[libvirt] [PATCH v6 07/13] conf: Introduce TLS options for VxHS block device clients

Peter Krempa pkrempa at redhat.com
Thu Aug 31 12:21:40 UTC 2017 

On Wed, Aug 30, 2017 at 18:46:07 -0400, John Ferlan wrote:
> From: Ashish Mittal <Ashish.Mittal at veritas.com>
> 
> Add a new TLS X.509 certificate type - "vxhs". This will handle the
> creation of a TLS certificate capability for properly configured
> VxHS network block device clients.
> 
> The following describes the behavior of TLS for VxHS block device:
> 
>   (1) Two new options have been added in /etc/libvirt/qemu.conf
>       to control TLS behavior with VxHS block devices
>       "vxhs_tls" and "vxhs_tls_x509_cert_dir".
>   (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
>       TLS for VxHS block devices.
>   (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
>       TLS CA certificate and the client certificate and keys are saved.
>       If this value is missing, the "default_tls_x509_cert_dir" will be
>       used instead. If the environment is not configured properly the
>       authentication to the VxHS server will fail.
> 
> Signed-off-by: Ashish Mittal <Ashish.Mittal at veritas.com>
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
> 
>  This is "most of" the v5 patch4 with a few adjustments:
> 
>   * Alter the qemu.conf description to describe what files are really
>     necessary for the environment, especially if someone was going to
>     assume the default environment would work.
> 
>   * Extracted the formatdomain.html.in and moved it to the subsequent
>     patch where the domain XML is updated
> 
>   * Added calls/checks to CHECK_RESET_CERT_DIR_DEFAULT(vxhs); and
>     virQEMUDriverConfigValidate.  I think we could possibly add more
>     to the validate check to ensure the "right" files are there -
>     especially the client files, but I wasn't sure if we should or
>     not so left it as an exercise for later
> 
>  src/qemu/libvirtd_qemu.aug         |  4 ++++
>  src/qemu/qemu.conf                 | 33 +++++++++++++++++++++++++++++++++
>  src/qemu/qemu_conf.c               | 16 ++++++++++++++++
>  src/qemu/qemu_conf.h               |  3 +++
>  src/qemu/test_libvirtd_qemu.aug.in |  2 ++
>  5 files changed, 58 insertions(+)

[...]

> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index f977e3b..f92d5fe 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -258,6 +258,39 @@
>  #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
>  
>  
> +# Enable use of TLS encryption on the VxHS network block devices.
> +#
> +# When the VxHS network block device server is set up appropriately,
> +# x509 certificates are used for authentication between the clients
> +# (qemu processes) and the remote VxHS server.
> +#
> +# It is necessary to setup CA and issue client and server certificates
> +# before enabling this.
> +#
> +#vxhs_tls = 1

I find the semantics of this parameter weird since it does two things at
the same time:

1) it says that you CAN use TLS for vhxs
    (if it's not set and you set tls='yes' in the XML you get an error)

2) It changes the default from tls='no' to tls='yes', if it was not
specified.

This means that there's no way to 'opt-in' to use TLS. I don't quite see
why the first thing is necessary at all. If you set the cert dir below
and the certificates exist I don't see why users should be forced to
switch the default to be able to use TLS.

> +# In order to override the default TLS certificate location for VxHS
> +# device TCP certificates, supply a valid path to the certificate directory.
> +# This is used to authenticate the VxHS block device clients to the VxHS
> +# server.
> +#
> +# If the provided path does not exist then the default_tls_x509_cert_dir
> +# path will be used.
> +#
> +# VxHS block device clients expect the client certificate and key to be
> +# present in the certificate directory along with the CA master certificate.
> +# If using the default environment, default_tls_x509_verify must be configured.
> +# The server key as well as secret UUID that would decrypt it is not used.
> +# Thus a VxHS directory must contain the following:
> +#
> +#  ca-cert.pem - the CA master certificate
> +#  client-cert.pem - the client certificate signed with the ca-cert.pem
> +#  client-key.pem - the client private key
> +#
> +#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170831/e1d59b76/attachment-0001.sig>

More information about the libvir-list mailing list