[libvirt] [PATCH v2 1/6] conf: Add new default TLS X.509 certificate default directory
Daniel P. Berrange
berrange at redhat.com
Thu Jun 16 13:14:46 UTC 2016
On Thu, Jun 16, 2016 at 06:42:22AM -0400, John Ferlan wrote:
> Rather than specifying perhaps multiple TLS X.509 certificate directories,
> let's create a "default" directory which can then be used if the service
> (e.g. for now vnc and spice) does not supply a default directory.
>
> Since the default for vnc and spice may have existed before without being
> supplied, the default check will first check if the service specific path
> exists and if so, set the cfg entry to that; otherwise, the default will
> be set to the (now) new defaultTLSx509certdir.
>
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
> src/qemu/libvirtd_qemu.aug | 5 ++++-
> src/qemu/qemu.conf | 36 ++++++++++++++++-----------------
> src/qemu/qemu_conf.c | 41 ++++++++++++++++++++++++++++++++------
> src/qemu/qemu_conf.h | 2 ++
> src/qemu/test_libvirtd_qemu.aug.in | 1 +
> 5 files changed, 60 insertions(+), 25 deletions(-)
>
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 8bc23ba..39b3a34 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -24,6 +24,8 @@ module Libvirtd_qemu =
>
>
> (* Config entry grouped by function - same order as example config *)
> + let default_tls_entry = str_entry "default_tls_x509_cert_dir"
> +
> let vnc_entry = str_entry "vnc_listen"
> | bool_entry "vnc_auto_unix_socket"
> | bool_entry "vnc_tls"
> @@ -93,7 +95,8 @@ module Libvirtd_qemu =
> let nvram_entry = str_array_entry "nvram"
>
> (* Each entry in the config is one of the following ... *)
> - let entry = vnc_entry
> + let entry = default_tls_entry
> + | vnc_entry
> | spice_entry
> | nogfx_entry
> | remote_display_entry
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 7964273..72acdfb 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -2,6 +2,16 @@
> # All settings described here are optional - if omitted, sensible
> # defaults are used.
>
> +# Use of TLS requires that x509 certificates be issued. The default is
> +# to keep them in /etc/pki/libvirt-default. This directory must contain
> +#
> +# ca-cert.pem - the CA master certificate
> +# server-cert.pem - the server certificate signed with ca-cert.pem
> +# server-key.pem - the server private key
> +#
Nit-pick, latest QEMU now also looks for an (optional) dh-params.pem file
> +#default_tls_x509_cert_dir = "/etc/pki/libvirt-default"
I wonder if it would be better to say "/etc/pki/qemu" as our default
location since this isn't really stuff used by libvirt.
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 6dfa738..118ca63 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -236,19 +236,44 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
> if (virAsprintf(&cfg->autostartDir, "%s/qemu/autostart", cfg->configBaseDir) < 0)
> goto error;
>
> -
> - if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
> + /* Set the default directory to find TLS X.509 certificates.
> + * This will then be used as a fallback if the service specific
> + * directory doesn't exist (although we don't check if this exists).
> + */
> + if (VIR_STRDUP(cfg->defaultTLSx509certdir,
> + SYSCONFDIR "/pki/libvirt-default") < 0)
s/libvirt-default/qemu/
> goto error;
>
> - if (VIR_STRDUP(cfg->vncTLSx509certdir, SYSCONFDIR "/pki/libvirt-vnc") < 0)
> + if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
> goto error;
>
> if (VIR_STRDUP(cfg->spiceListen, "127.0.0.1") < 0)
> goto error;
>
> - if (VIR_STRDUP(cfg->spiceTLSx509certdir,
> - SYSCONFDIR "/pki/libvirt-spice") < 0)
> - goto error;
> + /*
> + * If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then assume someone
> + * has created a val specific area to place service specific certificates.
> + *
> + * If the service specific directory doesn't exist, 'assume' that the
> + * user has created and populated the "SYSCONFDIR" + "pki/libvirt-default".
> + */
> +#define SET_TLS_X509_CERT_DEFAULT(val) \
> + do { \
> + if (virFileExists(SYSCONFDIR "/pki/libvirt-"#val)) { \
> + if (VIR_STRDUP(cfg->val ## TLSx509certdir, \
> + SYSCONFDIR "/pki/libvirt-"#val) < 0) \
> + goto error; \
> + } else { \
> + if (VIR_STRDUP(cfg->val ## TLSx509certdir, \
> + cfg->defaultTLSx509certdir) < 0) \
> + goto error; \
> + } \
> + } while (false);
> +
> + SET_TLS_X509_CERT_DEFAULT(vnc);
> + SET_TLS_X509_CERT_DEFAULT(spice);
> +
> +#undef SET_TLS_X509_CERT_DEFAULT
>
> cfg->remotePortMin = QEMU_REMOTE_PORT_MIN;
> cfg->remotePortMax = QEMU_REMOTE_PORT_MAX;
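Review bot: The vnc/spice fallback done by `SET_TLS_X509_CERT_DEFAULT` runs here in virQEMUDriverConfigNew, before the config file is parsed, so a `default_tls_x509_cert_dir` set in qemu.conf (the `GET_VALUE_STR("default_tls_x509_cert_dir", cfg->defaultTLSx509certdir)` line in the virQEMUDriverConfigLoadFile hunk) replaces cfg->defaultTLSx509certdir but never reaches cfg->vncTLSx509certdir or cfg->spiceTLSx509certdir, which already hold a copy of the compiled-in SYSCONFDIR path. I would keep only the defaultTLSx509certdir VIR_STRDUP in this function and move the existence check plus fallback copy into virQEMUDriverConfigLoadFile after that GET_VALUE_STR, applied only to services whose own cert-dir key was not given in the file, so the configured default is what the services actually inherit. Two smaller points: the comment promises a directory but `virFileExists(...)` is true for any path type, so `virFileIsDir(...)` matches the stated intent, and the macro's `} while (false);` should drop its trailing semicolon so `SET_TLS_X509_CERT_DEFAULT(vnc);` does not expand to an empty extra statement. virQEMUDriverConfigNew continues outside the hunk.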
> @@ -333,6 +358,8 @@ static void virQEMUDriverConfigDispose(void *obj)
> VIR_FREE(cfg->channelTargetDir);
> VIR_FREE(cfg->nvramDir);
>
> + VIR_FREE(cfg->defaultTLSx509certdir);
> +
> VIR_FREE(cfg->vncTLSx509certdir);
> VIR_FREE(cfg->vncListen);
> VIR_FREE(cfg->vncPassword);
> @@ -445,6 +472,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
> goto cleanup; \
> }
>
> + GET_VALUE_STR("default_tls_x509_cert_dir", cfg->defaultTLSx509certdir);
> +
> GET_VALUE_BOOL("vnc_auto_unix_socket", cfg->vncAutoUnixSocket);
> GET_VALUE_BOOL("vnc_tls", cfg->vncTLS);
> GET_VALUE_BOOL("vnc_tls_x509_verify", cfg->vncTLSx509verify);
> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
> index a09c81d..db22433 100644
> --- a/src/qemu/qemu_conf.h
> +++ b/src/qemu/qemu_conf.h
> @@ -109,6 +109,8 @@ struct _virQEMUDriverConfig {
> char *channelTargetDir;
> char *nvramDir;
>
> + char *defaultTLSx509certdir;
> +
> bool vncAutoUnixSocket;
> bool vncTLS;
> bool vncTLSx509verify;
> diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
> index c4d4f19..a4c9737 100644
> --- a/src/qemu/test_libvirtd_qemu.aug.in
> +++ b/src/qemu/test_libvirtd_qemu.aug.in
> @@ -2,6 +2,7 @@ module Test_libvirtd_qemu =
> ::CONFIG::
>
> test Libvirtd_qemu.lns get conf =
> +{ "default_tls_x509_cert_dir" = "/etc/pki/libvirt-default" }
s/libvirt-default/qemu/
> { "vnc_listen" = "0.0.0.0" }
> { "vnc_auto_unix_socket" = "1" }
> { "vnc_tls" = "1" }
> --
> 2.5.5
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
ACK with those minor tweaks.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|