[libvirt] [PATCH 16/38] qemu: domain: Regenerate alias for the TLS x509 credential object

Peter Krempa posted 38 patches 6 years, 11 months ago
Posted by Peter Krempa 6 years, 11 months ago
When restarting libvirt would previously lose the alias of the x509
certificate object. Upon unplug we would then not delete the
corresponding objects.

Restore the alias if we know it shoudl be there.

Luckily for disks we don't support encrypted TLS nevironment, so there's
no need to regenerate the 'seceret' alias for decrypting.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_domain.c                                   |  7 +++++++
 tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml  | 10 ++++++++++
 tests/qemustatusxml2xmldata/disk-secinfo-upgrade-out.xml | 15 +++++++++++++++
 3 files changed, 32 insertions(+)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index a98424cc62..99656fcd6d 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -5965,6 +5965,13 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDefPtr disk,
                                                         parseFlags) < 0)
         return -1;

+    /* regenerate TLS alias for old status XMLs */
+    if (parseFlags & VIR_DOMAIN_DEF_PARSE_STATUS &&
+        disk->src->haveTLS == VIR_TRISTATE_BOOL_YES &&
+        !disk->src->tlsAlias &&
+        !(disk->src->tlsAlias = qemuAliasTLSObjFromSrcAlias(disk->info.alias)))
+        return -1;
+
     return 0;
 }

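Review bot: The new condition hands disk->info.alias to qemuAliasTLSObjFromSrcAlias() without checking that it is set; the other operands only guard haveTLS and tlsAlias. If a status XML can reach this point without an alias for the disk, either add a `disk->info.alias &&` operand or confirm that the helper tolerates NULL, because a wrong or missing tlsAlias leaves the x509 object behind on unplug, which is the problem the commit message describes. The comment could also record why the secret alias is not regenerated here, as the commit message explains, since that reasoning is not visible in the code.
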
diff --git a/tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml b/tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml
index d364fc7644..ce55a70637 100644
--- a/tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml
+++ b/tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml
@@ -387,6 +387,16 @@
         <alias name='virtio-disk5'/>
         <address type='pci' domain='0x0000' bus='0x00' slot='0x0f' function='0x0'/>
       </disk>
+      <disk type='network' device='disk'>
+        <driver name='qemu' type='raw'/>
+        <source protocol='vxhs' name='rbdpool/rbdimg' tls='yes' tlsFromConfig='0'>
+          <host name='example.org'/>
+        </source>
+        <backingStore/>
+        <target dev='vdg' bus='virtio'/>
+        <alias name='virtio-disk6'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
+      </disk>
       <controller type='usb' index='0' model='ich9-ehci1'>
         <alias name='usb'/>
         <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x7'/>
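Review bot: The added vdg disk covers only the positive path (tls='yes' with no privateData in the input). A second disk with tls='yes' and a tlsX509 alias already present in privateData would show that the `!disk->src->tlsAlias` operand keeps an existing alias rather than overwriting it. As a smaller point, name='rbdpool/rbdimg' under protocol='vxhs' reads as if it was copied from an RBD disk definition.
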
diff --git a/tests/qemustatusxml2xmldata/disk-secinfo-upgrade-out.xml b/tests/qemustatusxml2xmldata/disk-secinfo-upgrade-out.xml
index a554bca99c..e7d2abbb81 100644
--- a/tests/qemustatusxml2xmldata/disk-secinfo-upgrade-out.xml
+++ b/tests/qemustatusxml2xmldata/disk-secinfo-upgrade-out.xml
@@ -403,6 +403,21 @@
         <alias name='virtio-disk5'/>
         <address type='pci' domain='0x0000' bus='0x00' slot='0x0f' function='0x0'/>
       </disk>
+      <disk type='network' device='disk'>
+        <driver name='qemu' type='raw'/>
+        <source protocol='vxhs' name='rbdpool/rbdimg' tls='yes' tlsFromConfig='0'>
+          <host name='example.org' port='9999'/>
+          <privateData>
+            <objects>
+              <tlsX509 alias='objvirtio-disk6_tls0'/>
+            </objects>
+          </privateData>
+        </source>
+        <backingStore/>
+        <target dev='vdg' bus='virtio'/>
+        <alias name='virtio-disk6'/>
+        <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
+      </disk>
       <controller type='usb' index='0' model='ich9-ehci1'>
         <alias name='usb'/>
         <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x7'/>
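Review bot: The expected output for the new disk gains port='9999' on the <host> element, which the input hunk (`<host name='example.org'/>`) does not have and which is unrelated to the alias regeneration. A sentence in the commit message saying where the port comes from would keep readers from attributing it to this change. The tlsX509 alias 'objvirtio-disk6_tls0' is the part that verifies the fix, so it is worth stating in the commit message that the test checks exactly this derived name for alias 'virtio-disk6'.
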
-- 
2.16.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 16/38] qemu: domain: Regenerate alias for the TLS x509 credential object
Posted by Ján Tomko 6 years, 11 months ago
On Wed, May 30, 2018 at 02:41:12PM +0200, Peter Krempa wrote:
>When restarting libvirt would previously lose the alias of the x509
>certificate object. Upon unplug we would then not delete the
>corresponding objects.
>
>Restore the alias if we know it shoudl be there.

should

>
>Luckily for disks we don't support encrypted TLS nevironment, so there's
>no need to regenerate the 'seceret' alias for decrypting.

secret

>
>Signed-off-by: Peter Krempa <pkrempa@redhat.com>
>---
> src/qemu/qemu_domain.c                                   |  7 +++++++
> tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml  | 10 ++++++++++
> tests/qemustatusxml2xmldata/disk-secinfo-upgrade-out.xml | 15 +++++++++++++++
> 3 files changed, 32 insertions(+)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano
Re: [libvirt] [PATCH 16/38] qemu: domain: Regenerate alias for the TLS x509 credential object
Posted by John Ferlan 6 years, 11 months ago

On 05/30/2018 08:41 AM, Peter Krempa wrote:
> When restarting libvirt would previously lose the alias of the x509
> certificate object. Upon unplug we would then not delete the
> corresponding objects.
> 
> Restore the alias if we know it shoudl be there.
> 
> Luckily for disks we don't support encrypted TLS nevironment, so there's

environment

> no need to regenerate the 'seceret' alias for decrypting.

decryption (two that Jan missed)


John

> 
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  src/qemu/qemu_domain.c                                   |  7 +++++++
>  tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml  | 10 ++++++++++
>  tests/qemustatusxml2xmldata/disk-secinfo-upgrade-out.xml | 15 +++++++++++++++
>  3 files changed, 32 insertions(+)
[...]
