From nobody Sun Feb 8 16:50:18 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1505872169461735.8767289299263; Tue, 19 Sep 2017 18:49:29 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C65CD4026E; Wed, 20 Sep 2017 01:49:27 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9D2406017B; Wed, 20 Sep 2017 01:49:27 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 65E513FA9E; Wed, 20 Sep 2017 01:49:27 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v8K1WsiV003614 for ; Tue, 19 Sep 2017 21:32:54 -0400 Received: by smtp.corp.redhat.com (Postfix) id A109B5D97F; Wed, 20 Sep 2017 01:32:54 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-150.phx2.redhat.com [10.3.116.150]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4564F5D979; Wed, 20 Sep 2017 01:32:54 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com C65CD4026E Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com From: John Ferlan To: libvir-list@redhat.com Date: Tue, 19 Sep 2017 21:32:46 -0400 Message-Id: <20170920013246.28868-5-jferlan@redhat.com> In-Reply-To: <20170920013246.28868-1-jferlan@redhat.com> References: <20170920013246.28868-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-loop: libvir-list@redhat.com Cc: ashmit602@gmail.com Subject: [libvirt] [PATCH v9 4/4] qemu: Add TLS support for Veritas HyperScale (VxHS) X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Wed, 20 Sep 2017 01:49:28 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" From: Ashish Mittal Alter qemu command line generation in order to possibly add TLS for a suitably configured domain. Sample TLS args generated by libvirt - -object tls-creds-x509,id=3Dobjvirtio-disk0_tls0,dir=3D/etc/pki/qemu,\ endpoint=3Dclient,verify-peer=3Dyes \ -drive file.driver=3Dvxhs,file.tls-creds=3Dobjvirtio-disk0_tls0,\ file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=3Dtcp,file.server.host=3D192.168.0.1,\ file.server.port=3D9999,format=3Draw,if=3Dnone,\ id=3Ddrive-virtio-disk0,cache=3Dnone \ -device virtio-blk-pci,bus=3Dpci.0,addr=3D0x4,drive=3Ddrive-virtio-disk= 0,\ id=3Dvirtio-disk0 Update the qemuxml2argvtest with a couple of examples. One for a simple case and the other a bit more complex where multiple VxHS disks are added where at least one uses a VxHS that doesn't require TLS credentials and thus sets the domain disk source attribute "tls =3D 'no'". Update the hotplug to be able to handle processing the tlsAlias whether it's to add the TLS object when hotplugging a disk or to remove the TLS object when hot unplugging a disk. The hot plug/unplug code is largely generic, but the addition code does make the VXHS specific checks only because it needs to grab the correct config directory and generate the object as the command line would do. Signed-off-by: Ashish Mittal Signed-off-by: John Ferlan --- src/qemu/qemu_block.c | 8 +++ src/qemu/qemu_command.c | 33 +++++++++ src/qemu/qemu_hotplug.c | 79 ++++++++++++++++++= ++++ ...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 ++++++++++++ ...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 ++++++++++++++ ...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 ++++++++ tests/qemuxml2argvtest.c | 7 ++ 7 files changed, 250 insertions(+) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-= tlsx509-multidisk-vxhs.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-= tlsx509-multidisk-vxhs.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-= tlsx509-vxhs.args diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 3437302dd..77ffc6c51 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -529,16 +529,24 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePt= r src) return NULL; } =20 + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES && !src->tlsAlias) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("VxHS disk does not have TLS alias set")); + return NULL; + } + if (!(server =3D qemuBlockStorageSourceBuildJSONSocketAddress(src->hos= ts, true))) return NULL; =20 /* VxHS disk specification example: * { driver:"vxhs", + * tls-creds:"objvirtio-disk0_tls0", * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", * server:{type:"tcp", host:"1.2.3.4", port:9999}} */ if (virJSONValueObjectCreate(&ret, "s:driver", protocol, + "S:tls-creds", src->tlsAlias, "s:vdisk-id", src->path, "a:server", server, NULL) < 0) virJSONValueFree(server); diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 9b3e3fc04..756bf3836 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -794,6 +794,35 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd, } =20 =20 +/* qemuBuildDiskSrcTLSx509CommandLine: + * + * Add TLS object if the disk src uses a secure communication channel + * + * Returns 0 on success, -1 w/ error on some sort of failure. + */ +static int +qemuBuildDiskSrcTLSx509CommandLine(virCommandPtr cmd, + virStorageSourcePtr src, + const char *srcalias, + virQEMUCapsPtr qemuCaps) +{ + + + /* other protocols may be added later */ + if (src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS && + src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { + if (!