On 05/30/2018 08:41 AM, Peter Krempa wrote:

Use the default TLS env if TLS is required for NBD. The rest of the
implementation is rather simple since all pieces were in place.

Note that separate configuration knobs in qemu.conf can be added later
if it's desired to configure them.

Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/schemas/domaincommon.rng | 5 ++++
src/qemu/qemu_command.c | 5 ++++
src/qemu/qemu_domain.c | 33 ++++++++++++++++++++--
.../disk-drive-network-tlsx509.args | 9 +++++-
.../disk-drive-network-tlsx509.xml | 8 ++++++
tests/qemuxml2argvtest.c | 2 +-
.../disk-drive-network-tlsx509.xml | 8 ++++++
7 files changed, 66 insertions(+), 4 deletions(-)
[...]
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index e329cdf958..db7884a9a1 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -9937,6 +9937,29 @@ qemuProcessPrepareStorageSourceTlsVxhs(virStorageSourcePtr src,
}
+static int
+qemuProcessPrepareStorageSourceTlsNbd(virStorageSourcePtr src,
+ virQEMUDriverConfigPtr cfg,
+ virQEMUCapsPtr qemuCaps)
+{
+ /* XXX: for NBD we don't have the qemu.conf knobs for private TLS env */

I believe the thought was to use the migrate ones and not default. That
way we could modify the qemu.conf to note that the migrate environment
would be used for NBD as it made no sense to have/use separate envs.

+ if (src->haveTLS == VIR_TRISTATE_BOOL_YES) {
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_NBD_TLS)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("this qemu does not support TLS transport for
nbd"));
+ return -1;
+ }
+
+ if (VIR_STRDUP(src->tlsCertdir, cfg->defaultTLSx509certdir) < 0)
+ return -1;
+
+ src->tlsVerify = true;

I think this is problematic for the default environment w/r/t since the
right certs won't be present...

John
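
Review bot: in the `src->haveTLS == VIR_TRISTATE_BOOL_YES` branch of qemuProcessPrepareStorageSourceTlsNbd, `src->tlsCertdir` is copied from `cfg->defaultTLSx509certdir` and `src->tlsVerify = true` is set with no visible check that the directory is configured or holds certificates usable for the NBD server, so a missing or mismatched certificate set is not reported by this function. Keep verification enabled, but validate the directory at this point and raise an error that names the path, and resolve the `XXX` comment by stating in qemu.conf which TLS environment NBD disks use so administrators know where to install the certificates.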
[...]