7:51 a.m.
v7: https://www.redhat.com/archives/libvir-list/2017-September/msg00035.html
Patches 1-4 are already ACK'd, but are presented again for completeness
Differences:
* Former patch1 already pushed (QEMU 2.10 replies and xml changes)
* Patch 5 is new - to split up the server args into a single server
JSON object creation helper so that it can be used by VxHS code in
patch 6
* Patch 6 uses the new function and alters the .args output to remove
the ".0"
* Patches 7-10, no change
* Patch 11 - adjust the .args output to remove the ".0"
Ashish Mittal (9):
storage: Introduce VIR_STORAGE_NET_PROTOCOL_VXHS
docs: Add schema and docs for Veritas HyperScale (VxHS)
util: storage: Add JSON backing volume parse for VxHS
qemu: Refactor qemuBlockStorageSourceBuildHostsJSONSocketAddress
qemu: Add qemu command line generation for a VxHS block device
conf: Introduce TLS options for VxHS block device clients
util: Add TLS attributes to virStorageSource
util: Add virstoragetest to parse/format a tls='yes'
qemu: Add TLS support for Veritas HyperScale (VxHS)
John Ferlan (2):
qemu: Detect support for vxhs
qemu: Introduce qemuDomainPrepareDiskSource
docs/formatdomain.html.in | 45 +++++--
docs/schemas/domaincommon.rng | 18 +++
src/conf/domain_conf.c | 28 +++-
src/libxl/libxl_conf.c | 1 +
src/qemu/libvirtd_qemu.aug | 4 +
src/qemu/qemu.conf | 34 +++++
src/qemu/qemu_block.c | 150 ++++++++++++++++-----
src/qemu/qemu_capabilities.c | 4 +
src/qemu/qemu_capabilities.h | 3 +
src/qemu/qemu_command.c | 38 ++++++
src/qemu/qemu_conf.c | 16 +++
src/qemu/qemu_conf.h | 3 +
src/qemu/qemu_domain.c | 71 ++++++++++
src/qemu/qemu_domain.h | 11 ++
src/qemu/qemu_driver.c | 3 +
src/qemu/qemu_hotplug.c | 73 ++++++++++
src/qemu/qemu_parse_command.c | 15 +++
src/qemu/qemu_process.c | 33 +++++
src/qemu/test_libvirtd_qemu.aug.in | 2 +
src/util/virstoragefile.c | 58 +++++++-
src/util/virstoragefile.h | 14 ++
src/xenconfig/xen_xl.c | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 +
...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 ++++++
...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 +++++++
...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 +++++
...emuxml2argv-disk-drive-network-tlsx509-vxhs.xml | 32 +++++
.../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++
.../qemuxml2argv-disk-drive-network-vxhs.xml | 32 +++++
tests/qemuxml2argvtest.c | 8 ++
...uxml2xmlout-disk-drive-network-tlsx509-vxhs.xml | 34 +++++
.../qemuxml2xmlout-disk-drive-network-vxhs.xml | 34 +++++
tests/qemuxml2xmltest.c | 2 +
tests/virstoragetest.c | 23 ++++
34 files changed, 893 insertions(+), 48 deletions(-)
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml
create mode 100644
tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml
--
2.13.5
7:51 a.m.
New subject: [libvirt] [PATCH v8 01/11] qemu: Detect support for vxhs
Using the query-qmp-schema introspection - look for the 'vxhs'
blockdevOptions type.
