This allows a Certificate Authority bundle to be passed to the curl
driver, allowing authentication against servers that check
certificates. For example this allows you to access a disk on an
oVirt node:
qemu-img create -f qcow2 \
-b 'json:{ "file.driver": "https",
"file.url": "https://ovirt-node:54322/images/<disk-id>",
"file.header": ["Authorization: <ticket>"] }' \
"file.cainfo": "/tmp/ca.pem" }' \
test.qcow2
(<disk-id> and <ticket> have to be determined using some extra code.
See
https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_ova_as_vm.py
for some guidance).
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
---
block/curl.c | 14 ++++++++++++++
qapi/block-core.json | 3 +++
2 files changed, 17 insertions(+)
diff --git a/block/curl.c b/block/curl.c
index 972673ba5c..2dc9035ff8 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -84,6 +84,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
#define CURL_BLOCK_OPT_COOKIE "cookie"
#define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret"
#define CURL_BLOCK_OPT_HEADER_PATTERN "header."
+#define CURL_BLOCK_OPT_CAINFO "cainfo"
#define CURL_BLOCK_OPT_USERNAME "username"
#define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"
#define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"
@@ -136,6 +137,7 @@ typedef struct BDRVCURLState {
uint64_t timeout;
char *cookie;
struct curl_slist *headers;
+ char *cainfo;
bool accept_range;
AioContext *aio_context;
QemuMutex mutex;
@@ -491,6 +493,9 @@ static int curl_init_state(BDRVCURLState *s, CURLState *state)
if (s->headers) {
curl_easy_setopt(state->curl, CURLOPT_HTTPHEADER, s->headers);
}
+ if (s->cainfo) {
+ curl_easy_setopt(state->curl, CURLOPT_CAINFO, s->cainfo);
+ }
curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout);
curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
(void *)curl_read_cb);
@@ -648,6 +653,11 @@ static QemuOptsList runtime_opts = {
.help = "ID of secret used as cookie passed with each request"
},
{
+ .name = CURL_BLOCK_OPT_CAINFO,
+ .type = QEMU_OPT_STRING,
+ .help = "Pass the Certificate Authority bundle"
+ },
+ {
.name = CURL_BLOCK_OPT_USERNAME,
.type = QEMU_OPT_STRING,
.help = "Username for HTTP auth"
@@ -757,6 +767,8 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
qdict_del(options, key);
}
+ s->cainfo = qemu_opt_get(opts, CURL_BLOCK_OPT_CAINFO);
+
file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
if (file == NULL) {
error_setg(errp, "curl block driver requires an 'url' option");
@@ -864,6 +876,7 @@ out:
state->curl = NULL;
out_noclean:
qemu_mutex_destroy(&s->mutex);
+ g_free(s->cainfo);
curl_slist_free_all(s->headers);
g_free(s->cookie);
g_free(s->url);
@@ -963,6 +976,7 @@ static void curl_close(BlockDriverState *bs)
curl_detach_aio_context(bs);
qemu_mutex_destroy(&s->mutex);
+ g_free(s->cainfo);
curl_slist_free_all(s->headers);
g_free(s->cookie);
g_free(s->url);
diff --git a/qapi/block-core.json b/qapi/block-core.json
index ca1ebdbef1..bf3066af08 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3073,6 +3073,8 @@
# @cookie-secret: ID of a QCryptoSecret object providing the cookie data in a
# secure way. See @cookie for the format. (since 2.10)
#
+# @cainfo: Certificate Authority bundle.
+#
# @header: List of HTTP request headers, see CURLOPT_HTTPHEADER(3).
#
# Since: 2.9
@@ -3082,6 +3084,7 @@
'data': { '*cookie': 'str',
'*sslverify': 'bool',
'*cookie-secret': 'str',
+ '*cainfo': 'str',
'*header': [ 'str' ] } }
##
--
2.13.2
On Thu, Mar 1, 2018 at 4:02 PM Richard W.M. Jones <rjones@redhat.com> wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates. For example this allows you to access a disk on an
> oVirt node:
>
> qemu-img create -f qcow2 \
> -b 'json:{ "file.driver": "https",
> "file.url": "https://ovirt-node:54322/images/<disk-id>",
>
<disk-id> is actually <ticket-id>, a random id assigned for
every transfer operation.
> "file.header": ["Authorization: <ticket>"] }' \
> "file.cainfo": "/tmp/ca.pem" }' \
> test.qcow2
>
> (<disk-id> and <ticket> have to be determined using some extra code.
> See
>
> https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_ova_as_vm.py
> for some guidance).
>
> Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
> ---
> block/curl.c | 14 ++++++++++++++
> qapi/block-core.json | 3 +++
> 2 files changed, 17 insertions(+)
>
> diff --git a/block/curl.c b/block/curl.c
> index 972673ba5c..2dc9035ff8 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -84,6 +84,7 @@ static CURLMcode __curl_multi_socket_action(CURLM
> *multi_handle,
> #define CURL_BLOCK_OPT_COOKIE "cookie"
> #define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret"
> #define CURL_BLOCK_OPT_HEADER_PATTERN "header."
