[libvirt] [PATCH 38/38] qemu: domain: Add support for TLS for NBD with default TLS env

John Ferlan jferlan at redhat.com
Wed May 30 22:55:34 UTC 2018 


On 05/30/2018 08:41 AM, Peter Krempa wrote:
> Use the default TLS env if TLS is required for NBD. The rest of the
> implementation is rather simple since all pieces were in place.
> 
> Note that separate configuration knobs in qemu.conf can be added later
> if it's desired to configure them.
> 
> Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> ---
>  docs/schemas/domaincommon.rng                      |  5 ++++
>  src/qemu/qemu_command.c                            |  5 ++++
>  src/qemu/qemu_domain.c                             | 33 ++++++++++++++++++++--
>  .../disk-drive-network-tlsx509.args                |  9 +++++-
>  .../disk-drive-network-tlsx509.xml                 |  8 ++++++
>  tests/qemuxml2argvtest.c                           |  2 +-
>  .../disk-drive-network-tlsx509.xml                 |  8 ++++++
>  7 files changed, 66 insertions(+), 4 deletions(-)
> 

[...]

> 
> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index e329cdf958..db7884a9a1 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -9937,6 +9937,29 @@ qemuProcessPrepareStorageSourceTlsVxhs(virStorageSourcePtr src,
>  }
> 
> 
> +static int
> +qemuProcessPrepareStorageSourceTlsNbd(virStorageSourcePtr src,
> +                                      virQEMUDriverConfigPtr cfg,
> +                                      virQEMUCapsPtr qemuCaps)
> +{
> +    /* XXX: for NBD we don't have the qemu.conf knobs for private TLS env */

I believe the thought was to use the migrate ones and not default. That
way we could modify the qemu.conf to note that the migrate environment
would be used for NBD as it made no sense to have/use separate envs.

> +    if (src->haveTLS == VIR_TRISTATE_BOOL_YES) {
> +        if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_NBD_TLS)) {
> +            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                           _("this qemu does not support TLS transport for nbd"));
> +            return -1;
> +        }
> +
> +        if (VIR_STRDUP(src->tlsCertdir, cfg->defaultTLSx509certdir) < 0)
> +            return -1;
> +
> +        src->tlsVerify = true;

I think this is problematic for the default environment w/r/t since the
right certs won't be present...

John


[...]

More information about the libvir-list mailing list