NB: This is a "best effort" type situation as there is not a
mechanism to determine whether the running QEMU has been
built with '--enable-vxhs'. All we can do is check if the
option to use vxhs for a blockdev-add exists in the command
infrastructure which does not take that into account when
building its table of commands and options.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 4 ++++
src/qemu/qemu_capabilities.h | 3 +++
tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 +
3 files changed, 8 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index c690cb349..2486d2015 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -439,6 +439,9 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
"virtio-net.tx_queue_size",
"chardev-reconnect",
"virtio-gpu.max_outputs",
+
+ /* 270 */
+ "vxhs",
);
@@ -1810,6 +1813,7 @@ static struct virQEMUCapsStringFlags
virQEMUCapsObjectPropsIntelIOMMU[] = {
static struct virQEMUCapsStringFlags virQEMUCapsQMPSchemaQueries[] = {
{ "blockdev-add/arg-type/options/+gluster/debug-level",
QEMU_CAPS_GLUSTER_DEBUG_LEVEL},
{ "blockdev-add/arg-type/+gluster/debug", QEMU_CAPS_GLUSTER_DEBUG_LEVEL},
+ { "blockdev-add/arg-type/+vxhs", QEMU_CAPS_VXHS},
};
struct virQEMUCapsObjectTypeProps {
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 85c390abf..2a0e9c743 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -426,6 +426,9 @@ typedef enum {
QEMU_CAPS_CHARDEV_RECONNECT, /* -chardev reconnect */
QEMU_CAPS_VIRTIO_GPU_MAX_OUTPUTS, /* -device virtio-(vga|gpu-*),max-outputs= */
+ /* 270 */
+ QEMU_CAPS_VXHS, /* -drive file.driver=vxhs via query-qmp-schema */
+
QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags;
diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
index 604921122..8a31431c0 100644
--- a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
@@ -222,6 +222,7 @@
<flag name='virtio-net.tx_queue_size'/>
<flag name='chardev-reconnect'/>
<flag name='virtio-gpu.max_outputs'/>
+ <flag name='vxhs'/>
<version>2010000</version>
<kvmVersion>0</kvmVersion>
<package> (v2.10.0)</package>
--
2.13.5
7:51 a.m.
New subject: [libvirt] [PATCH v8 02/11] storage: Introduce VIR_STORAGE_NET_PROTOCOL_VXHS
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add a new virStorageNetProtocol for Veritas HyperScale (VxHS) disks
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/libxl/libxl_conf.c | 1 +
src/qemu/qemu_block.c | 1 +
src/qemu/qemu_command.c | 1 +
src/qemu/qemu_driver.c | 3 +++
src/qemu/qemu_parse_command.c | 1 +
src/util/virstoragefile.c | 5 ++++-
src/util/virstoragefile.h | 1 +
src/xenconfig/xen_xl.c | 1 +
8 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c
index 4416a09dd..34233a955 100644
--- a/src/libxl/libxl_conf.c
+++ b/src/libxl/libxl_conf.c
@@ -666,6 +666,7 @@ libxlMakeNetworkDiskSrcStr(virStorageSourcePtr src,
case VIR_STORAGE_NET_PROTOCOL_GLUSTER:
case VIR_STORAGE_NET_PROTOCOL_SHEEPDOG:
case VIR_STORAGE_NET_PROTOCOL_SSH:
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
case VIR_STORAGE_NET_PROTOCOL_NONE:
virReportError(VIR_ERR_NO_SUPPORT,
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 7fb12ea5a..d07269f4e 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -522,6 +522,7 @@ qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src)
case VIR_STORAGE_NET_PROTOCOL_FTPS:
case VIR_STORAGE_NET_PROTOCOL_TFTP:
case VIR_STORAGE_NET_PROTOCOL_SSH:
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_NONE:
case VIR_STORAGE_NET_PROTOCOL_LAST:
