Re: [libvirt] [PATCH v9 3/4] qemu: Introduce qemuDomainPrepareDiskSource
On Tue, Sep 19, 2017 at 21:32:45 -0400, John Ferlan wrote:
Introduce a function to setup any TLS needs for a disk source.
If there's a configuration or other error setting up the disk source
for TLS, then cause the domain startup to fail.
For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't
been configured, then take the system/global cfg->haveTLS setting for
the storage source *and* mark that we've done so via the tlsFromConfig
setting in storage source.
Next, if we are using TLS, then generate an alias into a virStorageSource
'tlsAlias' field that will be used to create the TLS object and added to
the disk object in order to link the two together for QEMU.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_domain.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
src/qemu/qemu_domain.h | 11 +++++++
src/qemu/qemu_process.c | 4 +++
src/util/virstoragefile.c | 9 +++++-
src/util/virstoragefile.h | 8 ++++++
5 files changed, 104 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 50b536eec..8080b7fb1 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7601,6 +7601,79 @@ qemuDomainPrepareChardevSource(virDomainDefPtr def,
}
+/* qemuProcessPrepareDiskSourceTLS:
+ * @source: pointer to host interface data for disk device
+ * @diskAlias: alias use for the disk device
+ * @cfg: driver configuration
+ *
+ * Updates host interface TLS encryption setting based on qemu.conf
+ * for disk devices. This will be presented as "tls='yes|no'" in
+ * live XML of a guest.
+ *
+ * Returns 0 on success, -1 on bad config/failure
+ */
+int
+qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src,
+ const char *diskAlias,
+ virQEMUDriverConfigPtr cfg)
+{
+
+ /* VxHS doesn't utilize a password protected server certificate,
+ * so no need to add a secinfo for a secret UUID. */
It's a client certificate. Is there a technical limitation in the qemu
VxHS driver for not supporting encrypted certificates? AFAIK it should
use the standard x509 impl so this looks like a libvirt impl. limitation
only.
[...]
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index 4817090fc..28cc718a4 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -288,6 +288,14 @@ struct _virStorageSource {
/* Indication whether the haveTLS value was altered due to qemu.conf
* setting when haveTLS is missing from the domain config file */
bool tlsFromConfig;
+
+ /* If TLS is used, then mgmt of the TLS credentials occurs via an
+ * object that is generated using a specific alias for a specific
+ * certificate directory with listen and verify bools. */
+ char *tlsAlias;
+ char *tlsCertdir;
+ bool tlsListen;
I think you inspired yourself too much in the chardev section. 'listen'
does not make much sense with disks.
+ bool tlsVerify;
Rest looks okay, so ACK if you drop the 'listen' attribute.
Attachments:
- signature.asc (application/pgp-signature — 833 bytes)