[libvirt] [PATCH v4 09/10] qemu: Set up the migration TLS objects for source

John Ferlan posted 10 patches 8 years, 10 months ago
[libvirt] [PATCH v4 09/10] qemu: Set up the migration TLS objects for source
Posted by John Ferlan 8 years, 10 months ago
https://bugzilla.redhat.com/show_bug.cgi?id=1300769

If the migration flags indicate this migration will be using TLS,
then, while we still have the connection in the Begin phase, check and
set up the TLS environment that virMigrationRun will use during the
Perform phase to configure TLS for the source.

Processing adds an "-object tls-creds-x509,endpoint=client,..." and
possibly an "-object secret,..." to handle the passphrase response.

Then it sets the 'tls-creds' and possibly 'tls-hostname' migration
parameters.

The qemuMigrateCancel will clean up and reset the environment as it
was originally found.

Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 src/qemu/qemu_migration.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 29621c7..93cd04a 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -3448,6 +3448,7 @@ qemuMigrationBegin(virConnectPtr conn,
                    unsigned long flags)
 {
     virQEMUDriverPtr driver = conn->privateData;
+    virQEMUDriverConfigPtr cfg = NULL;
     char *xml = NULL;
     qemuDomainAsyncJob asyncJob;
 
@@ -3481,6 +3482,12 @@ qemuMigrationBegin(virConnectPtr conn,
                                         nmigrate_disks, migrate_disks, flags)))
         goto endjob;
 
+    if (flags & VIR_MIGRATE_TLS) {
+        cfg = virQEMUDriverGetConfig(driver);
+        if (qemuMigrationCheckSetupTLS(conn, driver, cfg, vm, asyncJob) < 0)
+            goto endjob;
+    }
+
     if ((flags & VIR_MIGRATE_CHANGE_PROTECTION)) {
         /* We keep the job active across API calls until the confirm() call.
          * This prevents any other APIs being invoked while migration is taking
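Review bot: The new VIR_MIGRATE_TLS block above does not say why the TLS setup is done in Begin rather than in Perform; the commit message gives the reason (the connection is still available here), and that belongs next to the code, e.g. `/* TLS setup needs the connection, which is only available in Begin */` above the `if`. The cfg reference taken inside the branch is released unconditionally at the cleanup label in a later hunk, so the non-TLS path relies on virObjectUnref tolerating a NULL cfg. qemuMigrationBegin starts and ends outside this hunk.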
@@ -3497,6 +3504,7 @@ qemuMigrationBegin(virConnectPtr conn,
     }
 
  cleanup:
+    virObjectUnref(cfg);
     virDomainObjEndAPI(&vm);
     return xml;
 
@@ -4957,8 +4965,11 @@ qemuMigrationRun(virQEMUDriverPtr driver,
 {
     int ret = -1;
     unsigned int migrate_flags = QEMU_MONITOR_MIGRATE_BACKGROUND;
+    virQEMUDriverConfigPtr cfg = NULL;
     qemuDomainObjPrivatePtr priv = vm->privateData;
     qemuMigrationCookiePtr mig = NULL;
+    char *tlsAlias = NULL;
+    char *secAlias = NULL;
     qemuMigrationIOThreadPtr iothread = NULL;
     int fd = -1;
     unsigned long migrate_speed = resource ? resource : priv->migMaxBandwidth;
@@ -5022,6 +5033,35 @@ qemuMigrationRun(virQEMUDriverPtr driver,
     if (qemuDomainMigrateGraphicsRelocate(driver, vm, mig, graphicsuri) < 0)
         VIR_WARN("unable to provide data for graphics client relocation");
 
+    if (flags & VIR_MIGRATE_TLS) {
+        cfg = virQEMUDriverGetConfig(driver);
+
+        /* Begin/CheckSetupTLS already set up migTLSAlias, the following
+         * assumes that and adds the TLS objects to the domain. */
+        if (qemuMigrationAddTLSObjects(driver, vm, cfg, false,
+                                       QEMU_ASYNC_JOB_MIGRATION_OUT,
+                                       &tlsAlias, &secAlias, migParams) < 0)
+            goto cleanup;
+
+        /* We need to add tls-hostname whenever QEMU itself does not
+         * connect directly to the destination. */
+        if (spec->destType == MIGRATION_DEST_CONNECT_HOST ||
+            spec->destType == MIGRATION_DEST_FD) {
+            if (VIR_STRDUP(migParams->migrateTLSHostname,
+                           spec->dest.host.name) < 0)
+                goto cleanup;
+        } else {
+            /* Be sure there's nothing from a previous migration */
+            if (VIR_STRDUP(migParams->migrateTLSHostname, "") < 0)
+                goto cleanup;
+        }
+    } else {
+        if (qemuMigrationSetEmptyTLSParams(driver, vm,
+                                           QEMU_ASYNC_JOB_MIGRATION_OUT,
+                                           migParams) < 0)
+            goto cleanup;
+    }
+
     if (migrate_flags & (QEMU_MONITOR_MIGRATE_NON_SHARED_DISK |
                          QEMU_MONITOR_MIGRATE_NON_SHARED_INC)) {
         if (mig->nbd) {
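Review bot: The MIGRATION_DEST_FD arm of the hostname check reads spec->dest.host.name, yet an fd destination presumably carries descriptors rather than a host name; if spec->dest is a union, that read touches an inactive member and whatever overlaps it becomes the tls-hostname QEMU verifies the peer certificate against — confirm against the qemuMigrationSpec definition, which is outside this hunk. If the FD case genuinely needs the peer name for certificate verification, it should come from a field the caller sets explicitly for that case rather than from the host member. A short comment on the `if` stating where the hostname for the FD case originates would make the intent checkable. qemuMigrationRun starts and ends outside this hunk.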
@@ -5202,6 +5242,14 @@ qemuMigrationRun(virQEMUDriverPtr driver,
             ret = -1;
     }
 
+    if (qemuMigrationResetTLS(driver, vm, QEMU_ASYNC_JOB_MIGRATION_OUT,
+                              tlsAlias, secAlias) < 0)
+        ret = -1;
+
+    VIR_FREE(tlsAlias);
+    VIR_FREE(secAlias);
+    virObjectUnref(cfg);
+
     if (spec->fwdType != MIGRATION_FWD_DIRECT) {
         if (iothread && qemuMigrationStopTunnel(iothread, ret < 0) < 0)
             ret = -1;
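Review bot: A failing qemuMigrationResetTLS at the top of this hunk sets ret = -1 even when the migration itself has already succeeded, so a teardown-only failure is reported to callers as a failed migration; whether callers can still reconcile domain state on source and destination in that case is not visible here, since the `cleanup:` label and the rest of the function lie outside the hunk. If that is intended, say so with `/* stale tls-creds/tls-hostname left in QEMU is treated as fatal */`; otherwise the qemuMigrationCancel hunk shows the alternative, `ignore_value(qemuMigrationResetTLS(...))`. The reset also runs for non-TLS migrations with NULL aliases, which is presumably deliberate to clear parameters from an earlier run and deserves a one-line comment.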
@@ -6906,6 +6954,9 @@ qemuMigrationCancel(virQEMUDriverPtr driver,
     if (qemuDomainObjExitMonitor(driver, vm) < 0 || (storage && !blockJobs))
         goto endsyncjob;
 
+    ignore_value(qemuMigrationResetTLS(driver, vm, QEMU_ASYNC_JOB_NONE,
+                                       NULL, NULL));
+
     if (!storage) {
         ret = 0;
         goto cleanup;
-- 
2.9.3

Re: [libvirt] [PATCH v4 09/10] qemu: Set up the migration TLS objects for source
Posted by Jiri Denemark 8 years, 10 months ago
On Thu, Mar 23, 2017 at 19:02:10 -0400, John Ferlan wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1300769
> 
> If the migration flags indicate this migration will be using TLS,
> then while we have connection in the Begin phase check and setup the
> TLS environment that will be used by virMigrationRun during the Perform
> phase for the source to configure TLS.
> 
> Processing adds an "-object tls-creds-x509,endpoint=client,..." and
> possibly an "-object secret,..." to handle the passphrase response.
> 
> Then it sets the 'tls-creds' and possibly 'tls-hostname' migration
> parameters.
> 
> The qemuMigrateCancel will clean up and reset the environment as it
> was originally found.
> 
> Signed-off-by: John Ferlan <jferlan@redhat.com>
> ---
>  src/qemu/qemu_migration.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 51 insertions(+)

ACK

Jirka