break;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index d553df57f..720530daa 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -999,6 +999,7 @@ qemuBuildNetworkDriveStr(virStorageSourcePtr src,
_("'ssh' protocol is not yet supported"));
goto cleanup;
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
case VIR_STORAGE_NET_PROTOCOL_NONE:
virReportError(VIR_ERR_INTERNAL_ERROR,
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index b334cf20b..d299938c5 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -13838,6 +13838,7 @@
qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
case VIR_STORAGE_NET_PROTOCOL_FTPS:
case VIR_STORAGE_NET_PROTOCOL_TFTP:
case VIR_STORAGE_NET_PROTOCOL_SSH:
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("external inactive snapshots are not supported on
"
@@ -13901,6 +13902,7 @@
qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr d
case VIR_STORAGE_NET_PROTOCOL_FTPS:
case VIR_STORAGE_NET_PROTOCOL_TFTP:
case VIR_STORAGE_NET_PROTOCOL_SSH:
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("external active snapshots are not supported on "
@@ -14046,6 +14048,7 @@ qemuDomainSnapshotPrepareDiskInternal(virConnectPtr conn,
case VIR_STORAGE_NET_PROTOCOL_FTPS:
case VIR_STORAGE_NET_PROTOCOL_TFTP:
case VIR_STORAGE_NET_PROTOCOL_SSH:
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("internal inactive snapshots are not supported on
"
diff --git a/src/qemu/qemu_parse_command.c b/src/qemu/qemu_parse_command.c
index 8cb96a24a..9190a37ba 100644
--- a/src/qemu/qemu_parse_command.c
+++ b/src/qemu/qemu_parse_command.c
@@ -2026,6 +2026,7 @@ qemuParseCommandLine(virCapsPtr caps,
case VIR_STORAGE_NET_PROTOCOL_FTPS:
case VIR_STORAGE_NET_PROTOCOL_TFTP:
case VIR_STORAGE_NET_PROTOCOL_SSH:
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
case VIR_STORAGE_NET_PROTOCOL_NONE:
/* ignored for now */
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index e94ad32f0..ca306c27b 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -85,7 +85,8 @@ VIR_ENUM_IMPL(virStorageNetProtocol, VIR_STORAGE_NET_PROTOCOL_LAST,
"ftp",
"ftps",
"tftp",
- "ssh")
+ "ssh",
+ "vxhs")
VIR_ENUM_IMPL(virStorageNetHostTransport, VIR_STORAGE_NET_HOST_TRANS_LAST,
"tcp",
@@ -2712,6 +2713,7 @@ virStorageSourceParseBackingColon(virStorageSourcePtr src,
case VIR_STORAGE_NET_PROTOCOL_ISCSI:
case VIR_STORAGE_NET_PROTOCOL_GLUSTER:
case VIR_STORAGE_NET_PROTOCOL_SSH:
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("malformed backing store path for protocol %s"),
protocol);
@@ -3992,6 +3994,7 @@ virStorageSourceNetworkDefaultPort(virStorageNetProtocol protocol)
/* we don't provide a default for RBD */
return 0;
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
case VIR_STORAGE_NET_PROTOCOL_NONE:
return 0;
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index 6c388b1a5..f7e897f25 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -134,6 +134,7 @@ typedef enum {
VIR_STORAGE_NET_PROTOCOL_FTPS,
VIR_STORAGE_NET_PROTOCOL_TFTP,
VIR_STORAGE_NET_PROTOCOL_SSH,
+ VIR_STORAGE_NET_PROTOCOL_VXHS,
VIR_STORAGE_NET_PROTOCOL_LAST
} virStorageNetProtocol;
diff --git a/src/xenconfig/xen_xl.c b/src/xenconfig/xen_xl.c
index d168d3fa4..8acbfe3f6 100644
--- a/src/xenconfig/xen_xl.c
+++ b/src/xenconfig/xen_xl.c
@@ -1024,6 +1024,7 @@ xenFormatXLDiskSrcNet(virStorageSourcePtr src)
case VIR_STORAGE_NET_PROTOCOL_GLUSTER:
case VIR_STORAGE_NET_PROTOCOL_SHEEPDOG:
case VIR_STORAGE_NET_PROTOCOL_SSH:
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
case VIR_STORAGE_NET_PROTOCOL_NONE:
virReportError(VIR_ERR_NO_SUPPORT,
--
2.13.5
7:51 a.m.
