From nobody Fri May 3 17:07:14 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1524754344241392.7070224952671; Thu, 26 Apr 2018 07:52:24 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9FEE9C058EB0; Thu, 26 Apr 2018 14:52:21 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 981D788E14; Thu, 26 Apr 2018 14:52:20 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 081D0180215F; Thu, 26 Apr 2018 14:52:19 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w3QEq0A3007740 for ; Thu, 26 Apr 2018 10:52:00 -0400 Received: by smtp.corp.redhat.com (Postfix) id 5656E202323C; Thu, 26 Apr 2018 14:52:00 +0000 (UTC) Received: from angien.brq.redhat.com (unknown [10.43.2.136]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9356C202323E; Thu, 26 Apr 2018 14:51:59 +0000 (UTC) From: Peter Krempa To: libvir-list@redhat.com Date: Thu, 26 Apr 2018 16:51:46 +0200 Message-Id: <9a617936dd53b9d7bbe18ca004fd3df16a139143.1524754194.git.pkrempa@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: libvir-list@redhat.com Cc: Peter Krempa Subject: [libvirt] [RFC PATCH 1/4] qemu: caps: Add capability for TLS transport in the NBD server X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 26 Apr 2018 14:52:22 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The NBD server in qemu supports TLS transport. Detect this capability. Signed-off-by: Peter Krempa Reviewed-by: Daniel P. Berrang=C3=A9 --- src/qemu/qemu_capabilities.c | 2 ++ src/qemu/qemu_capabilities.h | 1 + tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 + 21 files changed, 22 insertions(+) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 833c75514c..aa8d350f51 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -473,6 +473,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST, /* 290 */ "query-cpus-fast", "disk-write-cache", + "nbd-tls", ); @@ -1247,6 +1248,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsQMPSc= hemaQueries[] =3D { { "blockdev-add/arg-type/+vxhs", QEMU_CAPS_VXHS}, { "blockdev-add/arg-type/+iscsi/password-secret", QEMU_CAPS_ISCSI_PASS= WORD_SECRET }, { "blockdev-add/arg-type/+qcow2/encrypt/+luks/key-secret", QEMU_CAPS_Q= COW2_LUKS }, + { "nbd-server-start/arg-type/tls-creds", QEMU_CAPS_NBD_TLS }, }; typedef struct _virQEMUCapsObjectTypeProps virQEMUCapsObjectTypeProps; diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index c55cada7b8..2afe7ef580 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -457,6 +457,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for = syntax-check */ /* 290 */ QEMU_CAPS_QUERY_CPUS_FAST, /* query-cpus-fast command */ QEMU_CAPS_DISK_WRITE_CACHE, /* qemu block frontends support write-cach= e param */ + QEMU_CAPS_NBD_TLS, /* NBD server supports TLS transport */ QEMU_CAPS_LAST /* this must always be the last item */ } virQEMUCapsFlags; diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml b/tests/qem= ucapabilitiesdata/caps_2.10.0.aarch64.xml index 527b425dee..a7f8ddd661 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml @@ -153,6 +153,7 @@ + 2010000 0 303541 diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml b/tests/qemuc= apabilitiesdata/caps_2.10.0.ppc64.xml index 3ac6be2d88..41d07ffb2b 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml @@ -152,6 +152,7 @@ + 2010000 0 382824 diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml b/tests/qemuc= apabilitiesdata/caps_2.10.0.s390x.xml index b682d36c93..098326ecc9 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml @@ -113,6 +113,7 @@ + 2010000 0 303326 diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml b/tests/qemu= capabilitiesdata/caps_2.10.0.x86_64.xml index 8dd30ccbcf..dd794092a1 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml @@ -196,6 +196,7 @@ + 2010000 0 344938 diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml b/tests/qemuc= apabilitiesdata/caps_2.11.0.s390x.xml index 6dd392502e..64bd554541 100644 --- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml @@ -118,6 +118,7 @@ + 2011000 0 342058 diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml b/tests/qem= ucapabilitiesdata/caps_2.12.0.aarch64.xml index 31c5d0dd23..197060abb5 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml @@ -157,6 +157,7 @@ + 2011090 0 342346 diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml b/tests/qemuc= apabilitiesdata/caps_2.12.0.ppc64.xml index 7dead4a1f4..b0eb0552da 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml @@ -154,6 +154,7 @@ + 2011090 0 419215 diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml b/tests/qemuc= apabilitiesdata/caps_2.12.0.s390x.xml index 70ae8f91c7..80f3ec6ec7 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml @@ -119,6 +119,7 @@ + 2011090 0 0 diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml b/tests/qemu= capabilitiesdata/caps_2.12.0.x86_64.xml index d809a78380..0b18dd00f9 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml @@ -195,6 +195,7 @@ + 2011090 0 390060 diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml b/tests/qemu= capabilitiesdata/caps_2.6.0.aarch64.xml index b1bb3e7bd2..d80036cc6b 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml @@ -140,6 +140,7 @@ + 2006000 0 228241 diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml b/tests/qemuca= pabilitiesdata/caps_2.6.0.ppc64.xml index f3611e1922..60463930e0 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml @@ -135,6 +135,7 @@ + 2006000 0 263005 diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.6.0.x86_64.xml index 0e48180275..3e2399ef20 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml @@ -171,6 +171,7 @@ + 2006000 0 227332 diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml b/tests/qemuca= pabilitiesdata/caps_2.7.0.s390x.xml index 34eed23694..266287344d 100644 --- a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml @@ -103,6 +103,7 @@ + 2007000 0 216732 diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.7.0.x86_64.xml index ee4b25d7fd..711e4c935a 100644 --- a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml @@ -176,6 +176,7 @@ + 2007000 0 239029 diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml b/tests/qemuca= pabilitiesdata/caps_2.8.0.s390x.xml index 21046c0546..3449ca5ff1 100644 --- a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml @@ -105,6 +105,7 @@ + 2007093 0 241633 diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.8.0.x86_64.xml index c4801ac23a..62e104f3a6 100644 --- a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml @@ -178,6 +178,7 @@ + 2008000 0 255684 diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml b/tests/qemuca= pabilitiesdata/caps_2.9.0.ppc64.xml index 73f42a7392..0e679d1ce3 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml @@ -144,6 +144,7 @@ + 2009000 0 346538 diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml b/tests/qemuca= pabilitiesdata/caps_2.9.0.s390x.xml index 30fce6ecf1..2122a5126e 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml @@ -108,6 +108,7 @@ + 2009000 0 265051 diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.9.0.x86_64.xml index e1dc257a75..a359e2e75f 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml @@ -191,6 +191,7 @@ + 2009000 0 320947 --=20 2.16.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri May 3 17:07:14 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1524754355435307.0979086509584; Thu, 26 Apr 2018 07:52:35 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6E9F980F8F; Thu, 26 Apr 2018 14:52:33 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 17FBB2010CFA; Thu, 26 Apr 2018 14:52:33 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 8F3EB180596E; Thu, 26 Apr 2018 14:52:32 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w3QEq1Ot007748 for ; Thu, 26 Apr 2018 10:52:01 -0400 Received: by smtp.corp.redhat.com (Postfix) id 34C092026E03; Thu, 26 Apr 2018 14:52:01 +0000 (UTC) Received: from angien.brq.redhat.com (unknown [10.43.2.136]) by smtp.corp.redhat.com (Postfix) with ESMTP id 918B4202323E; Thu, 26 Apr 2018 14:52:00 +0000 (UTC) From: Peter Krempa To: libvir-list@redhat.com Date: Thu, 26 Apr 2018 16:51:47 +0200 Message-Id: <692d66d4aaa0f64737e431b4c37df61c5950fe1c.1524754194.git.pkrempa@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: libvir-list@redhat.com Cc: Peter Krempa Subject: [libvirt] [RFC PATCH 2/4] qemu: monitor: Add 'tls-creds' parameter to 'nbd-server-start' command X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.25 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 26 Apr 2018 14:52:34 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" To allow encryption of the non-shared storage migration NBD connection we will need to instantiated the NBD server with the TLS env. Signed-off-by: Peter Krempa Reviewed-by: Daniel P. Berrang=C3=A9 --- src/qemu/qemu_migration.c | 2 +- src/qemu/qemu_monitor.c | 7 ++++--- src/qemu/qemu_monitor.h | 3 ++- src/qemu/qemu_monitor_json.c | 4 +++- src/qemu/qemu_monitor_json.h | 3 ++- tests/qemumonitorjsontest.c | 2 +- 6 files changed, 13 insertions(+), 8 