
On Mon, Jun 10, 2024 at 01:57:17PM +0200, Michal Prívozník wrote:
On 6/7/24 16:26, Daniel P. Berrangé wrote:
This was driven by the complaint that libvirt pulls in gnutls-utils
https://src.fedoraproject.org/rpms/virt-viewer/pull-request/4
but also it lets us remove more usage of Shell code from libvirt, as well as improving the consistency of certificate checks vs the runtime checks we do.
Daniel P. Berrangé (9): rpc: split out helpers for TLS cert path location rpc: refactor method for checking session certificates rpc: split TLS cert validation into separate file docs: fix author credit for virt-pki-validate tool tools: split off common helpers for host validate tool tools: drop unused --version argument tools: stop checking init scripts & iptables config tools: reimplement virt-pki-validate in C tools: support validating user/custom PKI certs
docs/manpages/virt-pki-validate.rst | 9 +- libvirt.spec.in | 2 - po/POTFILES | 3 + src/rpc/meson.build | 7 +- src/rpc/virnettlscert.c | 553 ++++++++++++++++++++++++++ src/rpc/virnettlscert.h | 42 ++ src/rpc/virnettlsconfig.c | 202 ++++++++++ src/rpc/virnettlsconfig.h | 68 ++++ src/rpc/virnettlscontext.c | 586 +--------------------------- tools/meson.build | 31 +- tools/virt-host-validate-ch.c | 12 +- tools/virt-host-validate-common.c | 308 ++++++--------- tools/virt-host-validate-common.h | 48 +-- tools/virt-host-validate-lxc.c | 18 +- tools/virt-host-validate-qemu.c | 30 +- tools/virt-host-validate.c | 2 +- tools/virt-login-shell-helper.c | 2 +- tools/virt-pki-query-dn.c | 2 +- tools/virt-pki-validate.c | 424 ++++++++++++++++++++ tools/virt-pki-validate.in | 323 --------------- tools/virt-validate-common.c | 110 ++++++ tools/virt-validate-common.h | 57 +++ 22 files changed, 1670 insertions(+), 1169 deletions(-) create mode 100644 src/rpc/virnettlscert.c create mode 100644 src/rpc/virnettlscert.h create mode 100644 src/rpc/virnettlsconfig.c create mode 100644 src/rpc/virnettlsconfig.h create mode 100644 tools/virt-pki-validate.c delete mode 100644 tools/virt-pki-validate.in create mode 100644 tools/virt-validate-common.c create mode 100644 tools/virt-validate-common.h
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Shoving this through CI highlighted that I forgot to test non-Linux portability. Here are the resulting fixes, including your feedback, that I'll be including before pushing, to get a clean build in CI:
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 2570c2458a..9bff6ef6db 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -2511,7 +2511,7 @@ exit 0
 %{mingw32_bindir}/virt-admin.exe
 %{mingw32_bindir}/virt-xml-validate
 %{mingw32_bindir}/virt-pki-query-dn.exe
-%{mingw32_bindir}/virt-pki-validate
+%{mingw32_bindir}/virt-pki-validate.exe
 %{mingw32_bindir}/libvirt-lxc-0.dll
 %{mingw32_bindir}/libvirt-qemu-0.dll
 %{mingw32_bindir}/libvirt-admin-0.dll
@@ -2570,7 +2570,7 @@ exit 0
 %{mingw64_bindir}/virt-admin.exe
 %{mingw64_bindir}/virt-xml-validate
 %{mingw64_bindir}/virt-pki-query-dn.exe
-%{mingw64_bindir}/virt-pki-validate
+%{mingw64_bindir}/virt-pki-validate.exe
 %{mingw64_bindir}/libvirt-lxc-0.dll
 %{mingw64_bindir}/libvirt-qemu-0.dll
 %{mingw64_bindir}/libvirt-admin-0.dll
diff --git a/src/rpc/meson.build b/src/rpc/meson.build
index 8bdbf5c88f..68aaf24b2a 100644
--- a/src/rpc/meson.build
+++ b/src/rpc/meson.build
@@ -1,9 +1,9 @@
 gendispatch_prog = find_program('gendispatch.pl')
-tlsconfig_sources = [
- files('virnettlsconfig.c'),
- files('virnettlscert.c'),
-]
+tlsconfig_sources = files(
+ 'virnettlsconfig.c',
+ 'virnettlscert.c',
+)
 socket_sources = tlsconfig_sources + [
 'virnettlscontext.c',
diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index 2e1e4c56d5..1befbe06bc 100644
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -20,6 +20,8 @@
 #include <config.h>
+#include <unistd.h>
+
 #include "virnettlscert.h"
 #include "viralloc.h"
diff --git a/tools/virt-host-validate-bhyve.c b/tools/virt-host-validate-bhyve.c
index adb5ae1717..d7a409db9d 100644
--- a/tools/virt-host-validate-bhyve.c
+++ b/tools/virt-host-validate-bhyve.c
@@ -28,21 +28,21 @@
 #include "virt-host-validate-common.h"
 #define MODULE_STATUS(mod, err_msg, err_code) \
- virHostMsgCheck("BHYVE", _("Checking for %1$s module"), #mod); \
+ virValidateCheck("BHYVE", _("Checking for %1$s module"), #mod); \
 if (mod ## _loaded) { \
- virHostMsgPass(); \
+ virValidatePass(); \
 } else { \
- virHostMsgFail(err_code, \
- _("%1$s module is not loaded, " err_msg), \
+ virValidateFail(err_code, \
+ _("%1$s module is not loaded, " err_msg), \
 #mod); \
 ret = -1; \
 }
 #define MODULE_STATUS_FAIL(mod, err_msg) \
- MODULE_STATUS(mod, err_msg, VIR_HOST_VALIDATE_FAIL)
+ MODULE_STATUS(mod, err_msg, VIR_VALIDATE_FAIL)
 #define MODULE_STATUS_WARN(mod, err_msg) \
- MODULE_STATUS(mod, err_msg, VIR_HOST_VALIDATE_WARN)
+ MODULE_STATUS(mod, err_msg, VIR_VALIDATE_WARN)
 int virHostValidateBhyve(void)
diff --git a/tools/virt-validate-common.c b/tools/virt-validate-common.c
index 88c10e846f..9768fd9208 100644
--- a/tools/virt-validate-common.c
+++ b/tools/virt-validate-common.c
@@ -21,6 +21,8 @@
 #include <config.h>
+#include <unistd.h>
+
 #include "virt-validate-common.h"
 static bool quiet;
With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
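Review bot: In tools/virt-host-validate-bhyve.c, `MODULE_STATUS` still expands to a bare call followed by an `if`/`else`, so a use under an unbraced `if` or loop would guard only the `virValidateCheck()` call; since the rename already touches most lines of the macro, wrapping the body in `do { \` … `} while (0)` would make it a single statement. The macro also assigns `ret`, which is not one of its parameters, so a short comment such as `/* Sets 'ret' in the calling scope to -1 on failure */` above the definition would document that dependency. `err_msg` is pasted into the format string handed to `virValidateFail()`, so it has to stay a string literal with no `%` directives of its own, and the comment could say that as well. The call sites are in virHostValidateBhyve(), whose body lies outside the hunk, so whether any of them is affected today cannot be seen here.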