From nobody Sun May 5 10:09:22 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1490313976818584.613237683368; Thu, 23 Mar 2017 17:06:16 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id F21CFC04B926; Fri, 24 Mar 2017 00:06:15 +0000 (UTC) Received: from colo-mx.corp.redhat.com (unknown [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id BEDAAA5699; Fri, 24 Mar 2017 00:06:15 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id C6A475ED7D; Fri, 24 Mar 2017 00:06:12 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2NN2H5G021892 for ; Thu, 23 Mar 2017 19:02:17 -0400 Received: by smtp.corp.redhat.com (Postfix) id BFB4E868A6; Thu, 23 Mar 2017 23:02:17 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-76.phx2.redhat.com [10.3.116.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7F3B68689D for ; Thu, 23 Mar 2017 23:02:16 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com F21CFC04B926 Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: 
ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com F21CFC04B926 From: John Ferlan To: libvir-list@redhat.com Date: Thu, 23 Mar 2017 19:02:02 -0400 Message-Id: <20170323230211.20641-2-jferlan@redhat.com> In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com> References: <20170323230211.20641-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v4 01/10] qemu: Create #define for TLS configuration setup. X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Fri, 24 Mar 2017 00:06:16 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Create GET_CONFIG_TLS_CERT to set up the TLS for 'chardev' TLS setting. Soon to be reused. Signed-off-by: John Ferlan --- src/qemu/qemu_conf.c | 39 +++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 14 deletions(-) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 0a338d7..d3f318d 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -530,22 +530,33 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPt= r cfg, if (virConfGetValueBool(conf, "spice_auto_unix_socket", &cfg->spiceAut= oUnixSocket) < 0) goto cleanup; =20 +#define GET_CONFIG_TLS_CERTINFO(val) = \ + do { = \ + if ((rv =3D virConfGetValueBool(conf, #val "_tls_x509_verify", = \ + &cfg->val## TLSx509verify)) < 0) = \ + goto cleanup; = \ + if (rv =3D=3D 0) = \ + cfg->val## TLSx509verify =3D cfg->defaultTLSx509verify; = \ + if (virConfGetValueString(conf, #val "_tls_x509_cert_dir", = \ + &cfg->val## TLSx509certdir) < 0) = \ + goto cleanup; = \ + if (virConfGetValueString(conf, = \ + #val "_tls_x509_secret_uuid", = \ + &cfg->val## TLSx509secretUUID) < 0) = \ + goto cleanup; = \ + if (!cfg->val## TLSx509secretUUID && = \ + cfg->defaultTLSx509secretUUID) { = \ + if (VIR_STRDUP(cfg->val## TLSx509secretUUID, = \ + cfg->defaultTLSx509secretUUID) < 0) = \ + goto cleanup; = \ + } = \ + } while (0) + if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0) goto cleanup; - if (virConfGetValueString(conf, "chardev_tls_x509_cert_dir", &cfg->cha= rdevTLSx509certdir) < 0) - goto cleanup; - if ((rv =3D virConfGetValueBool(conf, "chardev_tls_x509_verify", &cfg-= >chardevTLSx509verify)) < 0) - goto cleanup; - if (rv =3D=3D 0) - cfg->chardevTLSx509verify =3D cfg->defaultTLSx509verify; - if (virConfGetValueString(conf, "chardev_tls_x509_secret_uuid", - &cfg->chardevTLSx509secretUUID) < 0) - goto cleanup; - if (!cfg->chardevTLSx509secretUUID && cfg->defaultTLSx509secretUUID) { - if (VIR_STRDUP(cfg->chardevTLSx509secretUUID, - cfg->defaultTLSx509secretUUID) < 0) - goto cleanup; - } + GET_CONFIG_TLS_CERTINFO(chardev); + +#undef GET_CONFIG_TLS_CERTINFO =20 if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSo= cketPortMin) < 0) goto cleanup; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 10:09:22 2024 Delivered-To: importer@patchew.org 
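Review bot: the commit message names the new macro GET_CONFIG_TLS_CERT, but the hunk defines GET_CONFIG_TLS_CERTINFO; make the two agree before this is pushed. The macro also relies on the caller's locals rv, conf and cfg and on the cleanup label without saying so; that is acceptable for a function-local #define that is #undef'd right after its single use, but a one-line comment above the #define naming those dependencies would save the next reader from hunting for where rv comes from. Behaviour is unchanged by the move into the macro: <val>_tls_x509_verify still falls back to cfg->defaultTLSx509verify when the key is absent (rv == 0), and <val>_tls_x509_secret_uuid is copied from defaultTLSx509secretUUID only when not set in the file.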
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 149031397670047.14681744539223; Thu, 23 Mar 2017 17:06:16 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id EDE4C8A4B2; Fri, 24 Mar 2017 00:06:15 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id BDA4DA5698; Fri, 24 Mar 2017 00:06:15 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id ACE9718523C3; Fri, 24 Mar 2017 00:06:13 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2NN2IML021897 for ; Thu, 23 Mar 2017 19:02:18 -0400 Received: by smtp.corp.redhat.com (Postfix) id ABB5788E2D; Thu, 23 Mar 2017 23:02:18 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-76.phx2.redhat.com [10.3.116.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6C1AF868B7 for ; Thu, 23 Mar 2017 23:02:17 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com EDE4C8A4B2 Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=pass 
smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com EDE4C8A4B2 From: John Ferlan To: libvir-list@redhat.com Date: Thu, 23 Mar 2017 19:02:03 -0400 Message-Id: <20170323230211.20641-3-jferlan@redhat.com> In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com> References: <20170323230211.20641-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v4 02/10] qemu: Replace macro usage of (false); with just (0) X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Fri, 24 Mar 2017 00:06:16 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Signed-off-by: John Ferlan --- src/qemu/qemu_conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index d3f318d..34646bd 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -275,7 +275,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool priv= ileged) cfg->defaultTLSx509certdir) < 0) \ goto error; \ } \ - } while (false); + } while (0) =20 SET_TLS_X509_CERT_DEFAULT(vnc); SET_TLS_X509_CERT_DEFAULT(spice); --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 10:09:22 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1490314000816554.2155779111489; Thu, 23 Mar 2017 17:06:40 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DD13481F01; Fri, 24 Mar 2017 00:06:36 +0000 (UTC) Received: from colo-mx.corp.redhat.com (unknown [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id AAD3382582; Fri, 24 Mar 2017 00:06:36 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 57B8D5ED69; Fri, 24 Mar 2017 00:06:36 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2NN2JnH021907 for ; Thu, 23 Mar 2017 19:02:19 -0400 Received: by smtp.corp.redhat.com (Postfix) id 3413088E3F; Thu, 23 Mar 2017 23:02:19 +0000 (UTC) Received: from localhost.localdomain.com 
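Review bot: the change is correct and the reason deserves a sentence in the commit message rather than only in the subject: with "} while (false);" inside the macro body, every call such as SET_TLS_X509_CERT_DEFAULT(vnc); expanded to a trailing ";;", and the do { } while (0) idiom only behaves as a single statement inside an unbraced if/else when the semicolon is supplied by the caller, which is what the hunk now arranges.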
(ovpn-116-76.phx2.redhat.com [10.3.116.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id E1DFE88E2D for ; Thu, 23 Mar 2017 23:02:18 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com DD13481F01 Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com DD13481F01 
From: John Ferlan To: libvir-list@redhat.com Date: Thu, 23 Mar 2017 19:02:04 -0400 Message-Id: <20170323230211.20641-4-jferlan@redhat.com> In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com> References: <20170323230211.20641-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v4 03/10] conf: Introduce migrate_tls_x509_cert_dir X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Fri, 24 Mar 2017 00:06:40 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add a new TLS X.509 certificate type - "migrate". This will handle the creation of a TLS certificate capability (and possibly repository) to be used for migrations. Similar to chardev's, credentials will be handled via a libvirt secret; however, unlike chardev's, enablement and usage will be via a CLI flag instead of a conf flag and a domain XML attribute. The migrations using the *x509_verify flag require the client-cert.pem and client-key.pem files to be present in the TLS directory - so let's also be sure to note that in the qemu.conf file. Signed-off-by: John Ferlan --- src/qemu/libvirtd_qemu.aug | 5 +++++ src/qemu/qemu.conf | 44 +++++++++++++++++++++++++++++++++++++- src/qemu/qemu_conf.c | 6 ++++++ src/qemu/qemu_conf.h | 4 ++++ src/qemu/test_libvirtd_qemu.aug.in | 3 +++ 5 files changed, 61 insertions(+), 1 deletion(-) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 82bae9e..e1983d1 100644 
--- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -54,6 +54,10 @@ module Libvirtd_qemu =3D | bool_entry "chardev_tls_x509_verify" | str_entry "chardev_tls_x509_secret_uuid" =20 + let migrate_entry =3D str_entry "migrate_tls_x509_cert_dir" + | bool_entry "migrate_tls_x509_verify" + | str_entry "migrate_tls_x509_secret_uuid" + let nogfx_entry =3D bool_entry "nographics_allow_host_audio" =20 let remote_display_entry =3D int_entry "remote_display_port_min" @@ -116,6 +120,7 @@ module Libvirtd_qemu =3D | vnc_entry | spice_entry | chardev_entry + | migrate_entry | nogfx_entry | remote_display_entry | security_entry diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 9925ac9..a609aa4 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -21,11 +21,16 @@ # an encrypted channel. # # It is possible to use x509 certificates for authentication too, by -# issuing a x509 certificate to every client who needs to connect. +# issuing an x509 certificate to every client who needs to connect. # # Enabling this option will reject any client who does not have a # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem # +# The default_tls_x509_cert_dir directory must also contain +# +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# #default_tls_x509_verify =3D 1 =20 # 
@@ -238,6 +243,43 @@ #chardev_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" =20 =20 +# In order to override the default TLS certificate location for migration +# certificates, supply a valid path to the certificate directory. If the +# provided path does not exist then the default_tls_x509_cert_dir path +# will be used. Once/if a default certificate is enabled/defined, migration +# will then be able to use the certificate via migration API flags. +# +#migrate_tls_x509_cert_dir =3D "/etc/pki/libvirt-migrate" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client that does not have a +# ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir +# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem +# files described in default_tls_x509_cert_dir. +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". +# +#migrate_tls_x509_verify =3D 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#migrate_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" + + # By default, if no graphical front end is configured, libvirt will disable # QEMU audio output since directly talking to alsa/pulseaudio may not work # with various security settings. If you know what you're doing, enable diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 34646bd..35869d4 100644 --- a/src/qemu/qemu_conf.c 
+++ b/src/qemu/qemu_conf.c @@ -280,6 +280,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool priv= ileged) SET_TLS_X509_CERT_DEFAULT(vnc); SET_TLS_X509_CERT_DEFAULT(spice); SET_TLS_X509_CERT_DEFAULT(chardev); + SET_TLS_X509_CERT_DEFAULT(migrate); =20 #undef SET_TLS_X509_CERT_DEFAULT =20 @@ -395,6 +396,9 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->chardevTLSx509certdir); VIR_FREE(cfg->chardevTLSx509secretUUID); =20 + VIR_FREE(cfg->migrateTLSx509certdir); + VIR_FREE(cfg->migrateTLSx509secretUUID); + while (cfg->nhugetlbfs) { cfg->nhugetlbfs--; VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir); @@ -556,6 +560,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr = cfg, goto cleanup; GET_CONFIG_TLS_CERTINFO(chardev); =20 + GET_CONFIG_TLS_CERTINFO(migrate); + #undef GET_CONFIG_TLS_CERTINFO =20 if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSo= cketPortMin) < 0) diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index e585f81..1407eef 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -137,6 +137,10 @@ struct _virQEMUDriverConfig { bool chardevTLSx509verify; char *chardevTLSx509secretUUID; =20 + char *migrateTLSx509certdir; + bool migrateTLSx509verify; + char *migrateTLSx509secretUUID; + unsigned int remotePortMin; unsigned int remotePortMax; =20 diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 6f03898..3e317bc 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
@@ -25,6 +25,9 @@ module Test_libvirtd_qemu =3D { "chardev_tls_x509_cert_dir" =3D "/etc/pki/libvirt-chardev" } { "chardev_tls_x509_verify" =3D "1" } { "chardev_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } +{ "migrate_tls_x509_cert_dir" =3D "/etc/pki/libvirt-migrate" } +{ "migrate_tls_x509_verify" =3D "1" } +{ "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "nographics_allow_host_audio" =3D "1" } { "remote_display_port_min" =3D "5900" } { "remote_display_port_max" =3D "65535" } --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 10:09:22 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 14903140015601007.9637458789693; Thu, 23 Mar 2017 17:06:41 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E38413DBF6; Fri, 24 Mar 2017 00:06:40 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B35FB1811E; Fri, 24 Mar 2017 00:06:40 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 66BC718523C5; Fri, 24 Mar 2017 00:06:40 +0000 (UTC) Received: from smtp.corp.redhat.com 
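Review bot: in the default_tls_x509_verify hunk of qemu.conf the added lines say default_tls_x509_cert_dir "must also contain client-cert.pem ... client-key.pem", but they do not say on which host. The *_tls_x509_verify options are enforced by the TLS server (for migration, the destination), while a client certificate and key are presented by the side that opens the connection (the migration source); placed under a server-side verify option, the comment reads as a requirement on the verifying server. Spell out that the client-*.pem files belong on the host that initiates the migration, as the commit message already implies.

Review bot: the new migrate_tls_x509_cert_dir comment documents that a non-existent path silently falls back to default_tls_x509_cert_dir. For a setting that selects which CA and server certificate are trusted for migration traffic, a mistyped path should be a hard error rather than a quiet switch to another certificate directory; if the fallback is kept for consistency with the vnc/spice/chardev entries, state in the comment that a misspelled directory will not be reported. In the same hunk, the migrate_tls_x509_verify text "reject any client that does not have a ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir" is garbled: the client's own certificate must be signed by the CA whose certificate is the ca-cert.pem in that directory; the client does not present a ca-cert.pem. The sentence "Once/if a default certificate is enabled/defined, migration will then be able to use the certificate via migration API flags" should also name the flag it refers to once that flag exists in the series.

Review bot: the qemu_conf.c and qemu_conf.h hunks add the three migrate fields next to the chardev ones and free both strings in virQEMUDriverConfigDispose, so nothing leaks; the only nit is the extra blank line between GET_CONFIG_TLS_CERTINFO(chardev); and GET_CONFIG_TLS_CERTINFO(migrate); in virQEMUDriverConfigLoadFile, which the SET_TLS_X509_CERT_DEFAULT(chardev)/SET_TLS_X509_CERT_DEFAULT(migrate) pair in virQEMUDriverConfigNew does not have.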
(int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2NN2K6B021927 for ; Thu, 23 Mar 2017 19:02:20 -0400 Received: by smtp.corp.redhat.com (Postfix) id CC594892C5; Thu, 23 Mar 2017 23:02:20 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-76.phx2.redhat.com [10.3.116.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id 80DA3892C8 for ; Thu, 23 Mar 2017 23:02:19 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E38413DBF6 Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com E38413DBF6 From: John Ferlan To: libvir-list@redhat.com Date: Thu, 23 Mar 2017 19:02:05 -0400 Message-Id: <20170323230211.20641-5-jferlan@redhat.com> In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com> References: <20170323230211.20641-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v4 04/10] qemu: Update the TLS client verify descriptions for vnc and chardev X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Fri, 24 Mar 2017 00:06:41 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Update the descriptions to match the migrate option. 
Signed-off-by: John Ferlan --- src/qemu/qemu.conf | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index a609aa4..e6c0832 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -90,10 +90,12 @@ # an encrypted channel. # # It is possible to use x509 certificates for authentication too, by -# issuing a x509 certificate to every client who needs to connect. +# issuing an x509 certificate to every client who needs to connect. # -# Enabling this option will reject any client who does not have a -# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem +# Enabling this option will reject any client that does not have a +# ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir +# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem +# files described in default_tls_x509_cert_dir. # # If this option is not supplied, it will be set to the value of # "default_tls_x509_verify". 
@@ -225,10 +227,15 @@ # an encrypted channel. # # It is possible to use x509 certificates for authentication too, by -# issuing a x509 certificate to every client who needs to connect. +# issuing an x509 certificate to every client who needs to connect. # -# Enabling this option will reject any client who does not have a -# certificate signed by the CA in /etc/pki/libvirt-chardev/ca-cert.pem +# Enabling this option will reject any client that does not have a +# ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir +# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem +# files described in default_tls_x509_cert_dir. +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". # #chardev_tls_x509_verify =3D 1 =20 --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 10:09:22 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1490313997853138.6278525714904; Thu, 23 Mar 2017 17:06:37 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id EE4B6624AB; Fri, 24 Mar 2017 00:06:36 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C0CF01915A; Fri, 24 Mar 2017 00:06:36 +0000 
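Review bot: the vnc hunk replaces a correct sentence ("certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem") with a garbled one: "reject any client that does not have a ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir". It is the client's certificate that must be signed by the CA whose certificate is ca-cert.pem in vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir); the client never presents a ca-cert.pem. Suggested wording: "reject any client whose certificate is not signed by the CA in <dir>/ca-cert.pem; the connecting client must hold the matching client-cert.pem and client-key.pem".

Review bot: in the chardev hunk the added "If this option is not supplied, it will be set to the value of default_tls_x509_verify" correctly documents the rv == 0 fallback that GET_CONFIG_TLS_CERTINFO(chardev) implements in qemu_conf.c, and this sentence was missing for chardev before; the same "ca-cert.pem certificate signed by the CA" wording problem as in the vnc block applies here and should be fixed in both places together.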
(UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 6DC6718523C8; Fri, 24 Mar 2017 00:06:36 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2NN2LiH021946 for ; Thu, 23 Mar 2017 19:02:21 -0400 Received: by smtp.corp.redhat.com (Postfix) id 1F45A892C8; Thu, 23 Mar 2017 23:02:21 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-76.phx2.redhat.com [10.3.116.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id D075D892CB for ; Thu, 23 Mar 2017 23:02:19 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com EE4B6624AB Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com EE4B6624AB 
From: John Ferlan To: libvir-list@redhat.com Date: Thu, 23 Mar 2017 19:02:06 -0400 Message-Id: <20170323230211.20641-6-jferlan@redhat.com> In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com> References: <20170323230211.20641-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v4 05/10] Add new migration flag VIR_MIGRATE_TLS X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Fri, 24 Mar 2017 00:06:37 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Signed-off-by: John Ferlan --- include/libvirt/libvirt-domain.h | 8 ++++++++ src/qemu/qemu_migration.h | 3 ++- tools/virsh-domain.c | 7 +++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index c490d71..620606c 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -815,6 +815,14 @@ typedef enum { * post-copy mode. See virDomainMigrateStartPostCopy for more details. */ VIR_MIGRATE_POSTCOPY =3D (1 << 15), + + /* Setting the VIR_MIGRATE_TLS flag will cause the migration to attempt + * to use the TLS environment configured by the hypervisor in order to + * perform the migration. If incorrectly configured on either source or + * destination, the migration will fail. + */ + VIR_MIGRATE_TLS =3D (1 << 16), + } virDomainMigrateFlags; =20 =20 diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 14c6178..bcebf06 100644 
--- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -45,7 +45,8 @@ typedef qemuMigrationCompression *qemuMigrationCompressio= nPtr; VIR_MIGRATE_ABORT_ON_ERROR | \ VIR_MIGRATE_AUTO_CONVERGE | \ VIR_MIGRATE_RDMA_PIN_ALL | \ - VIR_MIGRATE_POSTCOPY) + VIR_MIGRATE_POSTCOPY | \ + VIR_MIGRATE_TLS) =20 /* All supported migration parameters and their types. */ # define QEMU_MIGRATION_PARAMETERS \ diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 09a9f82..ebd4b33 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c @@ -10222,6 +10222,10 @@ static const vshCmdOptDef opts_migrate[] =3D { .type =3D VSH_OT_STRING, .help =3D N_("filename containing updated persistent XML for the targ= et") }, + {.name =3D "tls", + .type =3D VSH_OT_BOOL, + .help =3D N_("use TLS for migration") + }, {.name =3D NULL} }; =20 
@@ -10463,6 +10467,9 @@ doMigrate(void *opaque) if (vshCommandOptBool(cmd, "postcopy")) flags |=3D VIR_MIGRATE_POSTCOPY; =20 + if (vshCommandOptBool(cmd, "tls")) + flags |=3D VIR_MIGRATE_TLS; + if (flags & VIR_MIGRATE_PEER2PEER || vshCommandOptBool(cmd, "direct"))= { if (virDomainMigrateToURI3(dom, desturi, params, nparams, flags) = =3D=3D 0) ret =3D '0'; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 10:09:22 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1490314095581484.3999098002147; Thu, 23 Mar 2017 17:08:15 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E419F7AEAC; Fri, 24 Mar 2017 00:08:14 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B5A6DA569B; Fri, 24 Mar 2017 00:08:14 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 6A27418523C3; Fri, 24 Mar 2017 00:08:14 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v2NN2MlI021962 for ; Thu, 23 Mar 2017 19:02:22 -0400 
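Review bot: the doc comment on VIR_MIGRATE_TLS in libvirt-domain.h should state the security contract a caller depends on: without the flag the migration stream is not protected by TLS, and with it the migration fails when either side lacks a usable TLS configuration rather than falling back to plaintext. The text "the migration will fail" is the right behaviour; say explicitly that there is no fallback. Also drop the added blank "+" line between VIR_MIGRATE_TLS = (1 << 16), and } virDomainMigrateFlags;, which looks unintended.

Review bot: the virsh-domain.c hunks add a --tls option to opts_migrate and map it to VIR_MIGRATE_TLS in doMigrate, but the diffstat lists only libvirt-domain.h, qemu_migration.h and virsh-domain.c, so tools/virsh.pod is not updated and the man page will not document the new option; add the --tls description there in the same patch.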
Received: by smtp.corp.redhat.com (Postfix) id 9B9D7892C5; Thu, 23 Mar 2017 23:02:22 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-76.phx2.redhat.com [10.3.116.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5B19C892CC for ; Thu, 23 Mar 2017 23:02:21 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E419F7AEAC Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com E419F7AEAC 
From: John Ferlan To: libvir-list@redhat.com Date: Thu, 23 Mar 2017 19:02:07 -0400 Message-Id: <20170323230211.20641-7-jferlan@redhat.com> In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com> References: <20170323230211.20641-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v4 06/10] qemu: Add TLS params to _qemuMonitorMigrationParams X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Fri, 24 Mar 2017 00:08:15 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add the fields to support setting tls-creds and tls-hostname during a migration (either source or target). Modify the query migration function to check for the presence and set the field for future consumers to determine which of 3 conditions is being met (NULL, present and set to "", or present and set to something). These correspond to qemu commit id '4af245dc3' which added support to default the value to "" and allow setting (or resetting) to "" in order to disable. This reset option allows libvirt to properly use the tls-creds and tls-hostname parameters. Modify code paths that either allocate or use stack space in order to call qemuMigrationParamsClear or qemuMigrationParamsFree for cleanup. 
Signed-off-by: John Ferlan --- src/qemu/qemu_driver.c | 4 +++- src/qemu/qemu_migration.c | 26 +++++++++++++++++++++++++- src/qemu/qemu_migration.h | 6 ++++++ src/qemu/qemu_monitor.c | 11 ++++++++--- src/qemu/qemu_monitor.h | 5 +++++ src/qemu/qemu_monitor_json.c | 21 +++++++++++++++++++++ tests/qemumonitorjsontest.c | 25 ++++++++++++++++++++++++- 7 files changed, 92 insertions(+), 6 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 6762952..8f896f5 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -11845,6 +11845,7 @@ qemuDomainMigratePerform(virDomainPtr dom, flags, dname, resource, false); =20 cleanup: + qemuMigrationParamsClear(&migParams); VIR_FREE(compression); return ret; } @@ -12253,6 +12254,7 @@ qemuDomainMigratePerform3(virDomainPtr dom, flags, dname, resource, true); =20 cleanup: + qemuMigrationParamsClear(&migParams); VIR_FREE(compression); return ret; } @@ -12343,7 +12345,7 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, flags, dname, bandwidth, true); cleanup: VIR_FREE(compression); - VIR_FREE(migParams); + qemuMigrationParamsFree(&migParams); VIR_FREE(migrate_disks); return ret; } diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 15ed830..d0603f8 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3514,6 +3514,28 @@ qemuMigrationSetCompression(virQEMUDriverPtr driver, } =20 =20 +void +qemuMigrationParamsClear(qemuMonitorMigrationParamsPtr migParams) +{ + if (!migParams) + return; + + VIR_FREE(migParams->migrateTLSAlias); + VIR_FREE(migParams->migrateTLSHostname); +} + + +void +qemuMigrationParamsFree(qemuMonitorMigrationParamsPtr *migParams) +{ + if (!*migParams) + return; + + qemuMigrationParamsClear(*migParams); + VIR_FREE(*migParams); +} + + qemuMonitorMigrationParamsPtr qemuMigrationParams(virTypedParameterPtr params, int nparams, 
@@ -3555,7 +3577,7 @@ qemuMigrationParams(virTypedParameterPtr params, return migParams; =20 error: - VIR_FREE(migParams); + qemuMigrationParamsFree(&migParams); return NULL; } =20 @@ -3915,6 +3937,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, virDomainObjRemoveTransientDef(vm); qemuDomainRemoveInactive(driver, vm); } + qemuMigrationParamsClear(&migParams); virDomainObjEndAPI(&vm); qemuDomainEventQueue(driver, event); qemuMigrationCookieFree(mig); @@ -5250,6 +5273,7 @@ static int doPeer2PeerMigrate2(virQEMUDriverPtr drive= r, virSetError(orig_err); virFreeError(orig_err); } + qemuMigrationParamsClear(&migParams); VIR_FREE(uri_out); VIR_FREE(cookie); VIR_FREE(compression); diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index bcebf06..4c8f2c9 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -121,6 +121,12 @@ int qemuMigrationCompressionDump(qemuMigrationCompress= ionPtr compression, int *maxparams, unsigned long *flags); =20 +void +qemuMigrationParamsClear(qemuMonitorMigrationParamsPtr migParams); + +void +qemuMigrationParamsFree(qemuMonitorMigrationParamsPtr *migParams); + qemuMonitorMigrationParamsPtr qemuMigrationParams(virTypedParameterPtr params, int nparams, diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 8218029..8889eae 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c 
@@ -2529,12 +2529,15 @@ qemuMonitorSetMigrationParams(qemuMonitorPtr mon, { VIR_DEBUG("compressLevel=3D%d:%d compressThreads=3D%d:%d " "decompressThreads=3D%d:%d cpuThrottleInitial=3D%d:%d " - "cpuThrottleIncrement=3D%d:%d", + "cpuThrottleIncrement=3D%d:%d tlsAlias=3D%s " + "tlsHostname=3D%s", params->compressLevel_set, params->compressLevel, params->compressThreads_set, params->compressThreads, params->decompressThreads_set, params->decompressThreads, params->cpuThrottleInitial_set, params->cpuThrottleInitial, - params->cpuThrottleIncrement_set, params->cpuThrottleIncreme= nt); + params->cpuThrottleIncrement_set, params->cpuThrottleIncreme= nt, + NULLSTR(params->migrateTLSAlias), + NULLSTR(params->migrateTLSHostname)); =20 QEMU_CHECK_MONITOR_JSON(mon); =20 @@ -2542,7 +2545,9 @@ qemuMonitorSetMigrationParams(qemuMonitorPtr mon, !params->compressThreads_set && !params->decompressThreads_set && !params->cpuThrottleInitial_set && - !params->cpuThrottleIncrement_set) + !params->cpuThrottleIncrement_set && + !params->migrateTLSAlias && + !params->migrateTLSHostname) return 0; =20 return qemuMonitorJSONSetMigrationParams(mon, params); diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h index 888a03d..b23a98b 100644 --- a/src/qemu/qemu_monitor.h +++ b/src/qemu/qemu_monitor.h @@ -571,6 +571,11 @@ struct _qemuMonitorMigrationParams { =20 bool cpuThrottleIncrement_set; int cpuThrottleIncrement; + + /* Value is either NULL, "", or some string. NULL indicates no support; + * whereas, some string value indicates we can support setting/clearin= g */ + char *migrateTLSAlias; + char *migrateTLSHostname; }; =20 int qemuMonitorGetMigrationParams(qemuMonitorPtr mon, diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index 553544a..e45d5fb 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c 
@@ -2566,6 +2566,7 @@ qemuMonitorJSONGetMigrationParams(qemuMonitorPtr mon, virJSONValuePtr result; virJSONValuePtr cmd =3D NULL; virJSONValuePtr reply =3D NULL; + const char *tlsStr =3D NULL; =20 memset(params, 0, sizeof(*params)); =20 @@ -2595,6 +2596,16 @@ qemuMonitorJSONGetMigrationParams(qemuMonitorPtr mon, =20 #undef PARSE =20 + if ((tlsStr =3D virJSONValueObjectGetString(result, "tls-creds"))) { + if (VIR_STRDUP(params->migrateTLSAlias, tlsStr) < 0) + goto cleanup; + } + + if ((tlsStr =3D virJSONValueObjectGetString(result, "tls-hostname"))) { + if (VIR_STRDUP(params->migrateTLSHostname, tlsStr) < 0) + goto cleanup; + } + ret =3D 0; cleanup: virJSONValueFree(cmd); @@ -2637,6 +2648,16 @@ qemuMonitorJSONSetMigrationParams(qemuMonitorPtr mon, =20 #undef APPEND =20 + if (params->migrateTLSAlias && + virJSONValueObjectAppendString(args, "tls-creds", + params->migrateTLSAlias) < 0) + goto cleanup; + + if (params->migrateTLSHostname && + virJSONValueObjectAppendString(args, "tls-hostname", + params->migrateTLSHostname) < 0) + goto cleanup; + if (virJSONValueObjectAppend(cmd, "arguments", args) < 0) goto cleanup; args =3D NULL; diff --git a/tests/qemumonitorjsontest.c b/tests/qemumonitorjsontest.c index d0f9381..0f802eb 100644 --- a/tests/qemumonitorjsontest.c +++ b/tests/qemumonitorjsontest.c @@ -1789,7 +1789,9 @@ testQemuMonitorJSONqemuMonitorJSONGetMigrationParams(= const void *data) " \"cpu-throttle-increment\": 10," " \"compress-threads\": 8," " \"compress-level\": 1," - " \"cpu-throttle-initial\": 20" + " \"cpu-throttle-initial\": 20," + " \"tls-creds\": \"tls0\"," + " \"tls-hostname\": \"\"" " }" "}") < 0) { goto cleanup; 
@@ -1821,9 +1823,30 @@ testQemuMonitorJSONqemuMonitorJSONGetMigrationParams= (const void *data) =20 #undef CHECK =20 +#define CHECK(VAR, FIELD, VALUE) = \ + do { = \ + if (!params.VAR) { = \ + virReportError(VIR_ERR_INTERNAL_ERROR, "%s is not set", FIELD)= ; \ + goto cleanup; = \ + } = \ + if (STRNEQ(params.VAR, VALUE)) { = \ + virReportError(VIR_ERR_INTERNAL_ERROR, = \ + "Invalid %s:'%s', expected '%s'", = \ + FIELD, params.VAR, VALUE); = \ + goto cleanup; = \ + } = \ + } while (0) + + CHECK(migrateTLSAlias, "tls-creds", "tls0"); + CHECK(migrateTLSHostname, "tls-hostname", ""); + +#undef CHECK + ret =3D 0; =20 cleanup: + VIR_FREE(params.migrateTLSAlias); + VIR_FREE(params.migrateTLSHostname); qemuMonitorTestFree(test); return ret; } --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
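Review bot: in the qemuMonitorJSONGetMigrationParams hunk, a failed `VIR_STRDUP(params->migrateTLSHostname, tlsStr)` jumps to cleanup with `params->migrateTLSAlias` already allocated and ret still -1, so the function hands back a partially filled struct on error; either free both strings in cleanup when ret < 0, or document that callers must run qemuMigrationParamsClear even on failure (the test's cleanup does so with two VIR_FREE calls, so the contract is implied but not written down).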
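Review bot: in the qemuMonitorSetMigrationParams early-return hunk, the new `!params->migrateTLSAlias && !params->migrateTLSHostname` tests check the pointer rather than the contents, so an empty string "" is still sent to QEMU; that is the intended behaviour (the commit message says setting "" is how tls-creds is disabled), but it differs from the `_set` booleans used for every other field, so a one-line comment stating that "" is a deliberate reset value would stop a later cleanup from "fixing" this to a STRNEQ check.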
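Review bot: in the qemuMigrationParamsClear/qemuMigrationParamsFree hunk, qemuMigrationParamsFree dereferences `*migParams` without first checking `migParams`, while qemuMigrationParamsClear tolerates a NULL pointer; make the two consistent (e.g. `if (!migParams || !*migParams) return;`), and since Clear only releases migrateTLSAlias and migrateTLSHostname, add a comment that any future heap-allocated field in _qemuMonitorMigrationParams must be freed there as well.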
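Review bot: in the tests/qemumonitorjsontest.c CHECK hunk, only a reply that carries both "tls-creds" and "tls-hostname" is exercised; the commit message says consumers will distinguish three states (NULL, "" and a value), but the NULL state, a QEMU whose reply lacks these keys, has no test, so a second reply without the keys asserting that both fields remain NULL would cover the "no support" path the later patches depend on.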
From: John Ferlan
To: libvir-list@redhat.com
Date: Thu, 23 Mar 2017 19:02:08 -0400
Message-Id: <20170323230211.20641-8-jferlan@redhat.com>
In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v4 07/10] qemu: Add job for qemuDomain{Add|Del}TLSObjects

Add an asyncJob argument for add/delete TLS Objects. A future patch will add/delete TLS objects from a migration which may have a job to join.

Signed-off-by: John Ferlan --- src/qemu/qemu_hotplug.c | 24 ++++++++++++++++-------- src/qemu/qemu_hotplug.h | 2 ++ 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index ddcbc5e..9adb04a 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1531,6 +1531,7 @@ qemuDomainAttachHostPCIDevice(virQEMUDriverPtr driver, void qemuDomainDelTLSObjects(virQEMUDriverPtr driver, virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, const char *secAlias, const char *tlsAlias) {
@@ -1542,7 +1543,8 @@ qemuDomainDelTLSObjects(virQEMUDriverPtr driver, =20 orig_err =3D virSaveLastError(); =20 - qemuDomainObjEnterMonitor(driver, vm); + if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0) + goto cleanup; =20 if (tlsAlias) ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); @@ -1552,6 +1554,7 @@ qemuDomainDelTLSObjects(virQEMUDriverPtr driver, =20 ignore_value(qemuDomainObjExitMonitor(driver, vm)); =20 + cleanup: if (orig_err) { virSetError(orig_err); virFreeError(orig_err); @@ -1562,6 +1565,7 @@ qemuDomainDelTLSObjects(virQEMUDriverPtr driver, int qemuDomainAddTLSObjects(virQEMUDriverPtr driver, virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, const char *secAlias, virJSONValuePtr *secProps, const char *tlsAlias, @@ -1574,7 +1578,8 @@ qemuDomainAddTLSObjects(virQEMUDriverPtr driver, if (!tlsAlias && !secAlias) return 0; =20 - qemuDomainObjEnterMonitor(driver, vm); + if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0) + return -1; =20 if (secAlias) { rc =3D qemuMonitorAddObject(priv->mon, "secret", @@ -1601,7 +1606,7 @@ qemuDomainAddTLSObjects(virQEMUDriverPtr driver, virSetError(orig_err); virFreeError(orig_err); } - qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + qemuDomainDelTLSObjects(driver, vm, asyncJob, secAlias, tlsAlias); =20 return -1; } @@ -1682,8 +1687,8 @@ qemuDomainAddChardevTLSObjects(virConnectPtr conn, goto cleanup; dev->data.tcp.tlscreds =3D true; =20 - if (qemuDomainAddTLSObjects(driver, vm, *secAlias, &secProps, - *tlsAlias, &tlsProps) < 0) + if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + *secAlias, &secProps, *tlsAlias, &tlsProps= ) < 0) goto cleanup; =20 ret =3D 0; @@ -1773,7 +1778,8 @@ int qemuDomainAttachRedirdevDevice(virConnectPtr conn, virSetError(orig_err); virFreeError(orig_err); } - qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + secAlias, tlsAlias); goto audit; } =20 
@@ -2034,7 +2040,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, virFreeError(orig_err); } =20 - qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + secAlias, tlsAlias); goto audit; } =20 @@ -2186,7 +2193,8 @@ qemuDomainAttachRNGDevice(virConnectPtr conn, virFreeError(orig_err); } =20 - qemuDomainDelTLSObjects(driver, vm, secAlias, tlsAlias); + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + secAlias, tlsAlias); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 73f2b1f..f06f232 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h 
@@ -36,11 +36,13 @@ int qemuDomainChangeEjectableMedia(virQEMUDriverPtr dri= ver, =20 void qemuDomainDelTLSObjects(virQEMUDriverPtr driver, virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, const char *secAlias, const char *tlsAlias); =20 int qemuDomainAddTLSObjects(virQEMUDriverPtr driver, virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, const char *secAlias, virJSONValuePtr *secProps, const char *tlsAlias, --=20 2.9.3
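Review bot: in the qemuDomainDelTLSObjects hunk, when qemuDomainObjEnterMonitorAsync() fails the code jumps to cleanup, restores orig_err and returns void, so the failure to delete the `secret` and `tls-creds` objects is never logged and both objects stay resident in the QEMU process; add a VIR_WARN naming secAlias and tlsAlias before `goto cleanup` so a leftover secret object is observable rather than only discovered by the next caller that tries to add the same alias.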
From: John Ferlan
To: libvir-list@redhat.com
Date: Thu, 23 Mar 2017 19:02:09 -0400
Message-Id: <20170323230211.20641-9-jferlan@redhat.com>
In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v4 08/10] qemu: Set up the migration TLS objects for target

If the migration flags indicate this migration will be using TLS, then set up the destination during the prepare phase once the target domain has been started to add the TLS objects to perform the migration.

This will create at least an "-object tls-creds-x509,endpoint=server,..." for TLS credentials and potentially an "-object secret,..." to handle the passphrase response to access the TLS credentials. The alias/id used for the TLS objects will contain "libvirt_migrate".

Once the objects are created, the code will set the "tls-creds" and "tls-hostname" migration parameters to signify usage of TLS.

During the Finish phase we'll be sure to attempt to clear the migration parameters and delete those objects (whether or not they were created). We'll also perform the same reset during recovery if we've reached FINISH3.

If the migration isn't using TLS, then be sure to check if the migration parameters exist and clear them if so.
Signed-off-by: John Ferlan --- src/qemu/qemu_domain.c | 7 +- src/qemu/qemu_domain.h | 91 +++++++++------ src/qemu/qemu_migration.c | 286 ++++++++++++++++++++++++++++++++++++++++++= ++++ src/qemu/qemu_migration.h | 7 ++ src/qemu/qemu_process.c | 3 + 5 files changed, 355 insertions(+), 39 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index c239a06..f4636ed 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -782,7 +782,7 @@ qemuDomainSecretAESClear(qemuDomainSecretAES secret) } =20 =20 -static void +void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr *secinfo) { if (!*secinfo) @@ -1186,7 +1186,7 @@ qemuDomainSecretInfoNew(virConnectPtr conn, * * Returns qemuDomainSecretInfoPtr or NULL on error. */ -static qemuDomainSecretInfoPtr +qemuDomainSecretInfoPtr qemuDomainSecretInfoTLSNew(virConnectPtr conn, qemuDomainObjPrivatePtr priv, const char *srcAlias, @@ -1677,6 +1677,9 @@ qemuDomainObjPrivateFree(void *data) =20 VIR_FREE(priv->libDir); VIR_FREE(priv->channelTargetDir); + + qemuDomainSecretInfoFree(&priv->migSecinfo); + VIR_FREE(priv->migTLSAlias); qemuDomainMasterKeyFree(priv); =20 VIR_FREE(priv); diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index 1f266bf..1dd3b1c 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h 
@@ -175,6 +175,43 @@ VIR_ENUM_DECL(qemuDomainNamespace) bool qemuDomainNamespaceEnabled(virDomainObjPtr vm, qemuDomainNamespace ns); =20 +/* Type of domain secret */ +typedef enum { + VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN =3D 0, + VIR_DOMAIN_SECRET_INFO_TYPE_AES, /* utilize GNUTLS_CIPHER_AES_256_CBC= */ + + VIR_DOMAIN_SECRET_INFO_TYPE_LAST +} qemuDomainSecretInfoType; + +typedef struct _qemuDomainSecretPlain qemuDomainSecretPlain; +typedef struct _qemuDomainSecretPlain *qemuDomainSecretPlainPtr; +struct _qemuDomainSecretPlain { + char *username; + uint8_t *secret; + size_t secretlen; +}; + +# define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ + /* initialization vector */ +typedef struct _qemuDomainSecretAES qemuDomainSecretAES; +typedef struct _qemuDomainSecretAES *qemuDomainSecretAESPtr; +struct _qemuDomainSecretAES { + char *username; + char *alias; /* generated alias for secret */ + char *iv; /* base64 encoded initialization vector */ + char *ciphertext; /* encoded/encrypted secret */ +}; + +typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo; +typedef qemuDomainSecretInfo *qemuDomainSecretInfoPtr; +struct _qemuDomainSecretInfo { + qemuDomainSecretInfoType type; + union { + qemuDomainSecretPlain plain; + qemuDomainSecretAES aes; + } s; +}; + typedef struct _qemuDomainObjPrivate qemuDomainObjPrivate; typedef qemuDomainObjPrivate *qemuDomainObjPrivatePtr; struct _qemuDomainObjPrivate { 
@@ -246,47 +283,18 @@ struct _qemuDomainObjPrivate { =20 /* note whether memory device alias does not correspond to slot number= */ bool memAliasOrderMismatch; -}; =20 -# define QEMU_DOMAIN_PRIVATE(vm) \ - ((qemuDomainObjPrivatePtr) (vm)->privateData) + /* for migrations using TLS with a secret (not to be saved in our */ + /* private XML). */ + qemuDomainSecretInfoPtr migSecinfo; =20 -/* Type of domain secret */ -typedef enum { - VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN =3D 0, - VIR_DOMAIN_SECRET_INFO_TYPE_AES, /* utilize GNUTLS_CIPHER_AES_256_CBC= */ - - VIR_DOMAIN_SECRET_INFO_TYPE_LAST -} qemuDomainSecretInfoType; - -typedef struct _qemuDomainSecretPlain qemuDomainSecretPlain; -typedef struct _qemuDomainSecretPlain *qemuDomainSecretPlainPtr; -struct _qemuDomainSecretPlain { - char *username; - uint8_t *secret; - size_t secretlen; + /* Used when fetching/storing the current 'tls-creds' migration settin= g */ + /* (not to be saved in our private XML). */ + char *migTLSAlias; }; =20 -# define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ - /* initialization vector */ -typedef struct _qemuDomainSecretAES qemuDomainSecretAES; -typedef struct _qemuDomainSecretAES *qemuDomainSecretAESPtr; -struct _qemuDomainSecretAES { - char *username; - char *alias; /* generated alias for secret */ - char *iv; /* base64 encoded initialization vector */ - char *ciphertext; /* encoded/encrypted secret */ -}; - -typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo; -typedef qemuDomainSecretInfo *qemuDomainSecretInfoPtr; -struct _qemuDomainSecretInfo { - qemuDomainSecretInfoType type; - union { - qemuDomainSecretPlain plain; - qemuDomainSecretAES aes; - } s; -}; +# define QEMU_DOMAIN_PRIVATE(vm) \ + ((qemuDomainObjPrivatePtr) (vm)->privateData) =20 # define QEMU_DOMAIN_DISK_PRIVATE(disk) \ ((qemuDomainDiskPrivatePtr) (disk)->privateData) 
@@ -730,6 +738,9 @@ int qemuDomainMasterKeyCreate(virDomainObjPtr vm); =20 void qemuDomainMasterKeyRemove(qemuDomainObjPrivatePtr priv); =20 +void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr *secinfo) + ATTRIBUTE_NONNULL(1); + void qemuDomainSecretDiskDestroy(virDomainDiskDefPtr disk) ATTRIBUTE_NONNULL(1); =20 @@ -739,6 +750,12 @@ bool qemuDomainSecretDiskCapable(virStorageSourcePtr s= rc) bool qemuDomainDiskHasEncryptionSecret(virStorageSourcePtr src) ATTRIBUTE_NONNULL(1); =20 +qemuDomainSecretInfoPtr +qemuDomainSecretInfoTLSNew(virConnectPtr conn, + qemuDomainObjPrivatePtr priv, + const char *srcAlias, + const char *secretUUID); + int qemuDomainSecretDiskPrepare(virConnectPtr conn, qemuDomainObjPrivatePtr priv, virDomainDiskDefPtr disk) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index d0603f8..29621c7 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -85,6 +85,8 @@ VIR_ENUM_IMPL(qemuMigrationCompressMethod, QEMU_MIGRATION= _COMPRESS_LAST, "mt", ); =20 +#define QEMU_MIGRATION_TLS_ALIAS_BASE "libvirt_migrate" + enum qemuMigrationCookieFlags { QEMU_MIGRATION_COOKIE_FLAG_GRAPHICS, QEMU_MIGRATION_COOKIE_FLAG_LOCKSTATE, 
@@ -1488,6 +1490,153 @@ qemuMigrationEatCookie(virQEMUDriverPtr driver, return NULL; } =20 +/* qemuMigrationCheckTLSCreds + * @driver: pointer to qemu driver + * @vm: domain object + * @asyncJob: migration job to join + * + * Query the migration parameters looking for the 'tls-creds' parameter. + * If found, then we can support setting or clearing the parameters and th= us + * can support TLS for migration. + * + * Returns 0 if we were able to successfully fetch the params and + * additionally if the tls-creds parameter exists, saves it in the + * private domain structure. Returns -1 on failure. + */ +static int +qemuMigrationCheckTLSCreds(virQEMUDriverPtr driver, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob) +{ + int ret =3D -1; + qemuDomainObjPrivatePtr priv =3D vm->privateData; + qemuMonitorMigrationParams migParams =3D { 0 }; + + if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0) + goto cleanup; + + if (qemuMonitorGetMigrationParams(priv->mon, &migParams) < 0) + goto cleanup; + + /* NB: Could steal NULL pointer too! Let caller decide what to do. */ + VIR_STEAL_PTR(priv->migTLSAlias, migParams.migrateTLSAlias); + + ret =3D 0; + + cleanup: + if (qemuDomainObjExitMonitor(driver, vm) < 0) + ret =3D -1; + + qemuMigrationParamsClear(&migParams); + + return ret; +} + + +/* qemuMigrationCheckSetupTLS + * @conn: Connection pointer + * @driver: pointer to qemu driver + * @vm: domain object + * @cfg: configuration pointer + * @asyncJob: migration job to join + * + * Check if TLS is possible and set up the environment. Assumes the caller + * desires to use TLS (e.g. caller found VIR_MIGRATE_TLS flag). + * + * Ensure the qemu.conf has been properly configured to add an entry for + * "migrate_tls_x509_cert_dir". 
Also check if the "tls-creds" parameter + * was present from a query of migration parameters + * + * Returns 0 on success, -1 on error/failure + */ +static int +qemuMigrationCheckSetupTLS(virConnectPtr conn, + virQEMUDriverPtr driver, + virQEMUDriverConfigPtr cfg, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + + if (!cfg->migrateTLSx509certdir) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("host migration TLS directory not configured")); + return -1; + } + + if (qemuMigrationCheckTLSCreds(driver, vm, asyncJob) < 0) + return -1; + + if (!priv->migTLSAlias) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("TLS migration is not supported with this " + "QEMU binary")); + return -1; + } + + /* If there's a secret, then grab/store it now using the connection */ + if (cfg->migrateTLSx509secretUUID && + !(priv->migSecinfo =3D + qemuDomainSecretInfoTLSNew(conn, priv, QEMU_MIGRATION_TLS_ALIAS_= BASE, + cfg->migrateTLSx509secretUUID))) + return -1; + + return 0; +} + + +/* qemuMigrationAddTLSObjects + * @driver: pointer to qemu driver + * @vm: domain object + * @cfg: configuration pointer + * @tlsListen: server or client + * @asyncJob: Migration job to join + * @tlsAlias: alias to be generated for TLS object + * @secAlias: alias to be generated for a secinfo object + * @migParams: migration parameters to set + * + * Create the TLS objects for the migration and set the migParams value + * + * Returns 0 on success, -1 on failure + */ +static int +qemuMigrationAddTLSObjects(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virQEMUDriverConfigPtr cfg, + bool tlsListen, + qemuDomainAsyncJob asyncJob, + char **tlsAlias, + char **secAlias, + qemuMonitorMigrationParamsPtr migParams) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + virJSONValuePtr tlsProps =3D NULL; + virJSONValuePtr secProps =3D NULL; + + if (qemuDomainGetTLSObjects(priv->qemuCaps, priv->migSecinfo, + 
cfg->migrateTLSx509certdir, tlsListen, + cfg->migrateTLSx509verify, + QEMU_MIGRATION_TLS_ALIAS_BASE, + &tlsProps, tlsAlias, &secProps, secAlias) = < 0) + return -1; + + /* Ensure the domain doesn't already have the TLS objects defined... + * This should prevent any issues just in case some cleanup wasn't + * properly completed (both src and dst use the same alias) or + * some other error path between now and perform . */ + qemuDomainDelTLSObjects(driver, vm, asyncJob, *secAlias, *tlsAlias); + + if (qemuDomainAddTLSObjects(driver, vm, asyncJob, *secAlias, &secProps, + *tlsAlias, &tlsProps) < 0) + return -1; + + if (VIR_STRDUP(migParams->migrateTLSAlias, *tlsAlias) < 0) + return -1; + + return 0; +} + + static void qemuMigrationStoreDomainState(virDomainObjPtr vm) { @@ -3536,6 +3685,40 @@ qemuMigrationParamsFree(qemuMonitorMigrationParamsPt= r *migParams) } =20 =20 +/* qemuMigrationSetEmptyTLSParams + * @driver: pointer to qemu driver + * @vm: domain object + * @asyncJob: migration job to join + * @migParams: Pointer to a migration parameters block + * + * If we support setting the tls-creds, then set both tls-creds and + * tls-hostname to the empty string ("") which indicates to not use + * TLS on this migration. + * + * Returns 0 on success, -1 on failure + */ +static int +qemuMigrationSetEmptyTLSParams(virQEMUDriverPtr driver, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, + qemuMonitorMigrationParamsPtr migParams) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + + if (qemuMigrationCheckTLSCreds(driver, vm, asyncJob) < 0) + return -1; + + if (!priv->migTLSAlias) + return 0; + + if (VIR_STRDUP(migParams->migrateTLSAlias, "") < 0 || + VIR_STRDUP(migParams->migrateTLSHostname, "") < 0) + return -1; + + return 0; +} + + qemuMonitorMigrationParamsPtr qemuMigrationParams(virTypedParameterPtr params, int nparams, 
@@ -3607,6 +3790,71 @@ qemuMigrationSetParams(virQEMUDriverPtr driver, } =20 =20 +/* qemuMigrationResetTLS + * @driver: pointer to qemu driver + * @vm: domain object + * @asyncJob: migration job to join + * @tlsAlias: alias generated for TLS object (may be NULL) + * @secAlias: alias generated for a secinfo object (may be NULL) + * + * Deconstruct all the setup possibly done for TLS - delete the TLS and + * security objects, fre the secinfo, and reset the migration params to "". + * + * Returns 0 on success, -1 on failure + */ +int +qemuMigrationResetTLS(virQEMUDriverPtr driver, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, + char *in_tlsAlias, + char *in_secAlias) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + char *tlsAlias =3D in_tlsAlias; + char *secAlias =3D in_secAlias; + qemuMonitorMigrationParams migParams =3D { 0 }; + int ret; + + /* If coming from a path that doesn't know whether it's been used or n= ot, + * let's first check we need to do this. If the tls-creds doesn't exist + * or if they're set to "" then there's nothing to do since we never s= et + * anything up */ + if (!in_tlsAlias && qemuMigrationCheckTLSCreds(driver, vm, asyncJob) <= 0) + return -1; + + if (!priv->migTLSAlias || !*priv->migTLSAlias) + return 0; + + /* NB: If either or both fail to allocate memory we can still proceed + * since the next time we migrate another deletion attempt will be + * made after successfully generating the aliases. 
*/ + if (!tlsAlias) + tlsAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_= BASE); + if (!secAlias) + secAlias =3D qemuDomainGetSecretAESAlias(QEMU_MIGRATION_TLS_ALIAS_= BASE, + false); + + qemuDomainDelTLSObjects(driver, vm, asyncJob, secAlias, tlsAlias); + qemuDomainSecretInfoFree(&priv->migSecinfo); + + if (VIR_STRDUP(migParams.migrateTLSAlias, "") < 0 || + VIR_STRDUP(migParams.migrateTLSHostname, "") < 0 || + qemuMigrationSetParams(driver, vm, asyncJob, &migParams) < 0) + goto cleanup; + + ret =3D 0; + + cleanup: + if (!in_tlsAlias) + VIR_FREE(tlsAlias); + if (!in_secAlias) + VIR_FREE(secAlias); + qemuMigrationParamsClear(&migParams); + + return ret; +} + + static int qemuMigrationPrepareAny(virQEMUDriverPtr driver, virConnectPtr dconn, @@ -3629,6 +3877,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, { virDomainObjPtr vm =3D NULL; virObjectEventPtr event =3D NULL; + virQEMUDriverConfigPtr cfg =3D NULL; int ret =3D -1; int dataFD[2] =3D { -1, -1 }; qemuDomainObjPrivatePtr priv =3D NULL; @@ -3642,6 +3891,8 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, bool stopProcess =3D false; bool relabel =3D false; int rv; + char *tlsAlias =3D NULL; + char *secAlias =3D NULL; qemuMonitorMigrationParams migParams =3D { 0 }; =20 virNWFilterReadLockFilterUpdates(); 
@@ -3835,6 +4086,30 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, compression, &migParams) < 0) goto stopjob; =20 + /* Migrations using TLS need to add the "tls-creds-x509" object and + * set the migration TLS parameters */ + if (flags & VIR_MIGRATE_TLS) { + cfg =3D virQEMUDriverGetConfig(driver); + if (qemuMigrationCheckSetupTLS(dconn, driver, cfg, vm, + QEMU_ASYNC_JOB_MIGRATION_IN) < 0) + goto stopjob; + + if (qemuMigrationAddTLSObjects(driver, vm, cfg, true, + QEMU_ASYNC_JOB_MIGRATION_IN, + &tlsAlias, &secAlias, &migParams) <= 0) + goto stopjob; + + /* Force reset of 'tls-hostname', it's a source only parameter */ + if (VIR_STRDUP(migParams.migrateTLSHostname, "") < 0) + goto stopjob; + + } else { + if (qemuMigrationSetEmptyTLSParams(driver, vm, + QEMU_ASYNC_JOB_MIGRATION_IN, + &migParams) < 0) + goto stopjob; + } + if (STREQ_NULLABLE(protocol, "rdma") && virProcessSetMaxMemLock(vm->pid, vm->def->mem.hard_limit << 10) < = 0) { goto stopjob; @@ -3920,6 +4195,9 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, ret =3D 0; =20 cleanup: + VIR_FREE(tlsAlias); + VIR_FREE(secAlias); + virObjectUnref(cfg); qemuProcessIncomingDefFree(incoming); VIR_FREE(xmlout); VIR_FORCE_CLOSE(dataFD[0]); @@ -3946,6 +4224,10 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver, return ret; =20 stopjob: + ignore_value(qemuMigrationResetTLS(driver, vm, + QEMU_ASYNC_JOB_MIGRATION_IN, + tlsAlias, secAlias)); + if (stopProcess) { unsigned int stopFlags =3D VIR_QEMU_PROCESS_STOP_MIGRATED; if (!relabel) @@ -6421,6 +6703,10 @@ qemuMigrationFinish(virQEMUDriverPtr driver, QEMU_ASYNC_JOB_MIGRATION_IN); } =20 + if (qemuMigrationResetTLS(driver, vm, QEMU_ASYNC_JOB_MIGRATION_IN, + NULL, NULL) < 0) + goto endjob; + qemuMigrationJobFinish(driver, vm); if (!virDomainObjIsActive(vm)) qemuDomainRemoveInactive(driver, vm); diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 4c8f2c9..5248f39 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h 
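Review bot: the `stopjob:` label in qemuMigrationPrepareAny is reached from failures both before and after the QEMU process is launched (`stopProcess` tracks that), and the new qemuMigrationResetTLS call runs there unconditionally. With `tlsAlias` still NULL it goes through qemuMigrationCheckTLSCreds, which needs the monitor; before the process is up that reports its own error and replaces the error that actually sent us to stopjob, which is what the user will see. Suggest guarding the call on `stopProcess` (or on having reached the TLS setup block), or saving and restoring the last error around it.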
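Review bot: in qemuMigrationFinish the new block does `goto endjob` when qemuMigrationResetTLS fails, but it is placed immediately before `qemuMigrationJobFinish(driver, vm)`; please check where that sits relative to the `endjob:` label, because if the label precedes this block the jump re-enters the same code and loops for as long as ResetTLS keeps failing. Independently of that, the migration has already completed when this runs, so failing the Finish phase because TLS cleanup did not succeed seems too strong. The other callers added in this patch (qemuProcessRecoverMigrationIn, qemuMigrationCancel) wrap the same call in ignore_value(); a VIR_WARN plus ignore_value() here would be consistent with them.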
@@ -278,4 +278,11 @@ int qemuMigrationRunIncoming(virQEMUDriverPtr driver, void qemuMigrationPostcopyFailed(virQEMUDriverPtr driver, virDomainObjPtr vm); =20 +int +qemuMigrationResetTLS(virQEMUDriverPtr driver, + virDomainObjPtr vm, + qemuDomainAsyncJob asyncJob, + char *in_tlsAlias, + char *in_secAlias); + #endif /* __QEMU_MIGRATION_H__ */ diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index ec0e36d..05fd25b 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c 
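Review bot: `in_tlsAlias` and `in_secAlias` are only read by qemuMigrationResetTLS (it copies them into the local `tlsAlias`/`secAlias` and frees only what it allocated itself), so the prototype can take `const char *` for both; that also lets callers pass const data without a cast. Minor style point in the same hunk: the neighbouring prototypes (`int qemuMigrationRunIncoming(`, `void qemuMigrationPostcopyFailed(`) keep the return type on the same line as the name, while the new one puts `int` on its own line.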
@@ -2929,6 +2929,9 @@ qemuProcessRecoverMigrationIn(virQEMUDriverPtr driver, /* migration finished, we started resuming the domain but didn't * confirm success or failure yet; killing it seems safest unless * we already started guest CPUs or we were in post-copy mode */ + ignore_value(qemuMigrationResetTLS(driver, vm, + QEMU_ASYNC_JOB_MIGRATION_IN, + NULL, NULL)); if (postcopy) { qemuMigrationPostcopyFailed(driver, vm); } else if (state !=3D VIR_DOMAIN_RUNNING) { --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
From: John Ferlan To: libvir-list@redhat.com Date: Thu, 23 Mar 2017 19:02:10 -0400 Message-Id: <20170323230211.20641-10-jferlan@redhat.com> In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com> Subject: [libvirt] [PATCH v4 09/10] qemu: Set up the migration TLS objects for source
https://bugzilla.redhat.com/show_bug.cgi?id=1300769 If the migration flags indicate this migration will be using TLS, then while we have a connection in the Begin phase, check and set up the TLS environment that will be used by virMigrationRun during the Perform phase for the source to configure TLS. Processing adds an "-object tls-creds-x509,endpoint=client,..." and possibly an "-object secret,..." to handle the passphrase response. Then it sets the 'tls-creds' and possibly 'tls-hostname' migration parameters. The qemuMigrateCancel will clean up and reset the environment as it was originally found. Signed-off-by: John Ferlan --- src/qemu/qemu_migration.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 29621c7..93cd04a 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c
@@ -3448,6 +3448,7 @@ qemuMigrationBegin(virConnectPtr conn, unsigned long flags) { virQEMUDriverPtr driver =3D conn->privateData; + virQEMUDriverConfigPtr cfg =3D NULL; char *xml =3D NULL; qemuDomainAsyncJob asyncJob; =20 @@ -3481,6 +3482,12 @@ qemuMigrationBegin(virConnectPtr conn, nmigrate_disks, migrate_disks, fla= gs))) goto endjob; =20 + if (flags & VIR_MIGRATE_TLS) { + cfg =3D virQEMUDriverGetConfig(driver); + if (qemuMigrationCheckSetupTLS(conn, driver, cfg, vm, asyncJob) < = 0) + goto endjob; + } + if ((flags & VIR_MIGRATE_CHANGE_PROTECTION)) { /* We keep the job active across API calls until the confirm() cal= l. * This prevents any other APIs being invoked while migration is t= aking @@ -3497,6 +3504,7 @@ qemuMigrationBegin(virConnectPtr conn, } =20 cleanup: + virObjectUnref(cfg); virDomainObjEndAPI(&vm); return xml; =20 @@ -4957,8 +4965,11 @@ qemuMigrationRun(virQEMUDriverPtr driver, { int ret =3D -1; unsigned int migrate_flags =3D QEMU_MONITOR_MIGRATE_BACKGROUND; + virQEMUDriverConfigPtr cfg =3D NULL; qemuDomainObjPrivatePtr priv =3D vm->privateData; qemuMigrationCookiePtr mig =3D NULL; + char *tlsAlias =3D NULL; + char *secAlias =3D NULL; qemuMigrationIOThreadPtr iothread =3D NULL; int fd =3D -1; unsigned long migrate_speed =3D resource ? resource : priv->migMaxBand= width; 
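Review bot: the comment later in qemuMigrationRun ("Begin/CheckSetupTLS already set up migTLSAlias") makes qemuMigrationAddTLSObjects depend on this qemuMigrationCheckSetupTLS call in qemuMigrationBegin having run. Please confirm that every path into qemuMigrationRun with VIR_MIGRATE_TLS set really passes through qemuMigrationBegin rather than only through the lower-level Begin phase helper; otherwise priv->migTLSAlias is still unset when the objects are added. The cfg handling itself looks right: `cfg` starts NULL, is fetched only under the flag, and the unconditional virObjectUnref(cfg) at cleanup is a no-op for NULL.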
@@ -5022,6 +5033,35 @@ qemuMigrationRun(virQEMUDriverPtr driver, if (qemuDomainMigrateGraphicsRelocate(driver, vm, mig, graphicsuri) < = 0) VIR_WARN("unable to provide data for graphics client relocation"); =20 + if (flags & VIR_MIGRATE_TLS) { + cfg =3D virQEMUDriverGetConfig(driver); + + /* Begin/CheckSetupTLS already set up migTLSAlias, the following + * assumes that and adds the TLS objects to the domain. */ + if (qemuMigrationAddTLSObjects(driver, vm, cfg, false, + QEMU_ASYNC_JOB_MIGRATION_OUT, + &tlsAlias, &secAlias, migParams) < = 0) + goto cleanup; + + /* We need to add tls-hostname whenever QEMU itself does not + * connect directly to the destination. */ + if (spec->destType =3D=3D MIGRATION_DEST_CONNECT_HOST || + spec->destType =3D=3D MIGRATION_DEST_FD) { + if (VIR_STRDUP(migParams->migrateTLSHostname, + spec->dest.host.name) < 0) + goto cleanup; + } else { + /* Be sure there's nothing from a previous migration */ + if (VIR_STRDUP(migParams->migrateTLSHostname, "") < 0) + goto cleanup; + } + } else { + if (qemuMigrationSetEmptyTLSParams(driver, vm, + QEMU_ASYNC_JOB_MIGRATION_OUT, + migParams) < 0) + goto cleanup; + } + if (migrate_flags & (QEMU_MONITOR_MIGRATE_NON_SHARED_DISK | QEMU_MONITOR_MIGRATE_NON_SHARED_INC)) { if (mig->nbd) { @@ -5202,6 +5242,14 @@ qemuMigrationRun(virQEMUDriverPtr driver, ret =3D -1; } =20 + if (qemuMigrationResetTLS(driver, vm, QEMU_ASYNC_JOB_MIGRATION_OUT, + tlsAlias, secAlias) < 0) + ret =3D -1; + + VIR_FREE(tlsAlias); + VIR_FREE(secAlias); + virObjectUnref(cfg); + if (spec->fwdType !=3D MIGRATION_FWD_DIRECT) { if (iothread && qemuMigrationStopTunnel(iothread, ret < 0) < 0) ret =3D -1; 
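Review bot: `spec->dest.host.name` is read for both MIGRATION_DEST_CONNECT_HOST and MIGRATION_DEST_FD; please confirm that the `host` member of `spec->dest` is actually populated when destType is MIGRATION_DEST_FD (the tunnelled path) and not just whatever the fd fields left in that storage, because VIR_STRDUP on a stale pointer would crash, and a wrong name matters here: tls-hostname is what QEMU verifies the destination's certificate against, so a bad value either fails the migration or weakens the check. One more point on the same hunk: the VIR_STRDUP into `migParams->migrateTLSHostname` right after qemuMigrationAddTLSObjects has filled `migParams` assumes that function leaves the field NULL; if it does not, the earlier string leaks.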
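Review bot: at the tail of qemuMigrationRun a qemuMigrationResetTLS failure sets `ret = -1`, turning an otherwise completed Perform phase into a failure purely because cleanup of the TLS objects did not succeed; qemuMigrationCancel and qemuProcessRecoverMigrationIn ignore the same return value. Decide which behaviour is wanted and apply it consistently. Note also that this call runs for non-TLS migrations too: with `tlsAlias` NULL it goes through qemuMigrationCheckTLSCreds, so every migration now pays an extra monitor round trip to query the migration parameters; if that is intended, a short comment saying so would help the next reader.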
@@ -6906,6 +6954,9 @@ qemuMigrationCancel(virQEMUDriverPtr driver, if (qemuDomainObjExitMonitor(driver, vm) < 0 || (storage && !blockJobs= )) goto endsyncjob; =20 + ignore_value(qemuMigrationResetTLS(driver, vm, QEMU_ASYNC_JOB_NONE, + NULL, NULL)); + if (!storage) { ret =3D 0; goto cleanup; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
From: John Ferlan To: libvir-list@redhat.com Date: Thu, 23 Mar 2017 19:02:11 -0400 Message-Id: <20170323230211.20641-11-jferlan@redhat.com> In-Reply-To: <20170323230211.20641-1-jferlan@redhat.com> Subject: [libvirt] [PATCH v4 10/10] docs: Add news entry for Migration using TLS
Signed-off-by: John Ferlan --- docs/news.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/news.xml b/docs/news.xml index f1bfeda..bb8a83c 100644 --- a/docs/news.xml +++ b/docs/news.xml
@@ -51,6 +51,14 @@ enhanced check may also be requested when starting a new domain = to ensure the virtual CPU exactly matches the one specified in the = XML. + + qemu: Add support to migrate using TLS + + + Add the ability to migrate QEMU guests using TLS via a new flag + VIR_MIGRATE_TLS or virsh migrate '--tls' option. Requires using = at + least QEMU 2.9.0 in order to work properly. +
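Review bot: the news entry says the feature "Requires using at least QEMU 2.9.0 in order to work properly" but does not say what happens when VIR_MIGRATE_TLS is requested against an older QEMU, i.e. whether the migration is refused or proceeds without TLS; the second would be a security-relevant surprise for an admin who asked for encryption, so the actual behaviour should be stated here. It would also help to mention that the host needs the driver's TLS certificate configuration in place before the flag does anything useful.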
-- 2.9.3