From nobody Tue Feb 10 02:44:13 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=huawei.com ARC-Seal: i=1; a=rsa-sha256; t=1620741965; cv=none; d=zohomail.com; s=zohoarc; b=AaQD4SGgw7JN4Kcb7jppCJG6Ekd/QlscYFBToaFUkcWRB9bQezox2ujCKplSNPqFAlffWZFjj23Z8TKDVWSQ0oX7+41+b6peXGzm0Fv3Z6cHbGVgWJ/m6Yb5whNfl4V4DPGQ5oPfppg0umnrT+wtVYzxYSt+05zdZ7YdG7dcinY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620741965; h=Content-Type:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=wVdQq288lenuqtbFza+Xgk88MsWgPPmUSoMhxCcDn8s=; b=jAasioy5eUpIIIPOGMQq5h8/n7WjHIGXnc1+L14QeTUJzCWEaqcYN7eSOLI1/rWOJ40IAICBGHyRiVCo+iAQwrN4jK2VCMAZWGEkWAATfVurqwyL0ta/Jeo2ujKZRbkXYV0bZBm8umjJ8egROHBrxS9pm0QBJT0ulHiPmKAkr0Q= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com with SMTPS id 1620741965969515.9617398586192; Tue, 11 May 2021 07:06:05 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-531-7xXXcTM6PmuxGYC_bjjXFA-1; Tue, 11 May 2021 10:05:57 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0129B8015DB; Tue, 11 May 2021 14:05:49 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D83176A033; Tue, 11 May 2021 14:05:48 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 9EF5955340; Tue, 11 May 2021 14:05:48 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 14BE5hmL032730 for ; Tue, 11 May 2021 10:05:43 -0400 Received: by smtp.corp.redhat.com (Postfix) id 8F8ACF8945; Tue, 11 May 2021 14:05:43 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8ABD1F8964 for ; Tue, 11 May 2021 14:05:40 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 495E1802C15 for ; Tue, 11 May 2021 14:05:40 +0000 (UTC) Received: from szxga05-in.huawei.com (szxga05-in.huawei.com [45.249.212.191]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-391-2zVPoVuIOPurJ0T4BN8MxQ-1; Tue, 11 May 2021 10:05:35 -0400 Received: from DGGEMS412-HUB.china.huawei.com (unknown [172.30.72.58]) by szxga05-in.huawei.com (SkyGuard) with ESMTP id 4Fffkz564tzwSPS; Tue, 11 May 2021 22:02:51 +0800 (CST) Received: from localhost (10.174.149.15) by DGGEMS412-HUB.china.huawei.com (10.3.19.212) with Microsoft SMTP Server id 14.3.498.0; Tue, 11 May 2021 22:05:23 +0800 X-MC-Unique: 7xXXcTM6PmuxGYC_bjjXFA-1 X-MC-Unique: 2zVPoVuIOPurJ0T4BN8MxQ-1 From: Zheng Yan To: Subject: [PATCH 3/4] libvirt: Introduce virDomainReloadTlsCertificates API Date: Tue, 11 May 2021 22:05:20 +0800 Message-ID: <1620741921-22056-4-git-send-email-yanzheng759@huawei.com> In-Reply-To: <1620741921-22056-1-git-send-email-yanzheng759@huawei.com> References: <1620741921-22056-1-git-send-email-yanzheng759@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.174.149.15] X-CFilter-Loop: Reflected X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: libvir-list@redhat.com Cc: mprivozn@redhat.com, wangxinxin.wang@huawei.com, changzihao1@huawei.com, hhan@redhat.com, oscar.zhangbo@huawei.com, hexiaoyu3@huawei.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The new virDomainReloadTlsCertificates API is used to notify domain reload its certificates without restart, and avoid service interruption. And add remote qemu driver impl for virDrvDomainReloadTlsCertificates. Currently, only QEMU VNC TLS certificates are supported, but parameters and flags are also reserved for subsequent scenarios. Take reload QEMU VNC TLS certificates as an example, we can call: virDomainReloadTlsCertificates(domain, VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC, NULL, 0, 0); Then the specified QMP message would be send to QEMU: {"execute": "display-relo "arguments":{"type": "vnc", "tls-certs": true}} Signed-off-by: Zheng Yan --- include/libvirt/libvirt-domain.h | 20 +++++++++++ src/libvirt-domain.c | 57 ++++++++++++++++++++++++++++++++ src/libvirt_public.syms | 5 +++ src/remote/remote_driver.c | 1 + src/remote/remote_protocol.x | 15 ++++++++- src/remote_protocol-structs | 10 ++++++ 6 files changed, 107 insertions(+), 1 deletion(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index e99bfb7654..357d3598a6 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -5152,4 +5152,24 @@ int virDomainStartDirtyRateCalc(virDomainPtr domain, int seconds, unsigned int flags); =20 +/** + * virDomainTlsCertificateType: + * the used scene of TLS certificates for doamin + */ +typedef enum { + VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC =3D 0, + VIR_DOMAIN_TLS_CERT_GRAPHICS_SPICE =3D 1, + +# ifdef VIR_ENUM_SENTINELS + VIR_DOMAIN_TLS_CERT_LAST +# endif +} virDomainTlsCertificateType; + +int +virDomainReloadTlsCertificates(virDomainPtr domain, + unsigned int type, + virTypedParameterPtr params, + int