[PATCH 06/10] conf: Add support for setting expected TLS hostname for NBD disks

Peter Krempa pkrempa at redhat.com
Thu Mar 10 12:25:25 UTC 2022


In cases when the host name used to connect to the NBD server doesn't match
the name in the server's TLS certificate, the new attribute 'tlsHostname' can
be used to override the name that is checked against the certificate.

Add the XML infrastructure and tests.

Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
 docs/formatdomain.rst                         |  4 +-
 docs/schemas/domaincommon.rng                 |  3 ++
 src/conf/domain_conf.c                        |  3 ++
 ...work-tlsx509-nbd-hostname.x86_64-6.2.0.err |  1 +
 ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 38 +++++++++++++++++++
 .../disk-network-tlsx509-nbd-hostname.xml     | 31 +++++++++++++++
 tests/qemuxml2argvtest.c                      |  2 +
 ...ork-tlsx509-nbd-hostname.x86_64-latest.xml | 37 ++++++++++++++++++
 tests/qemuxml2xmltest.c                       |  1 +
 9 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.x86_64-6.2.0.err
 create mode 100644 tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.xml
 create mode 100644 tests/qemuxml2xmloutdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.xml

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 9202cd3107..9b1b69bb4d 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -2653,7 +2653,9 @@ paravirtualized driver is specified via the ``disk`` element.
       be enabled by setting the ``tls`` attribute to ``yes``. For the QEMU
       hypervisor, usage of a TLS environment can also be globally controlled on
       the host by the ``nbd_tls`` and ``nbd_tls_x509_cert_dir`` in
-      /etc/libvirt/qemu.conf. ('tls' :since:`Since 4.5.0` )
+      /etc/libvirt/qemu.conf. ('tls' :since:`Since 4.5.0` ) :since:`Since 8.2.0`
+      the optional attribute ``tlsHostname`` can be used to override the
+      expected host name of the NBD server used for TLS certificate verification.

       For protocols ``http`` and ``https`` an optional attribute ``query``
       specifies the query string. ( :since:`Since 6.2.0` )
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 964b0c9e2f..9c1b64a644 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -2071,6 +2071,9 @@
             <ref name="virYesNo"/>
           </attribute>
         </optional>
+        <optional>
+          <attribute name="tlsHostname"/>
+        </optional>
         <ref name="diskSourceCommon"/>
         <ref name="diskSourceNetworkHost"/>
         <optional>
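Review bot: The new `<attribute name="tlsHostname"/>` carries no datatype, so the schema accepts any text, including an empty string, whereas a value that is not a host name can never match a certificate. If the schema already has a host-name type (the one used for the `name` attribute of the host element seems the natural candidate), reference it here, e.g. `<attribute name="tlsHostname"><ref name="dnsName"/></attribute>`; the exact define name should be checked against basictypes.rng, which is outside this patch.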
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 34fec887a3..6c5a818649 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -8293,6 +8293,8 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
                                &src->haveTLS) < 0)
         return -1;

+    src->tlsHostname = virXMLPropString(node, "tlsHostname");
+
     if (flags & VIR_DOMAIN_DEF_PARSE_STATUS) {
         int value;
         if (virXMLPropInt(node, "tlsFromConfig", 10, VIR_XML_PROP_NONE,
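Review bot: The attribute is stored unconditionally, so a `tlsHostname` given on a source that does not enable TLS, that uses a protocol other than nbd, or that is empty is silently accepted and then ignored — a user who mistypes `tls='yes'` gets no verification of the name they expected. Since the effective TLS setting can still come from the host config (`tlsFromConfig` a few lines below), the full check belongs where that is resolved, but the empty value can be rejected right here: `if (src->tlsHostname && *src->tlsHostname == '\0') { virReportError(VIR_ERR_XML_ERROR, "%s", _("'tlsHostname' must not be empty")); return -1; }`. Also confirm that the new `virStorageSource` field is released and copied in the storage-source clear/copy helpers (not in this patch), otherwise the name leaks or is dropped on copies. `virDomainDiskSourceNetworkParse` starts before and continues past this hunk.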
@@ -23043,6 +23045,7 @@ virDomainDiskSourceFormatNetwork(virBuffer *attrBuf,
           src->tlsFromConfig))
         virBufferAsprintf(attrBuf, " tls='%s'",
                           virTristateBoolTypeToString(src->haveTLS));
+    virBufferEscapeString(attrBuf, " tlsHostname='%s'", src->tlsHostname);
     if (flags & VIR_DOMAIN_DEF_FORMAT_STATUS)
         virBufferAsprintf(attrBuf, " tlsFromConfig='%d'", src->tlsFromConfig);

diff --git a/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.x86_64-6.2.0.err b/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.x86_64-6.2.0.err
new file mode 100644
index 0000000000..685926157f
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.x86_64-6.2.0.err
@@ -0,0 +1 @@
+unsupported configuration: 'tlsHostname' field is not supported by this QEMU
diff --git a/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args b/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
new file mode 100644
index 0000000000..870ec42482
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
@@ -0,0 +1,38 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \
+-machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram \
+-accel tcg \
+-cpu qemu64 \
+-m 214 \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
+-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
+-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd/dummy,path","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tls0-secret0"}' \
+-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-1-format","read-only":false,"cache":{"direct":true,"no-flush":false},"driver":"raw","file":"libvirt-1-storage"}' \
+-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-format","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.xml b/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.xml
new file mode 100644
index 0000000000..48425d2dd7
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-tlsx509-nbd-hostname.xml
@@ -0,0 +1,31 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw' cache='none'/>
+      <source protocol='nbd' tls='yes' tlsHostname="test-hostname">
+        <host name='example.com' port='1234'/>
+      </source>
+      <target dev='vdd' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <memballoon model='none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 7e1167e60e..e7fecb24d3 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1391,6 +1391,8 @@ mymain(void)
     DO_TEST_CAPS_VER("disk-network-tlsx509-nbd", "5.2.0");
     DO_TEST_CAPS_VER("disk-network-tlsx509-vxhs", "4.1.0");
     DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd");
+    DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-tlsx509-nbd-hostname", "6.2.0");
+    DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd-hostname");
     DO_TEST_CAPS_VER("disk-network-tlsx509-vxhs", "5.0.0");
     DO_TEST_CAPS_LATEST("disk-network-http");
     driver.config->vxhsTLS = 0;
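Review bot: Only the positive case and the missing-capability case are exercised; there is no test pinning what happens when `tlsHostname` is combined with `tls='no'` (or omitted tls) or with a non-nbd protocol, which is exactly where a silently ignored attribute would hide. Adding a parse-error fixture such as `DO_TEST_CAPS_LATEST_PARSE_ERROR("disk-network-tlsx509-nbd-hostname-notls");` would document the intended behaviour, assuming the corresponding validation is added in the qemu driver.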
diff --git a/tests/qemuxml2xmloutdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.xml b/tests/qemuxml2xmloutdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.xml
new file mode 100644
index 0000000000..216236582b
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.xml
@@ -0,0 +1,37 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <cpu mode='custom' match='exact' check='none'>
+    <model fallback='forbid'>qemu64</model>
+  </cpu>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw' cache='none'/>
+      <source protocol='nbd' tls='yes' tlsHostname='test-hostname'>
+        <host name='example.com' port='1234'/>
+      </source>
+      <target dev='vdd' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0' model='piix3-uhci'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <audio id='1' type='none'/>
+    <memballoon model='none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 2174965784..31917e5238 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -346,6 +346,7 @@ mymain(void)
     DO_TEST_NOCAPS("disk-network-vxhs");
     DO_TEST_CAPS_LATEST("disk-network-nfs");
     DO_TEST_NOCAPS("disk-network-tlsx509-nbd");
+    DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd-hostname");
     DO_TEST_NOCAPS("disk-network-tlsx509-vxhs");
     DO_TEST("disk-nvme", QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_QCOW2_LUKS);
     DO_TEST_CAPS_LATEST("disk-vhostuser");
-- 
2.35.1