New subject: [libvirt] [PATCH v8 03/11] docs: Add schema and docs for Veritas HyperScale (VxHS)
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Alter the schema to allow a VxHS block device. Sample XML is:
<disk type='network' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc251'>
<host name='192.168.0.1' port='9999'/>
</source>
<target dev='vda' bus='virtio'/>
<serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
</disk>
Update the html docs to describe the capability for VxHS.
Alter the qemuxml2xmltest to validate the formatting.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
docs/formatdomain.html.in | 15 ++++++++--
docs/schemas/domaincommon.rng | 13 +++++++++
.../qemuxml2argv-disk-drive-network-vxhs.xml | 32 ++++++++++++++++++++
.../qemuxml2xmlout-disk-drive-network-vxhs.xml | 34 ++++++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
5 files changed, 92 insertions(+), 3 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 8ca7637a4..446ffff4c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2520,9 +2520,9 @@
<dd>
The <code>protocol</code> attribute specifies the protocol to
access to the requested image. Possible values are "nbd",
- "iscsi", "rbd", "sheepdog" or
"gluster". If the
- <code>protocol</code> attribute is "rbd",
"sheepdog" or
- "gluster", an additional attribute <code>name</code>
is
+ "iscsi", "rbd", "sheepdog",
"gluster" or "vxhs". If the
+ <code>protocol</code> attribute is "rbd",
"sheepdog", "gluster"
+ or "vxhs", an additional attribute <code>name</code>
is
mandatory to specify which volume/image will be used. For "nbd",
the <code>name</code> attribute is optional. For
"iscsi"
(<span class="since">since 1.0.4</span>), the
<code>name</code>
@@ -2530,6 +2530,9 @@
target's name by a slash (e.g.,
<code>iqn.2013-07.com.example:iscsi-pool/1</code>). If not
specified, the default LUN is zero.
+ For "vxhs" (<span class="since">since
3.8.0</span>), the
+ <code>name</code> is the UUID of the volume, assigned by the
+ HyperScale server.
<span class="since">Since 0.8.7</span>
</dd>
<dt><code>volume</code></dt>
@@ -2632,6 +2635,12 @@
<td> one or more (<span class="since">Since
2.1.0</span>), just one prior to that </td>
<td> 24007 </td>
</tr>
+ <tr>
+ <td> vxhs </td>
+ <td> a server running Veritas HyperScale daemon </td>
+ <td> only one </td>
+ <td> 9999 </td>
+ </tr>
</table>
<p>
gluster supports "tcp", "rdma", "unix" as valid
values for the
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index c9a4f7a9a..76852abb3 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1636,6 +1636,18 @@
</element>
</define>
+ <define name="diskSourceNetworkProtocolVxHS">
+ <element name="source">
+ <attribute name="protocol">
+ <choice>
+ <value>vxhs</value>
+ </choice>
+ </attribute>
+ <attribute name="name"/>
+ <ref name="diskSourceNetworkHost"/>
+ </element>
+ </define>
+
<define name="diskSourceNetwork">
<attribute name="type">
<value>network</value>
@@ -1646,6 +1658,7 @@
<ref name="diskSourceNetworkProtocolRBD"/>
<ref name="diskSourceNetworkProtocolHTTP"/>
<ref name="diskSourceNetworkProtocolSimple"/>
+ <ref name="diskSourceNetworkProtocolVxHS"/>
</choice>
</define>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml
b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml
new file mode 100644
index 000000000..4f4df2f9e
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml
@@ -0,0 +1,32 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc251'>
+ <host name='192.168.0.1' port='9999'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml
b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml
new file mode 100644
index 000000000..160ed8d5f
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml
@@ -0,0 +1,34 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc251'>
+ <host name='192.168.0.1' port='9999'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 0a87cedf2..8b7577fd3 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -474,6 +474,7 @@ mymain(void)
DO_TEST("disk-drive-network-rbd-ipv6", NONE);
DO_TEST("disk-drive-network-rbd-ceph-env", NONE);
DO_TEST("disk-drive-network-sheepdog", NONE);
+ DO_TEST("disk-drive-network-vxhs", NONE);
DO_TEST("disk-scsi-device",
QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_SCSI_LSI);
DO_TEST("disk-scsi-vscsi", NONE);
--
2.13.5
7:51 a.m.
