[libvirt] [PATCH 38/38] qemu: domain: Add support for TLS for NBD with default TLS env
Peter Krempa
pkrempa at redhat.com
Wed May 30 12:41:34 UTC 2018
Use the default TLS env if TLS is required for NBD. The rest of the
implementation is rather simple since all pieces were in place.
Note that separate configuration knobs in qemu.conf can be added later
if it's desired to configure them.
Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
docs/schemas/domaincommon.rng | 5 ++++
src/qemu/qemu_command.c | 5 ++++
src/qemu/qemu_domain.c | 33 ++++++++++++++++++++--
.../disk-drive-network-tlsx509.args | 9 +++++-
.../disk-drive-network-tlsx509.xml | 8 ++++++
tests/qemuxml2argvtest.c | 2 +-
.../disk-drive-network-tlsx509.xml | 8 ++++++
7 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 703a1bb6f8..ce2d1e91e0 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1706,6 +1706,11 @@
<optional>
<attribute name="name"/>
</optional>
+ <optional>
+ <attribute name="tls">
+ <ref name="virYesNo"/>
+ </attribute>
+ </optional>
<ref name="diskSourceNetworkHost"/>
<optional>
<ref name="encryption"/>
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 134e1a3a20..07fa35c6b3 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1392,6 +1392,11 @@ qemuDiskSourceNeedsProps(virStorageSourcePtr src,
virQEMUCapsGet(qemuCaps, QEMU_CAPS_ISCSI_PASSWORD_SECRET))
return true;
+ if (actualType == VIR_STORAGE_TYPE_NETWORK &&
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_NBD &&
+ src->haveTLS == VIR_TRISTATE_BOOL_YES)
+ return true;
+
return false;
}
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index e329cdf958..db7884a9a1 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -9937,6 +9937,29 @@ qemuProcessPrepareStorageSourceTlsVxhs(virStorageSourcePtr src,
}
+static int
+qemuProcessPrepareStorageSourceTlsNbd(virStorageSourcePtr src,
+ virQEMUDriverConfigPtr cfg,
+ virQEMUCapsPtr qemuCaps)
+{
+ /* XXX: for NBD we don't have the qemu.conf knobs for private TLS env */
+ if (src->haveTLS == VIR_TRISTATE_BOOL_YES) {
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_NBD_TLS)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("this qemu does not support TLS transport for nbd"));
+ return -1;
+ }
+
+ if (VIR_STRDUP(src->tlsCertdir, cfg->defaultTLSx509certdir) < 0)
+ return -1;
+
+ src->tlsVerify = true;
+ }
+
+ return 0;
+}
+
+
/* qemuProcessPrepareStorageSourceTLS:
* @source: source for a disk
* @cfg: driver configuration
@@ -9951,7 +9974,8 @@ qemuProcessPrepareStorageSourceTlsVxhs(virStorageSourcePtr src,
static int
qemuDomainPrepareStorageSourceTLS(virStorageSourcePtr src,
virQEMUDriverConfigPtr cfg,
- const char *parentAlias)
+ const char *parentAlias,
+ virQEMUCapsPtr qemuCaps)
{
if (virStorageSourceGetActualType(src) != VIR_STORAGE_TYPE_NETWORK)
return 0;
@@ -9963,6 +9987,10 @@ qemuDomainPrepareStorageSourceTLS(virStorageSourcePtr src,
break;
case VIR_STORAGE_NET_PROTOCOL_NBD:
+ if (qemuProcessPrepareStorageSourceTlsNbd(src, cfg, qemuCaps) < 0)
+ return -1;
+ break;
+
case VIR_STORAGE_NET_PROTOCOL_RBD:
case VIR_STORAGE_NET_PROTOCOL_SHEEPDOG:
case VIR_STORAGE_NET_PROTOCOL_GLUSTER:
@@ -12505,7 +12533,8 @@ qemuDomainPrepareDiskSourceLegacy(virDomainDiskDefPtr disk,
if (qemuDomainPrepareStorageSourcePR(disk->src, priv, disk->info.alias) < 0)
return -1;
- if (qemuDomainPrepareStorageSourceTLS(disk->src, cfg, disk->info.alias) < 0)
+ if (qemuDomainPrepareStorageSourceTLS(disk->src, cfg, disk->info.alias,
+ priv->qemuCaps) < 0)
return -1;
return 0;
diff --git a/tests/qemuxml2argvdata/disk-drive-network-tlsx509.args b/tests/qemuxml2argvdata/disk-drive-network-tlsx509.args
index 91d3a8a70a..970b8a32a6 100644
--- a/tests/qemuxml2argvdata/disk-drive-network-tlsx509.args
+++ b/tests/qemuxml2argvdata/disk-drive-network-tlsx509.args
@@ -43,4 +43,11 @@ id=virtio-disk1 \
file.server.host=192.168.0.3,file.server.port=9999,format=raw,if=none,\
id=drive-virtio-disk2,serial=eb90327c-8302-4725-9e1b-4e85ed4dc252,cache=none \
-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk2,\
-id=virtio-disk2
+id=virtio-disk2 \
+-object tls-creds-x509,id=objvirtio-disk3_tls0,dir=/etc/pki/qemu,\
+endpoint=client,verify-peer=yes \
+-drive file.driver=nbd,file.server.type=inet,file.server.host=example.com,\
+file.server.port=1234,file.tls-creds=objvirtio-disk3_tls0,format=raw,if=none,\
+id=drive-virtio-disk3,cache=none \
+-device virtio-blk-pci,bus=pci.0,addr=0x7,drive=drive-virtio-disk3,\
+id=virtio-disk3
diff --git a/tests/qemuxml2argvdata/disk-drive-network-tlsx509.xml b/tests/qemuxml2argvdata/disk-drive-network-tlsx509.xml
index a66e81f065..9f6f298b54 100644
--- a/tests/qemuxml2argvdata/disk-drive-network-tlsx509.xml
+++ b/tests/qemuxml2argvdata/disk-drive-network-tlsx509.xml
@@ -41,6 +41,14 @@
<serial>eb90327c-8302-4725-9e1b-4e85ed4dc252</serial>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='nbd' tls='yes'>
+ <host name='example.com' port='1234'/>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
<controller type='usb' index='0'/>
<controller type='pci' index='0' model='pci-root'/>
<input type='mouse' bus='ps2'/>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index a67d95f471..53b8b31a46 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1051,7 +1051,7 @@ mymain(void)
DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS);
driver.config->vxhsTLS = 1;
DO_TEST("disk-drive-network-tlsx509", QEMU_CAPS_VXHS,
- QEMU_CAPS_OBJECT_TLS_CREDS_X509);
+ QEMU_CAPS_OBJECT_TLS_CREDS_X509, QEMU_CAPS_NBD_TLS);
driver.config->vxhsTLS = 0;
VIR_FREE(driver.config->vxhsTLSx509certdir);
DO_TEST("disk-drive-no-boot",
diff --git a/tests/qemuxml2xmloutdata/disk-drive-network-tlsx509.xml b/tests/qemuxml2xmloutdata/disk-drive-network-tlsx509.xml
index 7053affd17..a9b8d32646 100644
--- a/tests/qemuxml2xmloutdata/disk-drive-network-tlsx509.xml
+++ b/tests/qemuxml2xmloutdata/disk-drive-network-tlsx509.xml
@@ -41,6 +41,14 @@
<serial>eb90327c-8302-4725-9e1b-4e85ed4dc252</serial>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='nbd' tls='yes'>
+ <host name='example.com' port='1234'/>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
<controller type='usb' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>
--
2.16.2
More information about the libvir-list
mailing list