From nobody Mon Feb 9 19:37:50 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1693518138; cv=none; d=zohomail.com; s=zohoarc; b=bWtTAobkh00U0Nj84zgXx02IOqppPlgTQNCCyy8dfGwrrRLo7/zHljY3O7F8/I5+AnNUL0LOeNSdo0coX7m5ENx/3iYnSvTV4cc6DQ5/BcwZeyoDLSpxKBXuSWjmSsmkNy0053MzuhR6q5q4VkNtFV3IZ3lxkVz4hzSanMlOzKg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1693518138; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=WMsg9gggcEbsm4Iysi3paP7Ls5l2CtX9Lg+2Io5Dazk=; b=bl7yyWDc+YR1HpaQVNJNjjdqxdssf+wiamOslZ6Hcg8eD3GoufYVYB/xSaISdzj5HjaPl8jjQyo7bZie7SqbsScDDjGQw4J3RFF53s81uWpqYqA7EU5El8CVN8QnzyCBmaU9Luki95Hwrl2RNznO4I1HsUzH5eYCFtS1w2W+iZo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1693518138985308.3561757895551; Thu, 31 Aug 2023 14:42:18 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-590-44G8Cs3xNtCOr4MJ6TwasA-1; Thu, 31 Aug 2023 17:40:56 -0400 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 61B50823DE5; Thu, 31 Aug 2023 21:40:49 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 48382413705; Thu, 31 Aug 2023 21:40:49 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 2D3A2194F4AF; Thu, 31 Aug 2023 21:40:32 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 3EBFB1946A4D for ; Thu, 31 Aug 2023 21:40:26 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 34F2C492C18; Thu, 31 Aug 2023 21:40:26 +0000 (UTC) Received: from himantopus.redhat.com (unknown [10.22.17.68]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0A015492C13; Thu, 31 Aug 2023 21:40:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1693518137; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=WMsg9gggcEbsm4Iysi3paP7Ls5l2CtX9Lg+2Io5Dazk=; b=e+a1biM40M9BJuT4qAU10zSrqBxtkroQky07a7WtxYxJB2SjT8ZJ1Fw21pMvD7410imutO 6zhQlesRpz87JOwzWGBSCK7iRkooYKlf+E7gZcX0PFQLmiuXM49BjxcZ05ebq6/mJItj6n 0EExSsSCJT15kahLeOzd0hYSNrDfuxU= X-MC-Unique: 44G8Cs3xNtCOr4MJ6TwasA-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Jonathon Jongsma To: libvir-list@redhat.com Subject: [libvirt PATCH v8 29/37] qemu: implement password auth for ssh disks with nbdkit Date: Thu, 31 Aug 2023 16:40:09 -0500 Message-ID: <20230831214017.1536388-30-jjongsma@redhat.com> In-Reply-To: <20230831214017.1536388-1-jjongsma@redhat.com> References: <20230831214017.1536388-1-jjongsma@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Krempa Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1693518140725100002 Content-Type: text/plain; charset="utf-8"; x-default="true" For ssh disks that are served by nbdkit, lookup the password from the configured secret and securely pass it to the nbdkit process using fd passing. Signed-off-by: Jonathon Jongsma Reviewed-by: Peter Krempa --- src/qemu/qemu_nbdkit.c | 84 ++++++++++--------- .../disk-network-ssh-password.args.disk0 | 8 ++ ...k-network-ssh-password.args.disk0.pipe.778 | 1 + .../disk-network-ssh.args.disk1 | 8 ++ .../disk-network-ssh.args.disk1.pipe.778 | 1 + tests/qemunbdkittest.c | 1 + ...sk-network-ssh-password.x86_64-latest.args | 35 ++++++++ .../disk-network-ssh-password.xml | 34 ++++++++ tests/qemuxml2argvtest.c | 1 + 9 files changed, 134 insertions(+), 39 deletions(-) create mode 100644 tests/qemunbdkitdata/disk-network-ssh-password.args.dis= k0 create mode 100644 tests/qemunbdkitdata/disk-network-ssh-password.args.dis= k0.pipe.778 create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk1 create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.7= 78 create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-password.x86_64= -latest.args create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-password.xml diff --git a/src/qemu/qemu_nbdkit.c b/src/qemu/qemu_nbdkit.c index db86a18321..4cd91e282b 100644 --- a/src/qemu/qemu_nbdkit.c +++ b/src/qemu/qemu_nbdkit.c @@ -950,6 +950,43 @@ qemuNbdkitCommandPassDataByPipe(virCommand *cmd, } =20 =20 +static int +qemuNbdkitProcessBuildCommandAuth(virStorageAuthDef *authdef, + virCommand *cmd) +{ + g_autoptr(virConnect) conn =3D NULL; + g_autofree uint8_t *secret =3D NULL; + size_t secretlen =3D 0; + int secrettype; + + if (!authdef) + return 0; + + if ((secrettype =3D virSecretUsageTypeFromString(authdef->secrettype))= < 0) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("invalid secret type %1$s"), + authdef->secrettype); + return -1; + } + + conn =3D virGetConnectSecret(); + if (virSecretGetSecretString(conn, + &authdef->seclookupdef, + secrettype, + &secret, + &secretlen) < 0) + return -1; + + virCommandAddArgPair(cmd, "user", authdef->username); + + if (qemuNbdkitCommandPassDataByPipe(cmd, "password", + &secret, secretlen) < 0) + return -1; + + return 0; +} + + static int qemuNbdkitProcessBuildCommandCurl(qemuNbdkitProcess *proc, virCommand *cmd) @@ -968,37 +1005,8 @@ qemuNbdkitProcessBuildCommandCurl(qemuNbdkitProcess *= proc, } virCommandAddArgPair(cmd, "url", uristring); =20 - if (proc->source->auth) { - g_autoptr(virConnect) conn =3D virGetConnectSecret(); - g_autofree uint8_t *secret =3D NULL; - size_t secretlen =3D 0; - int secrettype; - virStorageAuthDef *authdef =3D proc->source->auth; - - virCommandAddArgPair(cmd, "user", - proc->source->auth->username); - - if ((secrettype =3D virSecretUsageTypeFromString(proc->source->aut= h->secrettype)) < 0) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - _("invalid secret type %1$s"), - proc->source->auth->secrettype); - return -1; - } - - if (virSecretGetSecretString(conn, - &authdef->seclookupdef, - secrettype, - &secret, - &secretlen) < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("failed to get auth secret for storage")); - return -1; - } - - if (qemuNbdkitCommandPassDataByPipe(cmd, "password", - &secret, secretlen) < 0) - return -1; - } + if (proc->source->auth && qemuNbdkitProcessBuildCommandAuth(proc->sour= ce->auth, cmd) < 0) + return -1; =20 /* Create a pipe to send the cookies to the nbdkit process. */ if (proc->source->ncookies) { @@ -1027,7 +1035,6 @@ static int qemuNbdkitProcessBuildCommandSSH(qemuNbdkitProcess *proc, virCommand *cmd) { - const char *user =3D NULL; virStorageNetHostDef *host =3D &proc->source->hosts[0]; g_autofree char *portstr =3D g_strdup_printf("%u", host->port); =20 @@ -1038,13 +1045,12 @@ qemuNbdkitProcessBuildCommandSSH(qemuNbdkitProcess = *proc, virCommandAddArgPair(cmd, "port", portstr); virCommandAddArgPair(cmd, "path", proc->source->path); =20 - if (proc->source->auth) - user =3D proc->source->auth->username; - else if (proc->source->ssh_user) - user =3D proc->source->ssh_user; - - if (user) - virCommandAddArgPair(cmd, "user", user); + if (proc->source->auth) { + if (qemuNbdkitProcessBuildCommandAuth(proc->source->auth, cmd) < 0) + return -1; + } else if (proc->source->ssh_user) { + virCommandAddArgPair(cmd, "user", proc->source->ssh_user); + } =20 if (proc->source->ssh_host_key_check_disabled) virCommandAddArgPair(cmd, "verify-remote-host", "false"); diff --git a/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0 b/te= sts/qemunbdkitdata/disk-network-ssh-password.args.disk0 new file mode 100644 index 0000000000..30711f7f07 --- /dev/null +++ b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0 @@ -0,0 +1,8 @@ +nbdkit \ +--unix /tmp/statedir-0/nbdkit-test-disk-0.socket \ +--foreground ssh \ +host=3Dexample.org \ +port=3D2222 \ +path=3Dtest2.img \ +user=3Dtestuser \ +password=3D-777 diff --git a/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe= .778 b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe.778 new file mode 100644 index 0000000000..ccdd4033fc --- /dev/null +++ b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe.778 @@ -0,0 +1 @@ +iscsi-mycluster_myname-secret \ No newline at