From nobody Thu May 15 19:23:01 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 150428682476752.43880829634804;
 Fri, 1 Sep 2017 10:27:04 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
 [10.5.11.13])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 55AACC9D25;
	Fri,  1 Sep 2017 17:27:03 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 32EE67821A;
	Fri,  1 Sep 2017 17:27:03 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id EFAEE1806109;
	Fri,  1 Sep 2017 17:27:02 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
	[10.5.11.13])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id v81HABSf021753 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 1 Sep 2017 13:10:11 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 405427821A; Fri,  1 Sep 2017 17:10:11 +0000 (UTC)
Received: from localhost.localdomain.com (ovpn-116-88.phx2.redhat.com
	[10.3.116.88])
	by smtp.corp.redhat.com (Postfix) with ESMTP id EEA1E7821B;
	Fri,  1 Sep 2017 17:10:10 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 55AACC9D25
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com;
 dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com;
 spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com
From: John Ferlan <jferlan@redhat.com>
To: libvir-list@redhat.com
Date: Fri,  1 Sep 2017 13:09:53 -0400
Message-Id: <20170901170955.20281-10-jferlan@redhat.com>
In-Reply-To: <20170901170955.20281-1-jferlan@redhat.com>
References: <20170901170955.20281-1-jferlan@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-loop: libvir-list@redhat.com
Cc: ashmit602@gmail.com
Subject: [libvirt] [PATCH v7 09/11] qemu: Introduce
	qemuDomainPrepareDiskSource
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]);
 Fri, 01 Sep 2017 17:27:03 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

Introduce a function to setup any TLS needs for a disk source.

If there's a configuration or other error setting up the disk source
for TLS, then cause the domain startup to fail.

For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't
been configured, then take the system/global cfg->haveTLS setting for
the storage source *and* mark that we've done so via the tlsFromConfig
setting in storage source.

Next, if we are using TLS, then generate an alias into a virStorageSource
'tlsAlias' field that will be used to create the TLS object and added to
the disk object in order to link the two together for QEMU.

Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 src/qemu/qemu_domain.c    | 71 +++++++++++++++++++++++++++++++++++++++++++=
++++
 src/qemu/qemu_domain.h    | 11 ++++++++
 src/qemu/qemu_process.c   |  4 +++
 src/util/virstoragefile.c |  5 +++-
 src/util/virstoragefile.h |  6 ++++
 5 files changed, 96 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index b98ffff..c955000 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7520,6 +7520,77 @@ qemuDomainPrepareChardevSource(virDomainDefPtr def,
 }
=20
=20
+/* qemuProcessPrepareDiskSourceTLS:
+ * @source: pointer to host interface data for disk device
+ * @diskAlias: alias use for the disk device
+ * @cfg: driver configuration
+ *
+ * Updates host interface TLS encryption setting based on qemu.conf
+ * for disk devices.  This will be presented as "tls=3D'yes|no'" in
+ * live XML of a guest.
+ *
+ * Returns 0 on success, -1 on bad config/failure
+ */
+int
+qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src,
+                               const char *diskAlias,
+                               virQEMUDriverConfigPtr cfg)
+{
+
+    /* VxHS doesn't utilize a password protected server certificate,
+     * so no need to add a secinfo for a secret UUID. */
+    if (src->type =3D=3D VIR_STORAGE_TYPE_NETWORK &&
+        src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_VXHS) {
+
+        if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_ABSENT) {
+            if (cfg->vxhsTLS)
+                src->haveTLS =3D VIR_TRISTATE_BOOL_YES;
+            else
+                src->haveTLS =3D VIR_TRISTATE_BOOL_NO;
+            src->tlsFromConfig =3D true;
+        }
+
+        if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) {
+            if (!diskAlias) {
+                virReportError(VIR_ERR_INVALID_ARG, "%s",
+                               _("disk does not have an alias"));
+                return -1;
+            }
+
+            if (!(src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(diskAlias)=
))
+                return -1;
+        }
+    }
+
+    return 0;
+}
+
+
+/* qemuProcessPrepareDiskSource:
+ * @def: live domain definition
+ * @driver: qemu driver
+ *
+ * Iterate through all disk devices to setup/check any that would be
+ * using TLS.
+ *
+ * Returns 0 on success, -1 on failure
+ */
+int
+qemuDomainPrepareDiskSource(virDomainDefPtr def,
+                            virQEMUDriverConfigPtr cfg)
+{
+    size_t i;
+
+    for (i =3D 0; i < def->ndisks; i++) {
+        if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src,
+                                           def->disks[i]->info.alias,
+                                           cfg) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
=20
 int
 qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem)
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index f93b09b..cec9704 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -845,6 +845,17 @@ void qemuDomainPrepareChardevSource(virDomainDefPtr de=
f,
                                     virQEMUDriverPtr driver)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
=20
+int
+qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src,
+                               const char *diskAlias,
+                               virQEMUDriverConfigPtr cfg)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3);
+
+int
+qemuDomainPrepareDiskSource(virDomainDefPtr def,
+                            virQEMUDriverConfigPtr cfg)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
+
 int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem)
     ATTRIBUTE_NONNULL(1);
=20
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 0ed5d04..6d6ea16 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -5355,6 +5355,10 @@ qemuProcessPrepareDomain(virConnectPtr conn,
     if (qemuDomainMasterKeyCreate(vm) < 0)
         goto cleanup;
=20
+    VIR_DEBUG("Prepare disk source backends for TLS");
+    if (qemuDomainPrepareDiskSource(vm->def, cfg) < 0)
+        goto cleanup;
+
     VIR_DEBUG("Prepare chardev source backends for TLS");
     qemuDomainPrepareChardevSource(vm->def, driver);
=20
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index eb312cd..da137f7 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2054,7 +2054,8 @@ virStorageSourceCopy(const virStorageSource *src,
         VIR_STRDUP(ret->configFile, src->configFile) < 0 ||
         VIR_STRDUP(ret->nodeformat, src->nodeformat) < 0 ||
         VIR_STRDUP(ret->nodestorage, src->nodestorage) < 0 ||
-        VIR_STRDUP(ret->compat, src->compat) < 0)
+        VIR_STRDUP(ret->compat, src->compat) < 0 ||
+        VIR_STRDUP(ret->tlsAlias, src->tlsAlias) < 0)
         goto error;
=20
     if (src->nhosts) {
@@ -2279,6 +2280,8 @@ virStorageSourceClear(virStorageSourcePtr def)
=20
     virStorageSourceBackingStoreClear(def);
=20
+    VIR_FREE(def->tlsAlias);
+
     memset(def, 0, sizeof(*def));
 }
=20
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index 4817090..eadbcc1 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -288,6 +288,12 @@ struct _virStorageSource {
     /* Indication whether the haveTLS value was altered due to qemu.conf
      * setting when haveTLS is missing from the domain config file */
     bool tlsFromConfig;
+
+    /* If TLS is used, then mgmt of the TLS credentials occurs via an
+     * object that is generated using a specific alias. That alias must
+     * be used when generating the disk object in order to link the
+     * two together. */
+    char *tlsAlias;
 };
=20
=20
--=20
2.9.5

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list