[libvirt] [RFC 0/3] Master secret key support
by John Ferlan
Posted as RFC primarily to make sure there's buy-in for something that
will become the basis for more patches to add support for using the
master secret to encrypt sensitive data using objects. This work is
related to the QEMU 2.6 commit 'ac1d8878' (not a libvirt commit, rather
a qemu.git commit id). Hopefully I've properly read the qemu checkin
notes as they relate to key generation.
One thing of note that differs from other descriptions for a master secret.
Most bz's where it's described indicate using /var/lib/libvirt/qemu/
$GUEST-master.key; whereas these patches chose a slightly different
tack using the generated libDir (/var/lib/libvirt/qemu/domain-#-$GUEST/
master.key). This file will be generated in qemu process launch regardless
of whether the emulator supports it or not (because we have the domain
private object to access the masterKey, but not in qemuBuildCommandLine).
The only odd part for me was realizing that libDir is created after
successfully completing qemuBuildCommandLine - so checking if the file
exists before adding it to the command line wasn't possible, but it
seems that's no different to other libDir usages.
Internally, I chose to store the secret to be used as a base64
value since 1. it's going to be saved in the domain objects XML output
(for libvirtd restart) and 2. it's easy enough to decode if we do need
to later on. Not sure it's appropriate to store the non encoded secret
in the domain object XML file.
One extra area I need help on is the capabilitiesdata setup... That is how
to generate the tests/qemucapabilitiesdata/caps_2.6.0-1.replies so that
the 'secret' object exists and so that if I add "<flag name='secret'>"
to the .caps file I won't get a test failure since the existing one doesn't
list the secrets object.
I've done a bit of testing locally... Starting with running domains (both
persistent and transient) then restarting libvirtd and with starting
the same domains with the code running. I didn't update my qemu locally
to see the -object on the command line, but the test added does show
the -object added (although it took a double take and some thinking
whether /tmp/lib/domain--1-$NAME/ should be used - note the /tmp and the
domain--# prefix).
John Ferlan (3):
qemu: Create domain master key
qemu: Add capability bit for qemu secret object
qemu: Introduce qemuBuildMasterKeyCommandLine
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 67 ++++++++
src/qemu/qemu_domain.c | 175 +++++++++++++++++++++
src/qemu/qemu_domain.h | 11 ++
src/qemu/qemu_process.c | 13 ++
.../qemuxml2argvdata/qemuxml2argv-master-key.args | 23 +++
tests/qemuxml2argvdata/qemuxml2argv-master-key.xml | 30 ++++
tests/qemuxml2argvtest.c | 2 +
9 files changed, 324 insertions(+)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-master-key.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-master-key.xml
--
2.5.0
8 years, 8 months
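The launch sequence the RFC describes (key created under the domain's libDir, kept base64-encoded in the private state XML for libvirtd restarts, referenced from the command line before the directory exists), as an added example in Python. This is not libvirt code and not the RFC's patches; the key length (32 bytes), the file name master.key, the <masterKey> element and the exact '-object secret,id=masterKey0,format=raw,file=...' argument are assumptions made here for illustration.

```python
"""Added example, not code from libvirt or from the RFC patches; see the
lead-in for what is assumed (key size, file name, XML element, argument)."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

MASTER_KEY_LEN = 32           # assumed: AES-256 key size
MASTER_KEY_ID = "masterKey0"  # assumed id; other secrets would reference it via keyid=


def generate_master_key():
    """Fresh key from the OS CSPRNG, never derived from anything guest-visible."""
    return os.urandom(MASTER_KEY_LEN)


def write_master_key(lib_dir, key):
    """Create lib_dir/master.key readable only by its owner; return its path.

    The mode is applied at creation (O_CREAT|O_EXCL with 0o600), so no
    world-readable version of the file ever exists, and a stale key left by
    an earlier launch is refused instead of silently reused.
    """
    if len(key) != MASTER_KEY_LEN:
        raise ValueError("master key must be %d bytes" % MASTER_KEY_LEN)
    os.makedirs(lib_dir, mode=0o700, exist_ok=True)
    path = os.path.join(lib_dir, "master.key")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, key)
        os.fsync(fd)
    finally:
        os.close(fd)
    return path


def master_key_to_xml(key):
    """State-XML fragment. base64 keeps raw bytes out of the text file and
    survives the XML round trip; it is encoding, not protection, so the
    state file itself still needs restrictive permissions."""
    return "<masterKey>%s</masterKey>" % base64.b64encode(key).decode("ascii")


def master_key_from_xml(fragment):
    """Inverse of master_key_to_xml, used after a libvirtd restart."""
    key = base64.b64decode(ET.fromstring(fragment).text, validate=True)
    if len(key) != MASTER_KEY_LEN:
        raise ValueError("corrupt master key in domain state")
    return key


def master_key_command_line(lib_dir):
    """argv fragment for qemu. The path is computed, not checked for
    existence: as the RFC notes, libDir is created only after the command
    line has been built."""
    path = os.path.join(lib_dir, "master.key")
    return ["-object", "secret,id=%s,format=raw,file=%s" % (MASTER_KEY_ID, path)]


def launch_prep(lib_dir):
    """Launch ordering: build argv first, create directory and key file just
    before exec. Returns (argv, state_xml_fragment, key_path)."""
    key = generate_master_key()
    argv = master_key_command_line(lib_dir)
    path = write_master_key(lib_dir, key)
    return argv, master_key_to_xml(key), path


def self_check(base_dir=None):
    """Run one launch in a scratch directory and report what was produced."""
    base_dir = base_dir or tempfile.mkdtemp()
    lib_dir = os.path.join(base_dir, "domain-1-guest")
    argv, fragment, path = launch_prep(lib_dir)
    with open(path, "rb") as f:
        key = f.read()
    try:
        write_master_key(lib_dir, key)   # a second launch into the same dir
        stale_refused = False
    except FileExistsError:
        stale_refused = True
    return {
        "argv": argv,
        "path": path,
        "key_len": len(key),
        "mode": os.stat(path).st_mode & 0o777,
        "xml_round_trip": master_key_from_xml(fragment) == key,
        "stale_refused": stale_refused,
    }


if __name__ == "__main__":
    result = self_check()
    print(" ".join(result["argv"]))
    print("key bytes: %d, mode: %o" % (result["key_len"], result["mode"]))
```

The point of O_EXCL plus the 0o600 creation mode is that permissions are never tightened after the fact; whether a stale file should be refused or regenerated on a restart is a policy choice this example makes one way and the real patches may make differently.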
[libvirt] nwfilter and ipset
by Vasiliy Tolstov
Hi!
I found that nwfilter supports ipset; is it possible to fill an ipset
via libvirt with some values?
--
Vasiliy Tolstov,
e-mail: v.tolstov(a)selfip.ru
8 years, 8 months
[libvirt] [RFC PATCH 0/4] Implementation of a dependency relation between domains
by Valentin BOUSSON
This patch series adds a feature that enables libvirt domains to have other
domains as dependencies.
One possible target is the simulation of a complex computing system composed of
multiple CPUs, each of which represented by a different libvirt domain. CPUs in
this example are virtualized separately, by a dedicated QEMU instance, because
all of them are booting independently. Moreover, if those CPUs must share some
physical property (for example power supply or ACPI), it is meaningful to
consider them as a group.
Another possible target is Asymmetric Multi Processor (AMP) systems, where a
master processor uses one or more slave processors to offload computation.
Master and slave often have different architectures. This patch series makes
it possible to define the slave domains as dependencies of the master domain, and
the whole system to be booted with one single libvirt command.
A use-case for this libvirt extension is the recent patch series in QEMU that
enable modeling an AMP-like system with multiple QEMU instances.
[RFC v2 0/6] SDM Interface
[RFC v2 0/6] QEMU shared-memory-backend
[RFC v2 1/1] backend: multi-client-socket
Features :
----------
- When a domain A depends on a domain B (A=>B), signals are
forward-propagated from A to B. So, when a user asks the domain A to be:
- instantiated
- destroyed
- suspended
- resumed
domain B will automatically receive the same signal.
- Single-level dependency:
By construction domain dependencies are restricted to one single level,
so as to avoid wrong recursive (infinite) domain dependencies. This is also
because there is no clear benefit in supporting multiple levels of
dependencies between domains.
More specifically, given two domains, A and B, if A depends on B
(A=>B), then B cannot have any dependency (B => C is forbidden).
How to test this patch series :
-------------------------------
The source code can be downloaded by:
git clone https://git.virtualopensystems.com/dev/libvirt.git \
-b domain-dependency
Note: The patch series relies on the commit 95ca4fe, but with the patch
proposed by Michal Privoznik,
"[PATCH]qemuBuildVideoCommandLine: Don't access def->videos without check"
that resolves a critical bug.
To add a dependency between two domains (for example between domainA
and domainB), it suffices to add in the XML description of the first one:
domainA.xml:
<devices>
...
<domaindependency> /absolute/path/to/the/domainB.xml </domaindependency>
...
</devices>
Note: The two domains must both be virtualized by QEMU, and be hosted
on the same filesystem.
Finally, instantiate domainA with the command:
virsh create domainA.xml
And observe that both domains are running at the same time with:
virsh list
You can trigger the implemented signals and check that both domains
are working as one:
virsh suspend domainA
virsh resume domainA
virsh destroy domainA
Note: as mentioned, all signals are forward-propagated, so if you manipulate
the domainB directly, domainA will not be affected.
This work has been sponsored by Huawei Technologies Duesseldorf GmbH.
Valentin BOUSSON (4):
Add XML description of the new dependency device
Add the inner structure managing dependency devices
Add primitives for manipulation of dependency structures
Implement signal propagation to dependency domains
docs/schemas/domaincommon.rng | 5 ++
src/conf/domain_conf.c | 83 +++++++++++++++++++++++++-
src/conf/domain_conf.h | 18 ++++++
src/qemu/qemu_driver.c | 135 ++++++++++++++++++++++++++++++++++++++++--
src/qemu/qemu_hotplug.c | 1 +
5 files changed, 237 insertions(+), 5 deletions(-)
--
1.9.1
8 years, 8 months
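The dependency rules stated in the RFC (forward propagation from A to B, no effect on A when B is driven directly, and the single-level restriction), modelled in Python as an added example so they can be exercised without libvirt. This is not the patch series' code. Assumed here, not taken from the page: the element holds the dependency's absolute XML path, propagation drives A first and then B, and the whole chain is validated before any domain is touched so a failure part-way cannot leave the group half-transitioned. The sample domain files are constructed by the example itself.

```python
"""Added example, not code from the patch series; assumptions are in the
lead-in and marked in comments."""
import os
import tempfile
import xml.etree.ElementTree as ET


class DependencyError(ValueError):
    pass


def load_domain(path):
    """Parse one domain XML file; returns (name, [dependency XML paths])."""
    if not os.path.isabs(path):   # assumed: only absolute paths, as in the RFC's example
        raise DependencyError("dependency path must be absolute: %r" % path)
    root = ET.parse(path).getroot()
    name = root.findtext("name")
    if not name:
        raise DependencyError("%s has no <name>" % path)
    deps = [(e.text or "").strip() for e in root.findall("./devices/domaindependency")]
    return name, deps


def resolve(path):
    """Ordered names an action on this domain drives (the domain itself first).

    The single-level rule is enforced here: a listed dependency that has
    dependencies of its own is an error rather than something to follow."""
    name, deps = load_domain(path)
    chain = [name]
    for dep_path in deps:
        dep_name, dep_deps = load_domain(dep_path)
        if dep_name == name:
            raise DependencyError("%s depends on itself" % name)
        if dep_deps:
            raise DependencyError("%s depends on %s, which itself depends on %s; "
                                  "only one level is allowed" % (name, dep_name, dep_deps))
        chain.append(dep_name)
    return chain


class Driver:
    """Toy driver: tracks per-domain state and forward-propagates actions."""

    # action -> (states it is valid from, resulting state)
    TRANSITIONS = {
        "create":  ({"shut off"}, "running"),
        "destroy": ({"running", "paused"}, "shut off"),
        "suspend": ({"running"}, "paused"),
        "resume":  ({"paused"}, "running"),
    }

    def __init__(self):
        self.state = {}   # domain name -> "shut off" | "running" | "paused"

    def apply(self, path, action):
        """Apply action to the domain at path and to its dependencies.
        Returns the chain driven; raises without changing any state if the
        action is invalid for any member (assumed all-or-nothing semantics)."""
        allowed, new_state = self.TRANSITIONS[action]
        chain = resolve(path)
        for name in chain:
            current = self.state.get(name, "shut off")
            if current not in allowed:
                raise DependencyError("cannot %s %s while it is %s" % (action, name, current))
        for name in chain:
            self.state[name] = new_state
        return chain


def attempt(driver, path, action):
    """apply() wrapper returning the error message instead of raising."""
    try:
        driver.apply(path, action)
        return None
    except DependencyError as e:
        return str(e)


def build_sample(base_dir=None):
    """Constructed sample definitions (not real guests): domainA=>domainB is
    valid; domainM=>domainN=>domainO violates the single-level rule."""
    base_dir = base_dir or tempfile.mkdtemp()

    def write(name, deps=()):
        path = os.path.join(base_dir, name + ".xml")
        dep_xml = "".join("<domaindependency>%s</domaindependency>" % d for d in deps)
        with open(path, "w") as f:
            f.write("<domain type='qemu'><name>%s</name><devices>%s</devices></domain>"
                    % (name, dep_xml))
        return path

    b = write("domainB")
    a = write("domainA", [b])
    o = write("domainO")
    n = write("domainN", [o])
    m = write("domainM", [n])
    return {"A": a, "B": b, "M": m}


if __name__ == "__main__":
    paths, drv = build_sample(), Driver()
    print(drv.apply(paths["A"], "create"), drv.state)   # both come up
    print(drv.apply(paths["B"], "suspend"), drv.state)  # B only; A untouched
    print(attempt(drv, paths["M"], "create"))           # rejected: two levels
```

Validating the whole chain before touching any state is the detail worth carrying into a real implementation: with propagation done one domain at a time, a resume of A whose B was destroyed behind its back would leave A running and B shut off, which is exactly the split the feature exists to prevent.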
[libvirt] [PATCH] qemuxml2argv: Mock virSCSIDeviceGetSgName
by Michal Privoznik
When constructing SCSI hostdev command line for qemu, the
/sys/bus/scsi/devices/... dir is scanned. Unfortunately, even in
the tests. This is needed to determine the name of SCSI device to
passthrough to qemu, because in the domain XML we were given its
address instead. Anyway, we should not be touching live system
data in our test suite as it produced unpredictable results. The
test is regressing from 1e9a083742efe on.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
tests/qemuxml2argvmock.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/tests/qemuxml2argvmock.c b/tests/qemuxml2argvmock.c
index 8426108..b7dfebb 100644
--- a/tests/qemuxml2argvmock.c
+++ b/tests/qemuxml2argvmock.c
@@ -26,6 +26,7 @@
#include "virutil.h"
#include "virstring.h"
#include "virtpm.h"
+#include "virscsi.h"
#include <time.h>
#include <unistd.h>
@@ -84,3 +85,16 @@ virMemoryMaxValue(bool capped ATTRIBUTE_UNUSED)
{
return LLONG_MAX;
}
+
+char *
+virSCSIDeviceGetSgName(const char *sysfs_prefix ATTRIBUTE_UNUSED,
+ const char *adapter ATTRIBUTE_UNUSED,
+ unsigned int bus ATTRIBUTE_UNUSED,
+ unsigned int target ATTRIBUTE_UNUSED,
+ unsigned long long unit ATTRIBUTE_UNUSED)
+{
+ char *ret;
+
+ ignore_value(VIR_STRDUP(ret, "sg0"));
+ return ret;
+}
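Review bot: every address maps to the same name "sg0" because bus, target and unit are all ignored, so an xml2argv test with two SCSI hostdevs at different addresses would emit two identical sg arguments and could not catch the devices being swapped; formatting the address into the name (for example with virAsprintf over bus/target/unit instead of VIR_STRDUP(ret, "sg0")) keeps the mock deterministic while making the outputs distinguishable. The ignore_value() around VIR_STRDUP is fine for a mock, but a one-line comment saying the NULL-on-allocation-failure path is intentionally not reported would stop someone later "fixing" it to behave unlike the real virSCSIDeviceGetSgName.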
--
2.7.3
8 years, 8 months
[libvirt] [libvirt-sandbox PATCH] Ignore generated file
by Guido Günther
---
.gitignore | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 390d65c..83831bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,6 +31,7 @@ po/stamp-it
po/libvirt-sandbox.pot
po/*.gmo
stamp-h1
+build-aux/test-driver
INSTALL
libvirt-sandbox-1.0.pc
libvirt-sandbox.spec
--
2.8.0.rc3
8 years, 8 months
[libvirt] [PATCH 1/3 trivial] fix typo in virt-aa-helper helptext
by Serge Hallyn
it's --dryrun not --dry-run
Signed-off-by: Serge Hallyn <serge.hallyn(a)ubuntu.com>
---
src/security/virt-aa-helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index a2d7226..b466626 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -107,7 +107,7 @@ vah_usage(void)
" Options:\n"
" -a | --add load profile\n"
" -c | --create create profile from template\n"
- " -d | --dry-run dry run\n"
+ " -d | --dryrun dry run\n"
" -D | --delete unload and delete profile\n"
" -f | --add-file <file> add file to profile\n"
" -F | --append-file <file> append file to profile\n"
--
2.7.0
8 years, 8 months
[libvirt] [libvirt-sandbox PATCH] Allow to switch to a specific user id
by Guido Günther
Useful if you want to run programs as the same user as outside the
sandbox.
---
bin/virt-sandbox.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
index 4c400d5..9495e85 100644
--- a/bin/virt-sandbox.c
+++ b/bin/virt-sandbox.c
@@ -24,6 +24,8 @@
#include <libvirt-sandbox/libvirt-sandbox.h>
#include <glib/gi18n.h>
+#include <sys/types.h>
+#include <pwd.h>
static gboolean do_close(GVirSandboxConsole *con G_GNUC_UNUSED,
gboolean error G_GNUC_UNUSED,
@@ -92,6 +94,7 @@ int main(int argc, char **argv) {
gchar *kernver = NULL;
gchar *kernpath = NULL;
gchar *kmodpath = NULL;
+ gchar *switchto = NULL;
gboolean verbose = FALSE;
gboolean debug = FALSE;
gboolean shell = FALSE;
@@ -126,6 +129,8 @@ int main(int argc, char **argv) {
N_("security properties"), "PATH", },
{ "privileged", 'p', 0, G_OPTION_ARG_NONE, &privileged,
N_("run the command privileged"), NULL },
+ { "switchto", 'S', 0, G_OPTION_ARG_STRING, &switchto,
+ N_("swith to the given user"), "USER" },
{ "shell", 'l', 0, G_OPTION_ARG_NONE, &shell,
N_("start a shell"), NULL, },
{ "kernver", 0, 0, G_OPTION_ARG_STRING, &kernver,
@@ -139,6 +144,7 @@ int main(int argc, char **argv) {
{ NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL }
};
const char *help_msg = N_("Run 'virt-sandbox --help' to see a full list of available command line options");
+ struct passwd *pw;
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
@@ -198,10 +204,25 @@ int main(int argc, char **argv) {
if (kmodpath)
gvir_sandbox_config_set_kmodpath(cfg, kmodpath);
+ if (privileged && switchto) {
+ g_printerr(_("'switchto' and 'privileged' are incompatible options\n"));
+ goto cleanup;
+ }
+
if (privileged) {
gvir_sandbox_config_set_userid(cfg, 0);
gvir_sandbox_config_set_groupid(cfg, 0);
gvir_sandbox_config_set_username(cfg, "root");
+ } else if (switchto) {
+ pw = getpwnam(switchto);
+ if (!pw) {
+ g_printerr(_("Failed to resolve user %s\n"), switchto);
+ goto cleanup;
+ }
+ gvir_sandbox_config_set_userid(cfg, pw->pw_uid);
+ gvir_sandbox_config_set_groupid(cfg, pw->pw_gid);
+ gvir_sandbox_config_set_username(cfg, pw->pw_name);
+ gvir_sandbox_config_set_homedir(cfg, pw->pw_dir);
}
if (envs &&
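Review bot: `if (!pw)` reports "Failed to resolve user" for both a missing entry and a failed lookup; getpwnam() leaves errno untouched in the first case and sets it in the second, so clearing errno before the call and appending strerror(errno) when it is non-zero would make NSS failures distinguishable from a simple unknown name. Two smaller points: a numeric id (--switchto=1000) is not accepted because only getpwnam() is tried, and the two new `goto cleanup` exits happen before anything visible in this hunk sets the exit status, so confirm the cleanup path reports failure for them. Using pw->pw_name rather than the user-typed string for set_username is the right choice.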
@@ -541,6 +562,11 @@ to this path to locate the modules.
Retain root privileges inside the sandbox, rather than dropping privileges
to match the current user identity.
+=item B<-S USER>, B<--switchto=USER>
+
+Swith to the given user inside the sandbox and setup $HOME
+accordingly.
+
=item B<-l>, B<--shell>
Launch an interactive shell on a secondary console device
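Review bot: same "Swith" typo in the POD text ("Switch to the given user inside the sandbox and set up $HOME accordingly."), and the entry should say that B<--switchto> and B<--privileged> are mutually exclusive, which the code now enforces but the documentation does not mention.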
--
2.8.0.rc3
8 years, 8 months
[libvirt] [PATCH] nss: use more strict check for automatic enabling
by Roman Bogorodskiy
Currently nss plugin is automatically enabled if nss.h header exists and
--without-nss-plugin is not specified. However, presence of the nss.h
header does not guarantee a compatible interface, so check for struct
gaih_addrtuple to make sure it's enabled only on platforms where it
could be built.
---
m4/virt-nss.m4 | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/m4/virt-nss.m4 b/m4/virt-nss.m4
index 3fa4ad3..bc054db 100644
--- a/m4/virt-nss.m4
+++ b/m4/virt-nss.m4
@@ -25,12 +25,14 @@ AC_DEFUN([LIBVIRT_CHECK_NSS],[
fail=0
if test "x$with_nss_plugin" != "xno" ; then
- AC_CHECK_HEADERS([nss.h], [
+ AC_CHECK_TYPE([struct gaih_addrtuple], [
with_nss_plugin=yes
],[
if test "x$with_nss_plugin" = "xyes" ; then
fail = 1
fi
+ ],[
+ #include <nss.h>
])
if test $fail = 1 ; then
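Review bot: the unchanged context line `fail = 1` is not a shell assignment (it runs a command named `fail` with the arguments `=` and `1`), so with --with-nss-plugin=yes on a platform lacking struct gaih_addrtuple configure would print a "command not found" and then continue as if the check had passed; it should be `fail=1`. Pre-existing, so a separate patch is fine, but this change makes that branch reachable on more platforms (any nss.h without gaih_addrtuple rather than only a missing header), so it is worth fixing alongside. The AC_CHECK_TYPE call itself is correct: the includes argument is the fourth, which is where `#include <nss.h>` is passed.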
--
2.4.6
8 years, 8 months