6:50 p.m.
On 07/12/2017 06:09 PM, ashish mittal wrote:
On Fri, Jun 30, 2017 at 1:29 PM, John Ferlan
<jferlan(a)redhat.com> wrote:
>
>
> On 06/29/2017 10:02 PM, Ashish Mittal wrote:
>> From: Ashish Mittal <ashish.mittal(a)veritas.com>
>>
>> Add a new TLS X.509 certificate type - "vxhs". This will handle the
>> creation of a TLS certificate capability for properly configured
>> VxHS network block device clients.
>>
>> Signed-off-by: Ashish Mittal <ashish.mittal(a)veritas.com>
>> ---
>> Changelog:
>>
>> (1) Add two new options in /etc/libvirt/qemu.conf
>> to control TLS behavior with VxHS block devices
>> "vxhs_tls" and "vxhs_tls_x509_cert_dir".
>> (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
>> TLS for VxHS block devices.
>> (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
>> TLS certificates and keys are saved. If this value is missing,
>> the "default_tls_x509_cert_dir" will be used instead.
>>
>> src/qemu/libvirtd_qemu.aug | 4 ++++
>> src/qemu/qemu.conf | 23 +++++++++++++++++++++++
>> src/qemu/qemu_conf.c | 7 +++++++
>> src/qemu/qemu_conf.h | 3 +++
>> src/qemu/test_libvirtd_qemu.aug.in | 2 ++
>> 5 files changed, 39 insertions(+)
>>
>
> FWIW: I have another patch upstream:
>
> https://www.redhat.com/archives/libvir-list/2017-June/msg01341.html
>
> Which is making some textual and code changes to qemu.conf and
> qemu_conf.c - just so you are aware.
>
>
>> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
>> index e1983d1..c19bf3a 100644
>> --- a/src/qemu/libvirtd_qemu.aug
>> +++ b/src/qemu/libvirtd_qemu.aug
>> @@ -115,6 +115,9 @@ module Libvirtd_qemu =
>>
>> let memory_entry = str_entry "memory_backing_dir"
>>
>> + let vxhs_entry = bool_entry "vxhs_tls"
>> + | str_entry "vxhs_tls_x509_cert_dir"
>> +
>> (* Each entry in the config is one of the following ... *)
>> let entry = default_tls_entry
>> | vnc_entry
>> @@ -133,6 +136,7 @@ module Libvirtd_qemu =
>> | nvram_entry
>> | gluster_debug_level_entry
>> | memory_entry
>> + | vxhs_entry
>>
>> let comment = [ label "#comment" . del /#[ \t]*/ "# " .
store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
>> let empty = [ label "#empty" . eol ]
>> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>> index e6c0832..83c2377 100644
>> --- a/src/qemu/qemu.conf
>> +++ b/src/qemu/qemu.conf
>> @@ -250,6 +250,29 @@
>> #chardev_tls_x509_secret_uuid =
"00000000-0000-0000-0000-000000000000"
>>
>>
>> +# Enable use of TLS encryption on the VxHS network block devices.
>> +#
>> +# When the VxHS network block device server is set up appropriately,
>> +# x509 certificates are used for authentication between the clients
>> +# (qemu processes) and the remote VxHS server.
>> +#
>> +# It is necessary to setup CA and issue client and server certificates
>> +# before enabling this.
>> +#
>> +#vxhs_tls = 1
>> +
>> +
>> +# In order to override the default TLS certificate location for VxHS
>> +# device TCP certificates, supply a valid path to the certificate directory.
>> +# This is used to authenticate the VxHS block device clients to the VxHS
>> +# server.
>> +#
>> +# If the provided path does not exist then the default_tls_x509_cert_dir
>> +# path will be used.
>> +#
>> +#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
>> +
>> +
>> # In order to override the default TLS certificate location for migration
>> # certificates, supply a valid path to the certificate directory. If the
>> # provided path does not exist then the default_tls_x509_cert_dir path
>
> In patch 3, the call to qemuBuildTLSx509CommandLine has a @verifypeer
> parameter = true, thus it's always going to expect to verify the client
> rather than making that determination using *_tls_x509_verify. So that
> means you have to describe the environment as requiring the
> client-cert.pem and client-key.pem files (like the description for default).
>
> Since you set the @addpasswordid to false on input, that just means the
> certificate server-key.pem file cannot be encrypted - something else
> that would need to be described.
