From: Jonathon Jongsma
To: libvir-list@redhat.com
Subject: [libvirt PATCH v6 28/36] qemu: implement password auth for ssh disks with nbdkit
Date: Thu, 20 Jul 2023 17:19:55 -0500
Message-ID: <20230720222003.411549-29-jjongsma@redhat.com>
In-Reply-To: <20230720222003.411549-1-jjongsma@redhat.com>
References: <20230720222003.411549-1-jjongsma@redhat.com>

For ssh disks that are served by nbdkit, look up the password from the configured secret and securely pass it to the nbdkit process using fd passing.
Signed-off-by: Jonathon Jongsma Reviewed-by: Peter Krempa --- src/qemu/qemu_nbdkit.c | 87 ++++++++++--------- .../disk-network-ssh-password.args.disk0 | 8 ++ ...k-network-ssh-password.args.disk0.pipe.778 | 1 + .../disk-network-ssh.args.disk1 | 8 ++ .../disk-network-ssh.args.disk1.pipe.778 | 1 + tests/qemunbdkittest.c | 1 + ...sk-network-ssh-password.x86_64-latest.args | 35 ++++++++ .../disk-network-ssh-password.xml | 34 ++++++++ tests/qemuxml2argvtest.c | 1 + 9 files changed, 137 insertions(+), 39 deletions(-) create mode 100644 tests/qemunbdkitdata/disk-network-ssh-password.args.dis= k0 create mode 100644 tests/qemunbdkitdata/disk-network-ssh-password.args.dis= k0.pipe.778 create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk1 create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.7= 78 create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-password.x86_64= -latest.args create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-password.xml diff --git a/src/qemu/qemu_nbdkit.c b/src/qemu/qemu_nbdkit.c index 8bb91de994..9dbe3af1dd 100644 --- a/src/qemu/qemu_nbdkit.c +++ b/src/qemu/qemu_nbdkit.c 
@@ -936,6 +936,46 @@ qemuNbdkitCommandPassDataByPipe(virCommand *cmd, } =20 =20 +static int +qemuNbdkitProcessBuildCommandAuth(virStorageAuthDef *authdef, + virCommand *cmd) +{ + g_autoptr(virConnect) conn =3D NULL; + g_autofree uint8_t *secret =3D NULL; + size_t secretlen =3D 0; + int secrettype; + + if (!authdef) + return 0; + + if ((secrettype =3D virSecretUsageTypeFromString(authdef->secrettype))= < 0) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("invalid secret type %1$s"), + authdef->secrettype); + return -1; + } + + conn =3D virGetConnectSecret(); + if (virSecretGetSecretString(conn, + &authdef->seclookupdef, + secrettype, + &secret, + &secretlen) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("failed to get auth secret for storage")); + return -1; + } + + virCommandAddArgPair(cmd, "user", authdef->username); + + if (qemuNbdkitCommandPassDataByPipe(cmd, "password", + &secret, secretlen) < 0) + return -1; + + return 0; +} + + static int qemuNbdkitProcessBuildCommandCurl(qemuNbdkitProcess *proc, virCommand *cmd) 
@@ -954,37 +994,8 @@ qemuNbdkitProcessBuildCommandCurl(qemuNbdkitProcess *p= roc, } virCommandAddArgPair(cmd, "url", uristring); =20 - if (proc->source->auth) { - g_autoptr(virConnect) conn =3D virGetConnectSecret(); - g_autofree uint8_t *secret =3D NULL; - size_t secretlen =3D 0; - int secrettype; - virStorageAuthDef *authdef =3D proc->source->auth; - - virCommandAddArgPair(cmd, "user", - proc->source->auth->username); - - if ((secrettype =3D virSecretUsageTypeFromString(proc->source->aut= h->secrettype)) < 0) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - _("invalid secret type %1$s"), - proc->source->auth->secrettype); - return -1; - } - - if (virSecretGetSecretString(conn, - &authdef->seclookupdef, - secrettype, - &secret, - &secretlen) < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("failed to get auth secret for storage")); - return -1; - } - - if (qemuNbdkitCommandPassDataByPipe(cmd, "password", - &secret, secretlen) < 0) - return -1; - } + if (proc->source->auth && qemuNbdkitProcessBuildCommandAuth(proc->sour= ce->auth, cmd) < 0) + return -1; =20 /* Create a pipe to send the cookies to the nbdkit process. */ if (proc->source->ncookies) { @@ -1013,7 +1024,6 @@ static int qemuNbdkitProcessBuildCommandSSH(qemuNbdkitProcess *proc, virCommand *cmd) { - const char *user =3D NULL; virStorageNetHostDef *host =3D &proc->source->hosts[0]; g_autofree char *portstr =3D g_strdup_printf("%u", host->port); =20 
@@ -1024,13 +1034,12 @@ qemuNbdkitProcessBuildCommandSSH(qemuNbdkitProcess = *proc, virCommandAddArgPair(cmd, "port", portstr); virCommandAddArgPair(cmd, "path", proc->source->path); =20 - if (proc->source->auth) - user =3D proc->source->auth->username; - else if (proc->source->ssh_user) - user =3D proc->source->ssh_user; - - if (user) - virCommandAddArgPair(cmd, "user", user); + if (proc->source->auth) { + if (qemuNbdkitProcessBuildCommandAuth(proc->source->auth, cmd) < 0) + return -1; + } else if (proc->source->ssh_user) { + virCommandAddArgPair(cmd, "user", proc->source->ssh_user); + } =20 if (proc->source->ssh_host_key_check_disabled) virCommandAddArgPair(cmd, "verify-remote-host", "false"); diff --git a/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0 b/te= sts/qemunbdkitdata/disk-network-ssh-password.args.disk0 new file mode 100644 index 0000000000..30711f7f07 --- /dev/null +++ b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0 @@ -0,0 +1,8 @@ +nbdkit \ +--unix /tmp/statedir-0/nbdkit-test-disk-0.socket \ +--foreground ssh \ +host=3Dexample.org \ +port=3D2222 \ +path=3Dtest2.img \ +user=3Dtestuser \ +password=3D-777 diff --git a/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe= .778 b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe.778 new file mode 100644 index 0000000000..ccdd4033fc --- /dev/null +++ b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe.778 @@ -0,0 +1 @@ +iscsi-mycluster_myname-secret \ No newline at end of file diff --git a/tests/qemunbdkitdata/disk-network-ssh.args.disk1 b/tests/qemun= bdkitdata/disk-network-ssh.args.disk1 new file mode 100644 index 0000000000..9a8a16c8d5 --- /dev/null +++ b/tests/qemunbdkitdata/disk-network-ssh.args.disk1 @@ -0,0 +1,8 @@ +nbdkit \ +--unix /tmp/statedir-1/nbdkit-test-disk-1.socket \ +--foreground ssh \ +host=3Dexample.org \ +port=3D2222 \ +path=3Dtest2.img \ +user=3Dtestuser \ +password=3D-777 
diff --git a/tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778 b/te= sts/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778 new file mode 100644 index 0000000000..ccdd4033fc --- /dev/null +++ b/tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778 @@ -0,0 +1 @@ +iscsi-mycluster_myname-secret \ No newline at end of file diff --git a/tests/qemunbdkittest.c b/tests/qemunbdkittest.c index 2a74f27a5a..a51b287f34 100644 --- a/tests/qemunbdkittest.c +++ b/tests/qemunbdkittest.c @@ -298,6 +298,7 @@ mymain(void) DO_TEST("disk-network-source-curl-nbdkit-backing", QEMU_NBDKIT_CAPS_PL= UGIN_CURL); DO_TEST("disk-network-source-curl", QEMU_NBDKIT_CAPS_PLUGIN_CURL); DO_TEST("disk-network-ssh", QEMU_NBDKIT_CAPS_PLUGIN_SSH); + DO_TEST("disk-network-ssh-password", QEMU_NBDKIT_CAPS_PLUGIN_SSH); =20 cleanup: qemuTestDriverFree(&driver); diff --git a/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest= .args b/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest.args new file mode 100644 index 0000000000..fd24e51570 --- /dev/null +++ b/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest.args 
@@ -0,0 +1,35 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1 \ +USER=3Dtest \ +LOGNAME=3Dtest \ +XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.local/share \ +XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.cache \ +XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=3DQEMUGuest1,debug-threads=3Don \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va= r/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ +-machine pc,usb=3Doff,dump-guest-core=3Doff,memory-backend=3Dpc.ram,acpi= =3Doff \ +-accel kvm \ +-cpu qemu64 \ +-m size=3D219136k \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}'= \ +-overcommit mem-lock=3Doff \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \ +-rtc base=3Dutc \ +-no-shutdown \ +-boot strict=3Don \ +-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0= x2"}' \ +-blockdev '{"driver":"nbd","server":{"type":"unix","path":"/var/lib/libvir= t/qemu/domain--1-QEMUGuest1/nbdkit-libvirt-1-storage.socket"},"node-name":"= libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw= ","file":"libvirt-1-storage"}' \ +-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"li= bvirt-1-format","id":"virtio-disk0","bootindex":1}' \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource= control=3Ddeny \ +-msg timestamp=3Don 
diff --git a/tests/qemuxml2argvdata/disk-network-ssh-password.xml b/tests/q= emuxml2argvdata/disk-network-ssh-password.xml new file mode 100644 index 0000000000..266acb761f --- /dev/null +++ b/tests/qemuxml2argvdata/disk-network-ssh-password.xml @@ -0,0 +1,34 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219136 + 219136 + 1 + + hvm + + + + destroy + restart + destroy + + + + + + + + + + + + + + + + + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index a516fdfa7e..c7d48851b8 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1237,6 +1237,7 @@ mymain(void) driver.config->vxhsTLS =3D 0; DO_TEST_CAPS_LATEST("disk-network-ssh"); DO_TEST_CAPS_LATEST_NBDKIT("disk-network-ssh-nbdkit", QEMU_NBDKIT_CAPS= _PLUGIN_SSH); + DO_TEST_CAPS_LATEST_NBDKIT("disk-network-ssh-password", QEMU_NBDKIT_CA= PS_PLUGIN_SSH); DO_TEST_CAPS_LATEST("disk-no-boot"); DO_TEST_CAPS_LATEST("disk-nvme"); DO_TEST_CAPS_VER("disk-vhostuser-numa", "4.2.0"); --=20 2.41.0
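Review bot: in the new qemuNbdkitProcessBuildCommandAuth() hunk, `secret` is declared `g_autofree`, yet its address is passed as `&secret` to qemuNbdkitCommandPassDataByPipe(); whether that callee steals the buffer (so nothing is left for g_autofree to release) or only copies it is not visible in this hunk, so a one-line comment at the call site would help the next reader, and if the buffer can still be owned here on return, it holds the plaintext password and should be wiped before it is freed rather than left intact in released heap memory. The `VIR_ERR_INTERNAL_ERROR` wrapper around the virSecretGetSecretString() failure is carried over verbatim from the curl code being removed, so no new behaviour there.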
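Review bot: in the qemuNbdkitProcessBuildCommandCurl() hunk, the replacement line `if (proc->source->auth && qemuNbdkitProcessBuildCommandAuth(proc->source->auth, cmd) < 0)` runs well past 80 columns; wrapping the call as the SSH hunk does would match the rest of the file. Worth a sentence in the commit message: the removed code emitted `user=` before validating `secrettype`, while the helper now validates and fetches the secret first, so an invalid secret type no longer leaves a partial `user=` argument on the command. That is an improvement, but it is a behaviour change hidden inside what reads as a pure refactor.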
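Review bot: in the qemuNbdkitProcessBuildCommandSSH() hunks, the `auth` branch now sends the password where it previously only set `user`, and `auth` still wins over `ssh_user` when both are present; both facts deserve a line in the commit message. Related: the new `disk-network-ssh.args.disk1` fixture is added for the pre-existing `disk-network-ssh` test case, so that case's expected nbdkit command changes with this patch even though its XML is not touched here; please say so explicitly so the fixture addition is not mistaken for a new test.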
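Review bot: both `.pipe.778` fixtures carry the payload `iscsi-mycluster_myname-secret`, so the ssh test cases are reusing an iSCSI-style secret usage name. Since qemuNbdkitProcessBuildCommandAuth() accepts any value that virSecretUsageTypeFromString() recognises, it would be worth either an explicit check that the ssh path only accepts secret types that make sense for an ssh password, or a test that shows what happens with a mismatched type; a fixture secret named for ssh would also read less confusingly. Please also confirm that `password=-777` in the args fixtures and the `.pipe.778` file suffix are meant to refer to the two ends of the same test pipe, since the numbers differ.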
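Review bot: the `disk-network-ssh-password.x86_64-latest.args` fixture confirms the property this patch is after: the qemu command line carries no credential at all and only reaches the disk through the nbdkit unix socket in `-blockdev`, so the password is confined to the nbdkit side. It would be good to keep that pairing (args fixture plus the matching `.pipe.*` fixture) for every authenticated nbdkit test so a regression that leaks the secret onto either command line is caught.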
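As an added illustration of the fd-passing technique the commit message describes, the following is stand-alone example code, not libvirt's or nbdkit's own: the parent writes the secret into a pipe and puts only the descriptor number on the command line, mirroring the `password=-FD` form visible in the test fixtures (`password=-777`). All helper names, the 4096-byte payload cap and the sample secret are my own assumptions.

```c
/* Added example, not libvirt code: pass a secret to a child over a pipe
 * instead of argv, in the spirit of nbdkit's "password=-FD" argument seen
 * in the patch's fixtures (password=-777). Helper names are invented here. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* memset through a volatile function pointer so the compiler cannot drop
 * the wipe of a buffer that is about to go out of scope. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

static void secure_erase(void *buf, size_t len)
{
    if (buf && len)
        secure_memset(buf, 0, len);
}

/* Parent side: create a pipe, write the secret into it, close the write end
 * and return the read end. pipe() descriptors are inheritable, so the child
 * sees the same fd number after fork()/exec(). Returns -1 on error. */
int pass_secret_by_pipe(const char *secret, size_t len)
{
    int fds[2];
    size_t off = 0;

    /* Stay within the pipe's guaranteed capacity (assumed 4096 here) so the
     * write completes before any reader exists. */
    if (len > 4096) {
        errno = EMSGSIZE;
        return -1;
    }
    if (pipe(fds) < 0)
        return -1;
    while (off < len) {
        ssize_t n = write(fds[1], secret + off, len - off);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0) {
            close(fds[0]);
            close(fds[1]);
            return -1;
        }
        off += (size_t)n;
    }
    close(fds[1]);      /* the reader gets EOF after the last byte */
    return fds[0];
}

/* Parent side: only "-<fd>" lands on the command line, so /proc/<pid>/cmdline
 * never shows the password. */
int format_password_arg(char *out, size_t outlen, int fd)
{
    int n = snprintf(out, outlen, "password=-%d", fd);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Child side: accept only the "password=-FD" form, read that fd to EOF into
 * buf (no terminating NUL), close it, and return the byte count or -1. */
ssize_t read_secret_from_arg(const char *arg, char *buf, size_t buflen)
{
    static const char prefix[] = "password=-";
    const size_t plen = sizeof(prefix) - 1;
    char *end = NULL;
    long fd;
    size_t off = 0;

    if (strncmp(arg, prefix, plen) != 0 || arg[plen] == '\0')
        return -1;
    fd = strtol(arg + plen, &end, 10);
    if (*end != '\0' || fd < 0 || fd > INT_MAX)
        return -1;
    for (;;) {
        ssize_t n;
        if (off == buflen) {            /* secret longer than our buffer */
            close((int)fd);
            return -1;
        }
        n = read((int)fd, buf + off, buflen - off);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;
        if (n == 0)
            break;
        off += (size_t)n;
    }
    close((int)fd);
    return (ssize_t)off;
}

/* Round trip inside one process (a real child would be across exec()):
 * returns 1 if the child side recovers exactly the bytes the parent sent. */
int demo_roundtrip(const char *secret)
{
    char arg[32];
    char buf[256];
    size_t len = strlen(secret);
    ssize_t got;
    int ok;
    int fd = pass_secret_by_pipe(secret, len);

    if (fd < 0 || format_password_arg(arg, sizeof(arg), fd) < 0)
        return 0;
    got = read_secret_from_arg(arg, buf, sizeof(buf));
    ok = got == (ssize_t)len && memcmp(buf, secret, len) == 0;
    secure_erase(buf, sizeof(buf));     /* never leave plaintext behind */
    return ok;
}

int main(void)
{
    /* Constructed sample secret; libvirt would fetch it from the secret driver. */
    printf("round trip %s\n", demo_roundtrip("s3cret-example") ? "ok" : "FAILED");
    return 0;
}
```

The design choice worth noticing is the split of responsibilities: the parent never places the secret in argv or the environment (both readable by other processes with the same uid), the child accepts only the exact `password=-FD` spelling and reads to EOF, and the buffer is wiped once the value has been used. In libvirt the equivalent plumbing is what the patch's `qemuNbdkitCommandPassDataByPipe()` call provides on top of virCommand.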