From: John Ferlan
To: libvir-list@redhat.com
Date: Thu, 23 Feb 2017 13:42:16 -0500
Message-Id: <20170223184216.5158-15-jferlan@redhat.com>
In-Reply-To: <20170223184216.5158-1-jferlan@redhat.com>
References: <20170223184216.5158-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v2 14/14] qemu: Set up the migration TLS objects for source

https://bugzilla.redhat.com/show_bug.cgi?id=1300769

Modify the Begin phase to add the checks to determine whether a migration wishes to use TLS and whether it's configured, including adding the secret into the priv->migSecinfo for the source domain.

Modify the Perform phase in qemuMigrationRun in order to generate the TLS objects to be used for the migration and set the migration channel parameters 'tls-creds' and possibly 'tls-hostname' in order to enable TLS.

Signed-off-by: John Ferlan
---
src/qemu/qemu_migration.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 0e95fd9..4779d23 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3452,6 +3452,9 @@ qemuMigrationBegin(virConnectPtr conn, goto endjob; } =20 + if (qemuMigrationCheckSetupTLS(driver, conn, vm, flags) < 0) + goto endjob; + /* Check if there is any ejected media. * We don't want to require them on the destination. */
@@ -4802,8 +4805,12 @@ qemuMigrationRun(virQEMUDriverPtr driver, { int ret =3D -1; unsigned int migrate_flags =3D QEMU_MONITOR_MIGRATE_BACKGROUND; + virQEMUDriverConfigPtr cfg =3D NULL; qemuDomainObjPrivatePtr priv =3D vm->privateData; qemuMigrationCookiePtr mig =3D NULL; + char *tlsAlias =3D NULL; + char *tlsHostname =3D NULL; + char *secAlias =3D NULL; qemuMigrationIOThreadPtr iothread =3D NULL; int fd =3D -1; unsigned long migrate_speed =3D resource ? resource : priv->migMaxBand= width; @@ -4867,6 +4874,29 @@ qemuMigrationRun(virQEMUDriverPtr driver, if (qemuDomainMigrateGraphicsRelocate(driver, vm, mig, graphicsuri) < = 0) VIR_WARN("unable to provide data for graphics client relocation"); =20 + /* If we're using TLS attempt to add the objects */ + if (priv->migrateTLS) { + cfg =3D virQEMUDriverGetConfig(driver); + if (qemuMigrationAddTLSObjects(driver, vm, "migrate", + cfg->migrateTLSx509certdir, false, + cfg->migrateTLSx509verify, + &tlsAlias, &secAlias, migParams) < = 0) + goto cleanup; + + /* We need to add the tls-hostname only for special circumstances. + * When using "fd:" or "exec:", qemu needs to know the hostname of + * the target qemu to correctly validate the x509 certificate + * it receives. */ + if (STREQ(spec->dest.host.protocol, "fd") || + STREQ(spec->dest.host.protocol, "exec")) { + if (VIR_STRDUP(tlsHostname, spec->dest.host.name) < 0) { + qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + return -1; + } + migParams->migrateTLSHostname =3D tlsHostname; + } + } + if (migrate_flags & (QEMU_MONITOR_MIGRATE_NON_SHARED_DISK | QEMU_MONITOR_MIGRATE_NON_SHARED_INC)) { if (mig->nbd) { 
@@ -5047,6 +5077,10 @@ qemuMigrationRun(virQEMUDriverPtr driver, ret =3D -1; } =20 + qemuMigrationDelTLSObjects(driver, cfg, vm, &secAlias, &tlsAlias); + VIR_FREE(tlsHostname); + virObjectUnref(cfg); + if (spec->fwdType !=3D MIGRATION_FWD_DIRECT) { if (iothread && qemuMigrationStopTunnel(iothread, ret < 0) < 0) ret =3D -1; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
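Review bot: in the hunk that adds the `if (priv->migrateTLS)` block to qemuMigrationRun, the VIR_STRDUP failure path calls `qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias)` and then `return -1;`, which bypasses the function's cleanup label: `cfg` from virQEMUDriverGetConfig is never unreffed, `tlsAlias`/`secAlias` are not freed, and the iothread/tunnel teardown visible at cleanup in the last hunk is skipped. Since the cleanup path already gains `qemuMigrationDelTLSObjects(driver, cfg, vm, &secAlias, &tlsAlias)`, this should simply be `goto cleanup;`. Separately, `STREQ(spec->dest.host.protocol, "fd")` / `"exec"` reads `spec->dest.host` without first checking which destination kind `spec` describes; if `spec->dest` is shared between destination kinds (host, unix socket, fd), key this on the destination type rather than on the protocol string, so the hostname is only read when the host member is actually valid. The bare `false` argument to qemuMigrationAddTLSObjects also deserves an inline comment naming the parameter it sets.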
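Review bot: in the cleanup hunk of qemuMigrationRun, `qemuMigrationDelTLSObjects(driver, cfg, vm, &secAlias, &tlsAlias)` runs unconditionally, but `cfg` is only assigned inside the `if (priv->migrateTLS)` block of the previous hunk, so it is NULL whenever TLS is not in use; either guard the call on `priv->migrateTLS` (or on `cfg != NULL`) or document that qemuMigrationDelTLSObjects tolerates a NULL cfg and NULL aliases. Ownership of `tlsHostname` also needs stating: the previous hunk stores it in `migParams->migrateTLSHostname`, and this hunk frees it with `VIR_FREE(tlsHostname)`, which leaves `migParams->migrateTLSHostname` dangling if migParams outlives this function. Either clear that field here as well, or let migParams own the string and free it together with the other params.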