[libvirt] [PATCH v2 1/6] conf: Add new default TLS X.509 certificate default directory

Daniel P. Berrange berrange at redhat.com
Thu Jun 16 13:14:46 UTC 2016 

On Thu, Jun 16, 2016 at 06:42:22AM -0400, John Ferlan wrote:
> Rather that specify perhaps multiple TLS X.509 certificate directories,
> let's create a "default" directory which can then be used if the service
> (e.g. for now vnc and spice) does not supply a default directory.
> 
> Since the default for vnc and spice may have existed before without being
> supplied, the default check will first check if the service specific path
> exists and if so, set the cfg entry to that; otherwise, the default will
> be set to the (now) new defaultTLSx509certdir.
> 
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
>  src/qemu/libvirtd_qemu.aug         |  5 ++++-
>  src/qemu/qemu.conf                 | 36 ++++++++++++++++-----------------
>  src/qemu/qemu_conf.c               | 41 ++++++++++++++++++++++++++++++++------
>  src/qemu/qemu_conf.h               |  2 ++
>  src/qemu/test_libvirtd_qemu.aug.in |  1 +
>  5 files changed, 60 insertions(+), 25 deletions(-)
> 
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 8bc23ba..39b3a34 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -24,6 +24,8 @@ module Libvirtd_qemu =
>  
>  
>     (* Config entry grouped by function - same order as example config *)
> +   let default_tls_entry = str_entry "default_tls_x509_cert_dir"
> +
>     let vnc_entry = str_entry "vnc_listen"
>                   | bool_entry "vnc_auto_unix_socket"
>                   | bool_entry "vnc_tls"
> @@ -93,7 +95,8 @@ module Libvirtd_qemu =
>     let nvram_entry = str_array_entry "nvram"
>  
>     (* Each entry in the config is one of the following ... *)
> -   let entry = vnc_entry
> +   let entry = default_tls_entry
> +             | vnc_entry
>               | spice_entry
>               | nogfx_entry
>               | remote_display_entry
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 7964273..72acdfb 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -2,6 +2,16 @@
>  # All settings described here are optional - if omitted, sensible
>  # defaults are used.
>  
> +# Use of TLS requires that x509 certificates be issued. The default is
> +# to keep them in /etc/pki/libvirt-default. This directory must contain
> +#
> +#  ca-cert.pem - the CA master certificate
> +#  server-cert.pem - the server certificate signed with ca-cert.pem
> +#  server-key.pem  - the server private key
> +#

Nit-pick, latest QEMU now also looks for an (optional) dh-params.pem file

> +#default_tls_x509_cert_dir = "/etc/pki/libvirt-default"

I wonder if it would be better to say "/etc/pki/qemu" as our default
location since this isn't really stuff used by libvirt.


> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 6dfa738..118ca63 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -236,19 +236,44 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
>      if (virAsprintf(&cfg->autostartDir, "%s/qemu/autostart", cfg->configBaseDir) < 0)
>          goto error;
>  
> -
> -    if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
> +    /* Set the default directory to find TLS X.509 certificates.
> +     * This will then be used as a fallback if the service specific
> +     * directory doesn't exist (although we don't check if this exists).
> +     */
> +    if (VIR_STRDUP(cfg->defaultTLSx509certdir,
> +                   SYSCONFDIR "/pki/libvirt-default") < 0)

s/libvirt-default/qemu/

>          goto error;
>  
> -    if (VIR_STRDUP(cfg->vncTLSx509certdir, SYSCONFDIR "/pki/libvirt-vnc") < 0)
> +    if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
>          goto error;
>  
>      if (VIR_STRDUP(cfg->spiceListen, "127.0.0.1") < 0)
>          goto error;
>  
> -    if (VIR_STRDUP(cfg->spiceTLSx509certdir,
> -                   SYSCONFDIR "/pki/libvirt-spice") < 0)
> -        goto error;
> +    /*
> +     * If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then assume someone
> +     * has created a val specific area to place service specific certificates.
> +     *
> +     * If the service specific directory doesn't exist, 'assume' that the
> +     * user has created and populated the "SYSCONFDIR" + "pki/libvirt-default".
> +     */
> +#define SET_TLS_X509_CERT_DEFAULT(val)                                 \
> +    do {                                                               \
> +        if (virFileExists(SYSCONFDIR "/pki/libvirt-"#val)) {           \
> +            if (VIR_STRDUP(cfg->val ## TLSx509certdir,                 \
> +                           SYSCONFDIR "/pki/libvirt-"#val) < 0)        \
> +                goto error;                                            \
> +        } else {                                                       \
> +            if (VIR_STRDUP(cfg->val ## TLSx509certdir,                 \
> +                           cfg->defaultTLSx509certdir) < 0)            \
> +                goto error;                                            \
> +        }                                                              \
> +    } while (false);
> +
> +    SET_TLS_X509_CERT_DEFAULT(vnc);
> +    SET_TLS_X509_CERT_DEFAULT(spice);
> +
> +#undef SET_TLS_X509_CERT_DEFAULT
>  
>      cfg->remotePortMin = QEMU_REMOTE_PORT_MIN;
>      cfg->remotePortMax = QEMU_REMOTE_PORT_MAX;
> @@ -333,6 +358,8 @@ static void virQEMUDriverConfigDispose(void *obj)
>      VIR_FREE(cfg->channelTargetDir);
>      VIR_FREE(cfg->nvramDir);
>  
> +    VIR_FREE(cfg->defaultTLSx509certdir);
> +
>      VIR_FREE(cfg->vncTLSx509certdir);
>      VIR_FREE(cfg->vncListen);
>      VIR_FREE(cfg->vncPassword);
> @@ -445,6 +472,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
>              goto cleanup;                  \
>      }
>  
> +    GET_VALUE_STR("default_tls_x509_cert_dir", cfg->defaultTLSx509certdir);
> +
>      GET_VALUE_BOOL("vnc_auto_unix_socket", cfg->vncAutoUnixSocket);
>      GET_VALUE_BOOL("vnc_tls", cfg->vncTLS);
>      GET_VALUE_BOOL("vnc_tls_x509_verify", cfg->vncTLSx509verify);
> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
> index a09c81d..db22433 100644
> --- a/src/qemu/qemu_conf.h
> +++ b/src/qemu/qemu_conf.h
> @@ -109,6 +109,8 @@ struct _virQEMUDriverConfig {
>      char *channelTargetDir;
>      char *nvramDir;
>  
> +    char *defaultTLSx509certdir;
> +
>      bool vncAutoUnixSocket;
>      bool vncTLS;
>      bool vncTLSx509verify;
> diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
> index c4d4f19..a4c9737 100644
> --- a/src/qemu/test_libvirtd_qemu.aug.in
> +++ b/src/qemu/test_libvirtd_qemu.aug.in
> @@ -2,6 +2,7 @@ module Test_libvirtd_qemu =
>    ::CONFIG::
>  
>     test Libvirtd_qemu.lns get conf =
> +{ "default_tls_x509_cert_dir" = "/etc/pki/libvirt-default" }

s/libvirt-default/qemu/

>  { "vnc_listen" = "0.0.0.0" }
>  { "vnc_auto_unix_socket" = "1" }
>  { "vnc_tls" = "1" }
> -- 
> 2.5.5
> 
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list

ACK with those minor tweaks.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list