This series consists of the following changes:
1) refactors to handling of the TLS object and secret alias
2) storage of 'secret' object aliases in the status XML
3) fix of disk-unplug with TLS after libvirtd restart
4) Adding support for TLS for NBD disks (originally used to reproduce
   problem with detach of TLS object after libvirtd restart)
A few parts could be considered separate but since the end of the series
builds up on the various pieces it would be very unpleasant to post
separately.
Peter Krempa (38):
  qemu: domain: Add helper to check if encrypted secrets can be used
    with a VM
  qemu: domain: Reuse code when preparing hostdev auth secrets
  qemu: domain: Rename qemuDomainSecretDiskCapable
  qemu: domain: Rename and fix docs for qemuDomainSecretInfoNew
  qemu: domain: Add new function to set up encrypted secrets only
  qemu: domain: Setup disk encryption password secret via new helper
  qemu: domain: Use qemuDomainSecretInfoNewPlain only for unencrypted
    secrets
  qemu: domain: Add helpers for partially clearing
    qemuDomainSecretInfoPtr
  qemu: domain: Don't delete aliases of secret objects associated with
    disks
  qemu: Store and parse disk authentication and encryption secret alias
  tests: qemustatusxml2xml: Add test data for re-generating LUKS/auth
    aliases
  qemu: domain: Regenerate auth/enc secret aliases when restoring status
    XML
  qemu: hotplug: Don't try to infer secret object alias/presence
  qemu: hotplug: Use 'tlsAlias' to see whether to detach the disk
  qemu: domain: Store and restore TLS object alias of a disk
  qemu: domain: Regenerate alias for the TLS x509 credential object
  qemu: domain: Properly setup data relevant for top disk image
  qemu: domain: don't loop through images in
    qemuDomainPrepareDiskSourceChain
  qemu: domain: Split validation and setup of the virStorageSource
  qemu: domain: aggregate setup of disk drive options for -drive
  qemu: domain: Separate setup of TLS for VXHS disks from
    qemuDomainPrepareDiskSourceTLS
  qemu: domain: Use switch statement in qemuDomainPrepareDiskSourceTLS
  qemu: domain: Process only one object in
    qemuDomainPrepareDiskSourceTLS
  qemu: domain: Forbid TLS setup for disk protocols not supporting it
  conf: Don't encode matrix of storage protocols supporting TLS in the
    parser
  qemu: hotplug: Don't mandate passing of 'secAlias' in
    qemuDomainGetTLSObjects
  qemu: hotplug: Allow passing in NULL 'tlsAlias' to
    qemuDomainGetTLSObjects
  qemu: domain: Set up disk TLS alias when preparing TLS setup
  qemu: command: Don't generate alias for TLS private key password
    secret
  qemu: command: Pass in alias for TLS object to
    qemuBuildTLSx509CommandLine
  qemu: command: Always setup TLS environment if src->haveTLS is on
  qemu: migration: Don't pass around secAlias
  qemu: hotplug: Pass around existing secret object alias from
    qemuDomainAddChardevTLSObjects
  qemu: hotplug: Remove misleading comment in qemuDomainGetTLSObjects
  qemu: hotplug: Drop 'secAlias' output parameter from
    qemuDomainGetTLSObjects
  qemu: hotplug: Remove TLS alias generation from
    qemuDomainGetTLSObjects
  tests: qemu: Rename disk-drive-network-tlsx509-vxhs test
  qemu: domain: Add support for TLS for NBD with default TLS env

 docs/schemas/domaincommon.rng                      |   5 +
 src/conf/domain_conf.c                             |  14 +-
 src/qemu/qemu_command.c                            |  75 ++-
 src/qemu/qemu_domain.c                             | 658 +++++++++++++++------
 src/qemu/qemu_domain.h                             |  20 +-
 src/qemu/qemu_hotplug.c                            |  95 ++-
 src/qemu/qemu_hotplug.h                            |   5 +-
 src/qemu/qemu_migration.c                          |   8 +-
 src/qemu/qemu_migration_params.c                   |  23 +-
 src/qemu/qemu_migration_params.h                   |   1 -
 tests/qemublocktest.c                              |   9 +-
 .../disk-secinfo-upgrade-in.xml                    | 517 ++++++++++++++++
 .../disk-secinfo-upgrade-out.xml                   | 538 +++++++++++++++++
 tests/qemustatusxml2xmldata/modern-in.xml          |   5 +
 ...9-vxhs.args => disk-drive-network-tlsx509.args} |   9 +-
 ...509-vxhs.xml => disk-drive-network-tlsx509.xml} |   8 +
 tests/qemuxml2argvtest.c                           |   4 +-
 ...509-vxhs.xml => disk-drive-network-tlsx509.xml} |   8 +
 tests/qemuxml2xmltest.c                            |   3 +-
 19 files changed, 1663 insertions(+), 342 deletions(-)
 create mode 100644 tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml
 create mode 100644 tests/qemustatusxml2xmldata/disk-secinfo-upgrade-out.xml
 rename tests/qemuxml2argvdata/{disk-drive-network-tlsx509-vxhs.args => disk-drive-network-tlsx509.args} (82%)
 rename tests/qemuxml2argvdata/{disk-drive-network-tlsx509-vxhs.xml => disk-drive-network-tlsx509.xml} (85%)
 rename tests/qemuxml2xmloutdata/{disk-drive-network-tlsx509-vxhs.xml => disk-drive-network-tlsx509.xml} (86%)

--
2.16.2