From: Ashish Mittal
To: libvir-list@redhat.com, jferlan@redhat.com, pbonzini@redhat.com, berrange@redhat.com, jcody@redhat.com, ashish.mittal@veritas.com, stefanha@gmail.com, Ketan.Nilangekar@veritas.com, Nitin.Jerath@veritas.com, venkatesha.mg@veritas.com, pkrempa@redhat.com, areis@redhat.com, pchavva@redhat.com, ashmit602@gmail.com, Suraj.Singh@veritas.com
Date: Mon, 28 Aug 2017 23:39:29 -0700
Message-Id: <1503988773-118859-6-git-send-email-Ashish.Mittal@veritas.com>
In-Reply-To: <1503988773-118859-1-git-send-email-Ashish.Mittal@veritas.com>
References: <1503988773-118859-1-git-send-email-Ashish.Mittal@veritas.com>
Subject: [libvirt] [PATCH v5 5/9] Add TLS support for Veritas HyperScale (VxHS) block device protocol
The following describes the behavior of TLS for VxHS block device:

(1) Two new options have been added in /etc/libvirt/qemu.conf to control TLS behavior with VxHS block devices: "vxhs_tls" and "vxhs_tls_x509_cert_dir".
(2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable TLS for VxHS block devices.
(3) "vxhs_tls_x509_cert_dir" can be set to the full path where the TLS certificates and keys are saved. If this value is missing, the "default_tls_x509_cert_dir" will be used instead.
(4) If the value of "vxhs_tls" is set to 1, TLS creds will be added automatically on the qemu command line for every VxHS block device.
(5) With "vxhs_tls=1", TLS may selectively be disabled on individual VxHS disks by specifying tls='no' in the device domain specification.
(6) Valid values for domain TLS setting are tls='yes|no'.
(7) tls='yes' can only be specified if "vxhs_tls" is enabled. Specifying tls='yes' when "vxhs_tls=0" results in an error.

QEMU changes for VxHS (including TLS support) are already upstream.

Sample TLS args generated by libvirt -

-object tls-creds-x509,id=objvxhs_tls0,dir=/usr/local/etc/pki/qemu,\
endpoint=client,verify-peer=yes \
-drive file.driver=vxhs,file.tls-creds=objvxhs_tls0,\
file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,\
id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0
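As an added example, not code from this patch or from libvirt, the following Python script audits a QEMU command line of the shape shown in the sample above (for instance the command line libvirt writes to /var/log/libvirt/qemu/<domain>.log) and reports every VxHS drive that has no file.tls-creds, or whose credentials object does not verify the server. The first -object/-drive/-device triple is the sample from this message; the additional drives and the verify-peer=no object are constructed for the example, and the parser assumes the positional "-object <type>,id=..." form that libvirt emits.

```python
"""Audit a QEMU command line for VxHS drives that are not protected by TLS.

Example code added to this page; it is not part of libvirt or QEMU.  It
reads the argv libvirt generated (for instance the command line logged in
/var/log/libvirt/qemu/<domain>.log) and reports every file.driver=vxhs
drive that has no file.tls-creds, or whose tls-creds object does not
verify the server certificate.
"""
import shlex

# Constructed sample.  The first -object/-drive/-device triple is the one
# quoted in the patch description; the remaining entries are made up for
# this example: a VxHS disk built with tls='no' (no tls-creds), a creds
# object with verify-peer=no, and a local qcow2 disk the audit must ignore.
SAMPLE_CMDLINE = r"""
-object tls-creds-x509,id=objvxhs_tls0,dir=/usr/local/etc/pki/qemu,\
endpoint=client,verify-peer=yes \
-drive file.driver=vxhs,file.tls-creds=objvxhs_tls0,\
file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,\
id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0 \
-drive file.driver=vxhs,file.vdisk-id=00000000-0000-0000-0000-000000000001,\
file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,\
id=drive-virtio-disk1,cache=none \
-object tls-creds-x509,id=objvxhs_tls2,dir=/usr/local/etc/pki/qemu,\
endpoint=client,verify-peer=no \
-drive file.driver=vxhs,file.tls-creds=objvxhs_tls2,\
file.vdisk-id=00000000-0000-0000-0000-000000000002,\
file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,\
id=drive-virtio-disk2,cache=none \
-drive file=/var/lib/libvirt/images/local.qcow2,format=qcow2,if=none,\
id=drive-virtio-disk3
"""


def argv_from_text(text):
    """Split a shell-style command line, honouring backslash-newline continuations."""
    return shlex.split(text.replace("\\\n", ""))


def split_opts(optstr):
    """Split a QEMU option string on ',' where ',,' escapes a literal comma."""
    parts, cur, i = [], [], 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":
                cur.append(",")
                i += 2
                continue
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(optstr[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_opts(optstr):
    """Return (positional items, key=value dict) for one -object/-drive argument."""
    positional, kv = [], {}
    for part in split_opts(optstr):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key] = value
        else:
            positional.append(part)
    return positional, kv


def collect(argv):
    """Index -object arguments by id and gather every -drive argument in order."""
    objects, drives, i = {}, [], 0
    while i < len(argv) - 1:
        if argv[i] == "-object":
            # Only the positional '-object <type>,id=...' form is handled here.
            positional, kv = parse_opts(argv[i + 1])
            objects[kv.get("id")] = (positional[0] if positional else None, kv)
            i += 2
        elif argv[i] == "-drive":
            drives.append(parse_opts(argv[i + 1])[1])
            i += 2
        else:
            i += 1
    return objects, drives


def audit_vxhs_tls(argv):
    """Return one finding per VxHS drive whose transport is not verified TLS."""
    objects, drives = collect(argv)
    findings = []
    for kv in drives:
        if kv.get("file.driver") != "vxhs":
            continue  # local files, NBD, etc. are out of scope for this check
        name = kv.get("id", "<no id>")
        server = f'{kv.get("file.server.host")}:{kv.get("file.server.port")}'
        creds = kv.get("file.tls-creds")
        if creds is None:
            findings.append(f"{name}: no file.tls-creds, VxHS traffic to {server} is unencrypted")
            continue
        if creds not in objects:
            findings.append(f"{name}: tls-creds '{creds}' matches no -object on the command line")
            continue
        otype, okv = objects[creds]
        if otype != "tls-creds-x509":
            findings.append(f"{name}: tls-creds '{creds}' is a {otype} object, not tls-creds-x509")
        if okv.get("endpoint") != "client":
            findings.append(f"{name}: tls-creds '{creds}' has endpoint={okv.get('endpoint')}, expected client")
        if okv.get("verify-peer") != "yes":
            findings.append(f"{name}: tls-creds '{creds}' has verify-peer={okv.get('verify-peer')}, server certificate is not checked")
    return findings


if __name__ == "__main__":
    for line in audit_vxhs_tls(argv_from_text(SAMPLE_CMDLINE)) or ["all VxHS drives use verified TLS"]:
        print(line)
```

Running the script on the constructed sample reports two findings (disk1 without credentials, disk2 with verify-peer=no) and nothing for the sample drive from the patch description or the local qcow2 drive; to audit a real guest, pass the command line from the domain's QEMU log to argv_from_text instead of SAMPLE_CMDLINE.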
Signed-off-by: Ashish Mittal --- v5 changelog: (1) The v4 3/3 patch has been split into smaller chunks. (2) Functionally there are no changes in TLS code yet. TODO: Changes to TLS functionality are pending. docs/schemas/domaincommon.rng | 5 ++++ src/conf/domain_conf.c | 19 ++++++++++++ src/qemu/qemu_block.c | 42 +++++++++++++++++++-------- src/qemu/qemu_command.c | 67 +++++++++++++++++++++++++++++++++++++++= ++++ src/util/virstoragefile.c | 13 +++++++++ src/util/virstoragefile.h | 9 ++++++ 6 files changed, 143 insertions(+), 12 deletions(-) diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 458b8d8..af38c9a 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1651,6 +1651,11 @@ + + + + + =20 diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 5bad397..f3fb3d0 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -8017,6 +8017,7 @@ virDomainDiskSourceParse(xmlNodePtr node, int ret =3D -1; char *protocol =3D NULL; xmlNodePtr saveNode =3D ctxt->node; + char *haveTLS =3D NULL; =20 ctxt->node =3D node; =20 @@ -8050,6 +8051,19 @@ virDomainDiskSourceParse(xmlNodePtr node, goto cleanup; } =20 + /* Check tls=3Dyes|no domain setting for the block device */ + /* At present only VxHS. Other block devices may be added later */ + if ((haveTLS =3D virXMLPropString(node, "tls")) && + src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS) { + if ((src->haveTLS =3D + virTristateBoolTypeFromString(haveTLS)) <=3D 0) { + virReportError(VIR_ERR_XML_ERROR, + _("unknown VxHS 'tls' setting '%s'"), + haveTLS); + goto cleanup; + } + } + /* for historical reasons the volume name for gluster volume is st= ored * as a part of the path. This is hard to work with when dealing w= ith * relative names. Split out the volume into a separate variable */ @@ -8105,6 +8119,7 @@ virDomainDiskSourceParse(xmlNodePtr node, =20 cleanup: VIR_FREE(protocol); + VIR_FREE(haveTLS); ctxt->node =3D saveNode; return ret; } 
@@ -21534,6 +21549,10 @@ virDomainDiskSourceFormatNetwork(virBufferPtr buf, =20 VIR_FREE(path); =20 + if (src->haveTLS !=3D VIR_TRISTATE_BOOL_ABSENT) + virBufferAsprintf(buf, " tls=3D'%s'", + virTristateBoolTypeToString(src->haveTLS)); + if (src->nhosts =3D=3D 0 && !src->snapshot && !src->configFile) { virBufferAddLit(buf, "/>\n"); } else { diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index a4d0160..766d07f 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -519,20 +519,38 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePt= r src) if (!(server =3D qemuBuildVxHSDriveJSONHost(src))) return NULL; =20 - /* VxHS disk specification example: - * { driver:"vxhs", - * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", - * server.host:"1.2.3.4", - * server.port:1234} - */ - if (virJSONValueObjectCreate(&ret, - "s:driver", protocol, - "s:vdisk-id", src->path, - "a:server", server, NULL) < 0) { - virJSONValueFree(server); - ret =3D NULL; + if (src->addTLS =3D=3D true) { + char *objalias =3D NULL; + + if (!(objalias =3D qemuAliasTLSObjFromSrcAlias("vxhs"))) + goto cleanup; + + if (virJSONValueObjectCreate(&ret, + "s:driver", protocol, + "s:tls-creds", objalias, + "s:vdisk-id", src->path, + "a:server", server, NULL) < 0) { + virJSONValueFree(server); + ret =3D NULL; + } + VIR_FREE(objalias); + } else { + /* VxHS disk specification example: + * { driver:"vxhs", + * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", + * server.host:"1.2.3.4", + * server.port:1234} + */ + if (virJSONValueObjectCreate(&ret, + "s:driver", protocol, + "s:vdisk-id", src->path, + "a:server", server, NULL) < 0) { + virJSONValueFree(server); + ret =3D NULL; + } } =20 + cleanup: return ret; } =20 diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 0fd2674..384a489 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
@@ -791,6 +791,70 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd, } =20 =20 + +/* qemuBuildDiskVxHSTLSinfoCommandLine: + * @cmd: Pointer to the command string + * @cfg: Pointer to the qemu driver config + * @disk: The disk we are processing + * @qemuCaps: qemu capabilities object + * + * Check if the VxHS disk meets all the criteria to enable TLS. + * If yes, add a new TLS object and mention it's ID on the disk + * command line. + * + * Returns 0 on success, -1 w/ error on some sort of failure. + */ +static int +qemuBuildDiskVxHSTLSinfoCommandLine(virCommandPtr cmd, + virQEMUDriverConfigPtr cfg, + virDomainDiskDefPtr disk, + virQEMUCapsPtr qemuCaps) +{ + int ret =3D 0; + + if (cfg->vxhsTLS =3D=3D true && disk->src->haveTLS !=3D VIR_TRISTATE_= BOOL_NO) { + disk->src->addTLS =3D true; + ret =3D qemuBuildTLSx509CommandLine(cmd, cfg->vxhsTLSx509certd= ir, + false, + true, + false, + "vxhs", + qemuCaps); + } else if (cfg->vxhsTLS =3D=3D false && + disk->src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Please enable VxHS specific TLS options in the q= emu " + "conf file before using TLS in VxHS device domain= " + "specification")); + ret =3D -1; + } + + return ret; +} + + +/* qemuBuildDiskTLSinfoCommandLine: + * + * Add TLS object if the disk uses a secure communication channel + * + * Returns 0 on success, -1 w/ error on some sort of failure. + */ +static int +qemuBuildDiskTLSinfoCommandLine(virCommandPtr cmd, + virQEMUDriverConfigPtr cfg, + virDomainDiskDefPtr disk, + virQEMUCapsPtr qemuCaps) +{ + virStorageSourcePtr src =3D disk->src; + + /* other protocols may be added later */ + if (src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS) + return qemuBuildDiskVxHSTLSinfoCommandLine(cmd, cfg, disk, qemuCap= s); + + return 0; +} + + static char * qemuBuildNetworkDriveURI(virStorageSourcePtr src, qemuDomainSecretInfoPtr secinfo) 
@@ -2218,6 +2282,9 @@ qemuBuildDiskDriveCommandLine(virCommandPtr cmd, if (qemuBuildDiskSecinfoCommandLine(cmd, encinfo) < 0) return -1; =20 + if (qemuBuildDiskTLSinfoCommandLine(cmd, cfg, disk, qemuCaps) < 0) + return -1; + virCommandAddArg(cmd, "-drive"); =20 if (!(optstr =3D qemuBuildDriveStr(disk, cfg, driveBoot, qemuCaps)= )) diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index e9a59e0..d4f0fdb 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -2039,6 +2039,8 @@ virStorageSourceCopy(const virStorageSource *src, ret->physical =3D src->physical; ret->readonly =3D src->readonly; ret->shared =3D src->shared; + ret->haveTLS =3D src->haveTLS; + ret->addTLS =3D src->addTLS; =20 /* storage driver metadata are not copied */ ret->drv =3D NULL; @@ -3219,6 +3221,7 @@ virStorageSourceParseBackingJSONVxHS(virStorageSource= Ptr src, { const char *vdisk_id =3D virJSONValueObjectGetString(json, "vdisk-id"); virJSONValuePtr server =3D virJSONValueObjectGetObject(json, "server"); + const char *haveTLS =3D virJSONValueObjectGetString(json, "tls"); =20 if (!vdisk_id || !server) { virReportError(VIR_ERR_INVALID_ARG, "%s", @@ -3227,6 +3230,16 @@ virStorageSourceParseBackingJSONVxHS(virStorageSourc= ePtr src, return -1; } =20 + if (haveTLS) { + if ((src->haveTLS =3D + virTristateBoolTypeFromString(haveTLS)) <=3D 0) { + virReportError(VIR_ERR_INVALID_ARG, + _("unknown VxHS 'tls' setting '%s'"), + haveTLS); + return -1; + } + } + src->type =3D VIR_STORAGE_TYPE_NETWORK; src->protocol =3D VIR_STORAGE_NET_PROTOCOL_VXHS; =20 diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index f7e897f..0f363a7 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h 
@@ -281,6 +281,15 @@ struct _virStorageSource { /* metadata that allows identifying given storage source */ char *nodeformat; /* name of the format handler object */ char *nodestorage; /* name of the storage object */ + + /* This is the domain specific setting. + * It may be absent */ + int haveTLS; /* enum virTristateBool */ + + /* This should be set to "true" only when TLS creds are to be added for + * the device. For e.g. this could be based on a combination of + * global conf setting + domain specific setting */ + bool addTLS; }; =20 =20 --=20 2.5.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
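Review bot: in the virDomainDiskSourceParse hunk of src/conf/domain_conf.c, a tls attribute on a network source whose protocol is not VxHS is silently discarded, because the protocol test is folded into the same condition as virXMLPropString(node, "tls"); an admin who writes tls='yes' on a source of another protocol gets neither TLS nor an error. Suggest reading the attribute first and reporting VIR_ERR_CONFIG_UNSUPPORTED when haveTLS is non-NULL and src->protocol != VIR_STORAGE_NET_PROTOCOL_VXHS, so the "other block devices may be added later" comment becomes an explicit rejection rather than a silent drop.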
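Review bot: in the qemuBlockStorageSourceGetVxHSProps hunk of src/qemu/qemu_block.c, the new "goto cleanup" after a failed qemuAliasTLSObjFromSrcAlias("vxhs") leaks the server object created just above it, since cleanup only returns ret and server is freed solely on the virJSONValueObjectCreate failure path. Suggest freeing server at cleanup (and setting ret to NULL there) and collapsing the two near-identical virJSONValueObjectCreate calls into one, passing the alias through an optional-string modifier so the tls-creds key is omitted when no object was created; that removes the duplicated "VxHS disk specification example" block as well.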
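Review bot: in the qemuBuildDiskVxHSTLSinfoCommandLine hunk of src/qemu/qemu_command.c, the TLS object alias is the fixed string "vxhs" handed to qemuBuildTLSx509CommandLine, while the function is called once per disk from qemuBuildDiskDriveCommandLine, so a domain with two VxHS disks emits two -object tls-creds-x509 entries with the same id (objvxhs_tls0 in the sample above) and QEMU will reject the duplicate. Suggest deriving the alias from disk->info.alias and using the same derived name in qemuBlockStorageSourceGetVxHSProps, or emitting the object exactly once per domain. Two smaller points in the same hunk: "cfg->vxhsTLS == true" / "== false" reads better as "cfg->vxhsTLS" / "!cfg->vxhsTLS", and the error string should drop the leading "Please" to match libvirt's message style.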
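Review bot: in the virStorageSourceParseBackingJSONVxHS hunk of src/util/virstoragefile.c, the key read from the backing JSON is "tls", but the VxHS blockdev options this very patch emits in qemuBlockStorageSourceGetVxHSProps carry "tls-creds" with an object id and never a yes/no "tls" key, so this branch cannot match a backing-store description that QEMU or libvirt produced. Either drop it, or map the presence of "tls-creds" to VIR_TRISTATE_BOOL_YES and document which producer is expected to write "tls".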
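Review bot: in the struct _virStorageSource hunk of src/util/virstoragefile.h, addTLS records a decision derived from the driver config at command-line build time (it is set in qemuBuildDiskVxHSTLSinfoCommandLine), yet it lives in the persistent source definition and is duplicated by virStorageSourceCopy; if qemu.conf changes between two builds, a copied source carries the stale value. Consider keeping only haveTLS in the definition and computing the add-credentials decision where the command line is built, or at least clearing addTLS in the copy. Nit in the comment: "For e.g." should be "For example".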