end of file diff --git a/tests/qemunbdkitdata/disk-network-ssh.args.disk1 b/tests/qemun= bdkitdata/disk-network-ssh.args.disk1 new file mode 100644 index 0000000000..9a8a16c8d5 --- /dev/null +++ b/tests/qemunbdkitdata/disk-network-ssh.args.disk1 @@ -0,0 +1,8 @@ +nbdkit \ +--unix /tmp/statedir-1/nbdkit-test-disk-1.socket \ +--foreground ssh \ +host=3Dexample.org \ +port=3D2222 \ +path=3Dtest2.img \ +user=3Dtestuser \ +password=3D-777 diff --git a/tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778 b/te= sts/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778 new file mode 100644 index 0000000000..ccdd4033fc --- /dev/null +++ b/tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778 @@ -0,0 +1 @@ +iscsi-mycluster_myname-secret \ No newline at end of file diff --git a/tests/qemunbdkittest.c b/tests/qemunbdkittest.c index 2a74f27a5a..a51b287f34 100644 --- a/tests/qemunbdkittest.c +++ b/tests/qemunbdkittest.c @@ -298,6 +298,7 @@ mymain(void) DO_TEST("disk-network-source-curl-nbdkit-backing", QEMU_NBDKIT_CAPS_PL= UGIN_CURL); DO_TEST("disk-network-source-curl", QEMU_NBDKIT_CAPS_PLUGIN_CURL); DO_TEST("disk-network-ssh", QEMU_NBDKIT_CAPS_PLUGIN_SSH); + DO_TEST("disk-network-ssh-password", QEMU_NBDKIT_CAPS_PLUGIN_SSH); =20 cleanup: qemuTestDriverFree(&driver); diff --git a/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest= .args b/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest.args new file mode 100644 index 0000000000..fd24e51570 --- /dev/null +++ b/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest.args @@ -0,0 +1,35 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1 \ +USER=3Dtest \ +LOGNAME=3Dtest \ +XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.local/share \ +XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.cache \ +XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=3DQEMUGuest1,debug-threads=3Don \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va= r/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ +-machine pc,usb=3Doff,dump-guest-core=3Doff,memory-backend=3Dpc.ram,acpi= =3Doff \ +-accel kvm \ +-cpu qemu64 \ +-m size=3D219136k \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}'= \ +-overcommit mem-lock=3Doff \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \ +-rtc base=3Dutc \ +-no-shutdown \ +-boot strict=3Don \ +-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0= x2"}' \ +-blockdev '{"driver":"nbd","server":{"type":"unix","path":"/var/lib/libvir= t/qemu/domain--1-QEMUGuest1/nbdkit-libvirt-1-storage.socket"},"node-name":"= libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw= ","file":"libvirt-1-storage"}' \ +-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"li= bvirt-1-format","id":"virtio-disk0","bootindex":1}' \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource= control=3Ddeny \ +-msg timestamp=3Don diff --git a/tests/qemuxml2argvdata/disk-network-ssh-password.xml b/tests/q= emuxml2argvdata/disk-network-ssh-password.xml new file mode 100644 index 0000000000..266acb761f --- /dev/null +++ b/tests/qemuxml2argvdata/disk-network-ssh-password.xml @@ -0,0 +1,34 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219136 + 219136 + 1 + + hvm + + + + destroy + restart + destroy + + + + + + + + + + + + + + + + + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 216fd3a841..4541172672 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1276,6 +1276,7 @@ mymain(void) driver.config->vxhsTLS =3D 0; DO_TEST_CAPS_LATEST("disk-network-ssh"); DO_TEST_CAPS_LATEST_NBDKIT("disk-network-ssh-nbdkit", QEMU_NBDKIT_CAPS= _PLUGIN_SSH); + DO_TEST_CAPS_LATEST_NBDKIT("disk-network-ssh-password", QEMU_NBDKIT_CA= PS_PLUGIN_SSH); DO_TEST_CAPS_LATEST("disk-no-boot"); DO_TEST_CAPS_LATEST("disk-nvme"); DO_TEST_CAPS_VER("disk-vhostuser-numa", "4.2.0"); --=20 2.41.0