From: John Ferlan
To: libvir-list@redhat.com
Date: Wed, 28 Jun 2017 15:30:28 -0400
Message-Id: <20170628193028.5256-3-jferlan@redhat.com>
In-Reply-To: <20170628193028.5256-1-jferlan@redhat.com>
References: <20170628193028.5256-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH 2/2] qemu: Check for existence of provided *_tls_x509_cert_dir

https://bugzilla.redhat.com/show_bug.cgi?id=1458630

Introduce virQEMUDriverConfigSetCertDir which will handle reading the
qemu.conf config file specific setting for default, vnc, spice, chardev,
and migrate. Then if a setting was provided, validating the existence of
the directory and overwriting the default set by virQEMUDriverConfigNew.

Also update the qemu.conf description for default to indicate the
consequences if the default directory does not exist.

Signed-off-by: John Ferlan
---
 src/qemu/qemu.conf   |  9 ++++++++-
 src/qemu/qemu_conf.c | 42 ++++++++++++++++++++++++++++++++++--------
 2 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index e6c0832..737fa46 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf @@ -3,7 +3,7 @@ # defaults are used. =20 # Use of TLS requires that x509 certificates be issued. The default is -# to keep them in /etc/pki/qemu. This directory must contain +# to keep them in /etc/pki/qemu. This directory must exist and contain: # # ca-cert.pem - the CA master certificate # server-cert.pem - the server certificate signed with ca-cert.pem @@ -13,6 +13,13 @@ # # dh-params.pem - the DH params configuration file # +# If the directory does not exist or does not contain the necessary files, +# QEMU domains will fail to start if they are configured to use TLS. +# +# In order to overwrite the default directory alter the following. If the +# provided directory does not exist, then the setting reverts back to the +# default /etc/pki/qemu. +# #default_tls_x509_cert_dir =3D "/etc/pki/qemu" =20 =20 diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 94e00b2..a52349f 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -440,6 +440,32 @@ virQEMUDriverConfigHugeTLBFSInit(virHugeTLBFSPtr huget= lbfs, } =20 =20 +static int +virQEMUDriverConfigSetCertDir(virConfPtr conf, + const char *setting, + char **value) +{ + char *tlsCertDir =3D NULL; + + if (virConfGetValueString(conf, setting, &tlsCertDir) < 0) + return -1; + + if (!tlsCertDir) + return 0; + + if (!virFileExists(tlsCertDir)) { + VIR_INFO("%s, directory '%s' does not exist, retain default", + setting, tlsCertDir); + VIR_FREE(tlsCertDir); + } else { + VIR_FREE(*value); + VIR_STEAL_PTR(*value, tlsCertDir); + } + + return 0; +} + + int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, const char *filename, bool privileged) 
@@ -467,8 +493,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr = cfg, if (!(conf =3D virConfReadFile(filename, 0))) goto cleanup; =20 - if (virConfGetValueString(conf, "default_tls_x509_cert_dir", - &cfg->defaultTLSx509certdir) < 0) + if (virQEMUDriverConfigSetCertDir(conf, "default_tls_x509_cert_dir", + &cfg->defaultTLSx509certdir) < 0) goto cleanup; if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0) @@ -487,8 +513,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr = cfg, goto cleanup; if (rv =3D=3D 0) cfg->vncTLSx509verify =3D cfg->defaultTLSx509verify; - if (virConfGetValueString(conf, "vnc_tls_x509_cert_dir", - &cfg->vncTLSx509certdir) < 0) + if (virQEMUDriverConfigSetCertDir(conf, "vnc_tls_x509_cert_dir", + &cfg->vncTLSx509certdir) < 0) goto cleanup; if (virConfGetValueString(conf, "vnc_listen", &cfg->vncListen) < 0) goto cleanup; @@ -532,8 +558,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr = cfg, =20 if (virConfGetValueBool(conf, "spice_tls", &cfg->spiceTLS) < 0) goto cleanup; - if (virConfGetValueString(conf, "spice_tls_x509_cert_dir", - &cfg->spiceTLSx509certdir) < 0) + if (virQEMUDriverConfigSetCertDir(conf, "spice_tls_x509_cert_dir", + &cfg->spiceTLSx509certdir) < 0) goto cleanup; if (virConfGetValueBool(conf, "spice_sasl", &cfg->spiceSASL) < 0) goto cleanup; @@ -554,8 +580,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr = cfg, goto cleanup; = \ if (rv =3D=3D 0) = \ cfg->val## TLSx509verify =3D cfg->defaultTLSx509verify; = \ - if (virConfGetValueString(conf, #val "_tls_x509_cert_dir", = \ - &cfg->val## TLSx509certdir) < 0) = \ + if (virQEMUDriverConfigSetCertDir(conf, #val "_tls_x509_cert_dir",= \ + &cfg->val## TLSx509certdir) < 0)= \ goto cleanup; = \ if (virConfGetValueString(conf, = \ #val "_tls_x509_secret_uuid", = \ --=20 2.9.4 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
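Review bot: In the qemu_conf.c hunk at @@ -440 that adds virQEMUDriverConfigSetCertDir, virFileExists() only tests that the path exists, so a regular file (or anything else that is not a directory) at the configured path is accepted here and the problem only surfaces later, when a TLS-enabled domain fails to start as the qemu.conf hunk describes; virFileIsDir() would match both the intent and the log text "directory '%s' does not exist". Separately, an explicitly configured directory being dropped in favour of the default is a misconfiguration the administrator needs to notice (a typo in spice_tls_x509_cert_dir means that service quietly runs with the default directory's CA and certificates), and VIR_INFO is easy to miss in a production log; consider VIR_WARN, or returning -1 so the daemon refuses the configuration, rather than "retain default".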
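Review bot: In the qemu.conf hunk at @@ -13, the new paragraph says a nonexistent directory "reverts back to the default /etc/pki/qemu", which is accurate for default_tls_x509_cert_dir, but the qemu_conf.c hunks route vnc_tls_x509_cert_dir, spice_tls_x509_cert_dir and the chardev/migrate settings through the same helper, and this patch adds no matching note at those settings. Suggest a short sentence at each of them, or wording this paragraph so it says the same fallback applies to every *_tls_x509_cert_dir setting, so an administrator reading only the vnc or spice section learns that a missing directory is not treated as an error.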
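A stricter version of the directory check the patch introduces, written here as an added example in plain C; it is not libvirt code and uses none of libvirt's helpers. It requires the configured path to be a directory that contains the certificate files named in the qemu.conf hunk, mirrors the patch's keep-the-default-on-failure control flow on a stand-in for cfg->defaultTLSx509certdir, and returns the reason for a rejection so a caller can log it at warning level or refuse the configuration. Every `example_`-prefixed name, the fixture directory under /tmp, and the three-file list (the real qemu.conf lists more files than this hunk shows) are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not libvirt code: a stricter variant of the check done by the
 * patch's virQEMUDriverConfigSetCertDir. The patch accepts any existing path;
 * this requires a directory holding the certificate files the qemu.conf hunk
 * lists (the real qemu.conf lists more). "example_" names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
static const char *const example_required[] = { "ca-cert.pem", "server-cert.pem", "dh-params.pem" };
#define EXAMPLE_NREQUIRED (sizeof(example_required) / sizeof(example_required[0]))
typedef enum {
    EXAMPLE_CERTDIR_OK = 0,        /* directory with every required file */
    EXAMPLE_CERTDIR_NOT_DIR = 1,   /* missing, inaccessible, or not a directory */
    EXAMPLE_CERTDIR_INCOMPLETE = 2 /* directory exists but a required file is absent */
} example_certdir_status;

/* S_ISDIR rejects a regular file that a bare existence test would accept, and
 * the per-file stat() names the first missing certificate in `why` so it can
 * be logged (pass NULL and 0 to discard the reason). */
static example_certdir_status
example_check_cert_dir(const char *dir, char *why, size_t whylen)
{
    struct stat sb; char path[4096]; size_t i;
    if (stat(dir, &sb) < 0 || !S_ISDIR(sb.st_mode)) {
        snprintf(why, whylen, "'%s' is not an existing directory", dir);
        return EXAMPLE_CERTDIR_NOT_DIR;
    }
    for (i = 0; i < EXAMPLE_NREQUIRED; i++) {
        snprintf(path, sizeof(path), "%s/%s", dir, example_required[i]);
        if (stat(path, &sb) < 0 || !S_ISREG(sb.st_mode)) {
            snprintf(why, whylen, "'%s' lacks %s", dir, example_required[i]);
            return EXAMPLE_CERTDIR_INCOMPLETE;
        }
    }
    return EXAMPLE_CERTDIR_OK;
}

/* Stand-in for cfg->defaultTLSx509certdir (NULL = compiled-in default), driven
 * with the patch's control flow: a NULL (absent) setting keeps the value, a
 * usable path replaces it, and an unusable one keeps the value but returns the
 * reason instead of logging at INFO, so the caller can warn or refuse to load. */
static char *example_cfg_dir;
static const char *example_cfg_get(void) { return example_cfg_dir ? example_cfg_dir : "/etc/pki/qemu"; }
static example_certdir_status example_cfg_apply(const char *configured)
{
    example_certdir_status st; char *copy;
    if (!configured)
        return EXAMPLE_CERTDIR_OK;
    if ((st = example_check_cert_dir(configured, NULL, 0)) != EXAMPLE_CERTDIR_OK)
        return st;
    if (!(copy = strdup(configured)))
        abort();                     /* out of memory: fail closed */
    free(example_cfg_dir);
    example_cfg_dir = copy;
    return EXAMPLE_CERTDIR_OK;
}

/* Constructed fixture under /tmp: a directory, optionally populated with empty
 * placeholder files (the check inspects presence, not contents). */
static char example_fixture[64], example_fixture_file[128];

static int example_fixture_create(int with_files)
{
    size_t i; FILE *fp;
    snprintf(example_fixture, sizeof(example_fixture), "/tmp/example_certdir_%ld", (long)getpid());
    if (mkdir(example_fixture, 0700) < 0 && errno != EEXIST)
        return -1;
    for (i = 0; with_files && i < EXAMPLE_NREQUIRED; i++) {
        snprintf(example_fixture_file, sizeof(example_fixture_file), "%s/%s", example_fixture, example_required[i]);
        if (!(fp = fopen(example_fixture_file, "w")))
            return -1;
        fclose(fp);
    }
    return 0;
}

static int example_fixture_remove(void)
{
    size_t i;
    for (i = 0; i < EXAMPLE_NREQUIRED; i++) {
        snprintf(example_fixture_file, sizeof(example_fixture_file), "%s/%s", example_fixture, example_required[i]);
        unlink(example_fixture_file);
    }
    return rmdir(example_fixture);
}

/* Stand-alone use: report whether a directory (default /etc/pki/qemu) is usable. */
int main(int argc, char **argv)
{
    char why[256] = "";
    const char *dir = argc > 1 ? argv[1] : "/etc/pki/qemu";
    example_certdir_status st = example_check_cert_dir(dir, why, sizeof(why));
    printf("%s: %s\n", dir, st == EXAMPLE_CERTDIR_OK ? "usable" : why);
    return st;
}
```

Compiled on its own, `main` reports whether the directory named on the command line (default /etc/pki/qemu) would be accepted and, if not, which file is missing, which lets an administrator confirm a `*_tls_x509_cert_dir` value before restarting the daemon instead of discovering the fallback from a later domain start failure.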