nparams, + unsigned int flags); + #endif /* LIBVIRT_DOMAIN_H */ diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c index 42c75f6cc5..f2a8949971 100644 --- a/src/libvirt-domain.c +++ b/src/libvirt-domain.c @@ -13218,3 +13218,60 @@ virDomainStartDirtyRateCalc(virDomainPtr domain, virDispatchError(conn); return -1; } + +/** + * virDomainReloadTlsCertificates: + * @domain: a domain object. + * @type: a value of virDomainTlsCertificateType + * @params: pointer to TLS Certs parameter objects, must be NULL if not us= ed + * @nparams: number of TLS Certs parameter objects, must be 0 if not used + * @flags: extra flags; not used yet, so callers should always pass 0 + * + * Notify domain reload its certificates with specified 'type' + * + * Returns 0 in case of success, -1 otherwise. + */ +int +virDomainReloadTlsCertificates(virDomainPtr domain, + unsigned int type, + virTypedParameterPtr params, + int nparams, + unsigned int flags) +{ + virConnectPtr conn; + + VIR_DOMAIN_DEBUG(domain, "certificate type=3D%u, params=3D%p, nparams= =3D%d, flags=3D%x", + type, params, nparams, flags); + + virResetLastError(); + + virCheckDomainReturn(domain, -1); + conn =3D domain->conn; + virCheckReadOnlyGoto(conn->flags, error); + virCheckNonNegativeArgGoto(nparams, error); + + if (type >=3D VIR_DOMAIN_TLS_CERT_LAST) { + virReportInvalidArg(type, + _("type must be less than %d"), + VIR_DOMAIN_TLS_CERT_LAST); + goto error; + } + + if (conn->driver->domainReloadTlsCertificates) { + int ret; + ret =3D conn->driver->domainReloadTlsCertificates(domain, + type, + params, + nparams, + flags); + if (ret < 0) + goto error; + return ret; + } + + virReportUnsupportedError(); + + error: + virDispatchError(domain->conn); + return -1; +} diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms index 5678a13cda..30ff012958 100644 --- a/src/libvirt_public.syms +++ b/src/libvirt_public.syms @@ -896,4 +896,9 @@ LIBVIRT_7.3.0 { virNodeDeviceCreate; } LIBVIRT_7.2.0; =20 +LIBVIRT_7.4.0 { + global: + virDomainReloadTlsCertificates; +} LIBVIRT_7.3.0; + # .... define new API here using predicted next version number .... diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 0c72d69933..0e6e4e3007 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -8566,6 +8566,7 @@ static virHypervisorDriver hypervisor_driver =3D { .domainAuthorizedSSHKeysSet =3D remoteDomainAuthorizedSSHKeysSet, /* 6= .10.0 */ .domainGetMessages =3D remoteDomainGetMessages, /* 7.1.0 */ .domainStartDirtyRateCalc =3D remoteDomainStartDirtyRateCalc, /* 7.2.0= */ + .domainReloadTlsCertificates =3D remoteDomainReloadTlsCertificates, /*= 7.4.0 */ }; =20 static virNetworkDriver network_driver =3D { diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index de69704b68..96cc7dd9ea 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -286,6 +286,8 @@ const REMOTE_DOMAIN_AUTHORIZED_SSH_KEYS_MAX =3D 2048; /* Upper limit on number of messages */ const REMOTE_DOMAIN_MESSAGES_MAX =3D 2048; =20 +/* Upper limit on list of TLS certificate parameters */ +const REMOTE_DOMAIN_RELOAD_TLS_CERT_PARAMETERS_MAX =3D 16; =20 /* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */ typedef opaque remote_uuid[VIR_UUID_BUFLEN]; @@ -3836,6 +3838,12 @@ struct remote_domain_start_dirty_rate_calc_args { unsigned int flags; }; =20 +struct remote_domain_reload_tls_certificates_args { + remote_nonnull_domain dom; + unsigned int type; + remote_typed_param params; + unsigned int flags; +}; =20 /*----- Protocol. -----*/ =20 @@ -6784,6 +6792,11 @@ enum remote_procedure { * @priority: high * @acl: node_device:start */ - REMOTE_PROC_NODE_DEVICE_CREATE =3D 430 + REMOTE_PROC_NODE_DEVICE_CREATE =3D 430, =20 + /** + * @generate: both + * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_RELOAD_TLS_CERTIFICATES =3D 431 }; diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs index 6b46328adc..799a8596ea 100644 --- a/src/remote_protocol-structs +++ b/src/remote_protocol-structs @@ -3192,6 +3192,15 @@ struct remote_domain_start_dirty_rate_calc_args { int seconds; u_int flags; }; +struct remote_domain_reload_tls_certificates_args { + remote_nonnull_domain dom; + u_int type; + struct { + u_int params_len; + remote_typed_param * params_val; + } params; + u_int flags; +}; enum remote_procedure { REMOTE_PROC_CONNECT_OPEN =3D 1, REMOTE_PROC_CONNECT_CLOSE =3D 2, @@ -3623,4 +3632,5 @@ enum remote_procedure { REMOTE_PROC_NODE_DEVICE_DEFINE_XML =3D 428, REMOTE_PROC_NODE_DEVICE_UNDEFINE =3D 429, REMOTE_PROC_NODE_DEVICE_CREATE =3D 430, + REMOTE_PROC_DOMAIN_RELOAD_TLS_CERTIFICATES =3D 431, }; --=20 2.25.1