From nobody Mon Dec 15 01:53:09 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1503988834495376.2214837846801; Mon, 28 Aug 2017 23:40:34 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id ADD16C0587C8; Tue, 29 Aug 2017 06:40:31 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8F0134F9FB; Tue, 29 Aug 2017 06:40:31 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 553E71800C8A; Tue, 29 Aug 2017 06:40:31 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v7T6eDFq006991 for ; Tue, 29 Aug 2017 02:40:13 -0400 Received: by smtp.corp.redhat.com (Postfix) id 7CCE06BC06; Tue, 29 Aug 2017 06:40:13 +0000 (UTC) Received: from mx1.redhat.com (ext-mx08.extmail.prod.ext.phx2.redhat.com [10.5.110.32]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E49EE5C6F6; Tue, 29 Aug 2017 06:40:12 +0000 (UTC) Received: from mail-io0-f194.google.com (mail-io0-f194.google.com [209.85.223.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 86371C0587E4; Tue, 29 Aug 2017 06:40:05 +0000 (UTC) Received: by mail-io0-f194.google.com with SMTP id j99so2583567ioo.4; Mon, 28 Aug 2017 23:40:05 -0700 (PDT) Received: from localhost.localdomain.localdomain ([172.58.73.57]) by smtp.gmail.com with ESMTPSA id u196sm479335itc.12.2017.08.28.23.40.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 28 Aug 2017 23:40:04 -0700 (PDT) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com ADD16C0587C8 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com ADD16C0587C8 Authentication-Results: mx1.redhat.com; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="c1EVXss+" DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 86371C0587E4 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=ashmit602@gmail.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 86371C0587E4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=yY5VOPsSSxm1+IosjgywwegYFGyUmJDswPnYc/kADLY=; b=c1EVXss+la10dbQSEZI2E9jxNASDnTMf0mgKWa88xtqQcrzM9DPgiCPiaFLivoYQ/i 13MwDeFftPpjEC99TEF5SFWgGyMcxyTr8suG9l4hJRqK+q0lBBgTyS/0PwxRtjeTS19B eWXe69itm4aFOpMV2BRV+MaY0sArjUf9BgYllyOwisMvDBQtJbpIdbPEZG1tCC4QPTUQ VdDqSz8iw8sB+EVPt/L2InAL1c29VNsIiCB7Vbs1Onp//lpJDvBfVgpbRfzdfRQBXX8w QOf2LMmsk5nJhSSycjyeFwm1gblflRoLe3EnDTtAJodhadVWMggzzWpu1LWP+yZ410y+ 3YOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=yY5VOPsSSxm1+IosjgywwegYFGyUmJDswPnYc/kADLY=; b=m/HxHJsi9Irgxteiq6ZQQswZDW+7BEDhtJEJhoFD9lnRW2k0/NTQ82wLcbLErhoitA kzUC1/eHq/NGVZBs/NAH/CGGsUvPuUhQxEW7hc9jseZoYMTEDTBf7ZLj9yJDEOHPKAXS xeL0/IwTLXQGunClGt5tVe+z2utaXr2yC8angxJ8KLh0/AYqof0B56t7dVZZ7qXarMNr OCBtgH8WZP9/f2jUdnrax8bLKfuMjXzI/r4677e3g+QTHw+ExhwQZGd3JRDuIS3dZiWt cieJZp0NUpNNX+EWV56JTsRav6e0m/iwZkM/zJ+2Q5FwpqrUe6GBqJUMnU1m3QlTfiL/ 6a1w== X-Gm-Message-State: AHYfb5hBAu25qr/n4IzY2ev8go4pZBGK73NDT5RWAJ/9NML7SjzHiUKn dUeC1PdYC9L/HlrqblU= X-Received: by 10.36.144.5 with SMTP id x5mr3295477itd.185.1503988804563; Mon, 28 Aug 2017 23:40:04 -0700 (PDT) From: Ashish Mittal X-Google-Original-From: Ashish Mittal To: libvir-list@redhat.com, jferlan@redhat.com, pbonzini@redhat.com, berrange@redhat.com, jcody@redhat.com, ashish.mittal@veritas.com, stefanha@gmail.com, Ketan.Nilangekar@veritas.com, Nitin.Jerath@veritas.com, venkatesha.mg@veritas.com, pkrempa@redhat.com, areis@redhat.com, pchavva@redhat.com, ashmit602@gmail.com, Suraj.Singh@veritas.com Date: Mon, 28 Aug 2017 23:39:28 -0700 Message-Id: <1503988773-118859-5-git-send-email-Ashish.Mittal@veritas.com> In-Reply-To: <1503988773-118859-1-git-send-email-Ashish.Mittal@veritas.com> References: <1503988773-118859-1-git-send-email-Ashish.Mittal@veritas.com> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 29 Aug 2017 06:40:05 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 29 Aug 2017 06:40:05 +0000 (UTC) for IP:'209.85.223.194' DOMAIN:'mail-io0-f194.google.com' HELO:'mail-io0-f194.google.com' FROM:'ashmit602@gmail.com' RCPT:'' X-RedHat-Spam-Score: -2.66 (DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_PASS) 209.85.223.194 mail-io0-f194.google.com 209.85.223.194 mail-io0-f194.google.com X-Scanned-By: MIMEDefang 2.78 on 10.5.110.32 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-loop: libvir-list@redhat.com Cc: Ashish Mittal Subject: [libvirt] [PATCH v5 4/9] conf: Introduce TLS options for VxHS block device clients X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 29 Aug 2017 06:40:32 +0000 (UTC) X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZohoMail: RDKM_2 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add a new TLS X.509 certificate type - "vxhs". This will handle the creation of a TLS certificate capability for properly configured VxHS network block device clients. Signed-off-by: Ashish Mittal --- v5 changelog: (1) Fixed the release version for VxHS changes. (2) No functional changes. v4 changelog: (1) Add two new options in /etc/libvirt/qemu.conf to control TLS behavior with VxHS block devices "vxhs_tls" and "vxhs_tls_x509_cert_dir". (2) Setting "vxhs_tls=3D1" in /etc/libvirt/qemu.conf will enable TLS for VxHS block devices. (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the TLS certificates and keys are saved. If this value is missing, the "default_tls_x509_cert_dir" will be used instead. docs/formatdomain.html.in | 16 ++++++++++++++++ src/qemu/libvirtd_qemu.aug | 4 ++++ src/qemu/qemu.conf | 23 +++++++++++++++++++++++ src/qemu/qemu_conf.c | 7 +++++++ src/qemu/qemu_conf.h | 3 +++ src/qemu/test_libvirtd_qemu.aug.in | 2 ++ 6 files changed, 55 insertions(+) diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 64397d4..41b4ea8 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2649,6 +2649,22 @@ transport is "unix", the socket attribute specifies the path t= o an AF_UNIX socket.