New subject: [libvirt] [PATCH v8 04/11] util: storage: Add JSON backing volume parse for VxHS
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add the backing parse and a test case to verify parsing of VxHS
backing storage.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/util/virstoragefile.c | 37 +++++++++++++++++++++++++++++++++++++
tests/virstoragetest.c | 11 +++++++++++
2 files changed, 48 insertions(+)
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index ca306c27b..ba2045369 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -3212,6 +3212,40 @@ virStorageSourceParseBackingJSONRaw(virStorageSourcePtr src,
return virStorageSourceParseBackingJSONInternal(src, json);
}
+
+static int
+virStorageSourceParseBackingJSONVxHS(virStorageSourcePtr src,
+ virJSONValuePtr json,
+ int opaque ATTRIBUTE_UNUSED)
+{
+ const char *vdisk_id = virJSONValueObjectGetString(json, "vdisk-id");
+ virJSONValuePtr server = virJSONValueObjectGetObject(json, "server");
+
+ if (!vdisk_id || !server) {
+ virReportError(VIR_ERR_INVALID_ARG, "%s",
+ _("missing 'vdisk-id' or 'server' attribute
in "
+ "JSON backing definition for VxHS volume"));
+ return -1;
+ }
+
+ src->type = VIR_STORAGE_TYPE_NETWORK;
+ src->protocol = VIR_STORAGE_NET_PROTOCOL_VXHS;
+
+ if (VIR_STRDUP(src->path, vdisk_id) < 0)
+ return -1;
+
+ if (VIR_ALLOC_N(src->hosts, 1) < 0)
+ return -1;
+ src->nhosts = 1;
+
+ if (virStorageSourceParseBackingJSONInetSocketAddress(src->hosts,
+ server) < 0)
+ return -1;
+
+ return 0;
+}
+
+
struct virStorageSourceJSONDriverParser {
const char *drvname;
int (*func)(virStorageSourcePtr src, virJSONValuePtr json, int opaque);
@@ -3234,6 +3268,7 @@ static const struct virStorageSourceJSONDriverParser jsonParsers[] =
{
{"ssh", virStorageSourceParseBackingJSONSSH, 0},
{"rbd", virStorageSourceParseBackingJSONRBD, 0},
{"raw", virStorageSourceParseBackingJSONRaw, 0},
+ {"vxhs", virStorageSourceParseBackingJSONVxHS, 0},
};
@@ -3995,6 +4030,8 @@ virStorageSourceNetworkDefaultPort(virStorageNetProtocol protocol)
return 0;
case VIR_STORAGE_NET_PROTOCOL_VXHS:
+ return 9999;
+
case VIR_STORAGE_NET_PROTOCOL_LAST:
case VIR_STORAGE_NET_PROTOCOL_NONE:
return 0;
diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c
index 60e3164b0..ffebd4dc1 100644
--- a/tests/virstoragetest.c
+++ b/tests/virstoragetest.c
@@ -1592,6 +1592,17 @@ mymain(void)
"<source protocol='sheepdog'
name='Alice'>\n"
" <host name='10.10.10.10'
port='7000'/>\n"
"</source>\n");
+
TEST_BACKING_PARSE("json:{\"file\":{\"driver\":\"vxhs\","
+
"\"vdisk-id\":\"c6718f6b-0401-441d-a8c3-1f0064d75ee0\","
+ "\"server\": {
\"type\":\"tcp\","
+
"\"host\":\"example.com\","
+
"\"port\":\"9999\""
+ "}"
+ "}"
+ "}",
+ "<source protocol='vxhs'
name='c6718f6b-0401-441d-a8c3-1f0064d75ee0'>\n"
+ " <host name='example.com'
port='9999'/>\n"
+ "</source>\n");
#endif /* WITH_YAJL */
cleanup:
--
2.13.5
7:51 a.m.