(src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(srcalias))) + return -1; + + return qemuBuildTLSx509CommandLine(cmd, src->tlsCertdir, + src->tlsListen, src->tlsVerify, + false, srcalias, qemuCaps); + } + + return 0; +} + + static char * qemuBuildNetworkDriveURI(virStorageSourcePtr src, qemuDomainSecretInfoPtr secinfo) @@ -2221,6 +2250,10 @@ qemuBuildDiskDriveCommandLine(virCommandPtr cmd, if (qemuBuildDiskSecinfoCommandLine(cmd, encinfo) < 0) return -1; =20 + if (qemuBuildDiskSrcTLSx509CommandLine(cmd, disk->src, disk->info.= alias, + qemuCaps) < 0) + return -1; + virCommandAddArg(cmd, "-drive"); =20 if (!(optstr =3D qemuBuildDriveStr(disk, cfg, driveBoot, qemuCaps)= )) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 7dd6e5fd9..7751a608d 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -156,6 +156,52 @@ qemuDomainPrepareDisk(virQEMUDriverPtr driver, =20 =20 static int +qemuDomainAddDiskSrcTLSObject(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src, + const char *srcalias) +{ + int ret =3D -1; + qemuDomainObjPrivatePtr priv =3D vm->privateData; + virJSONValuePtr tlsProps =3D NULL; + + /* NB: Initial implementation doesn't require/use a secret to decrypt + * a server certificate, so there's no need to manage a tlsSecAlias + * and tlsSecProps. See qemuDomainAddChardevTLSObjects for the + * methodology required to add a secret object. */ + + /* Create the TLS object using the source tls* settings */ + if (qemuDomainGetTLSObjects(priv->qemuCaps, NULL, + src->tlsCertdir, + src->tlsListen, + src->tlsVerify, + srcalias, &tlsProps, &src->tlsAlias, + NULL, NULL) < 0) + goto cleanup; + + if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + NULL, NULL, src->tlsAlias, &tlsProps) < 0) + goto cleanup; + + ret =3D 0; + + cleanup: + virJSONValueFree(tlsProps); + + return ret; +} + + +static void +qemuDomainDelDiskSrcTLSObject(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src) +{ + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, NULL, src->tl= sAlias); +} + + +static int qemuHotplugWaitForTrayEject(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainDiskDefPtr disk, @@ -376,6 +422,14 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn, if (encinfo && qemuBuildSecretInfoProps(encinfo, &encobjProps) < 0) goto error; =20 + if (qemuDomainPrepareDiskSourceTLS(disk->src, disk->info.alias, cfg) <= 0) + goto error; + + if (disk->src->haveTLS && + qemuDomainAddDiskSrcTLSObject(driver, vm, disk->src, + disk->info.alias) < 0) + goto error; + if (!(drivestr =3D qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)= )) goto error; =20 @@ -453,6 +507,8 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); =20 error: + qemuDomainDelDiskSrcTLSObject(driver, vm, disk->src); + if (releaseaddr) qemuDomainReleaseDeviceAddress(vm, &disk->info, src); =20 @@ -667,6 +723,14 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn, if (!(devstr =3D qemuBuildDriveDevStr(vm->def, disk, 0, priv->qemuCaps= ))) goto error; =20 + if (qemuDomainPrepareDiskSourceTLS(disk->src, disk->info.alias, cfg) <= 0) + goto error; + + if (disk->src->haveTLS && + qemuDomainAddDiskSrcTLSObject(driver, vm, disk->src, + disk->info.alias) < 0) + goto error; + if (!(drivestr =3D qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)= )) goto error; =20 @@ -737,6 +801,8 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); =20 error: + qemuDomainDelDiskSrcTLSObject(driver, vm, disk->src); + ignore_value(qemuDomainPrepareDisk(driver, vm, disk, NULL, true)); goto cleanup; } @@ -777,6 +843,14 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr = driver, if (qemuAssignDeviceDiskAlias(vm->def, disk, priv->qemuCaps) < 0) goto error; =20 + if (qemuDomainPrepareDiskSourceTLS(disk->src, disk->info.alias, cfg) <= 0) + goto error; + + if (disk->src->haveTLS && + qemuDomainAddDiskSrcTLSObject(driver, vm, disk->src, + disk->info.alias) < 0) + goto error; + if (!(drivestr =3D qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)= )) goto error; =20 @@ -827,6 +901,8 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr d= river, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); =20 error: + qemuDomainDelDiskSrcTLSObject(driver, vm, disk->src); + ignore_value(qemuDomainPrepareDisk(driver, vm, disk, NULL, true)); goto cleanup; } @@ -3677,6 +3753,9 @@ qemuDomainRemoveDiskDevice(virQEMUDriverPtr driver, ignore_value(qemuMonitorDelObject(priv->mon, encAlias)); VIR_FREE(encAlias); =20 + if (disk->src->haveTLS) + ignore_value(qemuMonitorDelObject(priv->mon, disk->src->tlsAlias)); + if (qemuDomainObjExitMonitor(driver, vm) < 0) return -1; =20 diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -multidisk-vxhs.