+

+ Since 3.8.0, the optional attribu= te + tls (QEMU only) can be used to control whether a = vxhs + network block device would utilize a hypervisor configured + TLS X.509 certificate environment in order to encrypt the data + channel. For the QEMU hypervisor, usage of a TLS environment c= an + be controlled on the host by the vxhs_tls and + vxhs_tls_x509_cert_dir or + default_tls_x509_cert_dir settings in the file + /etc/libvirt/qemu.conf. If vxhs_tls is enabled, + then unless the domain tls attribute is set to "n= o", + libvirt will use the host configured TLS environment. + If vxhs_tls is disabled, but the tls + attribute is set to "yes" in the device domain specification, + then libvirt will throw an error. +

snapshot
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index e1983d1..c19bf3a 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -115,6 +115,9 @@ module Libvirtd_qemu =3D =20 let memory_entry =3D str_entry "memory_backing_dir" =20 + let vxhs_entry =3D bool_entry "vxhs_tls" + | str_entry "vxhs_tls_x509_cert_dir" + (* Each entry in the config is one of the following ... *) let entry =3D default_tls_entry | vnc_entry @@ -133,6 +136,7 @@ module Libvirtd_qemu =3D | nvram_entry | gluster_debug_level_entry | memory_entry + | vxhs_entry =20 let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] let empty =3D [ label "#empty" . eol ] diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index f977e3b..0bbcdb2 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -258,6 +258,29 @@ #chardev_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" =20 =20 +# Enable use of TLS encryption on the VxHS network block devices. +# +# When the VxHS network block device server is set up appropriately, +# x509 certificates are used for authentication between the clients +# (qemu processes) and the remote VxHS server. +# +# It is necessary to setup CA and issue client and server certificates +# before enabling this. +# +#vxhs_tls =3D 1 + + +# In order to override the default TLS certificate location for VxHS +# device TCP certificates, supply a valid path to the certificate director= y. +# This is used to authenticate the VxHS block device clients to the VxHS +# server. +# +# If the provided path does not exist then the default_tls_x509_cert_dir +# path will be used. +# +#vxhs_tls_x509_cert_dir =3D "/etc/pki/libvirt-vxhs" + + # In order to override the default TLS certificate location for migration # certificates, supply a valid path to the certificate directory. If the # provided path does not exist then the default_tls_x509_cert_dir path diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index ab5f7cc..3d53a86 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -283,6 +283,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool priv= ileged) SET_TLS_X509_CERT_DEFAULT(spice); SET_TLS_X509_CERT_DEFAULT(chardev); SET_TLS_X509_CERT_DEFAULT(migrate); + SET_TLS_X509_CERT_DEFAULT(vxhs); =20 #undef SET_TLS_X509_CERT_DEFAULT =20 @@ -380,6 +381,8 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->chardevTLSx509certdir); VIR_FREE(cfg->chardevTLSx509secretUUID); =20 + VIR_FREE(cfg->vxhsTLSx509certdir); + VIR_FREE(cfg->migrateTLSx509certdir); VIR_FREE(cfg->migrateTLSx509secretUUID); =20 @@ -556,6 +559,10 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr= cfg, goto cleanup; if (virConfGetValueBool(conf, "spice_auto_unix_socket", &cfg->spiceAut= oUnixSocket) < 0) goto cleanup; + if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0) + goto cleanup; + if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTL= Sx509certdir) < 0) + goto cleanup; =20 #define GET_CONFIG_TLS_CERTINFO(val) = \ do { = \ diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index d469b50..13b6f81 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -203,6 +203,9 @@ struct _virQEMUDriverConfig { unsigned int glusterDebugLevel; =20 char *memoryBackingDir; + + bool vxhsTLS; + char *vxhsTLSx509certdir; }; =20 /* Main driver state */ diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 676d48c..688e5b9 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -25,6 +25,8 @@ module Test_libvirtd_qemu =3D { "chardev_tls_x509_cert_dir" =3D "/etc/pki/libvirt-chardev" } { "chardev_tls_x509_verify" =3D "1" } { "chardev_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } +{ "vxhs_tls" =3D "1" } +{ "vxhs_tls_x509_cert_dir" =3D "/etc/pki/libvirt-vxhs" } { "migrate_tls_x509_cert_dir" =3D "/etc/pki/libvirt-migrate" } { "migrate_tls_x509_verify" =3D "1" } { "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } --=20 2.5.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list