From: John Ferlan
To: libvir-list@redhat.com, ashmit602@gmail.com
Date: Thu, 31 Aug 2017 07:01:54 -0400
Message-Id: <20170831110156.11549-12-jferlan@redhat.com>
In-Reply-To: <20170831110156.11549-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v6 11/13] qemu: Add TLS support for Veritas HyperScale (VxHS)

From: Ashish Mittal

Alter qemu command line generation in order to possibly add TLS for a
suitably configured domain.

Sample TLS args generated by libvirt -

-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\
endpoint=client,verify-peer=yes \
-drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\
file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
file.server.0.type=tcp,file.server.0.host=192.168.0.1,\
file.server.0.port=9999,format=raw,if=none,\
id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0

Update the qemuxml2argvtest with a simple example.

Signed-off-by: Ashish Mittal
Signed-off-by: John Ferlan
---
This is the remainder of v5 patch5 - the src/qemu/qemu_*.c changes in
order to add the TLS information to the command line. Changes include:

* Alteration of the alias name to be used. We cannot use a static "vxhs"
  since there will be more than one disk possible. Instead, we'll use the
  disk->info.alias (e.g. virtio-disk0). The diskN will always change, so
  we can be assured of unique alias generation.
* Do less in qemuBlockStorageSourceGetVxHSProps - make use of the fact
  that providing "S:address" to virJSONValueObjectCreate will only add
  the field if the address is not NULL.
* qemuBuildDiskTLSx509CommandLine was shortened since the code that was
  in qemuBuildDiskVxHSTLSinfoCommandLine has moved.
* Since we need the disk->info.alias, we have to pass it in
  qemuBlockStorageSourceGetBackendProps.
* Cleaned up the *.args output in order to match expectations of all the
  new code.
* Made sure to use the QEMU_CAPS_VXHS in qemuxml2argvtest

src/qemu/qemu_block.c | 29 ++++++++++++++++++= -- src/qemu/qemu_block.h | 3 +- src/qemu/qemu_command.c | 32 ++++++++++++++++++= +++- ...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 ++++++++++++++++++= ++ tests/qemuxml2argvtest.c | 5 ++++ 5 files changed, 94 insertions(+), 5 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-= tlsx509-vxhs.args diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index cb765ab..5e65692 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -18,6 +18,7 @@ =20 #include =20 +#include "qemu_alias.h" #include "qemu_block.h" #include "qemu_domain.h" =20 
@@ -484,9 +485,12 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSource= Ptr src) =20 static virJSONValuePtr qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src, - virQEMUCapsPtr qemuCaps) + virQEMUCapsPtr qemuCaps, + const char *diskAlias) + { const char *protocol =3D virStorageNetProtocolTypeToString(src->protoc= ol); + char *objalias =3D NULL; virJSONValuePtr server =3D NULL; virJSONValuePtr ret =3D NULL; =20 @@ -506,17 +510,34 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePt= r src, if (!(server =3D qemuBlockStorageSourceBuildHostsJSONSocketAddress(src= , true))) return NULL; =20 + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { + if (!diskAlias) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("disk does not have an alias")); + return NULL; + } + + if (!(objalias =3D qemuAliasTLSObjFromSrcAlias(diskAlias))) { + virJSONValueFree(server); + return NULL; + } + } + /* VxHS disk specification example: * { driver:"vxhs", + * [tls-creds:"objvirtio-disk0_tls0",] * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", * server:[{type:"tcp", host:"1.2.3.4", port:9999}]} */ if (virJSONValueObjectCreate(&ret, "s:driver", protocol, + "S:tls-creds", objalias, "s:vdisk-id", src->path, "a:server", server, NULL) < 0) virJSONValueFree(server); =20 + VIR_FREE(objalias); + return ret; } =20 @@ -530,7 +551,8 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr = src, */ virJSONValuePtr qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src, - virQEMUCapsPtr qemuCaps) + virQEMUCapsPtr qemuCaps, + const char *diskAlias) { int actualType =3D virStorageSourceGetActualType(src); virJSONValuePtr fileprops =3D NULL; @@ -553,7 +575,8 @@ qemuBlockStorageSourceGetBackendProps(virStorageSourceP= tr src, break; =20 case VIR_STORAGE_NET_PROTOCOL_VXHS: - if (!(fileprops =3D qemuBlockStorageSourceGetVxHSProps(src, qe= muCaps))) + if (!(fileprops =3D qemuBlockStorageSourceGetVxHSProps(src, qe= muCaps, + diskAlias= ))) goto cleanup; break; =20 
diff --git a/src/qemu/qemu_block.h b/src/qemu/qemu_block.h index 90f78e3..3ed1789 100644 --- a/src/qemu/qemu_block.h +++ b/src/qemu/qemu_block.h @@ -55,6 +55,7 @@ qemuBlockGetNodeData(virJSONValuePtr data); =20 virJSONValuePtr qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src, - virQEMUCapsPtr qemuCaps); + virQEMUCapsPtr qemuCaps, + const char *diskAlias); =20 #endif /* __QEMU_BLOCK_H__ */ diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 3205a59..b94ed11 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -791,6 +791,32 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd, } =20 =20 +/* qemuBuildDiskTLSx509CommandLine: + * + * Add TLS object if the disk uses a secure communication channel + * + * Returns 0 on success, -1 w/ error on some sort of failure. + */ +static int +qemuBuildDiskTLSx509CommandLine(virCommandPtr cmd, + virQEMUDriverConfigPtr cfg, + virDomainDiskDefPtr disk, + virQEMUCapsPtr qemuCaps) +{ + virStorageSourcePtr src =3D disk->src; + + /* other protocols may be added later */ + if (src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS && + disk->src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { + return qemuBuildTLSx509CommandLine(cmd, cfg->vxhsTLSx509certdir, + false, true, false, + disk->info.alias, qemuCaps); + } + + return 0; +} + + static char * qemuBuildNetworkDriveURI(virStorageSourcePtr src, qemuDomainSecretInfoPtr secinfo) @@ -1353,7 +1379,8 @@ qemuBuildDriveSourceStr(virDomainDiskDefPtr disk, int ret =3D -1; =20 if (qemuDiskSourceNeedsProps(disk->src) && - !(srcprops =3D qemuBlockStorageSourceGetBackendProps(disk->src, qe= muCaps))) + !(srcprops =3D qemuBlockStorageSourceGetBackendProps(disk->src, qe= muCaps, + disk->info.alia= s))) goto cleanup; =20 if (!srcprops && 
@@ -2218,6 +2245,9 @@ qemuBuildDiskDriveCommandLine(virCommandPtr cmd, if (qemuBuildDiskSecinfoCommandLine(cmd, encinfo) < 0) return -1; =20 + if (qemuBuildDiskTLSx509CommandLine(cmd, cfg, disk, qemuCaps) < 0) + return -1; + virCommandAddArg(cmd, "-drive"); =20 if (!(optstr =3D qemuBuildDriveStr(disk, cfg, driveBoot, qemuCaps)= )) diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -vxhs.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509= -vxhs.args new file mode 100644 index 0000000..5308a16 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.a= rgs @@ -0,0 +1,30 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/home/test \ +USER=3Dtest \ +LOGNAME=3Dtest \ +QEMU_AUDIO_DRV=3Dnone \ +/usr/bin/qemu-system-x86_64 \ +-name QEMUGuest1 \ +-S \ +-M pc \ +-cpu qemu32 \ +-m 214 \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-nographic \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,path=3D/tmp/lib/domain--1-QEMUGuest1/moni= tor.sock,\ +server,nowait \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dreadline \ +-no-acpi \ +-boot c \ +-usb \ +-object tls-creds-x509,id=3Dobjvirtio-disk0_tls0,dir=3D/etc/pki/qemu,\ +endpoint=3Dclient,verify-peer=3Dyes \ +-drive file.driver=3Dvxhs,file.tls-creds=3Dobjvirtio-disk0_tls0,\ +file.vdisk-id=3Deb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.0.type=3D= tcp,\ +file.server.0.host=3D192.168.0.1,file.server.0.port=3D9999,format=3Draw,if= =3Dnone,\ +id=3Ddrive-virtio-disk0,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x4,drive=3Ddrive-virtio-disk0,\ +id=3Dvirtio-disk0 diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index b92ded8..7be8bf8 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c 
@@ -932,6 +932,11 @@ mymain(void) DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE); DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS); + driver.config->vxhsTLS =3D 1; + DO_TEST("disk-drive-network-tlsx509-vxhs", QEMU_CAPS_VXHS, + QEMU_CAPS_OBJECT_TLS_CREDS_X509); + driver.config->vxhsTLS =3D 0; + VIR_FREE(driver.config->vxhsTLSx509certdir); DO_TEST("disk-drive-no-boot", QEMU_CAPS_BOOTINDEX); DO_TEST_PARSE_ERROR("disk-device-lun-type-invalid", --=20 2.9.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
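Review bot: the `if (!diskAlias)` error path in qemuBlockStorageSourceGetVxHSProps (src/qemu/qemu_block.c, hunk @@ -506,17 +510,34 @@) returns NULL without freeing `server`, which was built by qemuBlockStorageSourceBuildHostsJSONSocketAddress just above it; the sibling failure path for qemuAliasTLSObjFromSrcAlias does call `virJSONValueFree(server);`, so this branch leaks on a disk with TLS requested but no alias. Either add `virJSONValueFree(server);` before that `return NULL;` or move the whole `if (src->haveTLS == VIR_TRISTATE_BOOL_YES)` block above the server construction so neither TLS failure path has anything to release.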
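Review bot: the signature hunk for qemuBlockStorageSourceGetVxHSProps (src/qemu/qemu_block.c, hunk @@ -484,9 +485,12 @@) adds a stray empty `+` line between `const char *diskAlias)` and the opening `{`; the other functions touched in this patch (qemuBlockStorageSourceGetBackendProps, qemuBuildDiskTLSx509CommandLine) put `{` directly after the parameter list, so drop the blank line for consistency.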
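Review bot: in qemuBuildDiskTLSx509CommandLine (src/qemu/qemu_command.c, hunk @@ -791,6 +791,32 @@) the condition mixes `src->protocol` with `disk->src->haveTLS` even though `src` was just assigned from `disk->src`; use `src->haveTLS` for both tests. The three bare booleans `false, true, false` passed to qemuBuildTLSx509CommandLine are opaque at the call site, and they decide the security-relevant shape of the object (the expected .args show `endpoint=client,verify-peer=yes`); a one-line comment naming what each argument selects would make the intent reviewable without opening the callee.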
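Review bot: in the qemuxml2argvtest.c hunk (@@ -932,6 +932,11 @@) the cleanup after DO_TEST("disk-drive-network-tlsx509-vxhs", ...) is asymmetric: `driver.config->vxhsTLS = 0;` restores the value set two lines earlier, but `VIR_FREE(driver.config->vxhsTLSx509certdir);` releases a field this test never assigned (the expected .args show `dir=/etc/pki/qemu`, so it must hold the driver's default), leaving it NULL for every later test in mymain. Either drop the VIR_FREE or save the previous pointer before the test and put it back afterwards.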