deletions(-) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 88b8253fa9..743ae77dbb 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -411,7 +411,7 @@ qemuMigrationDstStartNBDServer(virQEMUDriverPtr driver, else if (virPortAllocatorAcquire(driver->migrationPorts, &port= ) < 0) goto exit_monitor; - if (qemuMonitorNBDServerStart(priv->mon, listenAddr, port) < 0) + if (qemuMonitorNBDServerStart(priv->mon, listenAddr, port, NUL= L) < 0) goto exit_monitor; } diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index f642d9a51a..8c26ee66b3 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -3999,13 +3999,14 @@ qemuMonitorGetGICCapabilities(qemuMonitorPtr mon, int qemuMonitorNBDServerStart(qemuMonitorPtr mon, const char *host, - unsigned int port) + unsigned int port, + const char *tls_alias) { - VIR_DEBUG("host=3D%s port=3D%u", host, port); + VIR_DEBUG("host=3D%s port=3D%u tls_alias=3D%s", host, port, NULLSTR(tl= s_alias)); QEMU_CHECK_MONITOR_JSON(mon); - return qemuMonitorJSONNBDServerStart(mon, host, port); + return qemuMonitorJSONNBDServerStart(mon, host, port, tls_alias); } diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h index d6b68b44ca..a93844f77b 100644 --- a/src/qemu/qemu_monitor.h +++ b/src/qemu/qemu_monitor.h @@ -1052,7 +1052,8 @@ char *qemuMonitorGetTargetArch(qemuMonitorPtr mon); int qemuMonitorNBDServerStart(qemuMonitorPtr mon, const char *host, - unsigned int port); + unsigned int port, + const char *tls_alias); int qemuMonitorNBDServerAdd(qemuMonitorPtr mon, const char *deviceID, bool writable); diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index 24d37eb41d..05ac8d0a3c 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c @@ -6396,7 +6396,8 @@ qemuMonitorJSONBuildUnixSocketAddress(const char *pat= h) int qemuMonitorJSONNBDServerStart(qemuMonitorPtr mon, const char *host, - unsigned int port) + unsigned int port, + const char *tls_alias) { int ret =3D -1; virJSONValuePtr cmd =3D NULL; @@ -6412,6 +6413,7 @@ qemuMonitorJSONNBDServerStart(qemuMonitorPtr mon, if (!(cmd =3D qemuMonitorJSONMakeCommand("nbd-server-start", "a:addr", &addr, + "S:tls-creds", tls_alias, NULL))) goto cleanup; diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h index 665da27d6d..ed5f29b20a 100644 --- a/src/qemu/qemu_monitor_json.h +++ b/src/qemu/qemu_monitor_json.h @@ -449,7 +449,8 @@ char *qemuMonitorJSONGetTargetArch(qemuMonitorPtr mon); int qemuMonitorJSONNBDServerStart(qemuMonitorPtr mon, const char *host, - unsigned int port); + unsigned int port, + const char *tls_alias); int qemuMonitorJSONNBDServerAdd(qemuMonitorPtr mon, const char *deviceID, bool writable); diff --git a/tests/qemumonitorjsontest.c b/tests/qemumonitorjsontest.c index f8d39c35ab..9a83c9a608 100644 --- a/tests/qemumonitorjsontest.c +++ b/tests/qemumonitorjsontest.c @@ -1350,7 +1350,7 @@ GEN_TEST_FUNC(qemuMonitorJSONBlockCommit, "vdb", "/fo= o/bar1", "/foo/bar2", NULL, GEN_TEST_FUNC(qemuMonitorJSONDrivePivot, "vdb") GEN_TEST_FUNC(qemuMonitorJSONScreendump, "/foo/bar") GEN_TEST_FUNC(qemuMonitorJSONOpenGraphics, "spice", "spicefd", false) -GEN_TEST_FUNC(qemuMonitorJSONNBDServerStart, "localhost", 12345) +GEN_TEST_FUNC(qemuMonitorJSONNBDServerStart, "localhost", 12345, "test-ali= as") GEN_TEST_FUNC(qemuMonitorJSONNBDServerAdd, "vda", true) GEN_TEST_FUNC(qemuMonitorJSONDetachCharDev, "serial1") --=20 2.16.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri May 3 17:07:14 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1524754715990691.4674526732188; Thu, 26 Apr 2018 07:58:35 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6C41E3003A48; Thu, 26 Apr 2018 14:58:33 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E0B4E31327A5; Thu, 26 Apr 2018 14:58:32 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id BF6544CA96; Thu, 26 Apr 2018 14:58:31 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w3QEq2fT007753 for ; Thu, 26 Apr 2018 10:52:02 -0400 Received: by smtp.corp.redhat.com (Postfix) id 16996202323E; Thu, 26 Apr 2018 14:52:02 +0000 (UTC) Received: from angien.brq.redhat.com (unknown [10.43.2.136]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7279A202323B; Thu, 26 Apr 2018 14:52:01 +0000 (UTC) From: Peter Krempa To: libvir-list@redhat.com Date: Thu, 26 Apr 2018 16:51:48 +0200 Message-Id: <9e6c7769180482d5ab99eb82f0bec09cd9fad67f.1524754194.git.pkrempa@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: libvir-list@redhat.com Cc: Peter Krempa Subject: [libvirt] [RFC PATCH 3/4] qemu: migration: Use TLS environment for NBD server if requested X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.26 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.42]); Thu, 26 Apr 2018 14:58:34 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Use the TLS env for migration when starting the NBD server if TLS is enabled for migration. Signed-off-by: Peter Krempa Reviewed-by: Daniel P. Berrang=C3=A9 --- src/qemu/qemu_migration.