From: Arun Menon via Devel
Reply-To: Arun Menon
To: devel@lists.libvirt.org
CC: Arun Menon
Subject: [RFC v2 3/5] secret: Add secrets.conf configuration file and parse it
Date: Thu, 20 Nov 2025 22:23:44 +0530
Message-ID: <20251120165346.161124-4-armenon@redhat.com>
In-Reply-To: <20251120165346.161124-1-armenon@redhat.com>
References: <20251120165346.161124-1-armenon@redhat.com>

A new configuration file called secrets.conf is introduced to let the user
configure the path to the secrets encryption key. This key will be used to
encrypt/decrypt the secrets in libvirt. By default the path is set to the
runtime directory /run/libvirt/secrets, and it is commented out in the
config file.

After parsing the file, the virtsecretd driver checks if an encryption key
is present in the path and is valid. If no encryption key is present in the
path, then the service will by default use the encryption key stored in the
CREDENTIALS_DIRECTORY.

Add logic to parse the encryption key file and store the key. It also checks
for the encrypt_data attribute in the config file. The encryption and
decryption logic will be added in the subsequent patches.

Signed-off-by: Arun Menon
---
 libvirt.spec.in                        |   3 +
 po/POTFILES                            |   1 +
 src/conf/meson.build                   |   1 +
 src/conf/secret_config.c               | 207 +++++++++++++++++++++++++
 src/conf/secret_config.h               |  48 ++++++
 src/libvirt_private.syms               |   2 +
 src/secret/libvirt_secrets.aug         |  40 +++++
 src/secret/meson.build                 |  18 +++
 src/secret/secrets.conf.in             |  12 ++
 src/secret/test_libvirt_secrets.aug.in |   6 +
 10 files changed, 338 insertions(+)
 create mode 100644 src/conf/secret_config.c
 create mode 100644 src/conf/secret_config.h
 create mode 100644 src/secret/libvirt_secrets.aug
 create mode 100644 src/secret/secrets.conf.in
 create mode 100644 src/secret/test_libvirt_secrets.aug.in

diff --git a/libvirt.spec.in b/libvirt.spec.in
index fa477db031..8462d08c61 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -2249,6 +2249,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/libvirt/virtsecretd.conf %{_datadir}/augeas/lenses/virtsecretd.aug %{_datadir}/augeas/lenses/tests/test_virtsecretd.aug +%{_datadir}/augeas/lenses/libvirt_secrets.aug +%{_datadir}/augeas/lenses/tests/test_libvirt_secrets.aug +%config(noreplace) %{_sysconfdir}/libvirt/secrets.conf %{_unitdir}/virtsecretd.service %{_unitdir}/virt-secret-init-encryption.service %{_unitdir}/virtsecretd.socket diff --git a/po/POTFILES b/po/POTFILES index 23da794f84..1a76e0505a 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -53,6 +53,7 @@ src/conf/nwfilter_conf.c src/conf/nwfilter_params.c src/conf/object_event.c src/conf/secret_conf.c +src/conf/secret_config.c src/conf/snapshot_conf.c src/conf/storage_adapter_conf.c src/conf/storage_conf.c diff --git a/src/conf/meson.build b/src/conf/meson.build index 5116c23fe3..9c51e99107 100644 --- a/src/conf/meson.build +++ b/src/conf/meson.build @@ -68,6 +68,7 @@ interface_conf_sources =3D [ =20 secret_conf_sources =3D [ 'secret_conf.c', + 'secret_config.c', 'virsecretobj.c', ] =20 diff --git a/src/conf/secret_config.c b/src/conf/secret_config.c new file mode 100644 index 0000000000..a1c9b6bc2f --- /dev/null +++ b/src/conf/secret_config.c 
@@ -0,0 +1,207 @@ +/* + * secret_config.c: secrets.conf config file handling + * + * Copyright (C) 2025 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include +#include +#include "configmake.h" +#include "datatypes.h" +#include "virlog.h" +#include "virerror.h" +#include "virfile.h" +#include "virutil.h" +#include "secret_config.h" + + +#define VIR_FROM_THIS VIR_FROM_CONF + +VIR_LOG_INIT("secret.secret_config"); + +static virClass *virSecretDaemonConfigClass; +static void virSecretDaemonConfigDispose(void *obj); + +static int +virSecretConfigOnceInit(void) +{ + if (!VIR_CLASS_NEW(virSecretDaemonConfig, virClassForObject())) + return -1; + + return 0; +} + +VIR_ONCE_GLOBAL_INIT(virSecretConfig); + +int +virSecretDaemonConfigFilePath(bool privileged, char **configfile) +{ + if (privileged) { + *configfile =3D g_strdup(SYSCONFDIR "/libvirt/secrets.conf"); + } else { + g_autofree char *configdir =3D NULL; + + configdir =3D virGetUserConfigDirectory(); + + *configfile =3D g_strdup_printf("%s/secrets.conf", configdir); + } + + return 0; +} + +static int +virSecretLoadDaemonConfig(virSecretDaemonConfig *cfg, + const char *filename) +{ + g_autoptr(virConf) conf =3D NULL; + + if (access(filename, R_OK) =3D=3D 0) { + conf =3D virConfReadFile(filename, 0); + if (!conf) + return -1; + if (virConfGetValueInt(conf, "encrypt_data", &cfg->encrypt_data) <= 0) { 
+ virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to get encrypt_data from %1$s"), + filename); + return -1; + } + + if (virConfGetValueString(conf, "secrets_encryption_key", + &cfg->secretsEncryptionKeyPath) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to get secrets_encryption_key from %1= $s"), + filename); + return -1; + } + } + return 0; +} + +static bool getSecretsEncryptionKey(virSecretDaemonConfig *cfg, + uint8_t **secrets_encryption_key, size= _t *secrets_encryption_keylen) +{ + int fd =3D -1; + struct stat st; + + if ((fd =3D open(cfg->secretsEncryptionKeyPath, O_RDONLY)) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Cannot open secrets key = file '%1$s'"), + cfg->secretsEncryptionKeyPath); + return false; + } + if (fstat(fd, &st) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Cannot stat secrets key = file '%1$s'"), + cfg->secretsEncryptionKeyPath); + VIR_FORCE_CLOSE(fd); + return false; + } + *secrets_encryption_keylen =3D st.st_size; + if (*secrets_encryption_keylen =3D=3D 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Secrets encryption key f= ile %1$s is empty"), + cfg->secretsEncryptionKeyPath); + VIR_FORCE_CLOSE(fd); + return false; + } + *secrets_encryption_key =3D g_new0(uint8_t, *secrets_encryption_keylen= ); + if (saferead(fd, &secrets_encryption_key, *secrets_encryption_keylen) = !=3D *secrets_encryption_keylen) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Cannot read secrets key = file '%1$s'"), + cfg->secretsEncryptionKeyPath); + VIR_FORCE_CLOSE(fd); + return false; + } + VIR_FORCE_CLOSE(fd); + if (*secrets_encryption_keylen !=3D 32) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Secrets encryption key f= ile %1$s must be 32 bytes"), + cfg->secretsEncryptionKeyPath); + return false; + } + return true; +} + +virSecretDaemonConfig * +virSecretDaemonConfigNew(bool privileged) +{ + g_autoptr(virSecretDaemonConfig) cfg =3D NULL; + g_autofree char *configdir =3D NULL; + g_autofree char *configfile =3D NULL; + const 
char *credentials_directory; + + if (virSecretConfigInitialize() < 0) + goto error; + + if (!(cfg =3D virObjectNew(virSecretDaemonConfigClass))) + goto error; + + cfg->secretsEncryptionKeyPath =3D NULL; + + if (privileged) { + configdir =3D g_strdup(SYSCONFDIR "/libvirt"); + } else { + g_autofree char *rundir =3D virGetUserRuntimeDirectory(); + configdir =3D virGetUserConfigDirectory(); + } + configfile =3D g_strconcat(configdir, "/secrets.conf", NULL); + + if (virSecretLoadDaemonConfig(cfg, configfile) < 0) + goto error; + + if (!(credentials_directory =3D getenv("CREDENTIALS_DIRECTORY"))) { + credentials_directory =3D NULL; + } + + if (cfg->secretsEncryptionKeyPath) { + VIR_DEBUG("Secrets encryption key path: %s", cfg->secretsEncryptio= nKeyPath); + } else if (credentials_directory) { + VIR_DEBUG("Using credentials directory from environment: %s", + credentials_directory); + cfg->secretsEncryptionKeyPath =3D g_strdup_printf("%s/secrets-encr= yption-key", + credentials_direct= ory); + } else { + VIR_DEBUG("No secrets encryption key found in credentials dire= ctory"); + cfg->secretsEncryptionKeyPath =3D NULL; + } + if (cfg->secretsEncryptionKeyPath && access(cfg->secretsEncryptionKeyP= ath, R_OK) =3D=3D 0) { + if (!getSecretsEncryptionKey(cfg, &cfg->secrets_encryption_key, &c= fg->secretsKeyLen)) { + VIR_DEBUG("Failed to get secrets encryption key from path: %s", + cfg->secretsEncryptionKeyPath); + goto error; + } + } + + if (cfg->encrypt_data !=3D 1) { + cfg->encrypt_data =3D (cfg->secretsKeyLen =3D=3D 32) ? 
1 : 0; + } else if (cfg->encrypt_data =3D=3D 1) { + if (!cfg->secretsEncryptionKeyPath) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("secretsEncryptionKeyPath must be set if encr= ypt_data is 1 in %1$s"), + configfile); + goto error; + } + } + return g_steal_pointer(&cfg); + error: + virSecretDaemonConfigDispose(cfg); + return NULL; +} + +static void +virSecretDaemonConfigDispose(void *obj) +{ + virSecretDaemonConfig *cfg =3D obj; + + g_free(cfg->secrets_encryption_key); + g_free(cfg->secretsEncryptionKeyPath); +} diff --git a/src/conf/secret_config.h b/src/conf/secret_config.h new file mode 100644 index 0000000000..638b7c49a4 --- /dev/null +++ b/src/conf/secret_config.h 
@@ -0,0 +1,48 @@ +/* + * secret_config.h: secrets.conf config file handling + * + * Copyright (C) 2025 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#pragma once + +#include "internal.h" +#include "virinhibitor.h" +#include "secret_event.h" + +typedef struct _virSecretDaemonConfig virSecretDaemonConfig; +struct _virSecretDaemonConfig { + virObject parent; + /* secrets encryption key path from secrets.conf file */ + char *secretsEncryptionKeyPath; + + unsigned char* secrets_encryption_key; + size_t secretsKeyLen; + + /* Indicates if the newly written secrets are encrypted or not. + * 0 if not encrypted and 1 if encrypted. + */ + int encrypt_data; +}; + +G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSecretDaemonConfig, virObjectUnref); + +int virSecretDaemonConfigFilePath(bool privileged, char **configfile); +virSecretDaemonConfig *virSecretDaemonConfigNew(bool privileged); +int virSecretDaemonConfigLoadFile(virSecretDaemonConfig *data, + const char *filename, + bool allow_missing); diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index fc5fdb00f4..7ecb573851 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1064,6 +1064,8 @@ virSecretDefParse; virSecretUsageTypeFromString; virSecretUsageTypeToString; =20 +# conf/secret_config.h +virSecretDaemonConfigNew; =20 # conf/secret_event.h virSecretEventLifecycleNew; 
diff --git a/src/secret/libvirt_secrets.aug b/src/secret/libvirt_secrets.aug new file mode 100644 index 0000000000..092cdef41f --- /dev/null +++ b/src/secret/libvirt_secrets.aug @@ -0,0 +1,40 @@ +(* /etc/libvirt/secrets.conf *) + +module Libvirt_secrets =3D + autoload xfm + + let eol =3D del /[ \t]*\n/ "\n" + let value_sep =3D del /[ \t]*=3D[ \t]*/ " =3D " + let indent =3D del /[ \t]*/ "" + + let array_sep =3D del /,[ \t\n]*/ ", " + let array_start =3D del /\[[ \t\n]*/ "[ " + let array_end =3D del /\]/ "]" + + let str_val =3D del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\"" + let bool_val =3D store /0|1/ + let int_val =3D store /[0-9]+/ + let str_array_element =3D [ seq "el" . str_val ] . del /[ \t\n]*/ "" + let str_array_val =3D counter "el" . array_start . ( str_array_element = . ( array_sep . str_array_element ) * ) ? . array_end + + let str_entry (kw:string) =3D [ key kw . value_sep . str_val ] + let bool_entry (kw:string) =3D [ key kw . value_sep . bool_val ] + let int_entry (kw:string) =3D [ key kw . value_sep . int_val ] + let str_array_entry (kw:string) =3D [ key kw . value_sep . str_array_va= l ] + + let secrets_entry =3D str_entry "secrets_encryption_key" + | bool_entry "encrypt_data" + + (* Each entry in the config is one of the following three ... *) + let entry =3D secrets_entry + let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] + let empty =3D [ label "#empty" . eol ] + + let record =3D indent . entry . eol + + let lns =3D ( record | comment | empty ) * + + let filter =3D incl "/etc/libvirt/secrets.conf" + . Util.stdexcl + + let xfm =3D transform lns filter diff --git a/src/secret/meson.build b/src/secret/meson.build index d8861fcbcd..e453e71464 100644 --- a/src/secret/meson.build +++ b/src/secret/meson.build 
@@ -27,6 +27,24 @@ if conf.has('WITH_SECRETS') ], } =20 + secrets_conf =3D configure_file( + input: 'secrets.conf.in', + output: 'secrets.conf', + copy: true + ) + virt_conf_files +=3D secrets_conf + + virt_aug_files +=3D files('libvirt_secrets.aug') + + virt_test_aug_files +=3D { + 'name': 'test_libvirt_secrets.aug', + 'aug': files('test_libvirt_secrets.aug.in'), + 'conf': files('secrets.conf.in'), + 'test_name': 'libvirt_secrets', + 'test_srcdir': meson.current_source_dir(), + 'test_builddir': meson.current_build_dir(), + } + virt_daemon_confs +=3D { 'name': 'virtsecretd', } diff --git a/src/secret/secrets.conf.in b/src/secret/secrets.conf.in new file mode 100644 index 0000000000..d998940140 --- /dev/null +++ b/src/secret/secrets.conf.in @@ -0,0 +1,12 @@ +# +# Configuration file for the secrets driver. +# +# The secret encryption key is used to override default encryption +# key path. The user can create an encryption key and set the secret_encry= ption_key +# to the path on which it resides. +# The key must be 32-bytes long. +#secrets_encryption_key =3D "/run/libvirt/secrets/secret-encryption-key" + +# The encrypt_data setting is used to indicate if the encryption is on or = off. +# 0 indicates off and 1 indicates on. By default it is set to on. +#encrypt_data =3D 1 diff --git a/src/secret/test_libvirt_secrets.aug.in b/src/secret/test_libvi= rt_secrets.aug.in new file mode 100644 index 0000000000..1bb205e0f2 --- /dev/null +++ b/src/secret/test_libvirt_secrets.aug.in @@ -0,0 +1,6 @@ +module Test_libvirt_secrets =3D + @CONFIG@ + + test Libvirt_secrets.lns get conf =3D +{ "secrets_encryption_key" =3D "/run/libvirt/secrets/secret-encryption-key= " } +{ "encrypt_data" =3D "1" } --=20 2.51.1
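Review bot: In virSecretLoadDaemonConfig (src/conf/secret_config.c) the `<= 0` test on `virConfGetValueInt(conf, "encrypt_data", ...)` turns a missing key into a hard failure, and the shipped secrets.conf.in has `#encrypt_data = 1` commented out, so a default install with the %config file present fails to load the config at all. virConfGetValueInt returns 0 when the key is absent and -1 only on error, so test `< 0`, as the `secrets_encryption_key` lookup just below already does. The `access(filename, R_OK) == 0` guard also silently skips a config file that exists but is unreadable by the daemon; that should be reported rather than ignored, since the admin's encrypt_data/key settings would be dropped without any message.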
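Review bot: getSecretsEncryptionKey (src/conf/secret_config.c) reads the key into the wrong buffer: `saferead(fd, &secrets_encryption_key, *secrets_encryption_keylen)` passes the address of the local `uint8_t **` parameter, so the key bytes are written over an 8-byte pointer slot on the stack (overflowing it for any 32-byte key) while the g_new0 buffer handed back to the caller stays all zeros. It must read into `*secrets_encryption_key`. The `!= 32` length check also comes after the allocation and the read, so a misconfigured path pointing at a large file is allocated and read in full before being rejected; check `st.st_size == 32` (and `S_ISREG(st.st_mode)`, since st_size is meaningless for pipes and character devices) before calling g_new0. And because this buffer holds a key, virSecretDaemonConfigDispose should wipe it before g_free (libvirt has virSecureErase for exactly this) rather than leaving the key bytes in freed heap memory.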
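Review bot: In virSecretDaemonConfigNew (src/conf/secret_config.c) the `error:` label calls virSecretDaemonConfigDispose(cfg) directly on a `g_autoptr(virSecretDaemonConfig)`, so on any failure the dispose callback runs once explicitly and again when the autoptr unrefs the object, freeing secretsEncryptionKeyPath and secrets_encryption_key twice; when virObjectNew itself fails, cfg is NULL and the explicit dispose dereferences it. A plain `return NULL` is all that label needs. The encrypt_data handling is also wrong for an explicit `encrypt_data = 0`: virObjectNew zero-fills the struct, so a configured 0 is indistinguishable from "unset", and the `if (cfg->encrypt_data != 1)` branch then overrides the admin's 0 with 1 whenever a 32-byte key is found (the `else if (cfg->encrypt_data == 1)` is the same condition written twice). Initialise encrypt_data to a sentinel such as -1 before parsing, and when it is 1 require `cfg->secretsKeyLen == 32` rather than just a non-NULL path, because a configured path that fails the `access()` check currently leaves encryption enabled with no key loaded; dropping that access() pre-check in favour of handling the open() error in getSecretsEncryptionKey also removes a check-then-use window. Smaller points: `rundir` is assigned and never used in the unprivileged branch, the path is rebuilt by hand instead of calling the virSecretDaemonConfigFilePath defined above, the "No secrets encryption key found in credentials directory" message is logged when there is no credentials directory at all, and the file name `secrets-encryption-key` here does not match the `secret-encryption-key` default in secrets.conf.in.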
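Review bot: src/conf/secret_config.h declares virSecretDaemonConfigLoadFile, which nothing in this patch defines, and includes virinhibitor.h and secret_event.h, which nothing in the struct or the prototypes needs. The key field is `unsigned char* secrets_encryption_key` here but handled as `uint8_t **` in the .c file; pick one type, and libvirt style puts the space before the star (`unsigned char *`). The comment "0 if not encrypted and 1 if encrypted" also does not describe the tri-state the code actually implements (unset, 0, 1); either document the unset case or make the field a bool with a separate "configured" flag.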
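Review bot: src/libvirt_private.syms exports only virSecretDaemonConfigNew, but the header also exposes virSecretDaemonConfigFilePath; either add it here or make it static in secret_config.c if the daemon is not meant to call it.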
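Review bot: src/secret/libvirt_secrets.aug carries the str_array_val/int_entry/str_array_entry machinery copied from the other libvirt lenses although only one str_entry and one bool_entry are used, and the comment "Each entry in the config is one of the following three" describes two entries. Trim the unused definitions or fix the comment so the lens matches the two keys it actually parses.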
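Review bot: src/secret/secrets.conf.in has two naming mismatches against the code: the comment says "set the secret_encryption_key" while the key is `secrets_encryption_key`, and the commented default path ends in `secret-encryption-key` while virSecretDaemonConfigNew looks for `secrets-encryption-key` under CREDENTIALS_DIRECTORY. "By default it is set to on" is also not what the code does: when encrypt_data is unset, encryption is on only if a 32-byte key was found, otherwise off. Since the default path is under /run, which is volatile, the comment should say that the key there is provisioned at boot (the spec file lists a virt-secret-init-encryption.service unit) and that a user-created key needs a persistent location, otherwise an admin who hand-creates a key at the suggested path loses it on reboot.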