From: John Ferlan
To: libvir-list@redhat.com, ashmit602@gmail.com
Date: Thu, 31 Aug 2017 07:01:53 -0400
Message-Id: <20170831110156.11549-11-jferlan@redhat.com>
In-Reply-To: <20170831110156.11549-1-jferlan@redhat.com>
References: <20170831110156.11549-1-jferlan@redhat.com>
List-Id: Development discussions about the libvirt library & tools
Subject: [libvirt] [PATCH v6 10/13] qemu: Introduce qemuDomainPrepareDiskSource

Introduce a function to set up any TLS needs for a disk source. If there's a configuration or other error setting up the disk source for TLS, then cause the domain startup to fail.

For VxHS, if cfg->haveTLS is set, then TLS creds will be added automatically to every VxHS disk that didn't specify "tls='no'" in the domain XML. Additionally, if the domain XML has "tls='yes'", but cfg->haveTLS is not set, then issue a configuration error.
Signed-off-by: John Ferlan
---
This is NEW from v5.

This patch adds the infrastructure to the qemuDomainPrepare* family of functions in order to walk the disk list looking for disks that need to be set up properly for TLS. The code is very similar to the chardev model - except that it can cause a failure to start the domain in the event that the vxhsTLS = 0, but domain XML haveTLS = yes.

Essentially pulling in the code from v5 patch5 qemuBuildDiskVxHSTLSinfoCommandLine.

 src/qemu/qemu_domain.c  | 58 +++++++++++++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_domain.h  |  5 +++++
 src/qemu/qemu_process.c |  4 ++++
 3 files changed, 67 insertions(+)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index cbee151..c3eadf3 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7520,6 +7520,64 @@ qemuDomainPrepareChardevSource(virDomainDefPtr def, } =20 =20 +/* qemuProcessPrepareDiskSourceTLS: + * @source: pointer to host interface data for disk device + * @cfg: driver configuration + * + * Updates host interface TLS encryption setting based on qemu.conf + * for disk devices. This will be presented as "tls=3D'yes|no'" in + * live XML of a guest. + * + * Returns 0 on success, -1 on bad config/failure + */ +static int +qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, + virQEMUDriverConfigPtr cfg) +{ + + /* VxHS doesn't utilize a password protected server certificate, + * so no need to add a secinfo for a secret UUID. */ + if (src->type =3D=3D VIR_STORAGE_TYPE_NETWORK && + src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS) { + + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES && !cfg->vxhsTLS) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("VxHS TLS protocol is configured in XML, but " + "TLS for VxHS is disabled in qemu.conf")); + return -1; + } + + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_ABSENT && cfg->vxhsTLS) + src->haveTLS =3D VIR_TRISTATE_BOOL_YES; + } + + return 0; +} + + +/* qemuProcessPrepareDiskSource: + * @def: live domain definition + * @driver: qemu driver + * + * Iterate through all disk devices to setup/check any that would be + * using TLS. + * + * Returns 0 on success, -1 on failure + */ +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) +{ + size_t i; + + for (i =3D 0; i < def->ndisks; i++) { + if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src, cfg) < 0) + return -1; + } + + return 0; +} + =20 int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem) diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index f93b09b..f701287 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h 
@@ -841,6 +841,11 @@ void qemuDomainPrepareChardevSourceTLS(virDomainChrSou= rceDefPtr source, virQEMUDriverConfigPtr cfg) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); =20 +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); + void qemuDomainPrepareChardevSource(virDomainDefPtr def, virQEMUDriverPtr driver) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 364c359..7978ef3 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -5326,6 +5326,10 @@ qemuProcessPrepareDomain(virConnectPtr conn, if (qemuDomainMasterKeyCreate(vm) < 0) goto cleanup; =20 + VIR_DEBUG("Prepare disk source backends for TLS"); + if (qemuDomainPrepareDiskSource(vm->def, cfg) < 0) + goto cleanup; + VIR_DEBUG("Prepare chardev source backends for TLS"); qemuDomainPrepareChardevSource(vm->def, driver); =20 --=20 2.9.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
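Review bot: the doc comments in the qemu_domain.c hunk do not match the functions they describe. The first block is headed `qemuProcessPrepareDiskSourceTLS` and documents `@source`, but the function is `qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, ...)`; the second is headed `qemuProcessPrepareDiskSource` and documents `@driver: qemu driver`, while the actual parameter is `virQEMUDriverConfigPtr cfg`. The sentence "Updates host interface TLS encryption setting" is carried over from the chardev helper and should say that it updates the disk source's TLS setting from qemu.conf. The commit message has the same drift, referring to `cfg->haveTLS` where the code checks `cfg->vxhsTLS`. The logic itself reads correctly and is the right default for a transport-security setting: an explicit tls='yes' against a config with `cfg->vxhsTLS` unset fails with VIR_ERR_CONFIG_UNSUPPORTED instead of silently starting the disk without TLS, an absent setting inherits the config default, and an explicit tls='no' is left untouched. Minor style nit: there is a stray blank line after the opening brace of qemuDomainPrepareDiskSourceTLS.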
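Review bot: in the qemu_process.c hunk the new check runs from qemuProcessPrepareDomain, so a tls='yes' disk on a host with `cfg->vxhsTLS` unset is accepted at define time and only rejected at domain start; this matches the cover note ("it can cause a failure to start the domain") but deserves a sentence in the commit message, since it is the point where a previously defined guest starts failing after a qemu.conf change. The `goto cleanup` on error is correct and mirrors the qemuDomainMasterKeyCreate path just above it. Note the asymmetry with the neighbouring call: qemuDomainPrepareChardevSource takes `driver` and returns void, whereas the new qemuDomainPrepareDiskSource takes `cfg` and can fail; if the two are meant to stay parallel, the chardev variant is now the odd one out.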