, 17 Mar 2017 14:39:07 -0400 Received: by smtp.corp.redhat.com (Postfix) id 7FD4FBFA6E; Fri, 17 Mar 2017 18:39:07 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-76.phx2.redhat.com [10.3.116.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3DE96627DD for ; Fri, 17 Mar 2017 18:39:07 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 58C661C13C0 Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com 
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 58C661C13C0 From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Mar 2017 14:38:55 -0400 Message-Id: <20170317183901.5267-2-jferlan@redhat.com> In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com> References: <20170317183901.5267-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 1/7] qemu: Create #define for TLS configuration setup. X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 17 Mar 2017 18:39:34 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Create GET_CONFIG_TLS_CERT to set up the TLS for 'chardev' TLS setting. Soon to be reused. Signed-off-by: John Ferlan --- src/qemu/qemu_conf.c | 39 +++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 14 deletions(-) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 0a338d7..9db2bc3 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -530,22 +530,33 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPt= r cfg, if (virConfGetValueBool(conf, "spice_auto_unix_socket", &cfg->spiceAut= oUnixSocket) < 0) goto cleanup; =20 +#define GET_CONFIG_TLS_CERTINFO(val) = \ + do { = \ + if ((rv =3D virConfGetValueBool(conf, #val "_tls_x509_verify", = \ + &cfg->val## TLSx509verify)) < 0) = \ + goto cleanup; = \ + if (rv =3D=3D 0) = \ + cfg->val## TLSx509verify =3D cfg->defaultTLSx509verify; = \ + if (virConfGetValueString(conf, #val "_tls_x509_cert_dir", = \ + &cfg->val## TLSx509certdir) < 0) = \ + goto cleanup; = \ + if (virConfGetValueString(conf, = \ + #val "_tls_x509_secret_uuid", = \ + &cfg->val## TLSx509secretUUID) < 0) = \ + goto cleanup; = \ + if (!cfg->val## TLSx509secretUUID && = \ + cfg->defaultTLSx509secretUUID) { = \ + if (VIR_STRDUP(cfg->val## TLSx509secretUUID, = \ + cfg->defaultTLSx509secretUUID) < 0) = \ + goto cleanup; = \ + } = \ + } while (false); + if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0) goto cleanup; - if (virConfGetValueString(conf, "chardev_tls_x509_cert_dir", &cfg->cha= rdevTLSx509certdir) < 0) - goto cleanup; - if ((rv =3D virConfGetValueBool(conf, "chardev_tls_x509_verify", &cfg-= >chardevTLSx509verify)) < 0) - goto cleanup; - if (rv =3D=3D 0) - cfg->chardevTLSx509verify =3D cfg->defaultTLSx509verify; - if (virConfGetValueString(conf, "chardev_tls_x509_secret_uuid", - &cfg->chardevTLSx509secretUUID) < 0) - goto cleanup; - if (!cfg->chardevTLSx509secretUUID && cfg->defaultTLSx509secretUUID) { - if (VIR_STRDUP(cfg->chardevTLSx509secretUUID, - cfg->defaultTLSx509secretUUID) < 0) - goto cleanup; - } + GET_CONFIG_TLS_CERTINFO(chardev); + +#undef GET_CONFIG_TLS_CERTINFO =20 if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSo= cketPortMin) < 0) goto cleanup; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sat Apr 27 15:07:57 2024 Delivered-To: 
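Review bot: the macro body ends in `} while (false);`, so the call site `GET_CONFIG_TLS_CERTINFO(chardev);` expands to a trailing empty statement; drop the semicolon inside the definition and let each use supply its own, as the `do { ... } while (0)` idiom intends. The rest is a faithful move of the removed chardev block (the verify and cert_dir reads swap order, which is harmless since neither depends on the other).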
smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com DB6EC80515 From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Mar 2017 14:38:56 -0400 Message-Id: <20170317183901.5267-3-jferlan@redhat.com> In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com> References: <20170317183901.5267-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Fri, 17 Mar 2017 18:39:43 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add a new TLS X.509 certificate type - "migrate". This will handle the creation of a TLS certificate capability (and possibly repository) to be used for migrations. Similar to chardev's, credentials will be handled via a libvirt secrets; however, unlike chardev's enablement and usage will be via a CLI flag instead of a conf flag and a domain XML attribute. The migrations will also require the client-cert.pem and client-key.pem files to be present in the clients TLS directory. Signed-off-by: John Ferlan --- src/qemu/libvirtd_qemu.aug | 5 +++++ src/qemu/qemu.conf | 37 ++++++++++++++++++++++++++++++++++= +++ src/qemu/qemu_conf.c | 6 ++++++ src/qemu/qemu_conf.h | 4 ++++ src/qemu/test_libvirtd_qemu.aug.in | 3 +++ 5 files changed, 55 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 82bae9e..e1983d1 100644 
--- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -54,6 +54,10 @@ module Libvirtd_qemu =3D | bool_entry "chardev_tls_x509_verify" | str_entry "chardev_tls_x509_secret_uuid" =20 + let migrate_entry =3D str_entry "migrate_tls_x509_cert_dir" + | bool_entry "migrate_tls_x509_verify" + | str_entry "migrate_tls_x509_secret_uuid" + let nogfx_entry =3D bool_entry "nographics_allow_host_audio" =20 let remote_display_entry =3D int_entry "remote_display_port_min" @@ -116,6 +120,7 @@ module Libvirtd_qemu =3D | vnc_entry | spice_entry | chardev_entry + | migrate_entry | nogfx_entry | remote_display_entry | security_entry diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 9925ac9..40bcec3 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -13,6 +13,11 @@ # # dh-params.pem - the DH params configuration file # +# When using TLS for migrations, the directory must also contain +# +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# #default_tls_x509_cert_dir =3D "/etc/pki/qemu" =20 =20 
@@ -238,6 +243,38 @@ #chardev_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" =20 =20 +# In order to override the default TLS certificate location for migration +# certificates, supply a valid path to the certificate directory. If the +# provided path does not exist then the default_tls_x509_cert_dir path +# will be used. Once/if a default certificate is enabled/defined, migration +# will then be able to use the certificate via migration API flags. +# +#migrate_tls_x509_cert_dir =3D "/etc/pki/libvirt-migrate" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing a x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client who does not have a +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem +# +#migrate_tls_x509_verify =3D 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#migrate_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" + + # By default, if no graphical front end is configured, libvirt will disable # QEMU audio output since directly talking to alsa/pulseaudio may not work # with various security settings. If you know what you're doing, enable diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 9db2bc3..4c271cd 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -280,6 +280,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool priv= ileged) SET_TLS_X509_CERT_DEFAULT(vnc); SET_TLS_X509_CERT_DEFAULT(spice); SET_TLS_X509_CERT_DEFAULT(chardev); + SET_TLS_X509_CERT_DEFAULT(migrate); =20 #undef SET_TLS_X509_CERT_DEFAULT =20 @@ -395,6 +396,9 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->chardevTLSx509certdir); VIR_FREE(cfg->chardevTLSx509secretUUID); =20 + VIR_FREE(cfg->migrateTLSx509certdir); + VIR_FREE(cfg->migrateTLSx509secretUUID); + while (cfg->nhugetlbfs) { cfg->nhugetlbfs--; VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir); @@ -556,6 +560,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr = cfg, goto cleanup; GET_CONFIG_TLS_CERTINFO(chardev); =20 + GET_CONFIG_TLS_CERTINFO(migrate); + #undef GET_CONFIG_TLS_CERTINFO =20 if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSo= cketPortMin) < 0) diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index e585f81..1407eef 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -137,6 +137,10 @@ struct _virQEMUDriverConfig { bool chardevTLSx509verify; char *chardevTLSx509secretUUID; =20 + char *migrateTLSx509certdir; + bool migrateTLSx509verify; + char *migrateTLSx509secretUUID; + unsigned int remotePortMin; unsigned int remotePortMax; =20 diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 6f03898..3e317bc 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
@@ -25,6 +25,9 @@ module Test_libvirtd_qemu =3D { "chardev_tls_x509_cert_dir" =3D "/etc/pki/libvirt-chardev" } { "chardev_tls_x509_verify" =3D "1" } { "chardev_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } +{ "migrate_tls_x509_cert_dir" =3D "/etc/pki/libvirt-migrate" } +{ "migrate_tls_x509_verify" =3D "1" } +{ "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "nographics_allow_host_audio" =3D "1" } { "remote_display_port_min" =3D "5900" } { "remote_display_port_max" =3D "65535" } --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sat Apr 27 15:07:57 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1489775956989662.3866544960033; Fri, 17 Mar 2017 11:39:16 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E86E380480; Fri, 17 Mar 2017 18:39:15 +0000 (UTC) Received: from colo-mx.corp.redhat.com (unknown [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id BCD4117DEC; Fri, 17 Mar 2017 18:39:15 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 2CC934BB75; Fri, 17 Mar 2017 18:39:12 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com 
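Review bot: the qemu.conf text for migrate_tls_x509_cert_dir promises a fallback to default_tls_x509_cert_dir when the supplied path does not exist, but the qemu_conf.c hunk loads the value through GET_CONFIG_TLS_CERTINFO, which only reads the string and never checks the directory; either validate the directory at load time (failing loudly is safer for a TLS setting than a silent fallback) or reword the comment so an operator does not assume a mistyped path is harmless.

Review bot: the migrate_tls_x509_verify comment hardcodes the CA as /etc/pki/libvirt-migrate/ca-cert.pem, yet the directory is overridable via migrate_tls_x509_cert_dir just above it; say "the CA in the configured certificate directory" instead. It is also worth stating in that comment that an unset migrate_tls_x509_verify inherits default_tls_x509_verify (that is what GET_CONFIG_TLS_CERTINFO does), because, as the text itself explains, with verify off the server only proves its own identity, so the inherited value decides whether migration TLS authenticates the peer or only encrypts the channel.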
[10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2HId8VS025181 for ; Fri, 17 Mar 2017 14:39:08 -0400 Received: by smtp.corp.redhat.com (Postfix) id 5FF59BFA6B; Fri, 17 Mar 2017 18:39:08 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-76.phx2.redhat.com [10.3.116.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1F3FDBFA67 for ; Fri, 17 Mar 2017 18:39:08 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E86E380480 Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com E86E380480 From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Mar 2017 14:38:57 -0400 Message-Id: <20170317183901.5267-4-jferlan@redhat.com> In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com> References: <20170317183901.5267-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 3/7] Add new migration flag VIR_MIGRATE_TLS X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Fri, 17 Mar 2017 18:39:16 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" 
Signed-off-by: John Ferlan --- include/libvirt/libvirt-domain.h | 8 ++++++++ src/qemu/qemu_migration.h | 3 ++- tools/virsh-domain.c | 7 +++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index c490d71..620606c 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -815,6 +815,14 @@ typedef enum { * post-copy mode. See virDomainMigrateStartPostCopy for more details. */ VIR_MIGRATE_POSTCOPY =3D (1 << 15), + + /* Setting the VIR_MIGRATE_TLS flag will cause the migration to attempt + * to use the TLS environment configured by the hypervisor in order to + * perform the migration. If incorrectly configured on either source or + * destination, the migration will fail. + */ + VIR_MIGRATE_TLS =3D (1 << 16), + } virDomainMigrateFlags; =20 =20 diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 14c6178..bcebf06 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -45,7 +45,8 @@ typedef qemuMigrationCompression *qemuMigrationCompressio= nPtr; VIR_MIGRATE_ABORT_ON_ERROR | \ VIR_MIGRATE_AUTO_CONVERGE | \ VIR_MIGRATE_RDMA_PIN_ALL | \ - VIR_MIGRATE_POSTCOPY) + VIR_MIGRATE_POSTCOPY | \ + VIR_MIGRATE_TLS) =20 /* All supported migration parameters and their types. */ # define QEMU_MIGRATION_PARAMETERS \ diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 09a9f82..ebd4b33 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c @@ -10222,6 +10222,10 @@ static const vshCmdOptDef opts_migrate[] =3D { .type =3D VSH_OT_STRING, .help =3D N_("filename containing updated persistent XML for the targ= et") }, + {.name =3D "tls", + .type =3D VSH_OT_BOOL, + .help =3D N_("use TLS for migration") + }, {.name =3D NULL} }; =20 
@@ -10463,6 +10467,9 @@ doMigrate(void *opaque) if (vshCommandOptBool(cmd, "postcopy")) flags |=3D VIR_MIGRATE_POSTCOPY; =20 + if (vshCommandOptBool(cmd, "tls")) + flags |=3D VIR_MIGRATE_TLS; + if (flags & VIR_MIGRATE_PEER2PEER || vshCommandOptBool(cmd, "direct"))= { if (virDomainMigrateToURI3(dom, desturi, params, nparams, flags) = =3D=3D 0) ret =3D '0'; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sat Apr 27 15:07:57 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 148977597774928.514232349841222; Fri, 17 Mar 2017 11:39:37 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 17BB464DC; Fri, 17 Mar 2017 18:39:37 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D67491899F; Fri, 17 Mar 2017 18:39:36 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 802711853D0F; Fri, 17 Mar 2017 18:39:36 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2HId8JJ025186 for ; Fri, 17 Mar 2017 14:39:08 -0400 
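Review bot: the virsh-domain.c hunk adds a --tls option to `migrate`, but the diffstat touches only libvirt-domain.h, qemu_migration.h and virsh-domain.c, so the virsh man page is not updated; document the option next to --postcopy, including that a misconfigured TLS setup on either side fails the migration rather than falling back to plaintext, as the libvirt-domain.h comment states. The commit message is also empty apart from Signed-off-by; one line summarising the flag's semantics would help anyone bisecting later.

Review bot: in the libvirt-domain.h hunk the new entry is followed by an added blank line before `} virDomainMigrateFlags;` (the lone `+` after `VIR_MIGRATE_TLS = (1 << 16),`), which the surrounding entries do not have; drop it. Separately, because TLS is purely a client-side opt-in here (patch 2/7 says enablement is via a flag rather than a conf setting), nothing lets an administrator require TLS for incoming migrations on the destination; a follow-up conf knob would close that gap.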
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Mar 2017 14:38:58 -0400 Message-Id: <20170317183901.5267-5-jferlan@redhat.com> In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com> References: <20170317183901.5267-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 4/7] qemu: Add TLS params to _qemuMonitorMigrationParams X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Fri, 17 Mar 2017 18:39:37 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add the fields to support setting tls-creds and tls-hostname during a migration (either source or target). Modify the query migration function to check for the presence and set the field for future consumers to determine which of 3 conditions is being met (not present, present and set to "", or present and sent to something). Modify code paths that either allocate or use stack space in order to call qemuMigrationParamsClear or qemuMigrationParamsFree for cleanup. Signed-off-by: John Ferlan --- src/qemu/qemu_driver.c | 4 +++- src/qemu/qemu_migration.c | 26 +++++++++++++++++++++++++- src/qemu/qemu_migration.h | 6 ++++++ src/qemu/qemu_monitor.c | 11 ++++++++--- src/qemu/qemu_monitor.h | 3 +++ src/qemu/qemu_monitor_json.c | 28 ++++++++++++++++++++++++++++ tests/qemumonitorjsontest.c | 25 ++++++++++++++++++++++++- 7 files changed, 97 insertions(+), 6 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index dcd823f..03e3f8d 100644 
--- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -11845,6 +11845,7 @@ qemuDomainMigratePerform(virDomainPtr dom, flags, dname, resource, false); =20 cleanup: + qemuMigrationParamsClear(&migParams); VIR_FREE(compression); return ret; } @@ -12253,6 +12254,7 @@ qemuDomainMigratePerform3(virDomainPtr dom, flags, dname, resource, true); =20 cleanup: + qemuMigrationParamsClear(&migParams); VIR_FREE(compression); return ret; } @@ -12343,7 +12345,7 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, flags, dname, bandwidth, true); cleanup: VIR_FREE(compression); - VIR_FREE(migParams); + qemuMigrationParamsFree(&migParams); VIR_FREE(migrate_disks); return ret; } diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index f5711bc..66a5062 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3508,6 +3508,28 @@ qemuMigrationSetCompression(virQEMUDriverPtr driver, } =20 =20 +void +qemuMigrationParamsClear(qemuMonitorMigrationParamsPtr migParams) +{ + if (!migParams) + return; + + VIR_FREE(migParams->migrateTLSAlias); + VIR_FREE(migParams->migrateTLSHostname); +} + + +void +qemuMigrationParamsFree(qemuMonitorMigrationParamsPtr *migParams) +{ + if (!*migParams) + return; + + qemuMigrationParamsClear(*migParams); + VIR_FREE(*migParams); +} + + qemuMonitorMigrationParamsPtr qemuMigrationParams(virTypedParameterPtr params, int nparams, @@ -3549,7 +3571,7 @@ qemuMigrationParams(virTypedParameterPtr params, return migParams; =20 error: - VIR_FREE(migParams); + qemuMigrationParamsFree(&migParams); return NULL; } =20 @@ -3909,6 +3931,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, virDomainObjRemoveTransientDef(vm); qemuDomainRemoveInactive(driver, vm); } + qemuMigrationParamsClear(&migParams); virDomainObjEndAPI(&vm); qemuDomainEventQueue(driver, event); qemuMigrationCookieFree(mig); 
@@ -5244,6 +5267,7 @@ static int doPeer2PeerMigrate2(virQEMUDriverPtr drive= r, virSetError(orig_err); virFreeError(orig_err); } + qemuMigrationParamsClear(&migParams); VIR_FREE(uri_out); VIR_FREE(cookie); VIR_FREE(compression); diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index bcebf06..4c8f2c9 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -121,6 +121,12 @@ int qemuMigrationCompressionDump(qemuMigrationCompress= ionPtr compression, int *maxparams, unsigned long *flags); =20 +void +qemuMigrationParamsClear(qemuMonitorMigrationParamsPtr migParams); + +void +qemuMigrationParamsFree(qemuMonitorMigrationParamsPtr *migParams); + qemuMonitorMigrationParamsPtr qemuMigrationParams(virTypedParameterPtr params, int nparams, diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 79da472..ee0e116 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -2530,12 +2530,15 @@ qemuMonitorSetMigrationParams(qemuMonitorPtr mon, { VIR_DEBUG("compressLevel=3D%d:%d compressThreads=3D%d:%d " "decompressThreads=3D%d:%d cpuThrottleInitial=3D%d:%d " - "cpuThrottleIncrement=3D%d:%d", + "cpuThrottleIncrement=3D%d:%d tlsAlias=3D%s " + "tlsHostname=3D%s", params->compressLevel_set, params->compressLevel, params->compressThreads_set, params->compressThreads, params->decompressThreads_set, params->decompressThreads, params->cpuThrottleInitial_set, params->cpuThrottleInitial, - params->cpuThrottleIncrement_set, params->cpuThrottleIncreme= nt); + params->cpuThrottleIncrement_set, params->cpuThrottleIncreme= nt, + NULLSTR(params->migrateTLSAlias), + NULLSTR(params->migrateTLSHostname)); =20 QEMU_CHECK_MONITOR_JSON(mon); =20 
@@ -2543,7 +2546,9 @@ qemuMonitorSetMigrationParams(qemuMonitorPtr mon, !params->compressThreads_set && !params->decompressThreads_set && !params->cpuThrottleInitial_set && - !params->cpuThrottleIncrement_set) + !params->cpuThrottleIncrement_set && + !params->migrateTLSAlias && + !params->migrateTLSHostname) return 0; =20 return qemuMonitorJSONSetMigrationParams(mon, params); diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h index c3d3f2f..315f361 100644 --- a/src/qemu/qemu_monitor.h +++ b/src/qemu/qemu_monitor.h @@ -571,6 +571,9 @@ struct _qemuMonitorMigrationParams { =20 bool cpuThrottleIncrement_set; int cpuThrottleIncrement; + + char *migrateTLSAlias; + char *migrateTLSHostname; }; =20 int qemuMonitorGetMigrationParams(qemuMonitorPtr mon, diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index 553544a..125cc6a 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c @@ -2566,6 +2566,7 @@ qemuMonitorJSONGetMigrationParams(qemuMonitorPtr mon, virJSONValuePtr result; virJSONValuePtr cmd =3D NULL; virJSONValuePtr reply =3D NULL; + const char *tlsStr =3D NULL; =20 memset(params, 0, sizeof(*params)); =20 @@ -2595,6 +2596,21 @@ qemuMonitorJSONGetMigrationParams(qemuMonitorPtr mon, =20 #undef PARSE =20 + /* NB: First supported in QEMU 2.7; however, there was no way to + * clear, so 2.9 altered the definition to allow using an empty string + * to disable. Additionally, it defined the variable to an empty string + * by default if not defined ever. Use this as our marker to determine + * whether TLS can be supported or not. */ + if ((tlsStr =3D virJSONValueObjectGetString(result, "tls-creds"))) { + if (VIR_STRDUP(params->migrateTLSAlias, tlsStr) < 0) + goto cleanup; + } + + if ((tlsStr =3D virJSONValueObjectGetString(result, "tls-hostname"))) { + if (VIR_STRDUP(params->migrateTLSHostname, tlsStr) < 0) + goto cleanup; + } + ret =3D 0; cleanup: virJSONValueFree(cmd); 
@@ -2637,6 +2653,18 @@ qemuMonitorJSONSetMigrationParams(qemuMonitorPtr mon, =20 #undef APPEND =20 + /* See query, value will be either NULL, "", or something valid. + * NULL will indicate no support, while "" will indicate to disable */ + if (params->migrateTLSAlias && + virJSONValueObjectAppendString(args, "tls-creds", + params->migrateTLSAlias) < 0) + goto cleanup; + + if (params->migrateTLSHostname && + virJSONValueObjectAppendString(args, "tls-hostname", + params->migrateTLSHostname) < 0) + goto cleanup; + if (virJSONValueObjectAppend(cmd, "arguments", args) < 0) goto cleanup; args =3D NULL; diff --git a/tests/qemumonitorjsontest.c b/tests/qemumonitorjsontest.c index d0f9381..0f802eb 100644 --- a/tests/qemumonitorjsontest.c +++ b/tests/qemumonitorjsontest.c @@ -1789,7 +1789,9 @@ testQemuMonitorJSONqemuMonitorJSONGetMigrationParams(= const void *data) " \"cpu-throttle-increment\": 10," " \"compress-threads\": 8," " \"compress-level\": 1," - " \"cpu-throttle-initial\": 20" + " \"cpu-throttle-initial\": 20," + " \"tls-creds\": \"tls0\"," + " \"tls-hostname\": \"\"" " }" "}") < 0) { goto cleanup; 
@@ -1821,9 +1823,30 @@ testQemuMonitorJSONqemuMonitorJSONGetMigrationParams= (const void *data) =20 #undef CHECK =20 +#define CHECK(VAR, FIELD, VALUE) = \ + do { = \ + if (!params.VAR) { = \ + virReportError(VIR_ERR_INTERNAL_ERROR, "%s is not set", FIELD)= ; \ + goto cleanup; = \ + } = \ + if (STRNEQ(params.VAR, VALUE)) { = \ + virReportError(VIR_ERR_INTERNAL_ERROR, = \ + "Invalid %s:'%s', expected '%s'", = \ + FIELD, params.VAR, VALUE); = \ + goto cleanup; = \ + } = \ + } while (0) + + CHECK(migrateTLSAlias, "tls-creds", "tls0"); + CHECK(migrateTLSHostname, "tls-hostname", ""); + +#undef CHECK + ret =3D 0; =20 cleanup: + VIR_FREE(params.migrateTLSAlias); + VIR_FREE(params.migrateTLSHostname); qemuMonitorTestFree(test); return ret; } --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sat Apr 27 15:07:57 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 148977598172261.7981904658094; Fri, 17 Mar 2017 11:39:41 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AB6E07E9FD; Fri, 17 Mar 2017 18:39:40 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7840F1796B; Fri, 17 Mar 2017 18:39:40 +0000 (UTC) Received: from 
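Review bot: qemuMonitorJSONGetMigrationParams still opens with `memset(params, 0, sizeof(*params))`, and this hunk turns migrateTLSAlias and migrateTLSHostname into heap-owned strings inside that struct, so any caller that reuses a params object across two queries leaks the previous strings; VIR_FREE both fields before the memset, or document that callers must pass a cleared struct.

Review bot: the qemumonitorjsontest.c hunk exercises only the "present and set" (tls-creds "tls0") and "present and empty" (tls-hostname "") cases named in the commit message; add a reply without the tls-creds key and assert that migrateTLSAlias stays NULL, since that NULL is exactly what qemuMonitorJSONSetMigrationParams relies on to skip the argument on a QEMU without support. The redefined CHECK correctly jumps to cleanup, which now frees both strings, so the new frees there are in the right place.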
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Mar 2017 14:38:59 -0400 Message-Id: <20170317183901.5267-6-jferlan@redhat.com> In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com> References: <20170317183901.5267-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 5/7] qemu: Add job for qemuDomain{Add|Del}TLSObjects X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 17 Mar 2017 18:39:41 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add an asyncJob argument for add/delete TLS Objects. A future patch will add/delete TLS objects from a migration which may hae a job to join. Signed-off-by: John Ferlan --- src/qemu/qemu_hotplug.c | 24 ++++++++++++++++-------- src/qemu/qemu_hotplug.h | 2 ++ 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index ddcbc5e..9adb04a 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1531,6 +1531,7 @@ qemuDomainAttachHostPCIDevice(virQEMUDriverPtr driver, void qemuDomainDelTLSObjects(virQEMUDriverPtr driver, virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, const char *secAlias, const char *tlsAlias) { 
@@ -1542,7 +1543,8 @@ qemuDomainDelTLSObjects(virQEMUDriverPtr driver, =20 orig_err =3D virSaveLastError(); =20 - qemuDomainObjEnterMonitor(driver, vm); + if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0) + goto cleanup; =20 if (tlsAlias) ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); @@ -1552,6 +1554,7 @@ qemuDomainDelTLSObjects(virQEMUDriverPtr driver, =20 ignore_value(qemuDomainObjExitMonitor(driver, vm)); =20 + cleanup: if (orig_err) { virSetError(orig_err); virFreeError(orig_err); @@ -1562,6 +1565,7 @@ qemuDomainDelTLSObjects(virQEMUDriverPtr driver, int qemuDomainAddTLSObjects(virQEMUDriverPtr driver, virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, const char *secAlias, virJSONValuePtr *secProps, const char *tlsAlias, @@ -1574,7 +1578,8 @@ qemuDomainAddTLSObjects(virQEMUDriverPtr driver, if (!tlsAlias && !secAlias) return 0; =20 - qemuDomainObjEnterMonitor(driver, vm); + if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0) + return -1; =20 if (secAlias) { rc =3D qemuMonitorAddObject(priv->mon, "secret", @@ -1601,7 +1606,7 @@ qemuDomainAddTLSObjects(virQEMUDriverPtr driver, virSetError(orig_err); virFreeError(orig_err); } - qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + qemuDomainDelTLSObjects(driver, vm, asyncJob, secAlias, tlsAlias); =20 return -1; } @@ -1682,8 +1687,8 @@ qemuDomainAddChardevTLSObjects(virConnectPtr conn, goto cleanup; dev->data.tcp.tlscreds =3D true; =20 - if (qemuDomainAddTLSObjects(driver, vm, *secAlias, &secProps, - *tlsAlias, &tlsProps) < 0) + if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + *secAlias, &secProps, *tlsAlias, &tlsProps= ) < 0) goto cleanup; =20 ret =3D 0; @@ -1773,7 +1778,8 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, virSetError(orig_err); virFreeError(orig_err); } - qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + secAlias, tlsAlias); goto audit; } =20 
@@ -2034,7 +2040,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, virFreeError(orig_err); } =20 - qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + secAlias, tlsAlias); goto audit; } =20 @@ -2186,7 +2193,8 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, virFreeError(orig_err); } =20 - qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + secAlias, tlsAlias); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 73f2b1f..f06f232 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h 
@@ -36,11 +36,13 @@ int qemuDomainChangeEjectableMedia(virQEMUDriverPtr dri= ver, =20 void qemuDomainDelTLSObjects(virQEMUDriverPtr driver, virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, const char *secAlias, const char *tlsAlias); =20 int qemuDomainAddTLSObjects(virQEMUDriverPtr driver, virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, const char *secAlias, virJSONValuePtr *secProps, const char *tlsAlias, --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sat Apr 27 15:07:57 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1489775984606824.8828538668846; Fri, 17 Mar 2017 11:39:44 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3309476E6; Fri, 17 Mar 2017 18:39:44 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0802817DF0; Fri, 17 Mar 2017 18:39:44 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id AA6BA1853D14; Fri, 17 Mar 2017 18:39:43 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP 
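Review bot: in the qemuDomainDelTLSObjects hunk, when qemuDomainObjEnterMonitorAsync fails and no orig_err had been saved, the error it reported is left pending by a void routine that callers treat as best-effort cleanup (qemuDomainAddTLSObjects calls it on its own failure path, and later patches call it proactively before adding objects); consider a VIR_WARN that the TLS objects could not be removed, and reset the error, so a stale error does not surface in an otherwise successful caller. When orig_err is set, the new cleanup label restores it correctly over the enter-monitor error.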
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Mar 2017 14:39:00 -0400 Message-Id: <20170317183901.5267-7-jferlan@redhat.com> In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com> References: <20170317183901.5267-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 6/7] qemu: Set up the migrate TLS objects for target X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Fri, 17 Mar 2017 18:39:44 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" If the migration flags indicate this migration will be using TLS, then set up the destination during the prepare phase once the target domain has been started to add the TLS objects to perform the migration. This will create at least an "-object tls-creds-x509,endpoint=3Dserver,..." and potentially an "-object secret,..." to handle the passphrase response to access the TLS credentials. The alias/id used for the TLS objects will contain "libvirt_migrate" as a mechanism to signify that libvirt started the migration on the target (reaping benefits possibly). Once the objects are created, the code will set the "tls-creds" and "tls-hostname" migration parameters to signify usage of TLS. During the Finish phase we'll be sure to attempt to clear the migration parameters and delete those objects (whether or not they were created). 
Since incoming migrations that don't reach the Finish stage will be killed in qemuProcessRecoverMigrationIn and the only purpose at that point would be to free memory, it's not necessary to set up any sort of recovery. Additionally, subsequent migrations will check if the migration parameters are set and adjust them appropriately if for some reason libvirtd restarts after setting the Finish marker, but before actually resetting the environment. Signed-off-by: John Ferlan --- src/qemu/qemu_domain.c | 7 +- src/qemu/qemu_domain.h | 91 +++++++----- src/qemu/qemu_migration.c | 344 ++++++++++++++++++++++++++++++++++++++++++= ++++ 3 files changed, 403 insertions(+), 39 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index c239a06..f4636ed 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -782,7 +782,7 @@ qemuDomainSecretAESClear(qemuDomainSecretAES secret) } =20 =20 -static void +void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr *secinfo) { if (!*secinfo) @@ -1186,7 +1186,7 @@ qemuDomainSecretInfoNew(virConnectPtr conn, * * Returns qemuDomainSecretInfoPtr or NULL on error. */ -static qemuDomainSecretInfoPtr +qemuDomainSecretInfoPtr qemuDomainSecretInfoTLSNew(virConnectPtr conn, qemuDomainObjPrivatePtr priv, const char *srcAlias, @@ -1677,6 +1677,9 @@ qemuDomainObjPrivateFree(void *data) =20 VIR_FREE(priv->libDir); VIR_FREE(priv->channelTargetDir); + + qemuDomainSecretInfoFree(&priv->migSecinfo); + VIR_FREE(priv->migTLSAlias); qemuDomainMasterKeyFree(priv); =20 VIR_FREE(priv); diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index 1f266bf..1dd3b1c 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h 
@@ -175,6 +175,43 @@ VIR_ENUM_DECL(qemuDomainNamespace) bool qemuDomainNamespaceEnabled(virDomainObjPtr vm, qemuDomainNamespace ns); =20 +/* Type of domain secret */ +typedef enum { + VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN =3D 0, + VIR_DOMAIN_SECRET_INFO_TYPE_AES, /* utilize GNUTLS_CIPHER_AES_256_CBC= */ + + VIR_DOMAIN_SECRET_INFO_TYPE_LAST +} qemuDomainSecretInfoType; + +typedef struct _qemuDomainSecretPlain qemuDomainSecretPlain; +typedef struct _qemuDomainSecretPlain *qemuDomainSecretPlainPtr; +struct _qemuDomainSecretPlain { + char *username; + uint8_t *secret; + size_t secretlen; +}; + +# define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ + /* initialization vector */ +typedef struct _qemuDomainSecretAES qemuDomainSecretAES; +typedef struct _qemuDomainSecretAES *qemuDomainSecretAESPtr; +struct _qemuDomainSecretAES { + char *username; + char *alias; /* generated alias for secret */ + char *iv; /* base64 encoded initialization vector */ + char *ciphertext; /* encoded/encrypted secret */ +}; + +typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo; +typedef qemuDomainSecretInfo *qemuDomainSecretInfoPtr; +struct _qemuDomainSecretInfo { + qemuDomainSecretInfoType type; + union { + qemuDomainSecretPlain plain; + qemuDomainSecretAES aes; + } s; +}; + typedef struct _qemuDomainObjPrivate qemuDomainObjPrivate; typedef qemuDomainObjPrivate *qemuDomainObjPrivatePtr; struct _qemuDomainObjPrivate { 
@@ -246,47 +283,18 @@ struct _qemuDomainObjPrivate { =20 /* note whether memory device alias does not correspond to slot number= */ bool memAliasOrderMismatch; -}; =20 -# define QEMU_DOMAIN_PRIVATE(vm) \ - ((qemuDomainObjPrivatePtr) (vm)->privateData) + /* for migrations using TLS with a secret (not to be saved in our */ + /* private XML). */ + qemuDomainSecretInfoPtr migSecinfo; =20 -/* Type of domain secret */ -typedef enum { - VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN =3D 0, - VIR_DOMAIN_SECRET_INFO_TYPE_AES, /* utilize GNUTLS_CIPHER_AES_256_CBC= */ - - VIR_DOMAIN_SECRET_INFO_TYPE_LAST -} qemuDomainSecretInfoType; - -typedef struct _qemuDomainSecretPlain qemuDomainSecretPlain; -typedef struct _qemuDomainSecretPlain *qemuDomainSecretPlainPtr; -struct _qemuDomainSecretPlain { - char *username; - uint8_t *secret; - size_t secretlen; + /* Used when fetching/storing the current 'tls-creds' migration settin= g */ + /* (not to be saved in our private XML). */ + char *migTLSAlias; }; =20 -# define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ - /* initialization vector */ -typedef struct _qemuDomainSecretAES qemuDomainSecretAES; -typedef struct _qemuDomainSecretAES *qemuDomainSecretAESPtr; -struct _qemuDomainSecretAES { - char *username; - char *alias; /* generated alias for secret */ - char *iv; /* base64 encoded initialization vector */ - char *ciphertext; /* encoded/encrypted secret */ -}; - -typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo; -typedef qemuDomainSecretInfo *qemuDomainSecretInfoPtr; -struct _qemuDomainSecretInfo { - qemuDomainSecretInfoType type; - union { - qemuDomainSecretPlain plain; - qemuDomainSecretAES aes; - } s; -}; +# define QEMU_DOMAIN_PRIVATE(vm) \ + ((qemuDomainObjPrivatePtr) (vm)->privateData) =20 # define QEMU_DOMAIN_DISK_PRIVATE(disk) \ ((qemuDomainDiskPrivatePtr) (disk)->privateData) 
@@ -730,6 +738,9 @@ int qemuDomainMasterKeyCreate(virDomainObjPtr vm); =20 void qemuDomainMasterKeyRemove(qemuDomainObjPrivatePtr priv); =20 +void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr *secinfo) + ATTRIBUTE_NONNULL(1); + void qemuDomainSecretDiskDestroy(virDomainDiskDefPtr disk) ATTRIBUTE_NONNULL(1); =20 @@ -739,6 +750,12 @@ bool qemuDomainSecretDiskCapable(virStorageSourcePtr s= rc) bool qemuDomainDiskHasEncryptionSecret(virStorageSourcePtr src) ATTRIBUTE_NONNULL(1); =20 +qemuDomainSecretInfoPtr +qemuDomainSecretInfoTLSNew(virConnectPtr conn, + qemuDomainObjPrivatePtr priv, + const char *srcAlias, + const char *secretUUID); + int qemuDomainSecretDiskPrepare(virConnectPtr conn, qemuDomainObjPrivatePtr priv, virDomainDiskDefPtr disk) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 66a5062..42074f0 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -85,6 +85,8 @@ VIR_ENUM_IMPL(qemuMigrationCompressMethod, QEMU_MIGRATION= _COMPRESS_LAST, "mt", ); =20 +#define QEMU_MIGRATION_TLS_ALIAS_BASE "libvirt_migrate" + enum qemuMigrationCookieFlags { QEMU_MIGRATION_COOKIE_FLAG_GRAPHICS, QEMU_MIGRATION_COOKIE_FLAG_LOCKSTATE, 
@@ -1488,6 +1490,164 @@ qemuMigrationEatCookie(virQEMUDriverPtr driver, return NULL; } =20 +/* qemuMigrationCheckTLSCreds + * @driver: pointer to qemu driver + * @vm: domain object + * @asyncJob: migration job to join + * + * Query the migration parameters looking for the 'tls-creds' parameter. + * The parameter was initially supported in QEMU 2.7; however, there was + * no mechanism provided to clear the parameter. For QEMU 2.9, a change + * was made to allow setting the parameter to an empty string in order + * to clear. An additional change was made to initialize the parameter + * to the empty string. Although still not perfect since it's possible + * that a pre-2.9 release set the string to something and we should not + * set it to the empty string, at least it's better than nothing. So let's + * check if the parameter has been set to something to detect the whether + * the parameter exists. If it's been set to something, then save the + * value in our private domain structures so that future decision makers + * can decide how they should proceed based upon the setting. + * + * Returns 0 if we were able to successfully fetch the params and + * additionally if the tls-creds parameter exists, saves it in the + * private domain structure. Returns -1 on failure. + */ +static int +qemuMigrationCheckTLSCreds(virQEMUDriverPtr driver, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob) +{ + int ret =3D -1; + qemuDomainObjPrivatePtr priv =3D vm->privateData; + qemuMonitorMigrationParams migParams =3D { 0 }; + + if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0) + goto cleanup; + + if (qemuMonitorGetMigrationParams(priv->mon, &migParams) < 0) + goto cleanup; + + /* NB: Could steal NULL pointer too! Let caller decide what to do. 
*/ + VIR_STEAL_PTR(priv->migTLSAlias, migParams.migrateTLSAlias); + + ret =3D 0; + + cleanup: + if (qemuDomainObjExitMonitor(driver, vm) < 0) + ret =3D -1; + + qemuMigrationParamsClear(&migParams); + + return ret; +} + + +/* qemuMigrationCheckSetupTLS + * @conn: Connection pointer + * @driver: pointer to qemu driver + * @vm: domain object + * @cfg: configuration pointer + * @asyncJob: migration job to join + * + * Check if TLS is possible and set up the environment. Assumes the caller + * desires to use TLS (e.g. caller found VIR_MIGRATE_TLS flag). + * + * Ensure the qemu.conf has been properly configured to add an entry for + * "migrate_tls_x509_cert_dir". Also check if the "tls-creds" parameter + * was present from a query of migration parameters + * + * Returns 0 on success, -1 on error/failure + */ +static int +qemuMigrationCheckSetupTLS(virConnectPtr conn, + virQEMUDriverPtr driver, + virQEMUDriverConfigPtr cfg, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + + if (!cfg->migrateTLSx509certdir) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("host migration TLS directory not configured")); + return -1; + } + + if (qemuMigrationCheckTLSCreds(driver, vm, asyncJob) < 0) + return -1; + + if (!priv->migTLSAlias) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("get/set empty migration parameter 'tls-creds' is= " + "not supported")); + return -1; + } + + /* If there's a secret, then grab/store it now using the connection */ + if (cfg->migrateTLSx509secretUUID && + !(priv->migSecinfo =3D + qemuDomainSecretInfoTLSNew(conn, priv, QEMU_MIGRATION_TLS_ALIAS_= BASE, + cfg->migrateTLSx509secretUUID))) + return -1; + + return 0; +} + + +/* qemuMigrationAddTLSObjects + * @driver: pointer to qemu driver + * @vm: domain object + * @cfg: configuration pointer + * @tlsListen: server or client + * @asyncJob: Migration job to join + * @tlsAlias: alias to be generated for TLS object + * @secAlias: alias to 
be generated for a secinfo object + * @migParams: migration parameters to set + * + * Create the TLS objects for the migration and set the migParams value + * + * Returns 0 on success, -1 on failure + */ +static int +qemuMigrationAddTLSObjects(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virQEMUDriverConfigPtr cfg, + bool tlsListen, + qemuDomainAsyncJob asyncJob, + char **tlsAlias, + char **secAlias, + qemuMonitorMigrationParamsPtr migParams) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + virJSONValuePtr tlsProps =3D NULL; + virJSONValuePtr secProps =3D NULL; + + if (qemuDomainGetTLSObjects(priv->qemuCaps, priv->migSecinfo, + cfg->migrateTLSx509certdir, tlsListen, + cfg->migrateTLSx509verify, + QEMU_MIGRATION_TLS_ALIAS_BASE, + &tlsProps, tlsAlias, &secProps, secAlias) = < 0) + return -1; + + /* Ensure the domain doesn't already have the TLS objects defined... + * This should prevent any issues just in case some cleanup wasn't + * properly completed (both src and dst use the same alias) or + * some other error path between now and perform . */ + qemuDomainDelTLSObjects(driver, vm, asyncJob, *secAlias, *tlsAlias); + + /* Add the migrate TLS objects to the domain */ + if (qemuDomainAddTLSObjects(driver, vm, asyncJob, *secAlias, &secProps, + *tlsAlias, &tlsProps) < 0) + return -1; + + /* Set the param used for 'tls-creds' */ + if (VIR_STRDUP(migParams->migrateTLSAlias, *tlsAlias) < 0) + return -1; + + return 0; +} + + static void qemuMigrationStoreDomainState(virDomainObjPtr vm) { 
@@ -3530,6 +3690,47 @@ qemuMigrationParamsFree(qemuMonitorMigrationParamsPt= r *migParams) } =20 =20 +/* qemuMigrationSetEmptyTLSParams + * @priv: Pointer to private domain data + * @migParams: Pointer to a migration parameters block + * + * If the qemuMigrationCheckTLSCreds query finds a non empty alias and it + * is set to the alias that libvirt set, then we need to set the migration + * parameters to "" in order to force clearing the TLS values from our + * previous migration that may not have been cleared properly if libvirtd + * restarted during the finish phase before the ResetTLSParams was run. + * + * Returns 0 on success, -1 on failure + */ +static int +qemuMigrationSetEmptyTLSParams(qemuDomainObjPrivatePtr priv, + qemuMonitorMigrationParamsPtr migParams) +{ + char *tlsAlias =3D NULL; + + if (priv->migTLSAlias) { + if (*priv->migTLSAlias =3D=3D '\0') + return 0; + + if (!(tlsAlias =3D + qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE))) + return -1; + + if (STRNEQ(priv->migTLSAlias, tlsAlias)) { + VIR_FREE(tlsAlias); + return 0; + } + VIR_FREE(tlsAlias); + + if (VIR_STRDUP(migParams->migrateTLSAlias, "") < 0 || + VIR_STRDUP(migParams->migrateTLSHostname, "") < 0) + return -1; + } + + return 0; +} + + qemuMonitorMigrationParamsPtr qemuMigrationParams(virTypedParameterPtr params, int nparams, 
@@ -3601,6 +3802,110 @@ qemuMigrationSetParams(virQEMUDriverPtr driver, } =20 =20 +/* qemuMigrationResetTLSParams + * @driver: pointer to qemu driver + * @vm: domain object + * @asyncJob: migration job to join + * @tlsAlias: alias used for TLS object + * + * If we configured the migration TLS params, then let's clear the setting + * of the tls-creds and tls-hostname. + * + * Returns 0 on success, -1 on failure with error message set + */ +static int +qemuMigrationResetTLSParams(virQEMUDriverPtr driver, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, + const char *tlsAlias) +{ + int ret =3D -1; + qemuDomainObjPrivatePtr priv =3D vm->privateData; + qemuMonitorMigrationParams migParams =3D { 0 }; + + if (!priv->migTLSAlias) + return 0; + + if (STREQ_NULLABLE(priv->migTLSAlias, tlsAlias)) { + if (VIR_STRDUP(migParams.migrateTLSAlias, "") < 0 || + VIR_STRDUP(migParams.migrateTLSHostname, "") < 0) + goto cleanup; + + if (qemuMigrationSetParams(driver, vm, asyncJob, &migParams) < 0) + goto cleanup; + } + + ret =3D 0; + + cleanup: + qemuMigrationParamsClear(&migParams); + return ret; +} + + +/* qemuMigrationDeconstructTLS + * @driver: pointer to qemu driver + * @vm: domain object + * @asyncJob: migration job to join + * @tlsAlias: alias generated for TLS object + * @secAlias: alias generated for a secinfo object + * + * Deconstruct all the setup possibly done for TLS - various objects, seci= nfo, + * and migration parameters. 
+ * + * Returns 0 on success, -1 on failure + */ +static int +qemuMigrationDeconstructTLS(virQEMUDriverPtr driver, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, + const char *tlsAlias, + const char *secAlias) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + + qemuDomainDelTLSObjects(driver, vm, asyncJob, secAlias, tlsAlias); + qemuDomainSecretInfoFree(&priv->migSecinfo); + + return qemuMigrationResetTLSParams(driver, vm, asyncJob, tlsAlias); +} + + +/* qemuMigrationResetTLS + * @driver: pointer to qemu driver + * @vm: domain object + * @asyncJob: migration job to join + * + * Wrapper to qemuMigrationDeconstructTLS that generates the expected + * tlsAlias and secAlias for migration paths without them set (e.g. Finish) + * + * Returns 0 on success, -1 on failure + */ +static int +qemuMigrationResetTLS(virQEMUDriverPtr driver, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob) +{ + char *tlsAlias =3D NULL; + char *secAlias =3D NULL; + int ret; + + /* NB: If either or both fail to allocate memory we can still proceed + * since the next time we migrate another deletion attempt will be + * made after successfully generating the aliases. */ + tlsAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE= ); + secAlias =3D qemuDomainGetSecretAESAlias(QEMU_MIGRATION_TLS_ALIAS_BASE, + false); + + ret =3D qemuMigrationDeconstructTLS(driver, vm, asyncJob, tlsAlias, se= cAlias); + + VIR_FREE(tlsAlias); + VIR_FREE(secAlias); + + return ret; +} + + static int qemuMigrationPrepareAny(virQEMUDriverPtr driver, virConnectPtr dconn, @@ -3623,6 +3928,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, { virDomainObjPtr vm =3D NULL; virObjectEventPtr event =3D NULL; + virQEMUDriverConfigPtr cfg =3D NULL; int ret =3D -1; int dataFD[2] =3D { -1, -1 }; qemuDomainObjPrivatePtr priv =3D NULL; 
@@ -3636,6 +3942,8 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, bool stopProcess =3D false; bool relabel =3D false; int rv; + char *tlsAlias =3D NULL; + char *secAlias =3D NULL; qemuMonitorMigrationParams migParams =3D { 0 }; =20 virNWFilterReadLockFilterUpdates(); @@ -3829,6 +4137,32 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, compression, &migParams) < 0) goto stopjob; =20 + /* Migrations using TLS need to add the "tls-creds-x509" object and + * set the migration TLS parameters */ + if (flags & VIR_MIGRATE_TLS) { + cfg =3D virQEMUDriverGetConfig(driver); + if (qemuMigrationCheckSetupTLS(dconn, driver, cfg, vm, + QEMU_ASYNC_JOB_MIGRATION_IN) < 0) + goto stopjob; + + if (qemuMigrationAddTLSObjects(driver, vm, cfg, true, + QEMU_ASYNC_JOB_MIGRATION_IN, + &tlsAlias, &secAlias, &migParams) <= 0) + goto stopjob; + + /* Force reset of 'tls-hostname', just in case */ + if (VIR_STRDUP(migParams.migrateTLSHostname, "") < 0) + goto stopjob; + + } else { + /* If we support setting the tls-creds, be sure to always reset + * the migration parameters when this migration isn't using TLS */ + if ((qemuMigrationCheckTLSCreds(driver, vm, + QEMU_ASYNC_JOB_MIGRATION_IN) < 0) = || + (qemuMigrationSetEmptyTLSParams(priv, &migParams) < 0)) + goto stopjob; + } + if (STREQ_NULLABLE(protocol, "rdma") && virProcessSetMaxMemLock(vm->pid, vm->def->mem.hard_limit << 10) < = 0) { goto stopjob; @@ -3914,6 +4248,9 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, ret =3D 0; =20 cleanup: + VIR_FREE(tlsAlias); + VIR_FREE(secAlias); + virObjectUnref(cfg); qemuProcessIncomingDefFree(incoming); VIR_FREE(xmlout); VIR_FORCE_CLOSE(dataFD[0]); @@ -3940,6 +4277,10 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, return ret; =20 stopjob: + ignore_value(qemuMigrationDeconstructTLS(driver, vm, + QEMU_ASYNC_JOB_MIGRATION_IN, + tlsAlias, secAlias)); + if (stopProcess) { unsigned int stopFlags =3D VIR_QEMU_PROCESS_STOP_MIGRATED; if (!relabel) 
@@ -6415,6 +6756,9 @@ qemuMigrationFinish(virQEMUDriverPtr driver, QEMU_ASYNC_JOB_MIGRATION_IN); } =20 + if (qemuMigrationResetTLS(driver, vm, QEMU_ASYNC_JOB_MIGRATION_IN) < 0) + goto endjob; + qemuMigrationJobFinish(driver, vm); if (!virDomainObjIsActive(vm)) qemuDomainRemoveInactive(driver, vm); --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sat Apr 27 15:07:57 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1489775986813968.5332956748018; Fri, 17 Mar 2017 11:39:46 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 57F43804E2; Fri, 17 Mar 2017 18:39:46 +0000 (UTC) Received: from colo-mx.corp.redhat.com (unknown [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2BD5FBFA6E; Fri, 17 Mar 2017 18:39:46 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id D8FFBB3484; Fri, 17 Mar 2017 18:39:45 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2HIdAgA025211 for ; Fri, 17 Mar 2017 14:39:10 -0400 Received: by smtp.corp.redhat.com (Postfix) id 4C6F6BFA6B; Fri, 17 Mar 2017 18:39:10 +0000 (UTC) 
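Review bot: the qemu_domain.h hunk that relocates qemuDomainSecretInfoType, qemuDomainSecretPlain, qemuDomainSecretAES and qemuDomainSecretInfo above struct _qemuDomainObjPrivate is a pure move (removed and added text are identical), but the commit message does not say why; a sentence noting that qemuDomainObjPrivate now embeds a qemuDomainSecretInfoPtr (migSecinfo) and that the definitions therefore have to precede it would let reviewers skip the diff noise with confidence.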
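Review bot: in qemuMigrationCheckTLSCreds (qemu_migration.c @@ -1488 hunk), a failed qemuDomainObjEnterMonitorAsync jumps to cleanup, where qemuDomainObjExitMonitor is called without a matching enter; that path should `return -1` directly, as qemuDomainAddTLSObjects does in 5/7. In the same function, `VIR_STEAL_PTR(priv->migTLSAlias, migParams.migrateTLSAlias)` overwrites whatever an earlier call stored on this domain (Begin via qemuMigrationCheckSetupTLS, the non-TLS branch of Prepare/Run, repeated migrations) and leaks the previous string; add `VIR_FREE(priv->migTLSAlias);` before the steal.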
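Review bot: qemuMigrationDeconstructTLS (@@ -3601 hunk) calls qemuDomainDelTLSObjects unconditionally, and unlike qemuDomainAddTLSObjects that function has no early return when both aliases are NULL, so every caller that did not set up TLS (the non-TLS branches of Prepare and Run, and qemuMigrationResetTLS when the alias allocations fail) still pays a monitor round-trip to delete nothing before qemuMigrationResetTLSParams returns 0; suggest returning early when tlsAlias, secAlias and priv->migTLSAlias are all NULL.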
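Review bot: in the qemuMigrationPrepareAny stopjob hunk, qemuMigrationDeconstructTLS runs ahead of the existing `if (stopProcess)` guard, so it also executes on failure paths taken before the QEMU process exists, where qemuDomainDelTLSObjects will attempt to enter a monitor that is not up. TLS objects can only exist once the process has been launched, so move the call under the stopProcess guard (or skip it when tlsAlias and secAlias are both NULL).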
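Review bot: in the qemuMigrationFinish hunk a failure of qemuMigrationResetTLS diverts to endjob immediately before qemuMigrationJobFinish; clearing tls-creds/tls-hostname is post-migration cleanup, so if endjob reports failure this turns an already running, successfully migrated domain into an error for the caller. Consider treating the reset as best-effort here (VIR_WARN and continue), or at least documenting that the migration outcome is unaffected.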
From: John Ferlan To: libvir-list@redhat.com Date: Fri, 17 Mar 2017 14:39:01 -0400 Message-Id: <20170317183901.5267-8-jferlan@redhat.com> In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com> References: <20170317183901.5267-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 7/7] qemu: Set up the migration TLS objects for source X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Fri, 17 Mar 2017 18:39:47 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" https://bugzilla.redhat.com/show_bug.cgi?id=3D1300769 If the migration flags indicate this migration will be using TLS, then while we have connection in the Begin phase check and setup the TLS environment that will be used by virMigrationRun during the Perform phase for the source to configure TLS. This creates at least an "-object tls-creds-x509,endpoint=3Dclient,..." and potentially an "-object secret,..." to handle the passphrase response to access the TLS credentials. The alias/id used for the TLS objects will contain "libvirt_migrate" as a mechanism to signify that libvirt started the migration on the source (reaping benefits possibly). Once the objects are created, the code will set the "tls-creds" and "tls-hostname" migration parameters to signify usage of TLS. 
Since qemuProcessRecoverMigrationOut will cancel outgoing migrations that are still in the QEMU_MIGRATION_PHASE_PERFORM{2|3} stages, there's no need to do anything special as the Perform cleanup and Cancel phases will reset the environment. Signed-off-by: John Ferlan --- src/qemu/qemu_migration.c | 53 +++++++++++++++++++++++++++++++++++++++++++= ++++ 1 file changed, 53 insertions(+) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 42074f0..5acae6e 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3453,6 +3453,7 @@ qemuMigrationBegin(virConnectPtr conn, unsigned long flags) { virQEMUDriverPtr driver =3D conn->privateData; + virQEMUDriverConfigPtr cfg =3D NULL; char *xml =3D NULL; qemuDomainAsyncJob asyncJob; =20 @@ -3486,6 +3487,12 @@ qemuMigrationBegin(virConnectPtr conn, nmigrate_disks, migrate_disks, fla= gs))) goto endjob; =20 + if (flags & VIR_MIGRATE_TLS) { + cfg =3D virQEMUDriverGetConfig(driver); + if (qemuMigrationCheckSetupTLS(conn, driver, cfg, vm, asyncJob) < = 0) + goto endjob; + } + if ((flags & VIR_MIGRATE_CHANGE_PROTECTION)) { /* We keep the job active across API calls until the confirm() cal= l. * This prevents any other APIs being invoked while migration is t= aking @@ -3502,6 +3509,7 @@ qemuMigrationBegin(virConnectPtr conn, } =20 cleanup: + virObjectUnref(cfg); virDomainObjEndAPI(&vm); return xml; =20 @@ -5010,8 +5018,11 @@ qemuMigrationRun(virQEMUDriverPtr driver, { int ret =3D -1; unsigned int migrate_flags =3D QEMU_MONITOR_MIGRATE_BACKGROUND; + virQEMUDriverConfigPtr cfg =3D NULL; qemuDomainObjPrivatePtr priv =3D vm->privateData; qemuMigrationCookiePtr mig =3D NULL; + char *tlsAlias =3D NULL; + char *secAlias =3D NULL; qemuMigrationIOThreadPtr iothread =3D NULL; int fd =3D -1; unsigned long migrate_speed =3D resource ? resource : priv->migMaxBand= width; 
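Review bot: in the qemuMigrationBegin hunk, the new failure path after qemuMigrationCheckSetupTLS jumps to endjob, while the matching virObjectUnref(cfg) is added under the cleanup label; please confirm that endjob falls through into cleanup (the label itself is outside this hunk), otherwise a failed TLS check leaks the driver config reference. It would also help to state in the commit message what qemuMigrationCheckSetupTLS does in Begin as opposed to Perform, since the comment in the qemuMigrationRun hunk says Begin only records migTLSAlias and the objects themselves are created later in qemuMigrationRun.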
@@ -5075,6 +5086,38 @@ qemuMigrationRun(virQEMUDriverPtr driver, if (qemuDomainMigrateGraphicsRelocate(driver, vm, mig, graphicsuri) < = 0) VIR_WARN("unable to provide data for graphics client relocation"); =20 + if (flags & VIR_MIGRATE_TLS) { + cfg =3D virQEMUDriverGetConfig(driver); + + /* Begin/CheckSetupTLS already set up migTLSAlias, the following + * assumes that and adds the TLS objects to the domain. */ + if (qemuMigrationAddTLSObjects(driver, vm, cfg, false, + QEMU_ASYNC_JOB_MIGRATION_OUT, + &tlsAlias, &secAlias, migParams) < = 0) + goto cleanup; + + /* We need to add the tls-hostname only for special circumstances, + * e.g. for a fd: or exec: based migration. As it turns out the + * CONNECT_HOST turns into an FD migration (see below). */ + if (spec->destType =3D=3D MIGRATION_DEST_CONNECT_HOST || + spec->destType =3D=3D MIGRATION_DEST_FD) { + if (VIR_STRDUP(migParams->migrateTLSHostname, + spec->dest.host.name) < 0) + goto cleanup; + } else { + /* Be sure there's nothing from a previous migration */ + if (VIR_STRDUP(migParams->migrateTLSHostname, "") < 0) + goto cleanup; + } + } else { + /* If we support setting the tls-creds, be sure to always reset + * the migration parameters when this migration isn't using TLS */ + if ((qemuMigrationCheckTLSCreds(driver, vm, + QEMU_ASYNC_JOB_MIGRATION_OUT) < 0)= || + (qemuMigrationSetEmptyTLSParams(priv, migParams) < 0)) + goto cleanup; + } + if (migrate_flags & (QEMU_MONITOR_MIGRATE_NON_SHARED_DISK | QEMU_MONITOR_MIGRATE_NON_SHARED_INC)) { if (mig->nbd) { @@ -5255,6 +5298,14 @@ qemuMigrationRun(virQEMUDriverPtr driver, ret =3D -1; } =20 + if (qemuMigrationDeconstructTLS(driver, vm, QEMU_ASYNC_JOB_MIGRATION_O= UT, + tlsAlias, secAlias) < 0) + ret =3D -1; + + VIR_FREE(tlsAlias); + VIR_FREE(secAlias); + virObjectUnref(cfg); + if (spec->fwdType !=3D MIGRATION_FWD_DIRECT) { if (iothread && qemuMigrationStopTunnel(iothread, ret < 0) < 0) ret =3D -1; 
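Review bot: in the TLS branch of the qemuMigrationRun hunk, the tls-hostname copy reads spec->dest.host.name for MIGRATION_DEST_FD as well as MIGRATION_DEST_CONNECT_HOST, but at this point a CONNECT_HOST spec has not yet been turned into an fd one (the comment says that happens below), so the FD case here is the path where the caller supplied the fd and dest.host is not necessarily filled in; if spec->dest is a union of the host and fd members this reads the wrong one. Suggest restricting the copy to MIGRATION_DEST_CONNECT_HOST, or at least checking spec->dest.host.name for NULL before the VIR_STRDUP. Since tls-hostname is the name the destination certificate gets verified against, a missing value here should be a hard error rather than something that may degrade into an unverified name.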
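Review bot: in the cleanup hunk, qemuMigrationDeconstructTLS runs unconditionally and forces ret = -1 on failure even after a migration that completed successfully; that mirrors how the StopTunnel failure just below is handled, but because a completed migration means the destination now owns the guest, a comment (or a VIR_WARN instead of failing) would avoid reporting a failed object-del on the source as a failed migration. Please also confirm the function accepts NULL tlsAlias and secAlias, which is what it receives on the non-TLS path where only qemuMigrationSetEmptyTLSParams ran.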
@@ -6958,6 +7009,8 @@ qemuMigrationCancel(virQEMUDriverPtr driver, if (qemuDomainObjExitMonitor(driver, vm) < 0 || (storage && !blockJobs= )) goto endsyncjob; =20 + ignore_value(qemuMigrationResetTLS(driver, vm, QEMU_ASYNC_JOB_NONE)); + if (!storage) { ret =3D 0; goto cleanup; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
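Review bot: in the qemuMigrationCancel hunk, the TLS reset sits after the early goto endsyncjob that fires when qemuDomainObjExitMonitor fails or when storage && !blockJobs, so on those paths stale tls-creds/tls-hostname values survive the cancel; if the intent stated in the commit message is that the Cancel phase always resets the environment, consider also resetting on the endsyncjob path. The return value is dropped with ignore_value(); a VIR_WARN on failure would make a lingering tls-creds parameter diagnosable when the next migration of this domain misbehaves.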
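As an added illustration of the source-side decisions the commit message above describes (this is example code written for this page, not libvirt's qemuMigrationRun or qemuMigrationAddTLSObjects), the following C routine produces the QEMU -object specs and the tls-creds / tls-hostname parameter values for one migration, including both reset cases (no TLS requested, and a destination that QEMU dials itself so no hostname is passed). The alias values, the mig_dest_type and mig_tls_plan names, the plan_migration_tls function and the passphrase file path are assumptions made for this example; only the "libvirt_migrate" alias fragment, the two object types and the two parameter names come from the page.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical destination kinds (not libvirt's enum); they matter only
 * for the tls-hostname decision below. */
typedef enum {
    MIG_DEST_HOST,          /* QEMU connects to host:port itself */
    MIG_DEST_CONNECT_HOST,  /* libvirt connects first, then hands QEMU an fd */
    MIG_DEST_FD,            /* caller already supplies an fd */
    MIG_DEST_UNIX,          /* local unix socket */
} mig_dest_type;

typedef struct {
    char tls_creds[64];      /* value for the "tls-creds" migration parameter */
    char tls_hostname[256];  /* value for the "tls-hostname" migration parameter */
    char objects[2][512];    /* -object specs to add to the source QEMU, in order */
    int nobjects;
} mig_tls_plan;

/* Constructed alias/id values; the page only says they contain "libvirt_migrate". */
#define TLS_ALIAS "libvirt_migrate_tls0"
#define SEC_ALIAS "libvirt_migrate_secret0"

static int
add_object(mig_tls_plan *plan, const char *spec)
{
    if (plan->nobjects >= 2 || strlen(spec) >= sizeof(plan->objects[0]))
        return -1;
    strcpy(plan->objects[plan->nobjects++], spec);
    return 0;
}

/* Decide what the source side must tell QEMU before "migrate" is issued.
 * Returns 0 and fills *plan on success, -1 on a configuration error. */
int
plan_migration_tls(bool use_tls, const char *cert_dir, bool has_passphrase,
                   mig_dest_type dest, const char *dest_host, mig_tls_plan *plan)
{
    char spec[512];

    memset(plan, 0, sizeof(*plan));

    /* Not using TLS: leave both parameters empty so they are explicitly
     * reset and nothing from an earlier TLS migration lingers in QEMU. */
    if (!use_tls)
        return 0;

    if (!cert_dir)
        return -1;

    /* Optional secret object holding the private-key passphrase; the
     * credentials object references it by id instead of embedding it. */
    if (has_passphrase) {
        if (snprintf(spec, sizeof(spec), "secret,id=%s,file=%s/passphrase",
                     SEC_ALIAS, cert_dir) >= (int)sizeof(spec) ||
            add_object(plan, spec) < 0)
            return -1;
    }

    /* Client-endpoint x509 credentials; verify-peer=yes makes QEMU check
     * the destination certificate against tls-hostname. */
    if (snprintf(spec, sizeof(spec),
                 "tls-creds-x509,id=%s,endpoint=client,dir=%s,verify-peer=yes%s%s",
                 TLS_ALIAS, cert_dir,
                 has_passphrase ? ",passwordid=" : "",
                 has_passphrase ? SEC_ALIAS : "") >= (int)sizeof(spec) ||
        add_object(plan, spec) < 0)
        return -1;

    strcpy(plan->tls_creds, TLS_ALIAS);

    /* tls-hostname is only needed when QEMU does not dial the peer itself
     * and so cannot learn the name from the URI. A missing name on that
     * path is an error, not an empty parameter. */
    if (dest == MIG_DEST_CONNECT_HOST || dest == MIG_DEST_FD) {
        if (!dest_host || strlen(dest_host) >= sizeof(plan->tls_hostname))
            return -1;
        strcpy(plan->tls_hostname, dest_host);
    }
    /* Otherwise tls_hostname stays "", which explicitly resets the parameter. */
    return 0;
}

int
main(void)
{
    mig_tls_plan plan;
    int i;

    /* Constructed sample input: certificates under a directory, with a
     * passphrase-protected key, migrating over an fd that libvirt opened. */
    if (plan_migration_tls(true, "/etc/pki/libvirt-migrate", true,
                           MIG_DEST_CONNECT_HOST, "dst.example.org", &plan) < 0)
        return 1;
    for (i = 0; i < plan.nobjects; i++)
        printf("-object %s\n", plan.objects[i]);
    printf("migrate-set-parameters tls-creds=%s tls-hostname=%s\n",
           plan.tls_creds, plan.tls_hostname);
    return 0;
}
```

The refusal when the hostname is absent on an fd-based destination is the deliberate difference from the hunk above: QEMU cannot derive the name to verify the destination certificate against from a file descriptor, so an absent value has to be a hard error rather than something copied from an unset field.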
From: John Ferlan
To: libvir-list@redhat.com
Date: Sat, 18 Mar 2017 09:47:04 -0400
Message-Id: <20170318134704.13025-1-jferlan@redhat.com>
In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com>
References: <20170317183901.5267-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v3 8/7] docs: Add news entry for Migration using TLS

Signed-off-by: John Ferlan
--- docs/news.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/news.xml b/docs/news.xml index 3501f89..25d920c 100644 --- a/docs/news.xml +++ b/docs/news.xml
@@ -39,6 +39,16 @@ the QEMU binary supports it. + + + qemu: Add support to migrate using TLS + + + Add the ability to migrate QEMU guests using TLS via a new flag + VIR_MIGRATE_TLS or virsh '--tls' option. Requires using at least + QEMU 2.9.0 in order to work properly. + +
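Review bot: the news entry says "at least QEMU 2.9.0" without saying that the requirement applies to both the source and the destination QEMU, which is where users will hit the failure; please state it. It would also help to mention that VIR_MIGRATE_TLS / virsh --tls only selects TLS and that the x509 credentials the source-side tls-creds-x509 object (patch 7/7) loads still have to be present on both hosts, since the flag alone gives no hint where those come from.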