From: Peter Krempa To: libvir-list@redhat.com Date: Wed, 30 May 2018 14:41:34 +0200 Message-Id: <5e9a230237b6c3dae9c28daaf7c99ffc1cbd7adf.1527683836.git.pkrempa@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 38/38] qemu: domain: Add support for TLS for NBD with default TLS env X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Wed, 30 May 2018 12:43:42 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Use the default TLS env if TLS is required for NBD. The rest of the implementation is rather simple since all pieces were in place. Note that separate configuration knobs in qemu.conf can be added later if it's desired to configure them. Signed-off-by: Peter Krempa Reviewed-by: J=EF=BF=BDn Tomko --- docs/schemas/domaincommon.rng | 5 ++++ src/qemu/qemu_command.c | 5 ++++ src/qemu/qemu_domain.c | 33 ++++++++++++++++++= ++-- .../disk-drive-network-tlsx509.args | 9 +++++- .../disk-drive-network-tlsx509.xml | 8 ++++++ tests/qemuxml2argvtest.c | 2 +- .../disk-drive-network-tlsx509.xml | 8 ++++++ 7 files changed, 66 insertions(+), 4 deletions(-) diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 703a1bb6f8..ce2d1e91e0 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1706,6 +1706,11 @@ + + + + + diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 134e1a3a20..07fa35c6b3 100644 
--- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -1392,6 +1392,11 @@ qemuDiskSourceNeedsProps(virStorageSourcePtr src, virQEMUCapsGet(qemuCaps, QEMU_CAPS_ISCSI_PASSWORD_SECRET)) return true; + if (actualType =3D=3D VIR_STORAGE_TYPE_NETWORK && + src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_NBD && + src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) + return true; + return false; } diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index e329cdf958..db7884a9a1 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -9937,6 +9937,29 @@ qemuProcessPrepareStorageSourceTlsVxhs(virStorageSou= rcePtr src, } +static int +qemuProcessPrepareStorageSourceTlsNbd(virStorageSourcePtr src, + virQEMUDriverConfigPtr cfg, + virQEMUCapsPtr qemuCaps) +{ + /* XXX: for NBD we don't have the qemu.conf knobs for private TLS env = */ + if (src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES) { + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_NBD_TLS)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("this qemu does not support TLS transport for= nbd")); + return -1; + } + + if (VIR_STRDUP(src->tlsCertdir, cfg->defaultTLSx509certdir) < 0) + return -1; + + src->tlsVerify =3D true; + } + + return 0; +} + + /* qemuProcessPrepareStorageSourceTLS: * @source: source for a disk * @cfg: driver configuration @@ -9951,7 +9974,8 @@ qemuProcessPrepareStorageSourceTlsVxhs(virStorageSour= cePtr src, static int qemuDomainPrepareStorageSourceTLS(virStorageSourcePtr src, virQEMUDriverConfigPtr cfg, - const char *parentAlias) + const char *parentAlias, + virQEMUCapsPtr qemuCaps) { if (virStorageSourceGetActualType(src) !=3D VIR_STORAGE_TYPE_NETWORK) return 0; @@ -9963,6 +9987,10 @@ qemuDomainPrepareStorageSourceTLS(virStorageSourcePt= r src, break; case VIR_STORAGE_NET_PROTOCOL_NBD: + if (qemuProcessPrepareStorageSourceTlsNbd(src, cfg, qemuCaps) < 0) + return -1; + break; + case VIR_STORAGE_NET_PROTOCOL_RBD: case VIR_STORAGE_NET_PROTOCOL_SHEEPDOG: case VIR_STORAGE_NET_PROTOCOL_GLUSTER: 
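Review bot: qemuProcessPrepareStorageSourceTlsNbd forces `src->tlsVerify = true` next to the shared `cfg->defaultTLSx509certdir`, yet the XXX comment only records that qemu.conf knobs are missing, not that client-side peer verification is deliberately non-optional, so whoever adds the knobs later has nothing telling them to keep that default. I would widen the comment to `/* XXX: no qemu.conf knobs for a private NBD TLS env yet; the default cert dir is used and the client always verifies the server certificate */`. The body would also avoid the nesting with a guard clause, `if (src->haveTLS != VIR_TRISTATE_BOOL_YES) return 0;`, before the capability check. I cannot see whether callers guarantee `src->tlsCertdir` is NULL on entry; if a source can be prepared twice, the VIR_STRDUP silently drops the previous string.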
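Review bot: The new `qemuCaps` parameter of qemuDomainPrepareStorageSourceTLS is not documented in the comment block preceding the function (its `@source`/`@cfg` entries are visible at the tail of the previous hunk; the rest of that comment lies between the hunks, so I am inferring it also lists `@parentAlias`). Add `* @qemuCaps: capabilities of the qemu binary, checked for NBD TLS support` alongside the other parameter lines. While the signature is being touched it is worth fixing the comment's title, which names `qemuProcessPrepareStorageSourceTLS` although the function is `qemuDomainPrepareStorageSourceTLS`. The function body continues past the hunk.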
@@ -12505,7 +12533,8 @@ qemuDomainPrepareDiskSourceLegacy(virDomainDiskDefP= tr disk, if (qemuDomainPrepareStorageSourcePR(disk->src, priv, disk->info.alias= ) < 0) return -1; - if (qemuDomainPrepareStorageSourceTLS(disk->src, cfg, disk->info.alias= ) < 0) + if (qemuDomainPrepareStorageSourceTLS(disk->src, cfg, disk->info.alias, + priv->qemuCaps) < 0) return -1; return 0; diff --git a/tests/qemuxml2argvdata/disk-drive-network-tlsx509.args b/tests= /qemuxml2argvdata/disk-drive-network-tlsx509.args index 91d3a8a70a..970b8a32a6 100644 --- a/tests/qemuxml2argvdata/disk-drive-network-tlsx509.args +++ b/tests/qemuxml2argvdata/disk-drive-network-tlsx509.args @@ -43,4 +43,11 @@ id=3Dvirtio-disk1 \ file.server.host=3D192.168.0.3,file.server.port=3D9999,format=3Draw,if=3Dn= one,\ id=3Ddrive-virtio-disk2,serial=3Deb90327c-8302-4725-9e1b-4e85ed4dc252,cach= e=3Dnone \ -device virtio-blk-pci,bus=3Dpci.0,addr=3D0x6,drive=3Ddrive-virtio-disk2,\ -id=3Dvirtio-disk2 +id=3Dvirtio-disk2 \ +-object tls-creds-x509,id=3Dobjvirtio-disk3_tls0,dir=3D/etc/pki/qemu,\ +endpoint=3Dclient,verify-peer=3Dyes \ +-drive file.driver=3Dnbd,file.server.type=3Dinet,file.server.host=3Dexampl= e.com,\ +file.server.port=3D1234,file.tls-creds=3Dobjvirtio-disk3_tls0,format=3Draw= ,if=3Dnone,\ +id=3Ddrive-virtio-disk3,cache=3Dnone \ +-device virtio-blk-pci,bus=3Dpci.0,addr=3D0x7,drive=3Ddrive-virtio-disk3,\ +id=3Dvirtio-disk3 diff --git a/tests/qemuxml2argvdata/disk-drive-network-tlsx509.xml b/tests/= qemuxml2argvdata/disk-drive-network-tlsx509.xml index a66e81f065..9f6f298b54 100644 --- a/tests/qemuxml2argvdata/disk-drive-network-tlsx509.xml +++ b/tests/qemuxml2argvdata/disk-drive-network-tlsx509.xml @@ -41,6 +41,14 @@ eb90327c-8302-4725-9e1b-4e85ed4dc252
+ + + + + + +
+ diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index a67d95f471..53b8b31a46 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1051,7 +1051,7 @@ mymain(void) DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS); driver.config->vxhsTLS =3D 1; DO_TEST("disk-drive-network-tlsx509", QEMU_CAPS_VXHS, - QEMU_CAPS_OBJECT_TLS_CREDS_X509); + QEMU_CAPS_OBJECT_TLS_CREDS_X509, QEMU_CAPS_NBD_TLS); driver.config->vxhsTLS =3D 0; VIR_FREE(driver.config->vxhsTLSx509certdir); DO_TEST("disk-drive-no-boot", diff --git a/tests/qemuxml2xmloutdata/disk-drive-network-tlsx509.xml b/test= s/qemuxml2xmloutdata/disk-drive-network-tlsx509.xml index 7053affd17..a9b8d32646 100644 --- a/tests/qemuxml2xmloutdata/disk-drive-network-tlsx509.xml +++ b/tests/qemuxml2xmloutdata/disk-drive-network-tlsx509.xml @@ -41,6 +41,14 @@ eb90327c-8302-4725-9e1b-4e85ed4dc252
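Review bot: The test only adds QEMU_CAPS_NBD_TLS to the positive run, so the new error path in qemuProcessPrepareStorageSourceTlsNbd (TLS requested for an NBD source on a qemu without QEMU_CAPS_NBD_TLS) is never exercised. A companion `DO_TEST_FAILURE("disk-drive-network-tlsx509", QEMU_CAPS_VXHS, QEMU_CAPS_OBJECT_TLS_CREDS_X509)` run would pin that such a configuration is rejected by libvirt up front rather than left for qemu to reject. mymain continues outside the hunk.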
+ + + + + + +
+
--=20 2.16.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list