Until now libvirt didn't allow using an encrypted TLS key for the disk clients (NBD, VXHS).
Add fields for configuring the secret and propagate defaults.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/libvirtd_qemu.aug | 2 ++
src/qemu/qemu.conf | 19 +++++++++++++++++++
src/qemu/qemu_conf.c | 13 +++++++++----
src/qemu/qemu_conf.h | 2 ++
src/qemu/test_libvirtd_qemu.aug.in | 2 ++
5 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 7a6a33c77c..c19a086c38 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -61,9 +61,11 @@ module Libvirtd_qemu =
let vxhs_entry = bool_entry "vxhs_tls"
| str_entry "vxhs_tls_x509_cert_dir"
+ | str_entry "vxhs_tls_x509_secret_uuid"
let nbd_entry = bool_entry "nbd_tls"
| str_entry "nbd_tls_x509_cert_dir"
+ | str_entry "nbd_tls_x509_secret_uuid"
let nogfx_entry = bool_entry "nographics_allow_host_audio"
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 9b04c8534b..ab403c21ac 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -303,6 +303,15 @@
#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
# Enable use of TLS encryption for all NBD disk devices that don't
# specifically disable it.
@@ -337,6 +346,16 @@
#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
# In order to override the default TLS certificate location for migration
# certificates, supply a valid path to the certificate directory. If the
# provided path does not exist, libvirtd will fail to start. If the path is
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index b9b90e853f..6e673e8f62 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -339,7 +339,10 @@ static void virQEMUDriverConfigDispose(void *obj)
VIR_FREE(cfg->chardevTLSx509secretUUID);
VIR_FREE(cfg->vxhsTLSx509certdir);
+ VIR_FREE(cfg->vxhsTLSx509secretUUID);
+
VIR_FREE(cfg->nbdTLSx509certdir);
+ VIR_FREE(cfg->nbdTLSx509secretUUID);
VIR_FREE(cfg->migrateTLSx509certdir);
VIR_FREE(cfg->migrateTLSx509secretUUID);
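Review bot: The blank line added between `VIR_FREE(cfg->vxhsTLSx509secretUUID);` and `VIR_FREE(cfg->nbdTLSx509certdir);` is a style inconsistency: the vnc/chardev/migrate cert-dir and secret-UUID pairs in this dispose function are listed back to back with no separator, so the vxhs/nbd pairs should follow the same layout and the extra blank line dropped. The frees themselves are correct, since the UUID is only an identifier for a secret held elsewhere and not key material that would need zeroing. virQEMUDriverConfigDispose starts and ends outside the hunk.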
@@ -477,12 +480,8 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0)
return -1;
- if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir",
&cfg->vxhsTLSx509certdir) < 0)
- return -1;
if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0)
return -1;
- if (virConfGetValueString(conf, "nbd_tls_x509_cert_dir",
&cfg->nbdTLSx509certdir) < 0)
- return -1;
if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) <
0)
return -1;
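Review bot: As rendered, the continuation lines `&cfg->vxhsTLSx509certdir) < 0)` and `&cfg->nbdTLSx509certdir) < 0)` carry no `-` marker, so on the new side they would be left dangling after the `if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir",` line above each is removed; presumably the marker was lost in transit and the whole three-line read is deleted for each backend, but this is worth confirming against the applied series. The replacement for these reads is the `GET_CONFIG_TLS_CERTINFO_COMMON(vxhs)` / `(nbd)` invocation added later in this file; that macro's definition is outside the hunk, so whether it still reads `vxhs_tls_x509_cert_dir` and `nbd_tls_x509_cert_dir` with the same failure semantics (returning -1 on a parse error) cannot be verified here. virQEMUDriverConfigLoadSpecificTLSEntry continues outside the hunk.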
@@ -512,6 +511,10 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
GET_CONFIG_TLS_CERTINFO_SERVER(migrate);
+ GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);
+
+ GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
+
#undef GET_CONFIG_TLS_CERTINFO_COMMON
#undef GET_CONFIG_TLS_CERTINFO_SERVER
return 0;
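Review bot: The new secret UUID strings for vxhs and nbd are accepted as-is at load time; nothing in the hunk checks that the value is a well-formed UUID, so a typo, or the all-zeros placeholder that qemu.conf itself warns will not work, only surfaces later when a domain with such a disk is started rather than when libvirtd starts. The existing vnc/chardev/migrate entries appear to be handled the same way through the same macro, so if a format check is added it belongs in the macro (defined outside this hunk) rather than as a per-backend special case. Only `_COMMON` is used for vxhs and nbd, which is consistent with these being TLS clients that have no server-side verify setting. The function starts outside the hunk.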
@@ -1186,6 +1189,8 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
SET_TLS_SECRET_UUID_DEFAULT(vnc);
SET_TLS_SECRET_UUID_DEFAULT(chardev);
SET_TLS_SECRET_UUID_DEFAULT(migrate);
+ SET_TLS_SECRET_UUID_DEFAULT(vxhs);
+ SET_TLS_SECRET_UUID_DEFAULT(nbd);
#undef SET_TLS_SECRET_UUID_DEFAULT
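Review bot: Adding `SET_TLS_SECRET_UUID_DEFAULT(vxhs);` and `SET_TLS_SECRET_UUID_DEFAULT(nbd);` is a behaviour change for existing deployments, not just a new option: a configuration that set `default_tls_x509_secret_uuid` for the VNC, chardev or migration server keys will, after this patch, also hand that secret to the NBD and VXHS client credentials, which previously received none. Whether that is harmless when the client key in the per-backend cert dir is unencrypted is not something this hunk shows, so it deserves a sentence in the commit message and ideally in the qemu.conf text for the two new options, e.g. `# If unset, default_tls_x509_secret_uuid (when set) is used for this backend too.` The macro body is outside the hunk, so the exact fallback rule is inferred from its name and the commit message. virQEMUDriverConfigSetDefaults starts and ends outside the hunk.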
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 4f54c136db..6193a7111c 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -146,9 +146,11 @@ struct _virQEMUDriverConfig {
bool vxhsTLS;
char *vxhsTLSx509certdir;
+ char *vxhsTLSx509secretUUID;
bool nbdTLS;
char *nbdTLSx509certdir;
+ char *nbdTLSx509secretUUID;
unsigned int remotePortMin;
unsigned int remotePortMax;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index e533b9f551..db125bf352 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -28,8 +28,10 @@ module Test_libvirtd_qemu =
{ "chardev_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
{ "vxhs_tls" = "1" }
{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
+{ "vxhs_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
{ "nbd_tls" = "1" }
{ "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
+{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000"
}
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
--
2.26.2