[libvirt] [PATCH 38/38] qemu: domain: Add support for TLS for NBD with default TLS env

Peter Krempa pkrempa at redhat.com
Thu May 31 06:26:38 UTC 2018 

On Wed, May 30, 2018 at 18:55:34 -0400, John Ferlan wrote:
> 
> 
> On 05/30/2018 08:41 AM, Peter Krempa wrote:
> > Use the default TLS env if TLS is required for NBD. The rest of the
> > implementation is rather simple since all pieces were in place.
> > 
> > Note that separate configuration knobs in qemu.conf can be added later
> > if it's desired to configure them.
> > 
> > Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> > ---
> >  docs/schemas/domaincommon.rng                      |  5 ++++
> >  src/qemu/qemu_command.c                            |  5 ++++
> >  src/qemu/qemu_domain.c                             | 33 ++++++++++++++++++++--
> >  .../disk-drive-network-tlsx509.args                |  9 +++++-
> >  .../disk-drive-network-tlsx509.xml                 |  8 ++++++
> >  tests/qemuxml2argvtest.c                           |  2 +-
> >  .../disk-drive-network-tlsx509.xml                 |  8 ++++++
> >  7 files changed, 66 insertions(+), 4 deletions(-)
> > 
> 
> [...]
> 
> > 
> > diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> > index e329cdf958..db7884a9a1 100644
> > --- a/src/qemu/qemu_domain.c
> > +++ b/src/qemu/qemu_domain.c
> > @@ -9937,6 +9937,29 @@ qemuProcessPrepareStorageSourceTlsVxhs(virStorageSourcePtr src,
> >  }
> > 
> > 
> > +static int
> > +qemuProcessPrepareStorageSourceTlsNbd(virStorageSourcePtr src,
> > +                                      virQEMUDriverConfigPtr cfg,
> > +                                      virQEMUCapsPtr qemuCaps)
> > +{
> > +    /* XXX: for NBD we don't have the qemu.conf knobs for private TLS env */
> 
> I believe the thought was to use the migrate ones and not default. That
> way we could modify the qemu.conf to note that the migrate environment
> would be used for NBD as it made no sense to have/use separate envs.

No. The migration environment shall be used only for NBD when migrating
disks. This is already the case by the way.

For accessing regular disks we should use the default one or a specific
one (e.g. as we do have for vxhs) if that will ever be added.

The separate environment might be wanted in the future if somebody wants
to have separate certificates for it, but it's not strictly required and
can easily be retrofitted into this optional way.

> > +    if (src->haveTLS == VIR_TRISTATE_BOOL_YES) {
> > +        if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_NBD_TLS)) {
> > +            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> > +                           _("this qemu does not support TLS transport for nbd"));
> > +            return -1;
> > +        }
> > +
> > +        if (VIR_STRDUP(src->tlsCertdir, cfg->defaultTLSx509certdir) < 0)
> > +            return -1;
> > +
> > +        src->tlsVerify = true;
> 
> I think this is problematic for the default environment w/r/t since the
> right certs won't be present...

Please elaborate on this. I didn't quite get what you meant.

> 
> John
> 
> 
> [...]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20180531/7ffc7622/attachment-0001.sig>

More information about the libvir-list mailing list