[libvirt] [PATCH v2 00/14] Add TLS support for migration

John Ferlan jferlan at redhat.com
Thu Feb 23 18:42:02 UTC 2017


v1: http://www.redhat.com/archives/libvir-list/2017-February/msg00897.html
v1 cover letter reiterated:

Patches 1, 3 -> 9 are primarily quite a bit of code motion in order to allow
reuse of the "core" of the chardev TLS code.

Theoretically speaking of course, these patches should work - I don't
have a TLS and migration environment to test with, so between following
the qemu command model on Daniel's blog and prior experience with the
chardev TLS would 

I added the saving of a flag to the private qemu domain state, although
I'm not 100% sure it was necessary. At one time I created the source TLS
objects during the Begin phase, but later decided to wait until just
before the migration is run. I think the main reason to have the flag
would be a restart of libvirtd to let 'something' know migration using
TLS was configured. I think it may only be "necessary" in order to
repopulate the migSecinfo after libvirtd restart, but it's not entirely
clear. By the time I started thinking more about it while writing this cover
letter it was too late to just remove it.

Also rather than create the destination host TLS objects on the fly,
I modified the command line generation. That model could change to adding
the TLS objects once the destination is started and before the params are
set for the migration.

This 'model' is also going to be used for the NBD, but I figured I'd get
this posted now since it was already too long of a series.


v2: Changes

Reorder the patches to put the reused 'chardev' code up front. Most of
these patches were "ok" along the way, but only one was officially ACK'd
(and that was pushed).

Patch1 is new - based off code review comment to create a common New
       function for secinfo allocation
Patch2 is adjusted to use Patch1
Patch3 is new based on review comment and having ExitMonitor outside
       the virSaveLastError ... virSetError
Patch4 mainly follows older logic with adjustments as suggested during
       code review
Patch5 -> Patch8 had minor changes as a result of other suggestions
Patch9 just removed the _set logic
Patch10 fixed the order/placement of VIR_MIGRATE_TLS
Patch11 is the old patch1 w/ the fixed #undef
Patch12 is the old patch2 w/o changes
Patch13 Alters the server logic to create the objects on the fly rather
        than via command line. It also introduces 3 helpers to perform the
        migration TLS manipulation
Patch14 similarly uses those APIs

AFAIU - removal of the objects would remove the migration tls-creds,
tls-hostname settings.

NB:
I left the cfg->migrateTLS in for now - it's very simple to remove, but
there would still need to be a key on something to ensure the migrateTLS
environment has been properly configured since that would mean the default
environment would need to be used/configured. Setting up the default
environment is keyed off having the migrateTLS defined. That's all part
of the qemu_conf reading logic.

John Ferlan (14):
  qemu: Introduce qemuDomainSecretInfoNew
  qemu: Introduce qemuDomainSecretMigratePrepare
  qemu: Move exit monitor calls in failure paths
  qemu: Refactor hotplug to introduce qemuDomain{Add|Del}TLSObjects
  qemu: Refactor qemuDomainGetChardevTLSObjects to converge code
  qemu: Move qemuDomainSecretChardevPrepare call
  qemu: Move qemuDomainPrepareChardevSourceTLS call
  qemu: Introduce qemuDomainGetTLSObjects
  qemu: Add TLS params to _qemuMonitorMigrationParams
  Add new migration flag VIR_MIGRATE_TLS
  qemu: Create #define for TLS configuration setup.
  conf: Introduce migrate_tls_x509_cert_dir
  qemu: Set up the migrate TLS objects for target
  qemu: Set up the migration TLS objects for source

 include/libvirt/libvirt-domain.h   |   8 +
 src/qemu/libvirtd_qemu.aug         |   6 +
 src/qemu/qemu.conf                 |  39 +++++
 src/qemu/qemu_conf.c               |  45 +++--
 src/qemu/qemu_conf.h               |   5 +
 src/qemu/qemu_domain.c             | 195 +++++++++++++--------
 src/qemu/qemu_domain.h             |  89 ++++++----
 src/qemu/qemu_hotplug.c            | 343 ++++++++++++++++++++-----------------
 src/qemu/qemu_hotplug.h            |  24 +++
 src/qemu/qemu_migration.c          | 200 +++++++++++++++++++++
 src/qemu/qemu_migration.h          |   3 +-
 src/qemu/qemu_monitor.c            |  11 +-
 src/qemu/qemu_monitor.h            |   3 +
 src/qemu/qemu_monitor_json.c       |  10 ++
 src/qemu/test_libvirtd_qemu.aug.in |   4 +
 tools/virsh-domain.c               |   7 +
 16 files changed, 705 insertions(+), 287 deletions(-)

-- 
2.9.3



