[libvirt] [PATCH v2 8/8] qemu: Utilize qemu secret objects for SCSI/RBD auth/secret
Michal Privoznik
mprivozn at redhat.com
Thu May 5 04:52:01 UTC 2016
On 02.05.2016 23:51, John Ferlan wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1182074
>
> If they're available and we need to pass secrets to qemu, then use the
> qemu domain secret object in order to pass the secrets for iSCSI and
> RBD volumes instead of passing plaintext or base64 encoded secrets on
> the command line.
>
> Adjust the qemuDomainSecretHaveEncrypt API in order to check for the
> HAVE_GNUTLS_CIPHER_ENCRYPT being set as the primary decision point
> to whether an IV secret can be attempted and fall back to plain secret
> if the API is not available.
>
> The goal is to make IV secrets the default and have no user interaction
> required in order to allow using the IV mechanism. If the mechanism
> is not available, then fall back to the current mechanism.
>
> New APIs:
> qemuBuildSecretInfoProps: (private)
> Generate/return a JSON properties object for the IV secret to
> be used by both the command building and eventually the hotplug
> code in order to add the secret object. Code was designed so that
> in the future perhaps hotplug could use it if it made sense.
>
> qemuBuildSecretIVCommandLine (private)
> Generate and add to the command line the -object secret for the
> IV secret. This will be required for the subsequent iSCSI or
> RBD reference to the object.
>
> qemuBuildiSCSICommandLine: (private)
> Required for iSCSI since qemu only processes the "user=" and
> "password-secret=" options for an "-iscsi" entry. At some point
> in a future release, qemu may support those options on the -drive
> command line for iscsi devices. The one caveat to this code is
> rather than provide an 'id=' field for the -iscsi command, use
> the "initiator-name=" argument since it doesn't have the same
> restrictions regarding characters. The initiator-name is described
> as taking an IQN, which is the path argument.
>
> qemuBuildDiskSecinfoCommandLine
> qemuBuildHostdevSecretCommandLine
> These APIs will handle adding the IV secret object and if necessary
> the '-iscsi' command line option. For an RBD disk, only the IV secret
> object will be required.
>
> Command Building:
>
> Adjust the qemuBuild{General|RBD}SecinfoURI APIs in order to generate
> the specific command options for an IV secret, such as:
>
> For iSCSI:
>
> -object secret,id=$alias,keyid=$masterKey,data=$base64encodedencrypted,
> format=base64
> -iscsi -initiator-name=$iqn,user=user,password-secret=$alias
> -drive file=iscsi://example.com/$iqn,...
>
> For RBD:
>
> -object secret,id=$alias,keyid=$masterKey,data=$base64encodedencrypted,
> format=base64
> -drive file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
> mon_host=mon1.example.org\:6321,password-secret=$alias,...
>
> where for both 'id=' value is the secret object alias generated by
> concatenating the disk/hostdev alias and "-ivKey0". The 'keyid=
> $masterKey' is the master key shared with qemu, and the -drive
> syntax will reference that alias as the 'password-secret'. For
> the iSCSI object 'user=' replaces the URI generated 'user:secret@'
> prepended to the iSCSI 'host' name (example.com). For the RBD -drive
> syntax, the 'id=myname' is kept to define the username, while the
> 'key=$base64 encoded secret' is removed.
>
> While according to the syntax described for qemu commits 'b189346eb'
> (iSCSI) and '60390a21' (RBD) or as seen in the email archive:
>
> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg04083.html
>
> it is possible to pass a plaintext password via a file, the qemu
> commit 'ac1d8878' describes the more feature rich 'keyid=' option
> based upon the shared masterKey.
>
> Tests:
>
> Add mocks for virRandomBytes and gnutls_rnd in order to return a
> constant stream of '0xff' in the bytes for a non random key in order
> to generate "constant" values for the secrets so that the tests can
> use those results to compare results.
>
> Hotplug:
>
> Since the hotplug code doesn't add command line arguments, passing
> the encoded/plaintext secrets directly to the monitor will suffice.
> Besides, passing the IV secret via '-iscsi' won't be possible.
> Perhaps when the -drive command is modified to accept not only the
> initiator-name, but -user and -password-secret arguments, then the
> IV code can be utilized for hotplug secrets.
>
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
> configure.ac | 1 +
> src/qemu/qemu_command.c | 257 ++++++++++++++++++++-
> src/qemu/qemu_domain.c | 4 +
> ...uxml2argv-disk-drive-network-iscsi-auth-IV.args | 39 ++++
> ...muxml2argv-disk-drive-network-iscsi-auth-IV.xml | 43 ++++
> ...emuxml2argv-disk-drive-network-rbd-auth-IV.args | 31 +++
> ...qemuxml2argv-disk-drive-network-rbd-auth-IV.xml | 42 ++++
> ...emuxml2argv-hostdev-scsi-lsi-iscsi-auth-IV.args | 41 ++++
> ...qemuxml2argv-hostdev-scsi-lsi-iscsi-auth-IV.xml | 48 ++++
> ...xml2argv-hostdev-scsi-virtio-iscsi-auth-IV.args | 43 ++++
> ...uxml2argv-hostdev-scsi-virtio-iscsi-auth-IV.xml | 48 ++++
> tests/qemuxml2argvmock.c | 31 ++-
> tests/qemuxml2argvtest.c | 19 ++
> 13 files changed, 643 insertions(+), 4 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-IV.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-IV.xml
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-IV.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-IV.xml
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-lsi-iscsi-auth-IV.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-lsi-iscsi-auth-IV.xml
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-IV.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-IV.xml
>
> diff --git a/configure.ac b/configure.ac
> index 88e2e20..3cabd5e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -1264,6 +1264,7 @@ if test "x$with_gnutls" != "xno"; then
> ]])
>
> AC_CHECK_FUNCS([gnutls_rnd])
> + AC_CHECK_FUNCS([gnutls_cipher_encrypt])
This change should go into the previous commit since that is the one that
uses it.
>
> CFLAGS="$old_CFLAGS"
> LIBS="$old_LIBS"
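Review bot: Nothing here surfaces the outcome of the AC_CHECK_FUNCS([gnutls_cipher_encrypt]) probe, although the commit message makes HAVE_GNUTLS_CIPHER_ENCRYPT the primary decision point between an IV secret and the plain-secret fallback. A build against a gnutls that lacks this function would quietly keep passing plaintext or base64 secrets on the command line; consider reporting the result in the configure output, or logging the fallback when it is taken, so that the downgrade is visible.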
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index b56277f..27e31ec 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -607,9 +607,227 @@ qemuNetworkDriveGetPort(int protocol,
> }
>
Michal
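
An added example, not part of this thread or of libvirt's code: a check over a QEMU argv for the two exposures the commit message sets out to remove (the RBD `key=` and the iSCSI `user:secret@` on the command line) and for `password-secret=` references that do not resolve to a `keyid=` secret object. Hosts, aliases, the master key id and the data values are constructed, and option parsing assumes no `,,` escapes.

```python
import re
from urllib.parse import urlsplit

def parse_opts(arg):
    """Split a QEMU option string on ',' (assumption: no ',,' escapes in use)."""
    return dict(part.partition("=")[::2] for part in arg.split(","))

def audit_qemu_argv(argv):
    """List secrets exposed on, or dangling from, a QEMU command line."""
    findings, secrets, refs = [], {}, []
    for flag, arg in zip(argv, argv[1:]):
        if flag == "-object" and arg.startswith("secret,"):
            opts = parse_opts(arg)
            secrets[opts.get("id", "")] = opts
        elif flag in ("-drive", "-iscsi"):
            opts = parse_opts(arg)
            if "password-secret" in opts:
                refs.append((flag, opts["password-secret"]))
            if flag == "-iscsi" and "password" in opts:
                findings.append("-iscsi: plaintext password= option")
            path = opts.get("file", "")
            if path.startswith("rbd:") and re.search(r"(?:^|:)key=", path):
                findings.append("-drive: rbd key= embedded in file string")
            if path.startswith("iscsi://") and urlsplit(path).password:
                findings.append("-drive: iscsi URI carries user:secret@")
    # Every password-secret= must resolve to a secret object encrypted via keyid=.
    for flag, sid in refs:
        if sid not in secrets:
            findings.append(f"{flag}: password-secret={sid} has no secret object")
        elif "keyid" not in secrets[sid]:
            findings.append(f"secret {sid}: no keyid=, data not master-key encrypted")
    return findings

# Constructed sample command lines (hosts, aliases, key ids and data are made up).
RBD = "rbd:pool/image:id=myname:auth_supported=cephx\\;none:mon_host=mon1.example.org\\:6321"
LEGACY = ["qemu-system-x86_64",
          "-drive", "file=" + RBD.replace(":auth", ":key=Q09OU1RSVUNURUQ=:auth") + ",if=none",
          "-drive", "file=iscsi://myname:s3cret@example.com/iqn.1992-01.com.example,if=none"]
SECRET = "secret,id=%s-ivKey0,keyid=masterKey0,data=Q09OU1RSVUNURUQ=,format=base64"
HARDENED = ["qemu-system-x86_64", "-object", SECRET % "virtio-disk0",
            "-drive", "file=" + RBD + ",password-secret=virtio-disk0-ivKey0,if=none",
            "-object", SECRET % "virtio-disk1",
            "-iscsi", "initiator-name=iqn.1992-01.com.example,user=myname,"
                      "password-secret=virtio-disk1-ivKey0",
            "-drive", "file=iscsi://example.com/iqn.1992-01.com.example,if=none"]

if __name__ == "__main__":
    print(audit_qemu_argv(LEGACY), audit_qemu_argv(HARDENED))
```
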