From: John Ferlan
To: libvir-list@redhat.com
Cc: ashmit602@gmail.com
Date: Wed, 27 Sep 2017 11:45:51 -0400
Message-Id: <20170927154555.27156-2-jferlan@redhat.com>
In-Reply-To: <20170927154555.27156-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v10 1/5] conf: Introduce TLS options for VxHS block device clients

From: Ashish Mittal

Add a new TLS X.509 certificate type - "vxhs". This will handle the creation of a TLS certificate capability for properly configured VxHS network block device clients.

The following describes the behavior of TLS for VxHS block devices:

(1) Two new options have been added in /etc/libvirt/qemu.conf to control TLS behavior with VxHS block devices: "vxhs_tls" and "vxhs_tls_x509_cert_dir".

(2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable TLS for VxHS block devices.

(3) "vxhs_tls_x509_cert_dir" can be set to the full path where the TLS CA certificate and the client certificate and keys are saved. If this value is missing, the "default_tls_x509_cert_dir" will be used instead. If the environment is not configured properly the authentication to the VxHS server will fail.
Signed-off-by: Ashish Mittal Signed-off-by: John Ferlan --- src/qemu/libvirtd_qemu.aug | 4 ++++ src/qemu/qemu.conf | 34 ++++++++++++++++++++++++++++++++++ src/qemu/qemu_conf.c | 16 ++++++++++++++++ src/qemu/qemu_conf.h | 3 +++ src/qemu/test_libvirtd_qemu.aug.in | 2 ++ 5 files changed, 59 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index e1983d1fd..c19bf3a43 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -115,6 +115,9 @@ module Libvirtd_qemu =3D =20 let memory_entry =3D str_entry "memory_backing_dir" =20 + let vxhs_entry =3D bool_entry "vxhs_tls" + | str_entry "vxhs_tls_x509_cert_dir" + (* Each entry in the config is one of the following ... *) let entry =3D default_tls_entry | vnc_entry @@ -133,6 +136,7 @@ module Libvirtd_qemu =3D | nvram_entry | gluster_debug_level_entry | memory_entry + | vxhs_entry =20 let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] let empty =3D [ label "#empty" . eol ] diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index f977e3b71..2e8370a5a 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf 
@@ -258,6 +258,40 @@ #chardev_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" =20 =20 +# Enable use of TLS encryption for all VxHS network block devices that +# don't specifically disable. +# +# When the VxHS network block device server is set up appropriately, +# x509 certificates are required for authentication between the clients +# (qemu processes) and the remote VxHS server. +# +# It is necessary to setup CA and issue the client certificate before +# enabling this. +# +#vxhs_tls =3D 1 + + +# In order to override the default TLS certificate location for VxHS +# backed storage, supply a valid path to the certificate directory. +# This is used to authenticate the VxHS block device clients to the VxHS +# server. +# +# If the provided path does not exist then the default_tls_x509_cert_dir +# path will be used. +# +# VxHS block device clients expect the client certificate and key to be +# present in the certificate directory along with the CA master certificat= e. +# If using the default environment, default_tls_x509_verify must be config= ured. +# Since this is only a client the server-key.pem certificate is not needed. +# Thus a VxHS directory must contain the following: +# +# ca-cert.pem - the CA master certificate +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# +#vxhs_tls_x509_cert_dir =3D "/etc/pki/libvirt-vxhs" + + # In order to override the default TLS certificate location for migration # certificates, supply a valid path to the certificate directory. If the # provided path does not exist then the default_tls_x509_cert_dir path diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 68c00c1e8..ec61c9c52 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -283,6 +283,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool priv= ileged) SET_TLS_X509_CERT_DEFAULT(spice); SET_TLS_X509_CERT_DEFAULT(chardev); SET_TLS_X509_CERT_DEFAULT(migrate); + SET_TLS_X509_CERT_DEFAULT(vxhs); =20 #undef SET_TLS_X509_CERT_DEFAULT =20 @@ -380,6 +381,8 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->chardevTLSx509certdir); VIR_FREE(cfg->chardevTLSx509secretUUID); =20 + VIR_FREE(cfg->vxhsTLSx509certdir); + VIR_FREE(cfg->migrateTLSx509certdir); VIR_FREE(cfg->migrateTLSx509secretUUID); =20 @@ -457,6 +460,7 @@ virQEMUDriverConfigTLSDirResetDefaults(virQEMUDriverCon= figPtr cfg) CHECK_RESET_CERT_DIR_DEFAULT(spice); CHECK_RESET_CERT_DIR_DEFAULT(chardev); CHECK_RESET_CERT_DIR_DEFAULT(migrate); + CHECK_RESET_CERT_DIR_DEFAULT(vxhs); =20 return 0; } @@ -556,6 +560,10 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr= cfg, goto cleanup; if (virConfGetValueBool(conf, "spice_auto_unix_socket", &cfg->spiceAut= oUnixSocket) < 0) goto cleanup; + if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0) + goto cleanup; + if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTL= Sx509certdir) < 0) + goto cleanup; =20 #define GET_CONFIG_TLS_CERTINFO(val) = \ do { = \ @@ -976,6 +984,14 @@ virQEMUDriverConfigValidate(virQEMUDriverConfigPtr cfg) return -1; } =20 + if (STRNEQ(cfg->vxhsTLSx509certdir, SYSCONFDIR "/pki/qemu") && + !virFileExists(cfg->vxhsTLSx509certdir)) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("vxhs_tls_x509_cert_dir directory '%s' does not e= xist"), + cfg->vxhsTLSx509certdir); + return -1; + } + return 0; } =20 diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index d469b50bd..13b6f818a 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -203,6 +203,9 @@ struct _virQEMUDriverConfig { unsigned int glusterDebugLevel; =20 char *memoryBackingDir; + + bool vxhsTLS; + char *vxhsTLSx509certdir; }; =20 /* Main driver state */ 
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 676d48cf5..688e5b9fd 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
@@ -25,6 +25,8 @@ module Test_libvirtd_qemu =3D { "chardev_tls_x509_cert_dir" =3D "/etc/pki/libvirt-chardev" } { "chardev_tls_x509_verify" =3D "1" } { "chardev_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } +{ "vxhs_tls" =3D "1" } +{ "vxhs_tls_x509_cert_dir" =3D "/etc/pki/libvirt-vxhs" } { "migrate_tls_x509_cert_dir" =3D "/etc/pki/libvirt-migrate" } { "migrate_tls_x509_verify" =3D "1" } { "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } --=20 2.13.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 20:11:50 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1506527637038179.69496947954588; Wed, 27 Sep 2017 08:53:57 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AB6632DA9B1; Wed, 27 Sep 2017 15:53:55 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5DA18E8187; Wed, 27 Sep 2017 15:53:55 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 6E53D1855949; Wed, 27 Sep 2017 15:53:54 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com 
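Review bot: The virQEMUDriverConfigValidate hunk contradicts the new qemu.conf comment it ships with: the comment says "If the provided path does not exist then the default_tls_x509_cert_dir path will be used", but the code returns -1 with VIR_ERR_CONF_SYNTAX whenever vxhs_tls_x509_cert_dir differs from SYSCONFDIR "/pki/qemu" and the directory is missing, so a missing directory fails the daemon's config load instead of falling back. Failing closed is the safer behaviour for a client that is supposed to present a certificate, so suggest keeping the check and rewording the comment to "If the provided path does not exist, loading the configuration fails" (the same wording mismatch exists for the migrate block the text was copied from, but this patch should not add another copy). Two smaller points on the same hunk: it only tests virFileExists on the directory, while the comment lists ca-cert.pem, client-cert.pem and client-key.pem as required, so a directory with none of those files still validates; and the default path is spelled out as a literal SYSCONFDIR "/pki/qemu" here while the default is set via SET_TLS_X509_CERT_DEFAULT(vxhs) earlier, so a shared constant would keep the two from drifting.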
From: John Ferlan
To: libvir-list@redhat.com
Cc: ashmit602@gmail.com
Date: Wed, 27 Sep 2017 11:45:52 -0400
Message-Id: <20170927154555.27156-3-jferlan@redhat.com>
In-Reply-To: <20170927154555.27156-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v10 2/5] docs: Clean up the description for network disk protocol options

Clean up the description a bit to make it more readable and not appear as one long run-on paragraph.
Signed-off-by: John Ferlan --- docs/formatdomain.html.in | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 9ce4620c6..bfca7ed3a 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2514,19 +2514,28 @@
The protocol attribute specifies the protocol to access to the requested image. Possible values are "nbd", - "iscsi", "rbd", "sheepdog", "gluster" or "vxhs". If the - protocol attribute is "rbd", "sheepdog", "glust= er" - or "vxhs", an additional attribute name is - mandatory to specify which volume/image will be used. For "n= bd", - the name attribute is optional. For "iscsi" - (since 1.0.4), the name - attribute may include a logical unit number, separated from = the - target's name by a slash (e.g., + "iscsi", "rbd", "sheepdog", "gluster" or "vxhs". + +

If the protocol attribute is "rbd", "sheepdo= g", + "gluster", or "vxhs", an additional attribute name + is mandatory to specify which volume/image will be used. +

+ +

For "nbd", the name attribute is optional. +

+ +

For "iscsi" (since 1.0.4), t= he + name attribute may include a logical unit numbe= r, + separated from the target's name by a slash (e.g., iqn.2013-07.com.example:iscsi-pool/1). If not specified, the default LUN is zero. +

+ +

For "vxhs" (since 3.8.0), the name is the UUID of the volume, assigned by the HyperScale server. +

Since 0.8.7
volume
From: John Ferlan
To: libvir-list@redhat.com
Cc: ashmit602@gmail.com
Date: Wed, 27 Sep 2017 11:45:53 -0400
Message-Id: <20170927154555.27156-4-jferlan@redhat.com>
In-Reply-To: <20170927154555.27156-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v10 3/5] util: Add TLS attributes to virStorageSource

From: Ashish Mittal

Add an optional virTristateBool haveTLS to virStorageSource to manage whether a storage source will be using TLS.

Sample XML for a VxHS disk:

Additionally add a tlsFromConfig boolean to control whether the TLS setting was due to domain configuration or qemu.conf global setting in order to decide whether to format the haveTLS setting for either a live or saved domain configuration file.

Update the qemuxml2xmltest in order to add a test to show the proper parsing.

Also update the docs to describe the tls attribute.

Signed-off-by: Ashish Mittal
Signed-off-by: John Ferlan --- docs/formatdomain.html.in | 17 +++++- docs/schemas/domaincommon.rng | 5 ++ src/conf/domain_conf.c | 64 ++++++++++++++++++= ---- src/conf/domain_conf.h | 3 +- src/conf/snapshot_conf.c | 7 ++- src/util/virstoragefile.c | 2 + src/util/virstoragefile.h | 7 +++ ...emuxml2argv-disk-drive-network-tlsx509-vxhs.xml | 32 +++++++++++ ...uxml2xmlout-disk-drive-network-tlsx509-vxhs.xml | 34 ++++++++++++ tests/qemuxml2xmltest.c | 1 + 10 files changed, 154 insertions(+), 18 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-= tlsx509-vxhs.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-netw= ork-tlsx509-vxhs.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index bfca7ed3a..3e10213b5 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2531,10 +2531,21 @@ specified, the default LUN is zero.

=20 -

- For "vxhs" (since 3.8.0), the +

For "vxhs" (since 3.8.0), the name is the UUID of the volume, assigned by the - HyperScale server. + HyperScale server. Additionally, an optional attribute + tls (QEMU only) can be used to control whether a + VxHS block device would utilize a hypervisor configured TLS + X.509 certificate environment in order to encrypt the data + channel. For the QEMU hypervisor, usage of a TLS environment= can + also be globally controlled on the host by the + vxhs_tls and vxhs_tls_x509_cert_dir or + default_tls_x509_cert_dir settings in the file + /etc/libvirt/qemu.conf. If vxhs_tls is enabled, + then unless the domain tls attribute is set to = "no", + libvirt will use the host configured TLS environment. If the + tls attribute is set to "yes", then regardless = of + the qemu.conf setting, TLS authentication will be attempted.

Since 0.8.7 diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 76852abb3..bac371ea3 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1644,6 +1644,11 @@ + + + + + diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index fd6d3120f..87192eb2d 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -8109,11 +8109,15 @@ virDomainDiskSourcePoolDefParse(xmlNodePtr node, int virDomainDiskSourceParse(xmlNodePtr node, xmlXPathContextPtr ctxt, - virStorageSourcePtr src) + virStorageSourcePtr src, + unsigned int flags) { int ret =3D -1; char *protocol =3D NULL; xmlNodePtr saveNode =3D ctxt->node; + char *haveTLS =3D NULL; + char *tlsCfg =3D NULL; + int tlsCfgVal; =20 ctxt->node =3D node; =20 @@ -8147,6 +8151,30 @@ virDomainDiskSourceParse(xmlNodePtr node, goto cleanup; } =20 + /* Check tls=3Dyes|no domain setting for the block device + * At present only VxHS. Other block devices may be added later */ + if (src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS && + (haveTLS =3D virXMLPropString(node, "tls"))) { + if ((src->haveTLS =3D + virTristateBoolTypeFromString(haveTLS)) <=3D 0) { + virReportError(VIR_ERR_XML_ERROR, + _("unknown disk source 'tls' setting '%s'"), + haveTLS); + goto cleanup; + } + } + + if ((flags & VIR_DOMAIN_DEF_PARSE_STATUS) && + (tlsCfg =3D virXMLPropString(node, "tlsFromConfig"))) { + if (virStrToLong_i(tlsCfg, NULL, 10, &tlsCfgVal) < 0) { + virReportError(VIR_ERR_XML_ERROR, + _("Invalid tlsFromConfig value: %s"), + tlsCfg); + goto cleanup; + } + src->tlsFromConfig =3D !!tlsCfgVal; + } + /* for historical reasons the volume name for gluster volume is st= ored * as a part of the path. This is hard to work with when dealing w= ith * relative names. Split out the volume into a separate variable */ @@ -8202,6 +8230,8 @@ virDomainDiskSourceParse(xmlNodePtr node, =20 cleanup: VIR_FREE(protocol); + VIR_FREE(haveTLS); + VIR_FREE(tlsCfg); ctxt->node =3D saveNode; return ret; } 
@@ -8209,7 +8239,8 @@ virDomainDiskSourceParse(xmlNodePtr node, =20 static int virDomainDiskBackingStoreParse(xmlXPathContextPtr ctxt, - virStorageSourcePtr src) + virStorageSourcePtr src, + unsigned int flags) { virStorageSourcePtr backingStore =3D NULL; xmlNodePtr save_ctxt =3D ctxt->node; @@ -8258,8 +8289,8 @@ virDomainDiskBackingStoreParse(xmlXPathContextPtr ctx= t, goto cleanup; } =20 - if (virDomainDiskSourceParse(source, ctxt, backingStore) < 0 || - virDomainDiskBackingStoreParse(ctxt, backingStore) < 0) + if (virDomainDiskSourceParse(source, ctxt, backingStore, flags) < 0 || + virDomainDiskBackingStoreParse(ctxt, backingStore, flags) < 0) goto cleanup; =20 src->backingStore =3D backingStore; @@ -8360,7 +8391,8 @@ virDomainDiskDefIotuneParse(virDomainDiskDefPtr def, static int virDomainDiskDefMirrorParse(virDomainDiskDefPtr def, xmlNodePtr cur, - xmlXPathContextPtr ctxt) + xmlXPathContextPtr ctxt, + unsigned int flags) { xmlNodePtr mirrorNode; char *mirrorFormat =3D NULL; @@ -8398,7 +8430,7 @@ virDomainDiskDefMirrorParse(virDomainDiskDefPtr def, goto cleanup; } =20 - if (virDomainDiskSourceParse(mirrorNode, ctxt, def->mirror) < 0) + if (virDomainDiskSourceParse(mirrorNode, ctxt, def->mirror, flags)= < 0) goto cleanup; } else { /* For back-compat reasons, we handle a file name @@ -8815,7 +8847,7 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt, if (!source && virXMLNodeNameEqual(cur, "source")) { sourceNode =3D cur; =20 - if (virDomainDiskSourceParse(cur, ctxt, def->src) < 0) + if (virDomainDiskSourceParse(cur, ctxt, def->src, flags) < 0) goto error; =20 source =3D true; @@ -8871,7 +8903,7 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt, } else if (!def->mirror && virXMLNodeNameEqual(cur, "mirror") && !(flags & VIR_DOMAIN_DEF_PARSE_INACTIVE)) { - if (virDomainDiskDefMirrorParse(def, cur, ctxt) < 0) + if (virDomainDiskDefMirrorParse(def, cur, ctxt, flags) < 0) goto error; } else if (!authdef && virXMLNodeNameEqual(cur, "auth")) { 
@@ -9126,7 +9158,7 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt, product =3D NULL; =20 if (!(flags & VIR_DOMAIN_DEF_PARSE_DISK_SOURCE)) { - if (virDomainDiskBackingStoreParse(ctxt, def->src) < 0) + if (virDomainDiskBackingStoreParse(ctxt, def->src, flags) < 0) goto error; } =20 @@ -21673,7 +21705,8 @@ virDomainSourceDefFormatSeclabel(virBufferPtr buf, static int virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf, virBufferPtr childBuf, - virStorageSourcePtr src) + virStorageSourcePtr src, + unsigned int flags) { size_t n; char *path =3D NULL; @@ -21690,6 +21723,14 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attr= Buf, =20 VIR_FREE(path); =20 + if (src->haveTLS !=3D VIR_TRISTATE_BOOL_ABSENT && + !(flags & VIR_DOMAIN_DEF_FORMAT_MIGRATABLE && + src->tlsFromConfig)) + virBufferAsprintf(attrBuf, " tls=3D'%s'", + virTristateBoolTypeToString(src->haveTLS)); + if (flags & VIR_DOMAIN_DEF_FORMAT_STATUS) + virBufferAsprintf(attrBuf, " tlsFromConfig=3D'%d'", src->tlsFromCo= nfig); + for (n =3D 0; n < src->nhosts; n++) { virBufferAddLit(childBuf, "hosts[n].name= ); @@ -21754,7 +21795,8 @@ virDomainDiskSourceFormatInternal(virBufferPtr buf, break; =20 case VIR_STORAGE_TYPE_NETWORK: - if (virDomainDiskSourceFormatNetwork(&attrBuf, &childBuf, src)= < 0) + if (virDomainDiskSourceFormatNetwork(&attrBuf, &childBuf, + src, flags) < 0) goto error; break; =20 diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index e11ae5247..05a035a16 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2995,7 +2995,8 @@ virDomainDiskDefPtr virDomainDiskRemoveByName(virDomainDefPtr def, const char *name); int virDomainDiskSourceParse(xmlNodePtr node, xmlXPathContextPtr ctxt, - virStorageSourcePtr src); + virStorageSourcePtr src, + unsigned int flags); =20 int virDomainNetFindIdx(virDomainDefPtr def, virDomainNetDefPtr net); virDomainNetDefPtr virDomainNetFind(virDomainDefPtr def, const char *devic= e); 
diff --git a/src/conf/snapshot_conf.c b/src/conf/snapshot_conf.c index 07706e0b2..f0e852c92 100644 --- a/src/conf/snapshot_conf.c +++ b/src/conf/snapshot_conf.c @@ -109,7 +109,8 @@ void virDomainSnapshotDefFree(virDomainSnapshotDefPtr d= ef) static int virDomainSnapshotDiskDefParseXML(xmlNodePtr node, xmlXPathContextPtr ctxt, - virDomainSnapshotDiskDefPtr def) + virDomainSnapshotDiskDefPtr def, + unsigned int flags) { int ret =3D -1; char *snapshot =3D NULL; @@ -154,7 +155,7 @@ virDomainSnapshotDiskDefParseXML(xmlNodePtr node, } =20 if ((cur =3D virXPathNode("./source", ctxt)) && - virDomainDiskSourceParse(cur, ctxt, def->src) < 0) + virDomainDiskSourceParse(cur, ctxt, def->src, flags) < 0) goto cleanup; =20 if ((driver =3D virXPathString("string(./driver/@type)", ctxt))) { @@ -348,7 +349,7 @@ virDomainSnapshotDefParse(xmlXPathContextPtr ctxt, def->ndisks =3D n; for (i =3D 0; i < def->ndisks; i++) { if (virDomainSnapshotDiskDefParseXML(nodes[i], ctxt, - &def->disks[i]) < 0) + &def->disks[i], flags) < = 0) goto cleanup; } VIR_FREE(nodes); diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index 484a5c806..c0b9bcd8d 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -2040,6 +2040,8 @@ virStorageSourceCopy(const virStorageSource *src, ret->physical =3D src->physical; ret->readonly =3D src->readonly; ret->shared =3D src->shared; + ret->haveTLS =3D src->haveTLS; + ret->tlsFromConfig =3D src->tlsFromConfig; =20 /* storage driver metadata are not copied */ ret->drv =3D NULL; diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index f7e897f25..4817090fc 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h 
@@ -281,6 +281,13 @@ struct _virStorageSource { /* metadata that allows identifying given storage source */ char *nodeformat; /* name of the format handler object */ char *nodestorage; /* name of the storage object */ + + /* An optional setting to enable usage of TLS for the storage source */ + int haveTLS; /* enum virTristateBool */ + + /* Indication whether the haveTLS value was altered due to qemu.conf + * setting when haveTLS is missing from the domain config file */ + bool tlsFromConfig; }; =20 =20 diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -vxhs.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-= vxhs.xml new file mode 100644 index 000000000..61b5e2e79 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.x= ml @@ -0,0 +1,32 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219136 + 219136 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc251 +
+ + + + + + + + diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tls= x509-vxhs.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-= tlsx509-vxhs.xml new file mode 100644 index 000000000..16f0883e0 --- /dev/null +++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vx= hs.xml @@ -0,0 +1,34 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219136 + 219136 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc251 +
+ + +
+ + + + + + + diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 4b2fbd990..2dba3607c 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c 
@@ -475,6 +475,7 @@ mymain(void) DO_TEST("disk-drive-network-rbd-ceph-env", NONE); DO_TEST("disk-drive-network-sheepdog", NONE); DO_TEST("disk-drive-network-vxhs", NONE); + DO_TEST("disk-drive-network-tlsx509-vxhs", NONE); DO_TEST("disk-scsi-device", QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_SCSI_LSI); DO_TEST("disk-scsi-vscsi", NONE); --=20 2.13.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 20:11:50 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1506527661548515.6770855975053; Wed, 27 Sep 2017 08:54:21 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 464D0C098D14; Wed, 27 Sep 2017 15:54:20 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2079C63BBA; Wed, 27 Sep 2017 15:54:20 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 993E6410B4; Wed, 27 Sep 2017 15:54:19 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v8RFk2fQ018615 for ; Wed, 27 Sep 2017 11:46:02 -0400 Received: by 
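Review bot: In the virDomainDiskSourceParse hunk a tls attribute on a non-VxHS network source is silently ignored, because the whole check is guarded by src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS; an administrator who writes tls='yes' on an nbd or gluster source gets neither an error nor TLS, and the attribute survives into the formatted XML as if it were honoured. Suggest reading the attribute unconditionally and rejecting it for other protocols with virReportError(VIR_ERR_XML_ERROR, ...) so that "tls='yes'" cannot be misread as enforced, which also matches the "At present only VxHS" comment. On the tlsFromConfig branch, virStrToLong_i accepts any integer and !!tlsCfgVal folds it to a bool; restricting the input to "0" or "1" would match the formatter, which only ever emits " tlsFromConfig='%d'" from a bool. The virDomainDiskSourceFormatNetwork hunk correctly omits tls= when the value came from qemu.conf and VIR_DOMAIN_DEF_FORMAT_MIGRATABLE is set, so the destination host's own vxhs_tls decides; that is worth one sentence in the formatdomain.html.in hunk, which currently explains only the domain-versus-qemu.conf precedence.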
smtp.corp.redhat.com (Postfix) id 52E7A81EDE; Wed, 27 Sep 2017 15:46:02 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-117-1.phx2.redhat.com [10.3.117.1]) by smtp.corp.redhat.com (Postfix) with ESMTP id 09C6581EF2; Wed, 27 Sep 2017 15:46:01 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 464D0C098D14 Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com 
From: John Ferlan
To: libvir-list@redhat.com
Date: Wed, 27 Sep 2017 11:45:54 -0400
Message-Id: <20170927154555.27156-5-jferlan@redhat.com>
In-Reply-To: <20170927154555.27156-1-jferlan@redhat.com>
Cc: ashmit602@gmail.com
Subject: [libvirt] [PATCH v10 4/5] qemu: Introduce qemuDomainPrepareDiskSource

Introduce a function to set up any TLS needs for a disk source. If there's a configuration or other error setting up the disk source for TLS, then cause the domain startup to fail.

For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't been configured, then take the system/global cfg->haveTLS setting for the storage source *and* mark that we've done so via the tlsFromConfig setting in storage source.

Next, if we are using TLS, then generate an alias into a virStorageSource 'tlsAlias' field that will be used to create the TLS object and added to the disk object in order to link the two together for QEMU.

Signed-off-by: John Ferlan
---
 src/qemu/qemu_domain.c    | 73 +++++++++++++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_domain.h    | 11 +++++++
 src/qemu/qemu_process.c   |  4 +++
 src/util/virstoragefile.c |  8 +++++-
 src/util/virstoragefile.h |  7 +++++
 5 files changed, 102 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 0b094a15e..d53f4545e 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c 
@@ -7635,6 +7635,79 @@ qemuDomainPrepareChardevSource(virDomainDefPtr def, } =20 =20 +/* qemuProcessPrepareDiskSourceTLS: + * @source: pointer to host interface data for disk device + * @diskAlias: alias use for the disk device + * @cfg: driver configuration + * + * Updates host interface TLS encryption setting based on qemu.conf + * for disk devices. This will be presented as "tls=3D'yes|no'" in + * live XML of a guest. + * + * Returns 0 on success, -1 on bad config/failure + */ +int +qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, + const char *diskAlias, + virQEMUDriverConfigPtr cfg) +{ + + /* VxHS uses only client certificates and thus has no need for + * the server-key.pem nor a secret that could be used to decrypt + * the it, so no need to add a secinfo for a secret UUID. */ + if (src->type =3D=3D VIR_STORAGE_TYPE_NETWORK && + src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS) { + + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_ABSENT) { + if (cfg->vxhsTLS) + src->haveTLS =3D VIR_TRISTATE_BOOL_YES; + else + src->haveTLS =3D VIR_TRISTATE_BOOL_NO; + src->tlsFromConfig =3D true; + } + + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { + if (!diskAlias) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("disk does not have an alias")); + return -1; + } + + /* Grab the vxhsTLSx509certdir and set the verify/listen value= s. + * NB: tlsAlias filled in during qemuDomainGetTLSObjects. 
*/ + if (VIR_STRDUP(src->tlsCertdir, cfg->vxhsTLSx509certdir) < 0) + return -1; + + src->tlsVerify =3D true; + } + } + + return 0; +} + + +/* qemuProcessPrepareDiskSource: + * @def: live domain definition + * @driver: qemu driver + * + * Returns 0 on success, -1 on failure + */ +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) +{ + size_t i; + + for (i =3D 0; i < def->ndisks; i++) { + if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src, + def->disks[i]->info.alias, + cfg) < 0) + return -1; + } + + return 0; +} + =20 int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem) diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index 09201b1a4..b0ced2a39 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -863,6 +863,17 @@ void qemuDomainPrepareChardevSource(virDomainDefPtr de= f, virQEMUDriverConfigPtr cfg) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); =20 +int +qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, + const char *diskAlias, + virQEMUDriverConfigPtr cfg) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3); + +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); + int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem) ATTRIBUTE_NONNULL(1); =20 diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 929a0d2e9..63f499da3 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -5357,6 +5357,10 @@ qemuProcessPrepareDomain(virConnectPtr conn, if (qemuDomainMasterKeyCreate(vm) < 0) goto cleanup; =20 + VIR_DEBUG("Prepare disk source backends for TLS"); + if (qemuDomainPrepareDiskSource(vm->def, cfg) < 0) + goto cleanup; + VIR_DEBUG("Prepare chardev source backends for TLS"); qemuDomainPrepareChardevSource(vm->def, cfg); =20 diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index c0b9bcd8d..467237a2a 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c 
@@ -2042,6 +2042,7 @@ virStorageSourceCopy(const virStorageSource *src, ret->shared =3D src->shared; ret->haveTLS =3D src->haveTLS; ret->tlsFromConfig =3D src->tlsFromConfig; + ret->tlsVerify =3D src->tlsVerify; =20 /* storage driver metadata are not copied */ ret->drv =3D NULL; @@ -2055,7 +2056,9 @@ virStorageSourceCopy(const virStorageSource *src, VIR_STRDUP(ret->configFile, src->configFile) < 0 || VIR_STRDUP(ret->nodeformat, src->nodeformat) < 0 || VIR_STRDUP(ret->nodestorage, src->nodestorage) < 0 || - VIR_STRDUP(ret->compat, src->compat) < 0) + VIR_STRDUP(ret->compat, src->compat) < 0 || + VIR_STRDUP(ret->tlsAlias, src->tlsAlias) < 0 || + VIR_STRDUP(ret->tlsCertdir, src->tlsCertdir) < 0) goto error; =20 if (src->nhosts) { @@ -2280,6 +2283,9 @@ virStorageSourceClear(virStorageSourcePtr def) =20 virStorageSourceBackingStoreClear(def); =20 + VIR_FREE(def->tlsAlias); + VIR_FREE(def->tlsCertdir); + memset(def, 0, sizeof(*def)); } =20 diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index 4817090fc..56f23fc35 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h 
@@ -288,6 +288,13 @@ struct _virStorageSource { /* Indication whether the haveTLS value was altered due to qemu.conf * setting when haveTLS is missing from the domain config file */ bool tlsFromConfig; + + /* If TLS is used, then mgmt of the TLS credentials occurs via an + * object that is generated using a specific alias for a specific + * certificate directory with listen and verify bools. */ + char *tlsAlias; + char *tlsCertdir; + bool tlsVerify; }; =20 =20 -- 2.13.5
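Review bot: the doc comments in the qemu_domain.c hunk do not match the code they describe. The headers read `qemuProcessPrepareDiskSourceTLS` and `qemuProcessPrepareDiskSource`, but the functions are `qemuDomainPrepareDiskSourceTLS` and `qemuDomainPrepareDiskSource`; the first documents `@source` while the parameter is `src`, and the second lists `@driver: qemu driver` while the parameter is `cfg`. The comment `Grab the vxhsTLSx509certdir and set the verify/listen values.` also overstates what follows, since only `src->tlsVerify = true` is set and no listen value exists on the source, and "decrypt the it" should read "decrypt it". Please fix the names and parameter lists so the generated docs match, and say explicitly that the client always verifies the server certificate, since that unconditional `tlsVerify = true` is the security-relevant decision this hunk hardcodes.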
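Review bot: `virStorageSourceCopy` now duplicates `tlsAlias` along with `tlsCertdir` and `tlsVerify`, but `tlsAlias` is the id of a QEMU object derived from one disk alias, and the hotplug path in 5/5 writes it through `qemuDomainGetTLSObjects(..., &src->tlsAlias, ...)`; a copied source arriving there with the field already populated is worth checking for a leak or a second object with the same id. Unless a caller needs the alias to survive a copy, leave `ret->tlsAlias` NULL in the copy and let the prepare/attach code regenerate it, or add a comment explaining why carrying it across is intended. The two `VIR_FREE` calls added to `virStorageSourceClear` do cover both new strings.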
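Review bot: the new field comment in the virstoragefile.h hunk says the object is generated "with listen and verify bools", but only `bool tlsVerify` is added, and every caller in this series passes `false` for listen because a disk source is always the client end of the connection. Either drop "listen" from the comment or state that listen is fixed at false, and say next to `tlsAlias` that it is the id of the QEMU `tls-creds-x509` object that `file.tls-creds` refers to, so a reader of this header can connect the field to the command line.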
From: John Ferlan
To: libvir-list@redhat.com
Date: Wed, 27 Sep 2017 11:45:55 -0400
Message-Id: <20170927154555.27156-6-jferlan@redhat.com>
In-Reply-To: <20170927154555.27156-1-jferlan@redhat.com>
Cc: ashmit602@gmail.com
Subject: [libvirt] [PATCH v10 5/5] qemu: Add TLS support for Veritas HyperScale (VxHS)
From: Ashish Mittal

Alter qemu command line generation in order to possibly add TLS for a suitably configured domain.

Sample TLS args generated by libvirt -

  -object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\
  endpoint=client,verify-peer=yes \
  -drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\
  file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
  file.server.type=tcp,file.server.host=192.168.0.1,\
  file.server.port=9999,format=raw,if=none,\
  id=drive-virtio-disk0,cache=none \
  -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
  id=virtio-disk0

Update the qemuxml2argvtest with a couple of examples. One for a simple case and the other a bit more complex where multiple VxHS disks are added where at least one uses a VxHS that doesn't require TLS credentials and thus sets the domain disk source attribute "tls = 'no'".

Update the hotplug to be able to handle processing the tlsAlias whether it's to add the TLS object when hotplugging a disk or to remove the TLS object when hot unplugging a disk. The hot plug/unplug code is largely generic, but the addition code does make the VXHS specific checks only because it needs to grab the correct config directory and generate the object as the command line would do.

Signed-off-by: Ashish Mittal
Signed-off-by: John Ferlan
---
 src/qemu/qemu_block.c                              |  2 +
 src/qemu/qemu_command.c                            | 33 ++++++++++
 src/qemu/qemu_hotplug.c                            | 73 ++++++++++++++++++++++
 ...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 43 +++++++++++++
 ...emuxml2argv-disk-drive-network-tlsx509-vxhs.xml | 20 +++++-
 tests/qemuxml2argvtest.c                           |  5 ++
 ...uxml2xmlout-disk-drive-network-tlsx509-vxhs.xml | 20 +++++-
 7 files changed, 194 insertions(+), 2 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args

diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 6faecb0ae..8d232de3e 100644 --- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c @@ -545,11 +545,13 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePt= r src) =20 /* VxHS disk specification example: * { driver:"vxhs", + * tls-creds:"objvirtio-disk0_tls0", * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", * server:{type:"tcp", host:"1.2.3.4", port:9999}} */ if (virJSONValueObjectCreate(&ret, "s:driver", protocol, + "S:tls-creds", src->tlsAlias, "s:vdisk-id", src->path, "a:server", server, NULL) < 0) virJSONValueFree(server); diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index abeb24846..4f141e0ac 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -794,6 +794,35 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd, } =20 =20 +/* qemuBuildDiskSrcTLSx509CommandLine: + * + * Add TLS object if the disk src uses a secure communication channel + * + * Returns 0 on success, -1 w/ error on some sort of failure. + */ +static int +qemuBuildDiskSrcTLSx509CommandLine(virCommandPtr cmd, + virStorageSourcePtr src, + const char *srcalias, + virQEMUCapsPtr qemuCaps) +{ + + + /* other protocols may be added later */ + if (src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS && + src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { + if (!(src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(srcalias))) + return -1; + + return qemuBuildTLSx509CommandLine(cmd, src->tlsCertdir, + false, src->tlsVerify, + false, srcalias, qemuCaps); + } + + return 0; +} + + static char * qemuBuildNetworkDriveURI(virStorageSourcePtr src, qemuDomainSecretInfoPtr secinfo) @@ -2221,6 +2250,10 @@ qemuBuildDiskDriveCommandLine(virCommandPtr cmd, if (qemuBuildDiskSecinfoCommandLine(cmd, encinfo) < 0) return -1; =20 + if (qemuBuildDiskSrcTLSx509CommandLine(cmd, disk->src, disk->info.= alias, + qemuCaps) < 0) + return -1; + virCommandAddArg(cmd, "-drive"); =20 if (!(optstr =3D qemuBuildDriveStr(disk, cfg, driveBoot, qemuCaps)= )) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 4913e18e6..b77731df0 100644 
--- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -156,6 +156,46 @@ qemuDomainPrepareDisk(virQEMUDriverPtr driver, =20 =20 static int +qemuDomainAddDiskSrcTLSObject(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src, + const char *srcalias) +{ + int ret =3D -1; + qemuDomainObjPrivatePtr priv =3D vm->privateData; + virJSONValuePtr tlsProps =3D NULL; + + if (qemuDomainGetTLSObjects(priv->qemuCaps, NULL, + src->tlsCertdir, + false, + src->tlsVerify, + srcalias, &tlsProps, &src->tlsAlias, + NULL, NULL) < 0) + goto cleanup; + + if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + NULL, NULL, src->tlsAlias, &tlsProps) < 0) + goto cleanup; + + ret =3D 0; + + cleanup: + virJSONValueFree(tlsProps); + + return ret; +} + + +static void +qemuDomainDelDiskSrcTLSObject(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src) +{ + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, NULL, src->tl= sAlias); +} + + +static int qemuHotplugWaitForTrayEject(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainDiskDefPtr disk, @@ -376,6 +416,14 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn, if (encinfo && qemuBuildSecretInfoProps(encinfo, &encobjProps) < 0) goto error; =20 + if (qemuDomainPrepareDiskSourceTLS(disk->src, disk->info.alias, cfg) <= 0) + goto error; + + if (disk->src->haveTLS && + qemuDomainAddDiskSrcTLSObject(driver, vm, disk->src, + disk->info.alias) < 0) + goto error; + if (!(drivestr =3D qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)= )) goto error; =20 @@ -453,6 +501,8 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); =20 error: + qemuDomainDelDiskSrcTLSObject(driver, vm, disk->src); + if (releaseaddr) qemuDomainReleaseDeviceAddress(vm, &disk->info, src); =20 
@@ -667,6 +717,14 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn, if (!(devstr =3D qemuBuildDriveDevStr(vm->def, disk, 0, priv->qemuCaps= ))) goto error; =20 + if (qemuDomainPrepareDiskSourceTLS(disk->src, disk->info.alias, cfg) <= 0) + goto error; + + if (disk->src->haveTLS && + qemuDomainAddDiskSrcTLSObject(driver, vm, disk->src, + disk->info.alias) < 0) + goto error; + if (!(drivestr =3D qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)= )) goto error; =20 @@ -737,6 +795,8 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); =20 error: + qemuDomainDelDiskSrcTLSObject(driver, vm, disk->src); + ignore_value(qemuDomainPrepareDisk(driver, vm, disk, NULL, true)); goto cleanup; } @@ -777,6 +837,14 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr = driver, if (qemuAssignDeviceDiskAlias(vm->def, disk, priv->qemuCaps) < 0) goto error; =20 + if (qemuDomainPrepareDiskSourceTLS(disk->src, disk->info.alias, cfg) <= 0) + goto error; + + if (disk->src->haveTLS && + qemuDomainAddDiskSrcTLSObject(driver, vm, disk->src, + disk->info.alias) < 0) + goto error; + if (!(drivestr =3D qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)= )) goto error; =20 @@ -827,6 +895,8 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr d= river, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); =20 error: + qemuDomainDelDiskSrcTLSObject(driver, vm, disk->src); + ignore_value(qemuDomainPrepareDisk(driver, vm, disk, NULL, true)); goto cleanup; } @@ -3679,6 +3749,9 @@ qemuDomainRemoveDiskDevice(virQEMUDriverPtr driver, ignore_value(qemuMonitorDelObject(priv->mon, encAlias)); VIR_FREE(encAlias); =20 + if (disk->src->haveTLS) + ignore_value(qemuMonitorDelObject(priv->mon, disk->src->tlsAlias)); + if (qemuDomainObjExitMonitor(driver, vm) < 0) return -1; =20 
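Review bot: `"S:tls-creds", src->tlsAlias` in the qemu_block.c hunk silently omits the key when `tlsAlias` is NULL, so correctness depends on the caller having populated `src->tlsAlias` before `qemuBuildDriveStr` runs. Both callers in this series do (`qemuBuildDiskSrcTLSx509CommandLine` is invoked just before `virCommandAddArg(cmd, "-drive")`, and `qemuDomainAddDiskSrcTLSObject` runs before `qemuBuildDriveStr` in each hotplug path), but nothing states that ordering; a one-line comment beside the `S:tls-creds` entry saying the alias must already be set would protect the next person who reorders the drive build.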
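Review bot: `qemuBuildDiskSrcTLSx509CommandLine` tests `src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS` without the `src->type == VIR_STORAGE_TYPE_NETWORK` guard that `qemuDomainPrepareDiskSourceTLS` uses, so the two entry points disagree on what qualifies for TLS; please make the conditions identical. Minor style points in the same hunk: there are two blank lines at the top of the function body, and the name uses "Src" while the other helpers introduced by this series use "DiskSource".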
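Review bot: `if (disk->src->haveTLS && ...)` in the three attach functions, and `if (disk->src->haveTLS)` in `qemuDomainRemoveDiskDevice`, treat `haveTLS` as a boolean, but it is a `virTristateBool` (this series compares it against `VIR_TRISTATE_BOOL_ABSENT` and `VIR_TRISTATE_BOOL_YES` elsewhere, and `VIR_TRISTATE_BOOL_NO` is not 0). A VxHS disk with `tls='no'`, which `qemuDomainPrepareDiskSourceTLS` leaves as `VIR_TRISTATE_BOOL_NO`, would therefore take the TLS branch on hotplug with `tlsCertdir` and `tlsAlias` still NULL, and on unplug would call `qemuMonitorDelObject(priv->mon, disk->src->tlsAlias)` with a NULL alias. Use `disk->src->haveTLS == VIR_TRISTATE_BOOL_YES` in all four places, matching the command-line builder. Two smaller points: the prepare/add pair is pasted verbatim into three attach functions and belongs in one helper so the condition lives in a single place; and each `error:` label calls `qemuDomainDelDiskSrcTLSObject` unconditionally, which is only safe if `qemuDomainDelTLSObjects` tolerates a NULL `tlsAlias`, so please confirm that.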
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -vxhs.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -vxhs.args new file mode 100644 index 000000000..572c9f36c --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.a= rgs 
@@ -0,0 +1,43 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/home/test \ +USER=3Dtest \ +LOGNAME=3Dtest \ +QEMU_AUDIO_DRV=3Dnone \ +/usr/bin/qemu-system-x86_64 \ +-name QEMUGuest1 \ +-S \ +-M pc \ +-cpu qemu32 \ +-m 214 \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-nographic \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,path=3D/tmp/lib/domain--1-QEMUGuest1/moni= tor.sock,\ +server,nowait \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dreadline \ +-no-acpi \ +-boot c \ +-usb \ +-object tls-creds-x509,id=3Dobjvirtio-disk0_tls0,dir=3D/etc/pki/qemu,\ +endpoint=3Dclient,verify-peer=3Dyes \ +-drive file.driver=3Dvxhs,file.tls-creds=3Dobjvirtio-disk0_tls0,\ +file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.type=3Dtc= p,\ +file.server.host=3D192.168.0.1,file.server.port=3D9999,format=3Draw,if=3Dn= one,\ +id=3Ddrive-virtio-disk0,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x4,drive=3Ddrive-virtio-disk0,\ +id=3Dvirtio-disk0 \ +-object tls-creds-x509,id=3Dobjvirtio-disk1_tls0,dir=3D/etc/pki/qemu,\ +endpoint=3Dclient,verify-peer=3Dyes \ +-drive file.driver=3Dvxhs,file.tls-creds=3Dobjvirtio-disk1_tls0,\ +file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4dc252,file.server.type=3Dtc= p,\ +file.server.host=3D192.168.0.2,file.server.port=3D9999,format=3Draw,if=3Dn= one,\ +id=3Ddrive-virtio-disk1,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x5,drive=3Ddrive-virtio-disk1,\ +id=3Dvirtio-disk1 \ +-drive file.driver=3Dvxhs,file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4d= c253,\ +file.server.type=3Dtcp,file.server.host=3D192.168.0.3,file.server.port=3D9= 999,\ +format=3Draw,if=3Dnone,id=3Ddrive-virtio-disk2,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x6,drive=3Ddrive-virtio-disk2,\ +id=3Dvirtio-disk2 
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -vxhs.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-= vxhs.xml index 61b5e2e79..a66e81f06 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.x= ml +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.x= ml @@ -16,13 +16,31 @@ /usr/bin/qemu-system-x86_64 - + eb90327c-8302-4725-9e1b-4e85ed4dc251
+ + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc252 +
+ + + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc252 +
+ diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 70be0c32d..1958ad428 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -942,6 +942,11 @@ mymain(void) DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE); DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS); + driver.config->vxhsTLS =3D 1; + DO_TEST("disk-drive-network-tlsx509-vxhs", QEMU_CAPS_VXHS, + QEMU_CAPS_OBJECT_TLS_CREDS_X509); + driver.config->vxhsTLS =3D 0; + VIR_FREE(driver.config->vxhsTLSx509certdir); DO_TEST("disk-drive-no-boot", QEMU_CAPS_BOOTINDEX); DO_TEST_PARSE_ERROR("disk-device-lun-type-invalid", diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tls= x509-vxhs.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-= tlsx509-vxhs.xml index 16f0883e0..7053affd1 100644 --- a/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vx= hs.xml +++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vx= hs.xml @@ -16,13 +16,31 @@ /usr/bin/qemu-system-x86_64 - + eb90327c-8302-4725-9e1b-4e85ed4dc251
+ + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc252 +
+ + + + + + + + eb90327c-8302-4725-9e1b-4e85ed4dc252 +
+
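Review bot: in the qemuxml2argvtest.c hunk, `driver.config->vxhsTLS = 1` assigns an int to a field the rest of the series tests as a bool (`if (cfg->vxhsTLS)`); use `true` and `false`. `VIR_FREE(driver.config->vxhsTLSx509certdir)` frees a value this hunk never sets, so the `dir=/etc/pki/qemu` in the expected `.args` relies on the config default; setting the directory explicitly before `DO_TEST` and freeing it afterwards would make the expectation self-contained. A negative case (`DO_TEST_FAILURE` with a `tls='yes'` disk but without `QEMU_CAPS_OBJECT_TLS_CREDS_X509`) would also pin down what happens when the capability is missing, which is the case an operator most needs to fail loudly.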
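Review bot: in the XML test data as it appears here, the second and third added disks both carry vdisk-id `eb90327c-8302-4725-9e1b-4e85ed4dc252`, in both the qemuxml2argv and qemuxml2xmlout files, while the `.args` file expects `eb90327c-8302-4725-9e1b-4e85ed4dc253` for `drive-virtio-disk2`. Please confirm the third `source` in both XML files uses `...4dc253`, and that it is the one carrying `tls='no'` as the commit message describes, since the element markup did not survive in this copy of the patch and only the ids are visible.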
-- 2.13.5
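The command line shown in the commit message above is what an operator sees in `ps` output or in the per-domain log of a running guest, and it is the only place the TLS decision is visible once the guest is up. As an added example (not code from this series, libvirt or QEMU), here is a small audit that parses such an argv and reports, for every `file.driver=vxhs` drive, whether its `file.tls-creds` points at a `tls-creds-x509` object with `endpoint=client` and `verify-peer=yes`, which is exactly the pairing the patch emits. It goes a little beyond the page by also flagging a `file.tls-creds` that names no object, or one that is not a client-side x509 object. The sample command line is constructed from the values in the patch's `.args` test file, with the second object's `verify-peer` changed to `no` purely to exercise the check; the verdict names are this example's own.

```python
"""Audit a QEMU command line for VxHS drives without client-side TLS
verification.  Added example; not libvirt or QEMU code."""
import shlex

# Constructed sample, based on the values in the patch's .args test file:
# drive 0 is the patch's own TLS case, drive 1 has verify-peer changed to
# "no" (hypothetical, to exercise the check), drive 2 is the tls='no' case
# and therefore carries no file.tls-creds at all.
SAMPLE_CMDLINE = (
    "/usr/bin/qemu-system-x86_64 -name QEMUGuest1 -S -M pc "
    "-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,"
    "endpoint=client,verify-peer=yes "
    "-drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,"
    "file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.type=tcp,"
    "file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,"
    "id=drive-virtio-disk0,cache=none "
    "-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,"
    "id=virtio-disk0 "
    "-object tls-creds-x509,id=objvirtio-disk1_tls0,dir=/etc/pki/qemu,"
    "endpoint=client,verify-peer=no "
    "-drive file.driver=vxhs,file.tls-creds=objvirtio-disk1_tls0,"
    "file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc252,file.server.type=tcp,"
    "file.server.host=192.168.0.2,file.server.port=9999,format=raw,if=none,"
    "id=drive-virtio-disk1,cache=none "
    "-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc253,"
    "file.server.type=tcp,file.server.host=192.168.0.3,file.server.port=9999,"
    "format=raw,if=none,id=drive-virtio-disk2,cache=none"
)


def parse_opts(optstr):
    """Split a QEMU option string into (leading positional, {key: value}).

    For -object the first element is the QOM type and has no '='; for -drive
    every element is key=value.  QEMU's ',,' escape for a literal comma is
    not handled, which is fine for the option strings libvirt emits here."""
    positional = None
    opts = {}
    for idx, part in enumerate(optstr.split(",")):
        key, sep, val = part.partition("=")
        if sep:
            opts[key] = val
        elif idx == 0:
            positional = key
    return positional, opts


def parse_qemu_argv(argv):
    """Collect -object definitions (keyed by id) and -drive option dicts."""
    objects = {}
    drives = []
    i = 0
    while i + 1 < len(argv):
        if argv[i] == "-object":
            qom_type, opts = parse_opts(argv[i + 1])
            objects[opts.get("id")] = (qom_type, opts)
            i += 2
        elif argv[i] == "-drive":
            drives.append(parse_opts(argv[i + 1])[1])
            i += 2
        else:
            i += 1
    return objects, drives


def audit_vxhs_drives(argv):
    """Return {drive id: verdict} for every file.driver=vxhs drive.

    Verdicts (names are this example's own):
      ok             tls-creds-x509 object, endpoint=client, verify-peer=yes
      no-tls         the drive has no file.tls-creds at all
      dangling-creds file.tls-creds names an id that no -object defines
      wrong-creds    the object is not a client-side tls-creds-x509
      no-verify      verify-peer is missing or not 'yes', so the VxHS
                     server's certificate is never checked"""
    objects, drives = parse_qemu_argv(argv)
    verdicts = {}
    for drive in drives:
        if drive.get("file.driver") != "vxhs":
            continue
        drive_id = drive.get("id", "<no id>")
        creds = drive.get("file.tls-creds")
        if creds is None:
            verdicts[drive_id] = "no-tls"
        elif creds not in objects:
            verdicts[drive_id] = "dangling-creds"
        else:
            qom_type, opts = objects[creds]
            if qom_type != "tls-creds-x509" or opts.get("endpoint") != "client":
                verdicts[drive_id] = "wrong-creds"
            elif opts.get("verify-peer") != "yes":
                verdicts[drive_id] = "no-verify"
            else:
                verdicts[drive_id] = "ok"
    return verdicts


def audit_cmdline(cmdline):
    """Convenience wrapper for a command line captured as one string."""
    return audit_vxhs_drives(shlex.split(cmdline))


if __name__ == "__main__":
    for drive_id, verdict in audit_cmdline(SAMPLE_CMDLINE).items():
        print(f"{drive_id}: {verdict}")
```

Feed it the argv of a live `qemu-system-*` process (for instance from `/proc/<pid>/cmdline`, split on NUL) rather than the single string used here. The check is purely structural: it tells you that a drive is wired to a verifying client credential object, not that the CA in the referenced directory is the one the VxHS server actually chains to, so pair it with an inspection of the certificate directory on hosts where `vxhs_tls=1` is expected.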