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 743ae77dbb..3b5ba4f0a1 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -369,7 +369,8 @@ qemuMigrationDstStartNBDServer(virQEMUDriverPtr driver, const char *listenAddr, size_t nmigrate_disks, const char **migrate_disks, - int nbdPort) + int nbdPort, + const char *tls_alias) { int ret =3D -1; qemuDomainObjPrivatePtr priv =3D vm->privateData; @@ -411,7 +412,7 @@ qemuMigrationDstStartNBDServer(virQEMUDriverPtr driver, else if (virPortAllocatorAcquire(driver->migrationPorts, &port= ) < 0) goto exit_monitor; - if (qemuMonitorNBDServerStart(priv->mon, listenAddr, port, NUL= L) < 0) + if (qemuMonitorNBDServerStart(priv->mon, listenAddr, port, tls= _alias) < 0) goto exit_monitor; } @@ -2401,9 +2402,21 @@ qemuMigrationDstPrepareAny(virQEMUDriverPtr driver, if (mig->nbd && flags & (VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_INC)= && virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_NBD_SERVER)) { + const char *nbdTLSAlias =3D NULL; + + if (flags & VIR_MIGRATE_TLS) { + if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_NBD_TLS)) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("QEMU NBD server does not support TLS tra= nsport")); + goto stopjob; + } + + nbdTLSAlias =3D tlsAlias; + } + if (qemuMigrationDstStartNBDServer(driver, vm, incoming->address, nmigrate_disks, migrate_disks, - nbdPort) < 0) { + nbdPort, nbdTLSAlias) < 0) { goto stopjob; } cookieFlags |=3D QEMU_MIGRATION_COOKIE_NBD; --=20 2.16.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri May 3 17:07:14 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1524754725776893.5398820865374; Thu, 26 Apr 2018 07:58:45 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A9AC85F742; Thu, 26 Apr 2018 14:58:43 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6FE10314EE62; Thu, 26 Apr 2018 14:58:43 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id EC7B8180596E; Thu, 26 Apr 2018 14:58:42 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w3QEq3kL007760 for ; Thu, 26 Apr 2018 10:52:03 -0400 Received: by smtp.corp.redhat.com (Postfix) id E9296202323D; Thu, 26 Apr 2018 14:52:02 +0000 (UTC) Received: from angien.brq.redhat.com (unknown [10.43.2.136]) by smtp.corp.redhat.com (Postfix) with ESMTP id 520ED202323B; Thu, 26 Apr 2018 14:52:02 +0000 (UTC) From: Peter Krempa To: libvir-list@redhat.com Date: Thu, 26 Apr 2018 16:51:49 +0200 Message-Id: <98830abb94db16c215a2aa9f7da02a422bbcc324.1524754194.git.pkrempa@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: libvir-list@redhat.com Cc: Peter Krempa Subject: [libvirt] [RFC PATCH 4/4] qemu: migration: Forbid 'nbd' migration of non-shared storage if TLS is requested X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.24 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Thu, 26 Apr 2018 14:58:44 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Since libvirt is currently not able to setup the NBD migration stream secured by TLS we should not allow such migration since data would be transferred unencrypted. This will break compatibility of TLS migration if non-shared storage is requested but the security implications are more severe. Signed-off-by: Peter Krempa Reviewed-by: Daniel P. Berrang=C3=A9 --- src/qemu/qemu_migration.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 3b5ba4f0a1..24ef819738 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3352,6 +3352,15 @@ qemuMigrationSrcRun(virQEMUDriverPtr driver, if (migrate_flags & (QEMU_MONITOR_MIGRATE_NON_SHARED_DISK | QEMU_MONITOR_MIGRATE_NON_SHARED_INC)) { if (mig->nbd) { + /* Currently libvirt does not support setting up of the NBD + * non-shared storage migration with TLS. As we need to honour= the + * VIR_MIGRATE_TLS flag, we need to reject such migration. */ + if (flags & VIR_MIGRATE_TLS) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("NBD migration with TLS is not supported"= )); + goto error; + } + /* This will update migrate_flags on success */ if (qemuMigrationSrcDriveMirror(driver, vm, mig, spec->dest.host.name, --=20 2.16.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list