New subject: [libvirt] [PATCH v8 05/11] qemu: Refactor qemuBlockStorageSourceBuildHostsJSONSocketAddress
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Extract out the "guts" of building a server entry into it's own
separately callable/usable function in order to allow building
a server entry for a consumer with src->nhosts == 1.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_block.c | 106 +++++++++++++++++++++++++++++++++-----------------
1 file changed, 70 insertions(+), 36 deletions(-)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index d07269f4e..c97b787c5 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -380,6 +380,74 @@ qemuBlockGetNodeData(virJSONValuePtr data)
/**
+ * qemuBlockStorageSourceBuildJSONSocketAddress
+ * @host: the virStorageNetHostDefPtr definition to build
+ * @legacy: use 'tcp' instead of 'inet' for compatibility reasons
+ *
+ * Formats @hosts into a json object conforming to the 'SocketAddress' type
+ * in qemu.
+ *
+ * This function can be used when only 1 src->nhosts is expected in order
+ * to build a command without the array indices after "server.". That is
+ * to see "server.type", "server.host", and "server.port"
instead of
+ * "server.#.type", "server.#.host", and "server.#.port".
+ *
+ * Returns a virJSONValuePtr for a single server.
+ */
+static virJSONValuePtr
+qemuBlockStorageSourceBuildJSONSocketAddress(virStorageNetHostDefPtr host,
+ bool legacy)
+{
+ virJSONValuePtr server = NULL;
+ virJSONValuePtr ret = NULL;
+ const char *transport;
+ char *port = NULL;
+
+ switch ((virStorageNetHostTransport) host->transport) {
+ case VIR_STORAGE_NET_HOST_TRANS_TCP:
+ if (legacy)
+ transport = "tcp";
+ else
+ transport = "inet";
+
+ if (virAsprintf(&port, "%u", host->port) < 0)
+ goto cleanup;
+
+ if (virJSONValueObjectCreate(&server,
+ "s:type", transport,
+ "s:host", host->name,
+ "s:port", port,
+ NULL) < 0)
+ goto cleanup;
+ break;
+
+ case VIR_STORAGE_NET_HOST_TRANS_UNIX:
+ if (virJSONValueObjectCreate(&server,
+ "s:type", "unix",
+ "s:socket", host->socket,
+ NULL) < 0)
+ goto cleanup;
+ break;
+
+ case VIR_STORAGE_NET_HOST_TRANS_RDMA:
+ case VIR_STORAGE_NET_HOST_TRANS_LAST:
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("transport protocol '%s' is not yet
supported"),
+ virStorageNetHostTransportTypeToString(host->transport));
+ goto cleanup;
+ }
+
+ VIR_STEAL_PTR(ret, server);
+
+ cleanup:
+ VIR_FREE(port);
+ virJSONValueFree(server);
+
+ return ret;
+}
+
+
+/**
* qemuBlockStorageSourceBuildHostsJSONSocketAddress:
* @src: disk storage source
* @legacy: use 'tcp' instead of 'inet' for compatibility reasons
@@ -395,8 +463,6 @@ qemuBlockStorageSourceBuildHostsJSONSocketAddress(virStorageSourcePtr
src,
virJSONValuePtr server = NULL;
virJSONValuePtr ret = NULL;
virStorageNetHostDefPtr host;
- const char *transport;
- char *port = NULL;
size_t i;
if (!(servers = virJSONValueNewArray()))
@@ -405,39 +471,8 @@ qemuBlockStorageSourceBuildHostsJSONSocketAddress(virStorageSourcePtr
src,
for (i = 0; i < src->nhosts; i++) {
host = src->hosts + i;
- switch ((virStorageNetHostTransport) host->transport) {
- case VIR_STORAGE_NET_HOST_TRANS_TCP:
- if (legacy)
- transport = "tcp";
- else
- transport = "inet";
-
- if (virAsprintf(&port, "%u", host->port) < 0)
- goto cleanup;
-
- if (virJSONValueObjectCreate(&server,