> +#define CURL_BLOCK_OPT_CAINFO "cainfo"
> #define CURL_BLOCK_OPT_USERNAME "username"
> #define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"
> #define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"
> @@ -136,6 +137,7 @@ typedef struct BDRVCURLState {
> uint64_t timeout;
> char *cookie;
> struct curl_slist *headers;
> + char *cainfo;
> bool accept_range;
> AioContext *aio_context;
> QemuMutex mutex;
> @@ -491,6 +493,9 @@ static int curl_init_state(BDRVCURLState *s, CURLState
> *state)
> if (s->headers) {
> curl_easy_setopt(state->curl, CURLOPT_HTTPHEADER, s->headers);
> }
> + if (s->cainfo) {
> + curl_easy_setopt(state->curl, CURLOPT_CAINFO, s->cainfo);
> + }
> curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout);
> curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
> (void *)curl_read_cb);
> @@ -648,6 +653,11 @@ static QemuOptsList runtime_opts = {
> .help = "ID of secret used as cookie passed with each request"
> },
> {
> + .name = CURL_BLOCK_OPT_CAINFO,
> + .type = QEMU_OPT_STRING,
> + .help = "Pass the Certificate Authority bundle"
> + },
> + {
> .name = CURL_BLOCK_OPT_USERNAME,
> .type = QEMU_OPT_STRING,
> .help = "Username for HTTP auth"
> @@ -757,6 +767,8 @@ static int curl_open(BlockDriverState *bs, QDict
> *options, int flags,
> qdict_del(options, key);
> }
>
> + s->cainfo = qemu_opt_get(opts, CURL_BLOCK_OPT_CAINFO);
> +
> file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
> if (file == NULL) {
> error_setg(errp, "curl block driver requires an 'url' option");
> @@ -864,6 +876,7 @@ out:
> state->curl = NULL;
> out_noclean:
> qemu_mutex_destroy(&s->mutex);
> + g_free(s->cainfo);
> curl_slist_free_all(s->headers);
> g_free(s->cookie);
> g_free(s->url);
> @@ -963,6 +976,7 @@ static void curl_close(BlockDriverState *bs)
> curl_detach_aio_context(bs);
> qemu_mutex_destroy(&s->mutex);
>
> + g_free(s->cainfo);
> curl_slist_free_all(s->headers);
> g_free(s->cookie);
> g_free(s->url);
> diff --git a/qapi/block-core.json b/qapi/block-core.json
> index ca1ebdbef1..bf3066af08 100644
> --- a/qapi/block-core.json
> +++ b/qapi/block-core.json
> @@ -3073,6 +3073,8 @@
> # @cookie-secret: ID of a QCryptoSecret object providing the cookie data
> in a
> # secure way. See @cookie for the format. (since 2.10)
> #
> +# @cainfo: Certificate Authority bundle.
> +#
> # @header: List of HTTP request headers, see CURLOPT_HTTPHEADER(3).
> #
> # Since: 2.9
> @@ -3082,6 +3084,7 @@
> 'data': { '*cookie': 'str',
> '*sslverify': 'bool',
> '*cookie-secret': 'str',
> + '*cainfo': 'str',
> '*header': [ 'str' ] } }
>
> ##
> --
> 2.13.2
>
>
>
On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates. For example this allows you to access a disk on an
> oVirt node:
>
> qemu-img create -f qcow2 \
> -b 'json:{ "file.driver": "https",
> "file.url": "https://ovirt-node:54322/images/<disk-id>",
> "file.header": ["Authorization: <ticket>"] }' \
> "file.cainfo": "/tmp/ca.pem" }' \
> test.qcow2
I think we ought to be using the TLS creds object to provide this data
qemu-img create \
--object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
-b 'json:{ "file.driver": "https",
"file.url": "https://ovirt-node:54322/images/<disk-id>",
"file.header": ["Authorization: <ticket>"] }' \
"file.tls-creds": "tls0" }' \
test.qcow2
The /path/to/certs dir would contain ca-cert.pem, and optionally also a
client-key.pem & client-cert.pem, which would let curl provide client
certs to servers that mandate that. The 'verify-peer' option lets you
control whether to ignore or enforce CA validation errors too.
Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On Thu, Mar 01, 2018 at 03:34:38PM +0000, Daniel P. Berrangé wrote:
> On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> > This allows a Certificate Authority bundle to be passed to the curl
> > driver, allowing authentication against servers that check
> > certificates. For example this allows you to access a disk on an
> > oVirt node:
> >
> > qemu-img create -f qcow2 \
> > -b 'json:{ "file.driver": "https",
> > "file.url": "https://ovirt-node:54322/images/<disk-id>",
> > "file.header": ["Authorization: <ticket>"] }' \
> > "file.cainfo": "/tmp/ca.pem" }' \
> > test.qcow2
>
> I think we ought to be using the TLS creds object to provide this data
>
> qemu-img create \
> --object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
> -b 'json:{ "file.driver": "https",
> "file.url": "https://ovirt-node:54322/images/<disk-id>",
> "file.header": ["Authorization: <ticket>"] }' \
> "file.tls-creds": "tls0" }' \
> test.qcow2
>
> The /path/to/certs dir would contain ca-cert.pem, and optionally also a
> client-key.pem & client-cert.pem, which would let curl provide client
> certs to servers that mandate that. The 'verify-peer' option lets you
> control whether to ignore or enforce CA validation errors too.
>
> Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.
Thanks, I'll have a look into this for the second revision. It seems
like a better way to do it.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
© 2016 - 2025 Red Hat, Inc.