From nobody Wed Feb 11 10:16:31 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zoho.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 148977598344488.41193020756748;
 Fri, 17 Mar 2017 11:39:43 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id DB6EC80515;
	Fri, 17 Mar 2017 18:39:42 +0000 (UTC)
Received: from colo-mx.corp.redhat.com (unknown [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id B121E1899B;
	Fri, 17 Mar 2017 18:39:42 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 66A724ED23;
	Fri, 17 Mar 2017 18:39:42 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
	[10.5.11.15])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id v2HId7JS025173 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 17 Mar 2017 14:39:07 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id EB6ACBFA73; Fri, 17 Mar 2017 18:39:07 +0000 (UTC)
Received: from localhost.localdomain.com (ovpn-116-76.phx2.redhat.com
	[10.3.116.76])
	by smtp.corp.redhat.com (Postfix) with ESMTP id A9EFA627DD
	for <libvir-list@redhat.com>; Fri, 17 Mar 2017 18:39:07 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com DB6EC80515
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com;
 dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com;
 spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com DB6EC80515
From: John Ferlan <jferlan@redhat.com>
To: libvir-list@redhat.com
Date: Fri, 17 Mar 2017 14:38:56 -0400
Message-Id: <20170317183901.5267-3-jferlan@redhat.com>
In-Reply-To: <20170317183901.5267-1-jferlan@redhat.com>
References: <20170317183901.5267-1-jferlan@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-loop: libvir-list@redhat.com
Subject: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]);
 Fri, 17 Mar 2017 18:39:43 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

Add a new TLS X.509 certificate type - "migrate". This will handle the
creation of a TLS certificate capability (and possibly repository) to
be used for migrations. Similar to chardev's, credentials will be handled
via a libvirt secrets; however, unlike chardev's enablement and usage
will be via a CLI flag instead of a conf flag and a domain XML attribute.
The migrations will also require the client-cert.pem and client-key.pem
files to be present in the clients TLS directory.

Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 src/qemu/libvirtd_qemu.aug         |  5 +++++
 src/qemu/qemu.conf                 | 37 ++++++++++++++++++++++++++++++++++=
+++
 src/qemu/qemu_conf.c               |  6 ++++++
 src/qemu/qemu_conf.h               |  4 ++++
 src/qemu/test_libvirtd_qemu.aug.in |  3 +++
 5 files changed, 55 insertions(+)

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 82bae9e..e1983d1 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -54,6 +54,10 @@ module Libvirtd_qemu =3D
                  | bool_entry "chardev_tls_x509_verify"
                  | str_entry "chardev_tls_x509_secret_uuid"
=20
+   let migrate_entry =3D str_entry "migrate_tls_x509_cert_dir"
+                 | bool_entry "migrate_tls_x509_verify"
+                 | str_entry "migrate_tls_x509_secret_uuid"
+
    let nogfx_entry =3D bool_entry "nographics_allow_host_audio"
=20
    let remote_display_entry =3D int_entry "remote_display_port_min"
@@ -116,6 +120,7 @@ module Libvirtd_qemu =3D
              | vnc_entry
              | spice_entry
              | chardev_entry
+             | migrate_entry
              | nogfx_entry
              | remote_display_entry
              | security_entry
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 9925ac9..40bcec3 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -13,6 +13,11 @@
 #
 #  dh-params.pem - the DH params configuration file
 #
+# When using TLS for migrations, the directory must also contain
+#
+#  client-cert.pem - the client certificate signed with the ca-cert.pem
+#  client-key.pem - the client private key
+#
 #default_tls_x509_cert_dir =3D "/etc/pki/qemu"
=20
=20
@@ -238,6 +243,38 @@
 #chardev_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000"
=20
=20
+# In order to override the default TLS certificate location for migration
+# certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist then the default_tls_x509_cert_dir path
+# will be used. Once/if a default certificate is enabled/defined, migration
+# will then be able to use the certificate via migration API flags.
+#
+#migrate_tls_x509_cert_dir =3D "/etc/pki/libvirt-migrate"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem
+#
+#migrate_tls_x509_verify =3D 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#migrate_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000"
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 9db2bc3..4c271cd 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -280,6 +280,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool priv=
ileged)
     SET_TLS_X509_CERT_DEFAULT(vnc);
     SET_TLS_X509_CERT_DEFAULT(spice);
     SET_TLS_X509_CERT_DEFAULT(chardev);
+    SET_TLS_X509_CERT_DEFAULT(migrate);
=20
 #undef SET_TLS_X509_CERT_DEFAULT
=20
@@ -395,6 +396,9 @@ static void virQEMUDriverConfigDispose(void *obj)
     VIR_FREE(cfg->chardevTLSx509certdir);
     VIR_FREE(cfg->chardevTLSx509secretUUID);
=20
+    VIR_FREE(cfg->migrateTLSx509certdir);
+    VIR_FREE(cfg->migrateTLSx509secretUUID);
+
     while (cfg->nhugetlbfs) {
         cfg->nhugetlbfs--;
         VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir);
@@ -556,6 +560,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr =
cfg,
         goto cleanup;
     GET_CONFIG_TLS_CERTINFO(chardev);
=20
+    GET_CONFIG_TLS_CERTINFO(migrate);
+
 #undef GET_CONFIG_TLS_CERTINFO
=20
     if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSo=
cketPortMin) < 0)
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index e585f81..1407eef 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -137,6 +137,10 @@ struct _virQEMUDriverConfig {
     bool chardevTLSx509verify;
     char *chardevTLSx509secretUUID;
=20
+    char *migrateTLSx509certdir;
+    bool migrateTLSx509verify;
+    char *migrateTLSx509secretUUID;
+
     unsigned int remotePortMin;
     unsigned int remotePortMax;
=20
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe=
mu.aug.in
index 6f03898..3e317bc 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -25,6 +25,9 @@ module Test_libvirtd_qemu =3D
 { "chardev_tls_x509_cert_dir" =3D "/etc/pki/libvirt-chardev" }
 { "chardev_tls_x509_verify" =3D "1" }
 { "chardev_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000=
" }
+{ "migrate_tls_x509_cert_dir" =3D "/etc/pki/libvirt-migrate" }
+{ "migrate_tls_x509_verify" =3D "1" }
+{ "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000=
" }
 { "nographics_allow_host_audio" =3D "1" }
 { "remote_display_port_min" =3D "5900" }
 { "remote_display_port_max" =3D "65535" }
--=20
2.9.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list