[libvirt] [PATCH 38/38] qemu: domain: Add support for TLS for NBD with default TLS env

John Ferlan jferlan at redhat.com
Thu May 31 11:34:14 UTC 2018 

[...]

>>> +qemuProcessPrepareStorageSourceTlsNbd(virStorageSourcePtr src,
>>> +                                      virQEMUDriverConfigPtr cfg,
>>> +                                      virQEMUCapsPtr qemuCaps)
>>> +{
>>> +    /* XXX: for NBD we don't have the qemu.conf knobs for private TLS env */
>>
>> I believe the thought was to use the migrate ones and not default. That
>> way we could modify the qemu.conf to note that the migrate environment
>> would be used for NBD as it made no sense to have/use separate envs.
> 
> No. The migration environment shall be used only for NBD when migrating
> disks. This is already the case by the way.
> 
> For accessing regular disks we should use the default one or a specific
> one (e.g. as we do have for vxhs) if that will ever be added.
> 
> The separate environment might be wanted in the future if somebody wants
> to have separate certificates for it, but it's not strictly required and
> can easily be retrofitted into this optional way.
> 

And how would anyone really know this? Why was this decision was made in
favor of creating an NBD specific set of values. Ironically not a
shortcut we've used/allowed for when adding TLS to chardev, migrate, or
vxhs.


>>> +    if (src->haveTLS == VIR_TRISTATE_BOOL_YES) {
>>> +        if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_NBD_TLS)) {
>>> +            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
>>> +                           _("this qemu does not support TLS transport for nbd"));
>>> +            return -1;
>>> +        }
>>> +
>>> +        if (VIR_STRDUP(src->tlsCertdir, cfg->defaultTLSx509certdir) < 0)
>>> +            return -1;
>>> +
>>> +        src->tlsVerify = true;
>>
>> I think this is problematic for the default environment w/r/t since the
>> right certs won't be present...
> 
> Please elaborate on this. I didn't quite get what you meant.
> 

tlsVerify is what's used for the verifypeer - in order for it to be
useful, then the default environment would need:

#  client-cert.pem - the client certificate signed with the ca-cert.pem
#  client-key.pem - the client private key

if the default environment doesn't have those, then blindly setting this
will cause a TLS failure if the default environment doesn't have those
files.

Since you're using cfg->defaultTLSx509certdir, then this should use
cfg->defaultTLSx509verify.

John

More information about the libvir-list mailing list