From nobody Sun Feb 8 23:25:20 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1505872716592298.1178341747151; Tue, 19 Sep 2017 18:58:36 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 74097356D9; Wed, 20 Sep 2017 01:58:35 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id F35716060A; Wed, 20 Sep 2017 01:58:34 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E574F3FACE; Wed, 20 Sep 2017 01:58:33 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v8K1WsC3003604 for ; Tue, 19 Sep 2017 21:32:54 -0400 Received: by smtp.corp.redhat.com (Postfix) id 20E665D979; Wed, 20 Sep 2017 01:32:54 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-150.phx2.redhat.com [10.3.116.150]) by smtp.corp.redhat.com (Postfix) with ESMTP id C8C5C5D97F; Wed, 20 Sep 2017 01:32:53 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 74097356D9 Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com From: John Ferlan To: libvir-list@redhat.com Date: Tue, 19 Sep 2017 21:32:45 -0400 Message-Id: <20170920013246.28868-4-jferlan@redhat.com> In-Reply-To: <20170920013246.28868-1-jferlan@redhat.com> References: <20170920013246.28868-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-loop: libvir-list@redhat.com Cc: ashmit602@gmail.com Subject: [libvirt] [PATCH v9 3/4] qemu: Introduce qemuDomainPrepareDiskSource X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Wed, 20 Sep 2017 01:58:35 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Introduce a function to setup any TLS needs for a disk source. If there's a configuration or other error setting up the disk source for TLS, then cause the domain startup to fail. For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't been configured, then take the system/global cfg->haveTLS setting for the storage source *and* mark that we've done so via the tlsFromConfig setting in storage source. Next, if we are using TLS, then generate an alias into a virStorageSource 'tlsAlias' field that will be used to create the TLS object and added to the disk object in order to link the two together for QEMU. Signed-off-by: John Ferlan --- src/qemu/qemu_domain.c | 73 +++++++++++++++++++++++++++++++++++++++++++= ++++ src/qemu/qemu_domain.h | 11 +++++++ src/qemu/qemu_process.c | 4 +++ src/util/virstoragefile.c | 9 +++++- src/util/virstoragefile.h | 8 ++++++ 5 files changed, 104 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 50b536eec..8080b7fb1 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -7601,6 +7601,79 @@ qemuDomainPrepareChardevSource(virDomainDefPtr def, } =20 =20 +/* qemuProcessPrepareDiskSourceTLS: + * @source: pointer to host interface data for disk device + * @diskAlias: alias use for the disk device + * @cfg: driver configuration + * + * Updates host interface TLS encryption setting based on qemu.conf + * for disk devices. This will be presented as "tls=3D'yes|no'" in + * live XML of a guest. + * + * Returns 0 on success, -1 on bad config/failure + */ +int +qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, + const char *diskAlias, + virQEMUDriverConfigPtr cfg) +{ + + /* VxHS doesn't utilize a password protected server certificate, + * so no need to add a secinfo for a secret UUID. */ + if (src->type =3D=3D VIR_STORAGE_TYPE_NETWORK && + src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS) { + + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_ABSENT) { + if (cfg->vxhsTLS) + src->haveTLS =3D VIR_TRISTATE_BOOL_YES; + else + src->haveTLS =3D VIR_TRISTATE_BOOL_NO; + src->tlsFromConfig =3D true; + } + + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { + if (!diskAlias) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("disk does not have an alias")); + return -1; + } + + /* Grab the vxhsTLSx509certdir and set the verify/listen value= s. + * NB: tlsAlias filled in during qemuDomainGetTLSObjects. */ + if (VIR_STRDUP(src->tlsCertdir, cfg->vxhsTLSx509certdir) < 0) + return -1; + + src->tlsListen =3D false; + src->tlsVerify =3D true; + } + } + + return 0; +} + + +/* qemuProcessPrepareDiskSource: + * @def: live domain definition + * @driver: qemu driver + * + * Returns 0 on success, -1 on failure + */ +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) +{ + size_t i; + + for (i =3D 0; i < def->ndisks; i++) { + if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src, + def->disks[i]->info.alias, + cfg) < 0) + return -1; + } + + return 0; +} + =20 int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem) diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index b291dc308..93db23c2b 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -864,6 +864,17 @@ void qemuDomainPrepareChardevSource(virDomainDefPtr de= f, virQEMUDriverConfigPtr cfg) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); =20 +int +qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, + const char *diskAlias, + virQEMUDriverConfigPtr cfg) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3); + +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); + int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem) ATTRIBUTE_NONNULL(1); =20 diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index e6cc41e13..c3a1db497 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -5357,6 +5357,10 @@ qemuProcessPrepareDomain(virConnectPtr conn, if (qemuDomainMasterKeyCreate(vm) < 0) goto cleanup; =20 + VIR_DEBUG("Prepare disk source backends for TLS"); + if (qemuDomainPrepareDiskSource(vm->def, cfg) < 0) + goto cleanup; + VIR_DEBUG("Prepare chardev source backends for TLS"); qemuDomainPrepareChardevSource(vm->def, cfg); =20 diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index 35f468e35..95028e55b 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -2041,6 +2041,8 @@ virStorageSourceCopy(const virStorageSource *src, ret->shared =3D src->shared; ret->haveTLS =3D src->haveTLS; ret->tlsFromConfig =3D src->tlsFromConfig; + ret->tlsListen =3D src->tlsListen; + ret->tlsVerify =3D src->tlsVerify; =20 /* storage driver metadata are not copied */ ret->drv =3D NULL; @@ -2054,7 +2056,9 @@ virStorageSourceCopy(const virStorageSource *src, VIR_STRDUP(ret->configFile, src->configFile) < 0 || VIR_STRDUP(ret->nodeformat, src->nodeformat) < 0 || VIR_STRDUP(ret->nodestorage, src->nodestorage) < 0 || - VIR_STRDUP(ret->compat, src->compat) < 0) + VIR_STRDUP(ret->compat, src->compat) < 0 || + VIR_STRDUP(ret->tlsAlias, src->tlsAlias) < 0 || + VIR_STRDUP(ret->tlsCertdir, src->tlsCertdir) < 0) goto error; =20 if (src->nhosts) { @@ -2279,6 +2283,9 @@ virStorageSourceClear(virStorageSourcePtr def) =20 virStorageSourceBackingStoreClear(def); =20 + VIR_FREE(def->tlsAlias); + VIR_FREE(def->tlsCertdir); + memset(def, 0, sizeof(*def)); } =20 diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index 4817090fc..28cc718a4 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h @@ -288,6 +288,14 @@ struct _virStorageSource { /* Indication whether the haveTLS value was altered due to qemu.conf * setting when haveTLS is missing from the domain config file */ bool tlsFromConfig; + + /* If TLS is used, then mgmt of the TLS credentials occurs via an + * object that is generated using a specific alias for a specific + * certificate directory with listen and verify bools. */ + char *tlsAlias; + char *tlsCertdir; + bool tlsListen; + bool tlsVerify; }; =20 =20 --=20 2.13.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list