From: "Zhangbo (Oscar)"
To: "libvir-list@redhat.com"
Cc: "Yanzheng (A)", "dengkai (A)", "wujing (O)", wuqingliang
Subject: [libvirt] [PATCH RFC] update cacrl without restarting libvirtd via virt-admin
Date: Sat, 28 Dec 2019 02:18:20 +0000
Message-ID: <0259E1C966E8C54AA93AA2B1240828E672F7B7CB@dggeml509-mbx.china.huawei.com>

This is an RFC request for supporting virt-admin to update cacrl without restarting libvirtd.

When a client wants to establish a TLS connection with libvirtd, a CRL file is used by libvirtd to verify the client's certificate. Right now, if the CRL file is changed, you must restart libvirtd to make it take effect.
The restart behavior of libvirtd will cause clients connecting with libvirtd to fail.

In a server cluster, the CRL file may be updated quite frequently due to the large number of certificates. If the new CRL does not take effect in time, there are security risks. So you may need to restart libvirtd frequently to make the CRL take effect in time. However, frequent restarts will affect the reliability of cluster virtual machine management (such as OpenStack) services.

This RFC patch adds a virt-admin command to update the server's CRL *online*.

This patch is not elegant enough; if this feature makes sense, I'd do more improvements.
---
 include/libvirt/libvirt-admin.h      |  4 ++
 src/admin/admin_protocol.x           | 13 +++++-
 src/admin/admin_server.c             | 13 ++++++
 src/admin/admin_server.h             |  4 ++
 src/admin/libvirt-admin.c            | 33 ++++++++++++++++
 src/admin/libvirt_admin_private.syms |  1 +
 src/admin/libvirt_admin_public.syms  |  1 +
 src/rpc/virnetserver.c               | 58 +++++++++++++++++++++++++++
 src/rpc/virnetserver.h               |  3 ++
 src/rpc/virnettlscontext.c           | 33 ++++++++++++++++
 src/rpc/virnettlscontext.h           |  3 ++
 tools/virt-admin.c                   | 59 ++++++++++++++++++++++++++++
 12 files changed, 224 insertions(+), 1 deletion(-)
diff --git a/include/libvirt/libvirt-admin.h b/include/libvirt/libvirt-admi= n.h index abf2792926..2df43db567 100644 --- a/include/libvirt/libvirt-admin.h +++ b/include/libvirt/libvirt-admin.h @@ -402,6 +402,10 @@ int virAdmServerSetClientLimits(virAdmServerPtr srv, int nparams, unsigned int flags); +int virAdmServerUpdateTlsFile(virAdmServerPtr srv, + unsigned int filetype, + unsigned int flags); + int virAdmConnectGetLoggingOutputs(virAdmConnectPtr conn, char **outputs, unsigned int flags); diff --git a/src/admin/admin_protocol.x b/src/admin/admin_protocol.x index 42e215d23a..c74c0d777b 100644 --- a/src/admin/admin_protocol.x +++ b/src/admin/admin_protocol.x 
@@ -181,6 +181,12 @@ struct admin_server_set_client_limits_args { unsigned int flags; }; +struct admin_server_update_tls_file_args { + admin_nonnull_server srv; + unsigned int filetype; + unsigned int flags; +}; + struct admin_connect_get_logging_outputs_args { unsigned int flags; }; @@ -314,5 +320,10 @@ enum admin_procedure { /** * @generate: both */ - ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS =3D 17 + ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS =3D 17, + + /** + * @generate: both + */ + ADMIN_PROC_SERVER_UPDATE_TLS_FILE =3D 18 }; diff --git a/src/admin/admin_server.c b/src/admin/admin_server.c index ba87f701c3..2f695eea4f 100644 --- a/src/admin/admin_server.c +++ b/src/admin/admin_server.c @@ -367,3 +367,16 @@ adminServerSetClientLimits(virNetServerPtr srv, return 0; } + +int +adminServerUpdateTlsFile(virNetServerPtr srv, + unsigned int filetype, + unsigned int flags) +{ + virCheckFlags(0, -1); + + if (virNetServerUpdateTlsFile(srv, filetype) < 0) + return -1; + + return 0; +} diff --git a/src/admin/admin_server.h b/src/admin/admin_server.h index 1d5cbec55f..748235811a 100644 --- a/src/admin/admin_server.h +++ b/src/admin/admin_server.h @@ -67,3 +67,7 @@ int adminServerSetClientLimits(virNetServerPtr srv, virTypedParameterPtr params, int nparams, unsigned int flags); + +int adminServerUpdateTlsFile(virNetServerPtr srv, + unsigned int filetype, + unsigned int flags); diff --git a/src/admin/libvirt-admin.c b/src/admin/libvirt-admin.c index 4099a54854..13c8db016d 100644 --- a/src/admin/libvirt-admin.c +++ b/src/admin/libvirt-admin.c 
@@ -1082,6 +1082,39 @@ virAdmServerSetClientLimits(virAdmServerPtr srv, return ret; } +/** + * virAdmServerUpdateTlsFile: + * @srv: a valid server object reference + * @filetype: TLS file type, such as crl, cert, key + * @flags: extra flags; not used yet, so callers should always pass 0 + * + * update TLS Context in TLS service. + * + * Returns 0 if the TLS files have been updated successfully or -1 in case= of an + * error. + */ +int +virAdmServerUpdateTlsFile(virAdmServerPtr srv, + unsigned int filetype, + unsigned int flags) +{ + int ret =3D -1; + + VIR_DEBUG("srv=3D%p, filetype=3D%u flags=3D%x", srv, filetype, flags); + virResetLastError(); + + virCheckAdmServerGoto(srv, error); + + /* rpc call to update tls file */ + if ((ret =3D remoteAdminServerUpdateTlsFile(srv, filetype, flags)) < 0= ) + goto error; + + return ret; + error: + virDispatchError(NULL); + return ret; +} + /** * virAdmConnectGetLoggingOutputs: * @conn: pointer to an active admin connection diff --git a/src/admin/libvirt_admin_private.syms b/src/admin/libvirt_admin= _private.syms index 9526412de8..d563757482 100644 --- a/src/admin/libvirt_admin_private.syms +++ b/src/admin/libvirt_admin_private.syms @@ -31,6 +31,7 @@ xdr_admin_server_lookup_client_args; xdr_admin_server_lookup_client_ret; xdr_admin_server_set_client_limits_args; xdr_admin_server_set_threadpool_parameters_args; +xdr_admin_server_update_tls_file_args; # datatypes.h virAdmClientClass; diff --git a/src/admin/libvirt_admin_public.syms b/src/admin/libvirt_admin_= public.syms index 9a3f843780..97b223bfba 100644 --- a/src/admin/libvirt_admin_public.syms +++ b/src/admin/libvirt_admin_public.syms @@ -38,6 +38,7 @@ LIBVIRT_ADMIN_2.0.0 { virAdmClientClose; virAdmServerGetClientLimits; virAdmServerSetClientLimits; + virAdmServerUpdateTlsFile; }; LIBVIRT_ADMIN_3.0.0 { diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index 4122636805..fc18b2a224 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c 
@@ -1209,3 +1209,61 @@ virNetServerSetClientLimits(virNetServerPtr srv, virObjectUnlock(srv); return ret; } + +int +virNetServerUpdateTlsFile(virNetServerPtr srv, + unsigned int filetype) +{ + int ret =3D -1; +#if WITH_GNUTLS + size_t i; + int cnt =3D 0; + virNetTLSContextPtr ctxt =3D NULL; + virNetServerServicePtr svc =3D NULL; + + if (filetype !=3D TYPE_CACRL_LIBVIRT) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Don't support CRL filetype: %d"), + filetype); + return ret; + } + + virObjectLock(srv); + + /* find svcTLS from srv */ + for (i =3D 0; i < srv->nservices; i++) { + svc =3D srv->services[i]; + /* find tls from svc */ + ctxt =3D virNetServerServiceGetTLSContext(svc); + if (ctxt =3D=3D NULL) + continue; + + ret =3D virNetTLSContextUpdateCRL(ctxt); + if (ret < 0) { + VIR_ERROR(_("update tls file fail, " + "filetype: %d, svcID: %zu"), filetype, i); + ret =3D -1; + goto cleanup; + } + VIR_INFO("update success, filetype: %d, svcID: %zu", filetype, i); + cnt++; + } + + if (cnt =3D=3D 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("no tls server found, don't need update %d"), + filetype); + } else { + VIR_INFO("update tls file complete, filetype: %d", + filetype); + } + + cleanup: + virObjectUnlock(srv); +#else + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Don't support GNUTLS: %d"), + filetype); +#endif + return ret; +} diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h index 260c99b22d..d0138d250f 100644 --- a/src/rpc/virnetserver.h +++ b/src/rpc/virnetserver.h @@ -133,3 +133,6 @@ size_t virNetServerGetCurrentUnauthClients(virNetServer= Ptr srv); int virNetServerSetClientLimits(virNetServerPtr srv, long long int maxClients, long long int maxClientsUnauth); + +int virNetServerUpdateTlsFile(virNetServerPtr srv, + unsigned int filetype); diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 08944f6771..1cc3cb8620 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c 
@@ -1106,6 +1106,39 @@ int virNetTLSContextCheckCertificate(virNetTLSContex= tPtr ctxt, return ret; } +int virNetTLSContextUpdateCRL(virNetTLSContextPtr ctxt) +{ + int ret =3D -1; + char *cacrl =3D NULL; + + if (VIR_STRDUP(cacrl, LIBVIRT_CACRL) < 0) + return -1; + + if (!virFileExists(cacrl)) { + virReportSystemError(errno, _("%s not exist"), cacrl); + goto cleanup; + } + + virObjectLock(ctxt); + + ret =3D gnutls_certificate_set_x509_crl_file(ctxt->x509cred, + cacrl, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to update x509 CRL %s: %s"), + cacrl, gnutls_strerror(ret)); + } else { + VIR_INFO("Load %d CRL from %s", ret, cacrl); + ret =3D 0; + } + + virObjectUnlock(ctxt); + cleanup: + VIR_FREE(cacrl); + return ret; +} + void virNetTLSContextDispose(void *obj) { virNetTLSContextPtr ctxt =3D obj; diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h index f3273bc26a..b823ab2c3f 100644 --- a/src/rpc/virnettlscontext.h +++ b/src/rpc/virnettlscontext.h @@ -23,6 +23,8 @@ #include "internal.h" #include "virobject.h" +#define TYPE_CACRL_LIBVIRT 13 + typedef struct _virNetTLSContext virNetTLSContext; typedef virNetTLSContext *virNetTLSContextPtr; @@ -65,6 +67,7 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char = *cacert, int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt, virNetTLSSessionPtr sess); +int virNetTLSContextUpdateCRL(virNetTLSContextPtr ctxt); typedef ssize_t (*virNetTLSSessionWriteFunc)(const char *buf, size_t len, void *opaque); diff --git a/tools/virt-admin.c b/tools/virt-admin.c index 30106d1971..25971dbf27 100644 --- a/tools/virt-admin.c +++ b/tools/virt-admin.c @@ -50,6 +50,8 @@ /* we don't need precision to milliseconds in this module */ #define VIRT_ADMIN_TIME_BUFLEN VIR_TIME_STRING_BUFLEN - 3 +#define LIBVIRT_CACRL_TYPE 13 + static char *progname; static const vshCmdGrp cmdGroups[]; 
@@ -1103,6 +1105,57 @@ cmdDaemonLogOutputs(vshControl *ctl, const vshCmd *c= md) return true; } +/* ------------------------ + * Command update-crl-file + * ------------------------ + */ +static const vshCmdInfo info_srv_update_tls_file[] =3D { + {.name =3D "help", + .data =3D N_("notify tls file type, current only support libvirt cacr= l(13)") + }, + {.name =3D "desc", + .data =3D N_("notify libvirtd TLS server hot update CACRL.") + }, + {.name =3D NULL} +}; + +static const vshCmdOptDef opts_srv_update_tls_file[] =3D { + {.name =3D "server", + .type =3D VSH_OT_DATA, + .flags =3D VSH_OFLAG_REQ, + .help =3D N_("Server to reload the CRL file."), + }, + {.name =3D NULL} +}; + +static bool +cmdSrvUpdateTlsFile(vshControl *ctl, const vshCmd *cmd) +{ + bool ret =3D false; + const char *srvname =3D NULL; + unsigned int filetype =3D LIBVIRT_CACRL_TYPE; + + virAdmServerPtr srv =3D NULL; + vshAdmControlPtr priv =3D ctl->privData; + + if (vshCommandOptStringReq(ctl, cmd, "server", &srvname) < 0) + return false; + + if (!(srv =3D virAdmConnectLookupServer(priv->conn, srvname, 0))) + goto cleanup; + + if (virAdmServerUpdateTlsFile(srv, filetype, 0) < 0) { + vshError(ctl, "%s", _("Unable to update server's tls file.")); + goto cleanup; + } + + ret =3D true; + + cleanup: + virAdmServerFree(srv); + return ret; +} + static void * vshAdmConnectionHandler(vshControl *ctl) { @@ -1486,6 +1539,12 @@ static const vshCmdDef managementCmds[] =3D { .info =3D info_daemon_log_outputs, .flags =3D 0 }, + {.name =3D "update-crl-file", + .handler =3D cmdSrvUpdateTlsFile, + .opts =3D opts_srv_update_tls_file, + .info =3D info_srv_update_tls_file, + .flags =3D 0 + }, {.name =3D NULL} };
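Review bot: in the include/libvirt/libvirt-admin.h hunk, the new public API `virAdmServerUpdateTlsFile` takes `unsigned int filetype` but this header defines none of the accepted values; the only one that exists is the bare `13`, spelled `TYPE_CACRL_LIBVIRT` in src/rpc/virnettlscontext.h and `LIBVIRT_CACRL_TYPE` in tools/virt-admin.c. The value crosses the admin RPC and becomes ABI, so define it once here as a public enum with a doc comment (for instance `VIR_ADM_SERVER_TLS_FILE_CACRL`; the name is only a suggestion) and have both the daemon and virt-admin use that, rather than two private defines that happen to agree.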
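Review bot: in the src/admin/admin_server.c hunk, adminServerUpdateTlsFile only maps -1 to -1 and 0 to 0; after `virCheckFlags(0, -1);` it can simply `return virNetServerUpdateTlsFile(srv, filetype);`. Style only.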
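Review bot: in the src/admin/libvirt-admin.c hunk, the doc comment promises more than the code delivers: `@filetype: TLS file type, such as crl, cert, key`, but the server-side implementation in this series rejects everything except the CA CRL type, and the summary `update TLS Context in TLS service.` does not say what the call does from the caller's point of view. Document the accepted value by name, state that only the CA CRL can be reloaded for now, and word the summary as a sentence, e.g. `Ask the server to re-read one of the TLS files used by its TLS-enabled services.` The `@flags` line is fine as written.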
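Review bot: in the src/admin/libvirt_admin_public.syms hunk, `virAdmServerUpdateTlsFile` is added inside the existing `LIBVIRT_ADMIN_2.0.0 {` node. That node describes an ABI that has already shipped, so a new function must be exported from a new node named for the release that will first contain it (the file already follows this pattern, with `LIBVIRT_ADMIN_3.0.0 {` directly below); as written, the version script claims the symbol existed in 2.0.0.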
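Review bot: in the src/rpc/virnetserver.c hunk, virNetServerUpdateTlsFile can leave the daemon half-updated: the loop reloads the CRL into each TLS-enabled service in turn and does `goto cleanup` on the first failure, so services visited earlier already use the new CRL, later ones still use the old one, and the caller only sees -1 with no indication of which. Since every service reloads the same file, validate and parse it once before touching any context, or at least report which services were updated. Smaller points in the same function: `VIR_ERR_SYSTEM_ERROR` is the wrong error class for a bad `filetype` argument (VIR_ERR_INVALID_ARG) and for a build without GnuTLS (VIR_ERR_OPERATION_UNSUPPORTED); the `cnt == 0` branch reports an error whose text says `don't need update`, so decide whether that case is an error or a no-op that returns 0; the `VIR_ERROR(...)` after a failed virNetTLSContextUpdateCRL logs a second message on top of the error that function has already reported and can go; and the strings should be complete sentences, e.g. `_("Unsupported TLS file type: %u")` (`filetype` is unsigned, so `%u` rather than `%d`).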
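Review bot: in the src/rpc/virnettlscontext.c hunk, virNetTLSContextUpdateCRL reloads from the compile-time path `LIBVIRT_CACRL` instead of the path the context was created with. The constructors take the file paths as parameters (`virNetTLSContextNewClient(const char *cacert,` in the header hunk) and libvirtd lets the CRL location be configured, so on a host using a non-default path this call silently loads a different file from the one in use; store the CRL path in the context when it is created and reuse it here. Three further things need settling before this can be relied on as a revocation mechanism. First, `gnutls_certificate_set_x509_crl_file` adds the CRLs from the file to the credentials, so please confirm against the GnuTLS versions libvirt supports whether it replaces an earlier CRL from the same issuer or accumulates; if it accumulates, clear with `gnutls_certificate_free_crls` first, otherwise every reload grows the list. Second, taking the `ctxt` lock protects against concurrent updaters only, not against handshakes already in progress on sessions that share `ctxt->x509cred`, so either confirm GnuTLS allows modifying credentials that are in use or build a fresh context and swap the pointer under the lock. Third, nothing here touches clients that are already connected, so a certificate revoked by the new CRL keeps its existing session until it disconnects on its own; the cover letter's "security risks" motivation should either accept that explicitly or address it by re-checking connected clients after a reload. Minor: `_("%s not exist")` should be `_("%s does not exist")`, and `VIR_INFO("Load %d CRL from %s", ...)` reads better as `Loaded %d CRL(s) from %s`.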
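Review bot: in the src/rpc/virnettlscontext.h hunk, `#define TYPE_CACRL_LIBVIRT 13` puts a protocol-visible constant into an internal RPC header, duplicated as `LIBVIRT_CACRL_TYPE 13` in tools/virt-admin.c with no comment on why 13. It belongs in the public admin header as an enum value that both sides include, so the client and daemon cannot drift apart on the wire value; this header should at most refer to that definition.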
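Review bot: in the tools/virt-admin.c hunk, the `help` and `desc` strings are not user-facing text: `notify tls file type, current only support libvirt cacrl(13)` leaks an internal constant and `notify libvirtd TLS server hot update CACRL.` is not a sentence. Suggest `.data = N_("reload the CA CRL file of a server")` for `help` and `.data = N_("Make the given server re-read its CA certificate revocation list without restarting libvirtd.")` for `desc`. The command name `update-crl-file` is CRL-specific while the API it calls is generic over `filetype`; pick one, because a later `--type` option would sit oddly under a command named for CRLs. Also drop the local `LIBVIRT_CACRL_TYPE` define in favour of a constant from the public admin header.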

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list