- "s:type", transport,
- "s:host", host->name,
- "s:port", port,
- NULL) < 0)
- goto cleanup;
- break;
-
- case VIR_STORAGE_NET_HOST_TRANS_UNIX:
- if (virJSONValueObjectCreate(&server,
- "s:type", "unix",
- "s:socket", host->socket,
- NULL) < 0)
- goto cleanup;
- break;
-
- case VIR_STORAGE_NET_HOST_TRANS_RDMA:
- case VIR_STORAGE_NET_HOST_TRANS_LAST:
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("transport protocol '%s' is not yet
supported"),
- virStorageNetHostTransportTypeToString(host->transport));
- goto cleanup;
- }
+ if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(host, legacy)))
+ goto cleanup;
if (virJSONValueArrayAppend(servers, server) < 0)
goto cleanup;
@@ -450,7 +485,6 @@ qemuBlockStorageSourceBuildHostsJSONSocketAddress(virStorageSourcePtr
src,
cleanup:
virJSONValueFree(servers);
virJSONValueFree(server);
- VIR_FREE(port);
return ret;
}
--
2.13.5
8:28 a.m.
New subject: [libvirt] [PATCH v8 05/11] qemu: Refactor qemuBlockStorageSourceBuildHostsJSONSocketAddress
On Thu, Sep 14, 2017 at 08:51:50 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Extract out the "guts" of building a server entry into it's own
separately callable/usable function in order to allow building
a server entry for a consumer with src->nhosts == 1.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_block.c | 106 +++++++++++++++++++++++++++++++++-----------------
1 file changed, 70 insertions(+), 36 deletions(-)
ACK
7:51 a.m.
New subject: [libvirt] [PATCH v8 06/11] qemu: Add qemu command line generation for a VxHS block device
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
The VxHS block device will only use the newer formatting options and
avoid the legacy URI syntax.
An excerpt for a sample QEMU command line is:
-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
file.server.type=tcp,file.server.host=192.168.0.1,\
file.server.port=9999,format=raw,if=none,id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0
Update qemuxml2argvtest with a simple test.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_block.c | 37 +++++++++++++++++++++-
src/qemu/qemu_command.c | 10 +++++-
src/qemu/qemu_parse_command.c | 16 +++++++++-
src/qemu/qemu_process.c | 29 +++++++++++++++++
.../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
6 files changed, 117 insertions(+), 3 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index c97b787c5..ca6e213b4 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -516,6 +516,37 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSourcePtr src)
}
+static virJSONValuePtr
+qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src)
+{
+ const char *protocol = virStorageNetProtocolTypeToString(src->protocol);
+ virJSONValuePtr server = NULL;
+ virJSONValuePtr ret = NULL;
+
+ if (src->nhosts != 1) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("VxHS protocol accepts only one host"));
+ return NULL;
+ }
+
+ if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true)))
+ return NULL;
+
+ /* VxHS disk specification example:
+ * { driver:"vxhs",
+ * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251",
+ * server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
+ */
+ if (virJSONValueObjectCreate(&ret,
+ "s:driver", protocol,
+ "s:vdisk-id", src->path,
+ "a:server", server, NULL) < 0)
+ virJSONValueFree(server);
+
+ return ret;
