From: "Yanzheng (A)"
To: "libvir-list@redhat.com"
Cc: "mprivozn@redhat.com", "Wangxin (Alexander)", changzihao, "hexiaoyu (A)", "Zhangbo (Oscar)"
Subject: [PATCH v1] Introduce virDomainReloadTLSCertificates API
Date: Thu, 6 May 2021 03:31:53 +0000
List-Id: Development discussions about the libvirt library & tools

Introduce a new virDomainReloadTLSCertificates API for notifying a domain to reload its certificates without restart, and avoid service interruption.
Take reload QEMU VNC TLS certificates as an example, we can call: virDomainReloadTLSCertificates(dom, VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC) Then the specified QMP message would be send to QEMU: {"execute": "display-reload", "arguments":{"type": "vnc", "tls-certs": true= }} Refers: https://gitlab.com/qemu-project/qemu/-/commit/9cc07651655ee86eca41059f5ead8= c4e5607c734 --- include/libvirt/libvirt-domain.h | 17 ++++++++++++++++ src/driver-hypervisor.h | 5 +++++ src/libvirt-domain.c | 33 ++++++++++++++++++++++++++++++++ src/qemu/qemu_driver.c | 11 +++++++++++ src/qemu/qemu_hotplug.c | 21 ++++++++++++++++++++ src/qemu/qemu_hotplug.h | 4 ++++ src/qemu/qemu_monitor.c | 10 ++++++++++ src/qemu/qemu_monitor.h | 3 +++ src/qemu/qemu_monitor_json.c | 22 +++++++++++++++++++++ src/qemu/qemu_monitor_json.h | 3 +++ 10 files changed, 129 insertions(+) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index e99bfb7654..aeb33d69d9 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -5152,4 +5152,21 @@ int virDomainStartDirtyRateCalc(virDomainPtr domain, int seconds, unsigned int flags); +/** + * virDomainTLSCertificaType: + * + * the used scene of TLS certificates for doamin. + */ +typedef enum { + VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC =3D 0, + VIR_DOMAIN_TLS_CERT_GRAPHICS_SPICE =3D 1, + + VIR_DOMAIN_TLS_CERT_LAST +} virDomainTLSCertificaType; + +int +virDomainReloadTLSCertificates(virDomainPtr domain, + unsigned int type); + + #endif /* LIBVIRT_DOMAIN_H */ diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h index d642af8a37..8de2bc4137 100644 --- a/src/driver-hypervisor.h +++ b/src/driver-hypervisor.h @@ -1410,6 +1410,10 @@ typedef int int seconds, unsigned int flags); +typedef int +(*virDrvDomainReloadTLSCertificates)(virDomainPtr domain, + unsigned int type); + typedef struct _virHypervisorDriver virHypervisorDriver; /** 
@@ -1676,4 +1680,5 @@ struct _virHypervisorDriver { virDrvDomainAuthorizedSSHKeysSet domainAuthorizedSSHKeysSet; virDrvDomainGetMessages domainGetMessages; virDrvDomainStartDirtyRateCalc domainStartDirtyRateCalc; + virDrvDomainReloadTLSCertificates domainiReloadTLSCertificates; }; diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c index 42c75f6cc5..fb9e5ec2d1 100644 --- a/src/libvirt-domain.c +++ b/src/libvirt-domain.c @@ -13218,3 +13218,36 @@ virDomainStartDirtyRateCalc(virDomainPtr domain, virDispatchError(conn); return -1; } + +/** + * virDomainReloadTLSCertificates: + * @domain: a domain object. + * @type: a value of virDomainTLSCertificaType + * + * Notify domain reload its certificates with specified 'type'. + * + * Returns 0 in case of success, -1 otherwise . + */ +int +virDomainReloadTLSCertificates(virDomainPtr domain, + unsigned int type) +{ + virConnectPtr conn; + VIR_DOMAIN_DEBUG(domain, "certificate type=3D%d", type); + virResetLastError(); + virCheckDomainReturn(domain, -1); + conn =3D domain->conn; + if (type >=3D VIR_DOMAIN_TLS_CERT_LAST) + goto error; + if (conn->driver->domainiReloadTLSCertificates) { + int ret; + ret =3D conn->driver->domainiReloadTLSCertificates(domain, type); + if (ret < 0) + goto error; + return ret; + } + virReportUnsupportedError(); + error: + virDispatchError(domain->conn); + return -1; +} diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index c90d52edc0..61cd8cfa24 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -20449,6 +20449,16 @@ qemuDomainStartDirtyRateCalc(virDomainPtr dom, return ret; } +static int +qemuDomainReloadTLSCertificates(virDomainPtr domain, + unsigned int type) +{ + virQEMUDriver *driver =3D domain->conn->privateData; + virDomainObj *vm =3D qemuDomainObjFromDomain(domain); + if (!driver || !vm) + return -1; + return qemuDomainReloadTLSCerts(driver, vm, type); +} static virHypervisorDriver qemuHypervisorDriver =3D { .name =3D QEMU_DRIVER_NAME, 
@@ -20693,6 +20703,7 @@ static virHypervisorDriver qemuHypervisorDriver =3D= { .domainAuthorizedSSHKeysSet =3D qemuDomainAuthorizedSSHKeysSet, /* 6.1= 0.0 */ .domainGetMessages =3D qemuDomainGetMessages, /* 7.1.0 */ .domainStartDirtyRateCalc =3D qemuDomainStartDirtyRateCalc, /* 7.2.0 */ + .domainiReloadTLSCertificates =3D qemuDomainReloadTLSCertificates, /* = 7.2.0 */ }; diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 444d89d64a..013d8728a0 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -6704,3 +6704,24 @@ qemuDomainSetVcpuInternal(virQEMUDriver *driver, virBitmapFree(livevcpus); return ret; } + +int qemuDomainReloadTLSCerts(virQEMUDriverPtr driver, + virDomainObjPtr vm, + int type) +{ + int ret =3D -1; + qemuDomainObjPrivate *priv =3D vm->privateData; + /* for now, only VNC is supported */ + if (type !=3D VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC) + virReportError(VIR_ERR_INVALID_ARG, + _("invalid certificate type=3D%d, only support VNC"= ), + type); + return ret; + } + if (qemuDomainObjEnterMonitorAsync(driver, vm, QEMU_ASYNC_JOB_NONE) < = 0) + return ret; + ret =3D qemuMonitorReloadTLSCerts(priv->mon, type); + if (qemuDomainObjExitMonitor(driver, vm) < 0) + ret =3D -1; + return ret; +} diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index df8f76f8d6..44afe23f0a 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h @@ -160,3 +160,7 @@ int qemuHotplugAttachDBusVMState(virQEMUDriver *driver, int qemuHotplugRemoveDBusVMState(virQEMUDriver *driver, virDomainObj *vm, qemuDomainAsyncJob asyncJob); + +int qemuDomainReloadTLSCerts(virQEMUDriverPtr driver, + virDomainObjPtr vm, + int type); diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 3a7f231ce0..952ef87a6b 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c 
@@ -4746,3 +4746,13 @@ qemuMonitorQueryDirtyRate(qemuMonitor *mon, return qemuMonitorJSONQueryDirtyRate(mon, info); } + +int +qemuMonitorReloadTLSCerts(qemuMonitorPtr mon, int type) +{ + const char *protocol =3D qemuMonitorTypeToProtocol(type); + if (!protocol) + return -1; + VIR_DEBUG("protocol=3D%s", protocol); + return qemuMonitorJSONReloadTLSCerts(mon, protocol); +} diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h index 6a25def78b..a5b702b023 100644 --- a/src/qemu/qemu_monitor.h +++ b/src/qemu/qemu_monitor.h @@ -1496,3 +1496,6 @@ struct _qemuMonitorDirtyRateInfo { int qemuMonitorQueryDirtyRate(qemuMonitor *mon, qemuMonitorDirtyRateInfo *info); + +int qemuMonitorReloadTLSCerts(qemuMonitorPtr mon, + int type); diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index 46aa3330a8..d2b06c4703 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c @@ -9446,3 +9446,25 @@ qemuMonitorJSONQueryDirtyRate(qemuMonitor *mon, return qemuMonitorJSONExtractDirtyRateInfo(data, info); } + +int qemuMonitorJSONReloadTLSCerts(qemuMonitorPtr mon, + const char *protocol) +{ + int ret =3D -1; + virJSONValuePtr reply =3D NULL; + virJSONValuePtr cmd =3D qemuMonitorJSONMakeCommand("display-reload", + "s:type", protocol, + "b:tls-certs", 1, + NULL); + if (!cmd) + return -1; + if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0) + goto cleanup; + if (qemuMonitorJSONCheckError(cmd, reply) < 0) + goto cleanup; + ret =3D 0; + cleanup: + virJSONValueFree(cmd); + virJSONValueFree(reply); + return ret; +} diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h index 01a3ba25f1..d9ad77e873 100644 --- a/src/qemu/qemu_monitor_json.h +++ b/src/qemu/qemu_monitor_json.h 
@@ -706,3 +706,6 @@ qemuMonitorJSONStartDirtyRateCalc(qemuMonitor *mon, int qemuMonitorJSONQueryDirtyRate(qemuMonitor *mon, qemuMonitorDirtyRateInfo *info); + +int qemuMonitorJSONReloadTLSCerts(qemuMonitorPtr mon, + const char *protocol); -- 2.25.1 --_000_f80520a91e064d979f809ab570f5b554huaweicom_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
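Review bot: In include/libvirt/libvirt-domain.h the new public entry point virDomainReloadTLSCertificates(virDomainPtr domain, unsigned int type) has no flags parameter, so its behaviour cannot be extended once the symbol ships; add a trailing `unsigned int flags` and reject unknown bits in the driver. The enum is spelled virDomainTLSCertificaType (missing "te") and its comment says "doamin"; both should be fixed before they become part of the public header. The diffstat also lists no src/libvirt_public.syms or remote protocol change, so as posted the symbol is neither exported nor reachable through the remote driver.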
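Review bot: The member added to struct _virHypervisorDriver in src/driver-hypervisor.h is spelled domainiReloadTLSCertificates, with a stray "i" after "domain". The neighbouring members in the same hunk (domainGetMessages, domainStartDirtyRateCalc) follow the domain<Name> pattern, so rename it to domainReloadTLSCertificates here, in src/libvirt-domain.c and in the qemuHypervisorDriver table.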
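Review bot: virDomainReloadTLSCertificates in src/libvirt-domain.c calls into the driver without rejecting read-only connections; since the call makes the hypervisor act on the guest's TLS configuration, add virCheckReadOnlyGoto(conn->flags, error) after `conn = domain->conn;`. The `if (type >= VIR_DOMAIN_TLS_CERT_LAST) goto error;` branch reaches virDispatchError without any error having been reported, so the caller gets -1 with no message; report an invalid-argument error before the jump. type is unsigned int but is logged with "%d" in VIR_DOMAIN_DEBUG; use "%u".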
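Review bot: qemuDomainReloadTLSCertificates in src/qemu/qemu_driver.c goes from qemuDomainObjFromDomain(domain) straight to qemuDomainReloadTLSCerts(driver, vm, type) with no access-control check, so any client that can open the connection can trigger the reload; add the EnsureACL call for this API before touching the monitor. The function also never releases vm: every return path, including the `!driver || !vm` one when only driver is NULL, needs virDomainObjEndAPI(&vm). No job is started and the domain is not checked for being active before the monitor is entered, so the call can race with other monitor users or run against a shut-off guest.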
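Review bot: In qemuDomainReloadTLSCerts in src/qemu/qemu_hotplug.c the line `if (type != VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC)` has no opening brace, yet the block is closed with `}` after `return ret;`. As written that brace ends the function body and the monitor calls that follow sit at file scope, so the file does not build; add the `{`. The prototype here and in src/qemu/qemu_hotplug.h uses virQEMUDriverPtr and virDomainObjPtr while the context lines of the same files use `virQEMUDriver *` and `virDomainObj *`; follow the surrounding style. The parameter is `int type` although both callers pass unsigned int.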
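Review bot: qemuMonitorReloadTLSCerts in src/qemu/qemu_monitor.c hands the new VIR_DOMAIN_TLS_CERT_* value to qemuMonitorTypeToProtocol(type), a helper this patch neither adds nor modifies. Confirm that the helper is keyed on this enum and not on a different type enum; if it is not, VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC (0) will map to the wrong protocol string or to NULL and the "type" sent in display-reload will not be "vnc". A small dedicated mapping for the new enum next to this function would make the intent explicit. The signature should also use `qemuMonitor *mon` to match the context line above it.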
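Review bot: The display-reload command built in qemuMonitorJSONReloadTLSCerts in src/qemu/qemu_monitor_json.c has no test coverage: the diffstat touches no file under tests/, so nothing checks that the generated JSON matches the message quoted in the commit message. Add a case to the monitor JSON tests. In the function itself, cmd and reply can be declared with g_autoptr(virJSONValue), which removes the cleanup label and the ret variable, and the parameter should be `qemuMonitor *mon` as in the context lines of this file. Passing "b:tls-certs", 1 would read more clearly as true.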