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-netwo= rk-tlsx509-multidisk-vxhs.args new file mode 100644 index 000000000..572c9f36c --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multid= isk-vxhs.args @@ -0,0 +1,43 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/home/test \ +USER=3Dtest \ +LOGNAME=3Dtest \ +QEMU_AUDIO_DRV=3Dnone \ +/usr/bin/qemu-system-x86_64 \ +-name QEMUGuest1 \ +-S \ +-M pc \ +-cpu qemu32 \ +-m 214 \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-nographic \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,path=3D/tmp/lib/domain--1-QEMUGuest1/moni= tor.sock,\ +server,nowait \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dreadline \ +-no-acpi \ +-boot c \ +-usb \ +-object tls-creds-x509,id=3Dobjvirtio-disk0_tls0,dir=3D/etc/pki/qemu,\ +endpoint=3Dclient,verify-peer=3Dyes \ +-drive file.driver=3Dvxhs,file.tls-creds=3Dobjvirtio-disk0_tls0,\ +file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.type=3Dtc= p,\ +file.server.host=3D192.168.0.1,file.server.port=3D9999,format=3Draw,if=3Dn= one,\ +id=3Ddrive-virtio-disk0,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x4,drive=3Ddrive-virtio-disk0,\ +id=3Dvirtio-disk0 \ +-object tls-creds-x509,id=3Dobjvirtio-disk1_tls0,dir=3D/etc/pki/qemu,\ +endpoint=3Dclient,verify-peer=3Dyes \ +-drive file.driver=3Dvxhs,file.tls-creds=3Dobjvirtio-disk1_tls0,\ +file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4dc252,file.server.type=3Dtc= p,\ +file.server.host=3D192.168.0.2,file.server.port=3D9999,format=3Draw,if=3Dn= one,\ +id=3Ddrive-virtio-disk1,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x5,drive=3Ddrive-virtio-disk1,\ +id=3Dvirtio-disk1 \ +-drive file.driver=3Dvxhs,file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4d= c253,\ +file.server.type=3Dtcp,file.server.host=3D192.168.0.3,file.server.port=3D9= 999,\ +format=3Draw,if=3Dnone,id=3Ddrive-virtio-disk2,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x6,drive=3Ddrive-virtio-disk2,\ +id=3Dvirtio-disk2 diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -multidisk-vxhs.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-networ= k-tlsx509-multidisk-vxhs.xml new file mode 100644 index 000000000..a66e81f06 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multid= isk-vxhs.xml @@ -0,0 +1,50 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219136 + 219136 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc251 +
+ + + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc252 +
+ + + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc252 +
+ + + + + + + + diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -vxhs.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -vxhs.args new file mode 100644 index 000000000..aaf88635b --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.a= rgs @@ -0,0 +1,30 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/home/test \ +USER=3Dtest \ +LOGNAME=3Dtest \ +QEMU_AUDIO_DRV=3Dnone \ +/usr/bin/qemu-system-x86_64 \ +-name QEMUGuest1 \ +-S \ +-M pc \ +-cpu qemu32 \ +-m 214 \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-nographic \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,path=3D/tmp/lib/domain--1-QEMUGuest1/moni= tor.sock,\ +server,nowait \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dreadline \ +-no-acpi \ +-boot c \ +-usb \ +-object tls-creds-x509,id=3Dobjvirtio-disk0_tls0,dir=3D/etc/pki/qemu,\ +endpoint=3Dclient,verify-peer=3Dyes \ +-drive file.driver=3Dvxhs,file.tls-creds=3Dobjvirtio-disk0_tls0,\ +file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.type=3Dtc= p,\ +file.server.host=3D192.168.0.1,file.server.port=3D9999,format=3Draw,if=3Dn= one,\ +id=3Ddrive-virtio-disk0,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x4,drive=3Ddrive-virtio-disk0,\ +id=3Dvirtio-disk0 diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index bf43beb10..21f057460 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -934,6 +934,13 @@ mymain(void) DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE); DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS); + driver.config->vxhsTLS =3D 1; + DO_TEST("disk-drive-network-tlsx509-vxhs", QEMU_CAPS_VXHS, + QEMU_CAPS_OBJECT_TLS_CREDS_X509); + DO_TEST("disk-drive-network-tlsx509-multidisk-vxhs", QEMU_CAPS_VXHS, + QEMU_CAPS_OBJECT_TLS_CREDS_X509); + driver.config->vxhsTLS =3D 0; + VIR_FREE(driver.config->vxhsTLSx509certdir); DO_TEST("disk-drive-no-boot", QEMU_CAPS_BOOTINDEX); DO_TEST_PARSE_ERROR("disk-device-lun-type-invalid", --=20 2.13.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list