>
During the QEMU discussions on VxHS support for TLS, it was a agreed
that it was not necessary to encrypt the cert files.
> Based on these two configuration settings, that means if vxhs_tls=1,
> then vxhs_tls_x509_cert_dir must be set to something other than the
> default environment. IOW: both must be defined and that would need to be
> validated during config read and cause failure (e.g. vxhsTLSx509certdir
> != defaultTLSx509certdir
>
> IOW: You're essentially *requiring* someone to set this up and don't
> handle the/a default environment. Hopefully this makes sense, it's
> Friday afternoon and I have a TLS migraine ;-).
>
The ideal way is for VxHS to be able to use the default TLS
environment. These settings are for the VxHS client i.e. QEMU. VxHS
server would be running on a remote host and would have it's own
configuration settings.
Could you please give me some pointers on what changes would be
required to reuse the default TLS environment? I am hoping these would
not necessitate any change in the qemu vxhs code.
The reality is - I don't believe you have to do anything other than
describe if the default environment is using a password, then the
consumer must create their own vxhs certificate environment that doesn't
require a password/secret to decrypt the certificate.
Of course this is all predicated on the thought that the certificate
being used is not validating libvirt<->qemu, rather its validating
qemu<->vxhs-server. There's a bit of black magic that happens that I
haven't dug into. I'm assuming that you'd be testing both a cert and
non-cert environment... Add to your testing a 'what-if' someone provides
a default environment *and* that environment required the secret. In
that case, you should expect a failure.
Thanks,
Ashish
> John
>
>> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
>> index 73c33d6..f3813d4 100644
>> --- a/src/qemu/qemu_conf.c
>> +++ b/src/qemu/qemu_conf.c
>> @@ -280,6 +280,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool
privileged)
>> SET_TLS_X509_CERT_DEFAULT(spice);
>> SET_TLS_X509_CERT_DEFAULT(chardev);
>> SET_TLS_X509_CERT_DEFAULT(migrate);
>> + SET_TLS_X509_CERT_DEFAULT(vxhs);
>>
>> #undef SET_TLS_X509_CERT_DEFAULT
>>
>> @@ -395,6 +396,8 @@ static void virQEMUDriverConfigDispose(void *obj)
>> VIR_FREE(cfg->chardevTLSx509certdir);
>> VIR_FREE(cfg->chardevTLSx509secretUUID);
>>
>> + VIR_FREE(cfg->vxhsTLSx509certdir);
>> +
>> VIR_FREE(cfg->migrateTLSx509certdir);
>> VIR_FREE(cfg->migrateTLSx509secretUUID);
>>
>> @@ -533,6 +536,10 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
>> goto cleanup;
>> if (virConfGetValueBool(conf, "spice_auto_unix_socket",
&cfg->spiceAutoUnixSocket) < 0)
>> goto cleanup;
>> + if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS)
< 0)
>> + goto cleanup;
>> + if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir",
&cfg->vxhsTLSx509certdir) < 0)
>> + goto cleanup;
>>
>> #define GET_CONFIG_TLS_CERTINFO(val) \
>> do { \
>> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
>> index 1407eef..96c0225 100644
>> --- a/src/qemu/qemu_conf.h
>> +++ b/src/qemu/qemu_conf.h
>> @@ -201,6 +201,9 @@ struct _virQEMUDriverConfig {
>> unsigned int glusterDebugLevel;
>>
>> char *memoryBackingDir;
>> +
>> + bool vxhsTLS;
>> + char *vxhsTLSx509certdir;
>> };
>>
>> /* Main driver state */
>> diff --git a/src/qemu/test_libvirtd_qemu.aug.in
b/src/qemu/test_libvirtd_qemu.aug.in
>> index 3e317bc..dfe88f4 100644
>> --- a/src/qemu/test_libvirtd_qemu.aug.in
>> +++ b/src/qemu/test_libvirtd_qemu.aug.in
>> @@ -25,6 +25,8 @@ module Test_libvirtd_qemu =
>> { "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev"
}
>> { "chardev_tls_x509_verify" = "1" }
>> { "chardev_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
>> +{ "vxhs_tls" = "1" }
>> +{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
>> { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate"
}
>> { "migrate_tls_x509_verify" = "1" }
>> { "migrate_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
>>