[PATCH 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation

Posted by Daniel P. Berrangé 3 years, 11 months ago
When using the --list option, qemu-nbd acts as an NBD client rather
than a server. As such when using TLS, it has a need to validate
the server certificate. This adds a --tls-hostname option which can
be used to override the default hostname used for certificate
validation.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/tools/qemu-nbd.rst | 14 ++++++++++++++
 qemu-nbd.c              | 17 ++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/docs/tools/qemu-nbd.rst b/docs/tools/qemu-nbd.rst
index 6031f96893..acce54a39d 100644
--- a/docs/tools/qemu-nbd.rst
+++ b/docs/tools/qemu-nbd.rst
@@ -169,6 +169,20 @@ driver options if ``--image-opts`` is specified.
   option; or provide the credentials needed for connecting as a client
   in list mode.
 
+.. option:: --tls-hostname=hostname
+
+  When validating an x509 certificate received over a TLS connection,
+  the hostname that the NBD client used to connect will be checked
+  against information in the server provided certificate. Sometimes
+  it might be required to override the hostname used to perform this
+  check. For example if the NBD client is using a tunnel from localhost
+  to connect to the remote server. In this case the `--tls-hostname`
+  option should be used to set the officially expected hostname of
+  the remote NBD server. This can also be used if accessing NBD over
+  a UNIX socket where there is no inherant hostname available. This
+  only is only permitted when acting as a NBD client with the `--list`
+  option.
+
 .. option:: --fork
 
   Fork off the server process and exit the parent once the server is running.
diff --git a/qemu-nbd.c b/qemu-nbd.c
index c6c20df68a..be8043fb00 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -69,6 +69,7 @@
 #define QEMU_NBD_OPT_TLSAUTHZ      264
 #define QEMU_NBD_OPT_PID_FILE      265
 #define QEMU_NBD_OPT_SELINUX_LABEL 266
+#define QEMU_NBD_OPT_TLSHOSTNAME   267
 
 #define MBR_SIZE 512
 
@@ -542,6 +543,7 @@ int main(int argc, char **argv)
         { "export-name", required_argument, NULL, 'x' },
         { "description", required_argument, NULL, 'D' },
         { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
+        { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOSTNAME },
         { "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
         { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
         { "trace", required_argument, NULL, 'T' },
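Review bot: The new long option is registered in the getopt table here, but nothing in the patch touches the usage text of qemu-nbd; if usage() enumerates --tls-creds and --tls-authz (it appears to, but it is outside this hunk), --tls-hostname should be listed there as well so `qemu-nbd --help` agrees with the rst documentation, e.g. `"  --tls-hostname=HOSTNAME   override hostname used to check x509 certificate\n"` placed next to the --tls-creds entry. Without it the only way to discover the override is the manual. main() begins, and the option table continues, outside the hunk.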
@@ -568,6 +570,7 @@ int main(int argc, char **argv)
     strList *bitmaps = NULL;
     bool alloc_depth = false;
     const char *tlscredsid = NULL;
+    const char *tlshostname = NULL;
     bool imageOpts = false;
     bool writethrough = false; /* Client will flush as needed. */
     bool fork_process = false;
@@ -747,6 +750,9 @@ int main(int argc, char **argv)
         case QEMU_NBD_OPT_TLSCREDS:
             tlscredsid = optarg;
             break;
+        case QEMU_NBD_OPT_TLSHOSTNAME:
+            tlshostname = optarg;
+            break;
         case QEMU_NBD_OPT_IMAGE_OPTS:
             imageOpts = true;
             break;
@@ -835,6 +841,10 @@ int main(int argc, char **argv)
             error_report("TLS authorization is incompatible with export list");
             exit(EXIT_FAILURE);
         }
+        if (tlshostname && !list) {
+            error_report("TLS hostname is only required with export list");
+            exit(EXIT_FAILURE);
+        }
         tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
         if (local_err) {
             error_reportf_err(local_err, "Failed to get TLS creds: ");
@@ -845,6 +855,10 @@ int main(int argc, char **argv)
             error_report("--tls-authz is not permitted without --tls-creds");
             exit(EXIT_FAILURE);
         }
+        if (tlshostname) {
+            error_report("--tls-hostname is not permitted without --tls-creds");
+            exit(EXIT_FAILURE);
+        }
     }
 
     if (selinux_label) {
@@ -861,7 +875,8 @@ int main(int argc, char **argv)
 
     if (list) {
         saddr = nbd_build_socket_address(sockpath, bindto, port);
-        return qemu_nbd_client_list(saddr, tlscreds, bindto);
+        return qemu_nbd_client_list(saddr, tlscreds,
+                                    tlshostname ? tlshostname : bindto);
     }
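Review bot: The fallback name in `tlshostname ? tlshostname : bindto` is whatever was given with -b, which for a UNIX socket (sockpath set, no -b) looks like it will be NULL, so the certificate check is then handed no expected name at all; what the TLS layer does with a NULL hostname is decided in qemu_nbd_client_list and the crypto code outside this hunk, yet the new documentation presents --tls-hostname for UNIX sockets as something that "can" be used rather than a requirement. It would be safer to fail at option-parsing time than to rely on the lower layer rejecting it, e.g. after the existing TLS checks: `if (list && tlscreds && (!tlshostname || !*tlshostname) && !bindto) { error_report("--tls-hostname is required for TLS certificate validation when no host is given"); exit(EXIT_FAILURE); }`. The `!*tlshostname` part also rejects an empty `--tls-hostname=` value, which is currently forwarded as "" and would only surface as a certificate mismatch. The `if (list)` block is complete, but main() continues past the hunk.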
 
 #if !HAVE_NBD_DEVICE
-- 
2.34.1


Re: [PATCH 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation
Posted by Eric Blake 3 years, 11 months ago
On Thu, Mar 03, 2022 at 04:03:22PM +0000, Daniel P. Berrangé wrote:
> When using the --list option, qemu-nbd acts as an NBD client rather
> than a server. As such when using TLS, it has a need to validate
> the server certificate. This adds a --tls-hostname option which can
> be used to override the default hostname used for certificate
> validation.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  docs/tools/qemu-nbd.rst | 14 ++++++++++++++
>  qemu-nbd.c              | 17 ++++++++++++++++-
>  2 files changed, 30 insertions(+), 1 deletion(-)
> 
> diff --git a/docs/tools/qemu-nbd.rst b/docs/tools/qemu-nbd.rst
> index 6031f96893..acce54a39d 100644
> --- a/docs/tools/qemu-nbd.rst
> +++ b/docs/tools/qemu-nbd.rst
> @@ -169,6 +169,20 @@ driver options if ``--image-opts`` is specified.
>    option; or provide the credentials needed for connecting as a client
>    in list mode.
>  
> +.. option:: --tls-hostname=hostname
> +
> +  When validating an x509 certificate received over a TLS connection,
> +  the hostname that the NBD client used to connect will be checked
> +  against information in the server provided certificate. Sometimes
> +  it might be required to override the hostname used to perform this
> +  check. For example if the NBD client is using a tunnel from localhost
> +  to connect to the remote server. In this case the `--tls-hostname`

For example, if the ... to the remote server, the `--tls-hostname`


> +  option should be used to set the officially expected hostname of
> +  the remote NBD server. This can also be used if accessing NBD over
> +  a UNIX socket where there is no inherant hostname available. This

inherent

> +  only is only permitted when acting as a NBD client with the `--list`

s/only is/is/

> +  option.
> +
>  .. option:: --fork
>  

> @@ -835,6 +841,10 @@ int main(int argc, char **argv)
>              error_report("TLS authorization is incompatible with export list");
>              exit(EXIT_FAILURE);
>          }
> +        if (tlshostname && !list) {
> +            error_report("TLS hostname is only required with export list");

maybe s/required/supported/

> +            exit(EXIT_FAILURE);
> +        }
>          tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
>          if (local_err) {
>              error_reportf_err(local_err, "Failed to get TLS creds: ");
> @@ -845,6 +855,10 @@ int main(int argc, char **argv)
>              error_report("--tls-authz is not permitted without --tls-creds");
>              exit(EXIT_FAILURE);
>          }
> +        if (tlshostname) {
> +            error_report("--tls-hostname is not permitted without --tls-creds");
> +            exit(EXIT_FAILURE);
> +        }
>      }
>  
>      if (selinux_label) {
> @@ -861,7 +875,8 @@ int main(int argc, char **argv)
>  
>      if (list) {
>          saddr = nbd_build_socket_address(sockpath, bindto, port);
> -        return qemu_nbd_client_list(saddr, tlscreds, bindto);
> +        return qemu_nbd_client_list(saddr, tlscreds,
> +                                    tlshostname ? tlshostname : bindto);

With the grammar fixes,

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org