From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add an optional virTristateBool haveTLS to virStorageSource to
manage whether a storage source will be using TLS.
Sample XML for a VxHS disk:
    <disk type='network' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'>
        <host name='192.168.0.1' port='9999'/>
      </source>
      <target dev='vda' bus='virtio'/>
    </disk>
Update the qemuxml2xmltest in order to add a test to show the proper
parsing.
Also update the docs to describe the tls attribute plus clean up the
description in the surrounding area to make the information a bit more
readable rather than one winding paragraph.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
This is part of the v5 patch5 that deals with the domain XML changes
to add TLS support, plus the formatdomain.html.in from the previous
patch, and the XML examples taken from v5 patch6 but only for the
qemuxml2xmltest.c needs. Differences here:
* Moved the text in format domain from under the section for the
ports to where it should be in the section describing the source
element and protocol and disk attributes. Reformatted things a
bit to make it easier to read.
* Altered where the <optional> attribute was placed in the
domaincommon.rng to be before <ref name="diskSourceNetworkHost"/>
since that's where it falls in the domain XML.
* Updated the description of the haveTLS value.
* Remove the addTLS boolean
* Cleaned up the XML examples, generated the output XML, and
added the xml2xml test.
docs/formatdomain.html.in | 41 ++++++++++++++++------
docs/schemas/domaincommon.rng | 5 +++
src/conf/domain_conf.c | 19 ++++++++++
src/util/virstoragefile.c | 12 +++++++
src/util/virstoragefile.h | 3 ++
...emuxml2argv-disk-drive-network-tlsx509-vxhs.xml | 32 +++++++++++++++++
...uxml2xmlout-disk-drive-network-tlsx509-vxhs.xml | 34 ++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
8 files changed, 137 insertions(+), 10 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 446ffff..bf8debb 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2520,19 +2520,40 @@
<dd>
The <code>protocol</code> attribute specifies the protocol to
access to the requested image. Possible values are "nbd",
- "iscsi", "rbd", "sheepdog",
"gluster" or "vxhs". If the
- <code>protocol</code> attribute is "rbd",
"sheepdog", "gluster"
- or "vxhs", an additional attribute <code>name</code>
is
- mandatory to specify which volume/image will be used. For "nbd",
- the <code>name</code> attribute is optional. For
"iscsi"
- (<span class="since">since 1.0.4</span>), the
<code>name</code>
- attribute may include a logical unit number, separated from the
- target's name by a slash (e.g.,
+ "iscsi", "rbd", "sheepdog",
"gluster" or "vxhs".
+
+ <p>If the <code>protocol</code> attribute is
"rbd", "sheepdog",
+ "gluster", or "vxhs", an additional attribute
<code>name</code>
+ is mandatory to specify which volume/image will be used.
+ </p>
+
+ <p>For "nbd", the <code>name</code> attribute
is optional.
+ </p>
+
+ <p>For "iscsi" (<span class="since">since
1.0.4</span>), the
+ <code>name</code> attribute may include a logical unit number,
+ separated from the target's name by a slash (e.g.,
<code>iqn.2013-07.com.example:iscsi-pool/1</code>). If not
specified, the default LUN is zero.
- For "vxhs" (<span class="since">since
3.8.0</span>), the
+ </p>
+
+ <p>For "vxhs" (<span class="since">since
3.8.0</span>), the
<code>name</code> is the UUID of the volume, assigned by the
- HyperScale server.
+ HyperScale server. Additionally, an optional attribute
+ <code>tls</code> (QEMU only) can be used to control whether a
+ VxHS block device would utilize a hypervisor configured TLS
+ X.509 certificate environment in order to encrypt the data
+ channel. For the QEMU hypervisor, usage of a TLS environment can
+ be controlled on the host by the <code>vxhs_tls</code> and
+ <code>vxhs_tls_x509_cert_dir</code> or
+ <code>default_tls_x509_cert_dir</code> settings in the file
+ /etc/libvirt/qemu.conf. If <code>vxhs_tls</code> is enabled,
+ then unless the domain <code>tls</code> attribute is set to
"no",
+ libvirt will use the host configured TLS environment.
+ It will be considered a configuration error if
+ <code>vxhs_tls</code> is disabled, but the
<code>tls</code>
+ attribute is set to "yes".
+ </p>
<span class="since">Since 0.8.7</span>
</dd>
<dt><code>volume</code></dt>
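Review bot: the new <code>tls</code> attribute in the "vxhs" paragraph carries no <span class="since"> marker of its own; the only version tag in that paragraph is the "since 3.8.0" that introduces the protocol, so a reader cannot tell whether older 3.x releases silently ignore <code>tls</code>. Suggest tagging the attribute with the release this lands in, e.g. `<code>tls</code> (QEMU only, <span class="since">since X.Y.Z</span>)`. Also worth stating explicitly what an absent attribute means (the text only covers "yes" and "no"): from the sentence "unless the domain tls attribute is set to 'no', libvirt will use the host configured TLS environment" it follows that absent behaves like "yes" when <code>vxhs_tls</code> is enabled, and that security-relevant default deserves its own sentence.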
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 7fe4e21..520c235 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1650,6 +1650,11 @@
</choice>
</attribute>
<attribute name="name"/>
+ <optional>
+ <attribute name="tls">
+ <ref name="virYesNo"/>
+ </attribute>
+ </optional>
<ref name="diskSourceNetworkHost"/>
</element>
</define>
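Review bot: the schema accepts <code>tls</code> on every network-protocol source (the <optional> sits inside the generic protocol element alongside <ref name="diskSourceNetworkHost"/>), while the parser in domain_conf.c only reads the attribute when <code>src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS</code>. A domain with <source protocol='nbd' ... tls='yes'> therefore validates against the RNG and is accepted, but the TLS request is dropped on the floor, which is the wrong failure mode for a security setting. Either constrain the attribute to the vxhs branch of the protocol choice, or have the parser reject it for unsupported protocols so that schema and parser agree.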
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index f7574d7..76d1a77 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -8039,6 +8039,7 @@ virDomainDiskSourceParse(xmlNodePtr node,
int ret = -1;
char *protocol = NULL;
xmlNodePtr saveNode = ctxt->node;
+ char *haveTLS = NULL;
ctxt->node = node;
@@ -8072,6 +8073,19 @@ virDomainDiskSourceParse(xmlNodePtr node,
goto cleanup;
}
+ /* Check tls=yes|no domain setting for the block device
+ * At present only VxHS. Other block devices may be added later */
+ if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
+ (haveTLS = virXMLPropString(node, "tls"))) {
+ if ((src->haveTLS =
+ virTristateBoolTypeFromString(haveTLS)) <= 0) {
+ virReportError(VIR_ERR_XML_ERROR,
+ _("unknown disk source 'tls' setting
'%s'"),
+ haveTLS);
+ goto cleanup;
+ }
+ }
+
/* for historical reasons the volume name for gluster volume is stored
* as a part of the path. This is hard to work with when dealing with
* relative names. Split out the volume into a separate variable */
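Review bot: the protocol check silently discards <code>tls</code> for every protocol other than VxHS; an operator who asks for TLS on another network disk gets an unencrypted data channel with no diagnostic. Suggest fetching the attribute unconditionally and reporting VIR_ERR_CONFIG_UNSUPPORTED when it is present for a protocol that does not support it, e.g. `if (src->protocol != VIR_STORAGE_NET_PROTOCOL_VXHS && haveTLS) { virReportError(...); goto cleanup; }`. Separately, reusing the name <code>haveTLS</code> for the temporary <code>char *</code> when <code>src->haveTLS</code> is an <code>int</code> tristate makes the assignment on the next lines harder to read; a name such as <code>tlsStr</code> for the attribute string would avoid the confusion.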
@@ -8127,6 +8141,7 @@ virDomainDiskSourceParse(xmlNodePtr node,
cleanup:
VIR_FREE(protocol);
+ VIR_FREE(haveTLS);
ctxt->node = saveNode;
return ret;
}
@@ -21623,6 +21638,10 @@ virDomainDiskSourceFormatNetwork(virBufferPtr buf,
VIR_FREE(path);
+ if (src->haveTLS != VIR_TRISTATE_BOOL_ABSENT)
+ virBufferAsprintf(buf, " tls='%s'",
+ virTristateBoolTypeToString(src->haveTLS));
+
if (src->nhosts == 0 && !src->snapshot && !src->configFile)
{
virBufferAddLit(buf, "/>\n");
} else {
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index f3fe529..bf00d0c 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2039,6 +2039,7 @@ virStorageSourceCopy(const virStorageSource *src,
ret->physical = src->physical;
ret->readonly = src->readonly;
ret->shared = src->shared;
+ ret->haveTLS = src->haveTLS;
/* storage driver metadata are not copied */
ret->drv = NULL;
@@ -3220,6 +3221,7 @@ virStorageSourceParseBackingJSONVxHS(virStorageSourcePtr src,
{
const char *vdisk_id = virJSONValueObjectGetString(json, "vdisk-id");
virJSONValuePtr server = virJSONValueObjectGetObject(json, "server");
+ const char *haveTLS = virJSONValueObjectGetString(json, "tls");
if (!vdisk_id || !server) {
virReportError(VIR_ERR_INVALID_ARG, "%s",
@@ -3228,6 +3230,16 @@ virStorageSourceParseBackingJSONVxHS(virStorageSourcePtr src,
return -1;
}
+ if (haveTLS) {
+ if ((src->haveTLS =
+ virTristateBoolTypeFromString(haveTLS)) <= 0) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("unknown VxHS 'tls' setting
'%s'"),
+ haveTLS);
+ return -1;
+ }
+ }
+
src->type = VIR_STORAGE_TYPE_NETWORK;
src->protocol = VIR_STORAGE_NET_PROTOCOL_VXHS;
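Review bot: the backing-store JSON parser reads a <code>"tls"</code> key and interprets it as a yes/no string, but it is not obvious that the JSON QEMU emits for a VxHS blockdev carries such a key rather than a reference to a TLS credentials object; please confirm the key name and value type against QEMU's BlockdevOptionsVxHS schema, since a mismatch means <code>src->haveTLS</code> is never populated from backing-chain metadata and the error path below is unreachable. If the JSON form does differ, parsing it here should map the QEMU representation onto the tristate explicitly rather than expecting "yes"/"no".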
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index f7e897f..1d63555 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -281,6 +281,9 @@ struct _virStorageSource {
/* metadata that allows identifying given storage source */
char *nodeformat; /* name of the format handler object */
char *nodestorage; /* name of the storage object */
+
+ /* An optional setting to enable usage of TLS for the storage source */
+ int haveTLS; /* enum virTristateBool */
};
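Review bot: the field comment says "An optional setting to enable usage of TLS", but per the formatdomain.html.in text in this patch the meaning of VIR_TRISTATE_BOOL_ABSENT is "defer to the host's <code>vxhs_tls</code> setting", and VIR_TRISTATE_BOOL_NO is an explicit opt-out that the host cannot override into "yes". Spelling out all three states here, where every consumer of <code>haveTLS</code> will look first, would prevent a later caller from treating ABSENT as "disabled".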
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
new file mode 100644
index 0000000..61b5e2e
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
@@ -0,0 +1,32 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'>
+ <host name='192.168.0.1' port='9999'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
new file mode 100644
index 0000000..16f0883
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
@@ -0,0 +1,34 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'>
+ <host name='192.168.0.1' port='9999'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 82db8cc..4d1c175 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -475,6 +475,7 @@ mymain(void)
DO_TEST("disk-drive-network-rbd-ceph-env", NONE);
DO_TEST("disk-drive-network-sheepdog", NONE);
DO_TEST("disk-drive-network-vxhs", NONE);
+ DO_TEST("disk-drive-network-tlsx509-vxhs", NONE);
DO_TEST("disk-scsi-device",
QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_SCSI_LSI);
DO_TEST("disk-scsi-vscsi", NONE);
--
2.9.5