+}
+
+
/**
* qemuBlockStorageSourceGetBackendProps:
* @src: disk source
@@ -546,6 +577,11 @@ qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src)
goto cleanup;
break;
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
+ if (!(fileprops = qemuBlockStorageSourceGetVxHSProps(src)))
+ goto cleanup;
+ break;
+
case VIR_STORAGE_NET_PROTOCOL_NBD:
case VIR_STORAGE_NET_PROTOCOL_RBD:
case VIR_STORAGE_NET_PROTOCOL_SHEEPDOG:
@@ -556,7 +592,6 @@ qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src)
case VIR_STORAGE_NET_PROTOCOL_FTPS:
case VIR_STORAGE_NET_PROTOCOL_TFTP:
case VIR_STORAGE_NET_PROTOCOL_SSH:
- case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_NONE:
case VIR_STORAGE_NET_PROTOCOL_LAST:
break;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 720530daa..0a3278510 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -994,12 +994,16 @@ qemuBuildNetworkDriveStr(virStorageSourcePtr src,
ret = virBufferContentAndReset(&buf);
break;
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("VxHS protocol does not support URI syntax"));
+ goto cleanup;
+
case VIR_STORAGE_NET_PROTOCOL_SSH:
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("'ssh' protocol is not yet supported"));
goto cleanup;
- case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
case VIR_STORAGE_NET_PROTOCOL_NONE:
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1329,6 +1333,10 @@ qemuDiskSourceNeedsProps(virStorageSourcePtr src)
src->nhosts > 1)
return true;
+ if (actualType == VIR_STORAGE_TYPE_NETWORK &&
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS)
+ return true;
+
return false;
}
diff --git a/src/qemu/qemu_parse_command.c b/src/qemu/qemu_parse_command.c
index 9190a37ba..6286c2e7a 100644
--- a/src/qemu/qemu_parse_command.c
+++ b/src/qemu/qemu_parse_command.c
@@ -736,6 +736,11 @@ qemuParseCommandLineDisk(virDomainXMLOptionPtr xmlopt,
if (VIR_STRDUP(def->src->path, vdi) < 0)
goto error;
}
+ } else if (STRPREFIX(def->src->path, "vxhs:")) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("VxHS protocol does not support URI syntax
'%s'"),
+ def->src->path);
+ goto error;
} else {
def->src->type = VIR_STORAGE_TYPE_FILE;
}
@@ -1944,6 +1949,10 @@ qemuParseCommandLine(virCapsPtr caps,
disk->src->type = VIR_STORAGE_TYPE_NETWORK;
disk->src->protocol = VIR_STORAGE_NET_PROTOCOL_SHEEPDOG;
val += strlen("sheepdog:");
+ } else if (STRPREFIX(val, "vxhs:")) {
+ disk->src->type = VIR_STORAGE_TYPE_NETWORK;
+ disk->src->protocol = VIR_STORAGE_NET_PROTOCOL_VXHS;
+ val += strlen("vxhs:");
} else {
disk->src->type = VIR_STORAGE_TYPE_FILE;
}
@@ -2020,13 +2029,18 @@ qemuParseCommandLine(virCapsPtr caps,
goto error;
break;
+ case VIR_STORAGE_NET_PROTOCOL_VXHS:
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("VxHS protocol does not support URI "
+ "syntax '%s'"),
disk->src->path);
+ goto error;
+ break;
case VIR_STORAGE_NET_PROTOCOL_HTTP:
case VIR_STORAGE_NET_PROTOCOL_HTTPS:
case VIR_STORAGE_NET_PROTOCOL_FTP:
case VIR_STORAGE_NET_PROTOCOL_FTPS:
case VIR_STORAGE_NET_PROTOCOL_TFTP:
case VIR_STORAGE_NET_PROTOCOL_SSH:
- case VIR_STORAGE_NET_PROTOCOL_VXHS:
case VIR_STORAGE_NET_PROTOCOL_LAST:
case VIR_STORAGE_NET_PROTOCOL_NONE:
/* ignored for now */
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 7e9b406b6..099a770e9 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4578,6 +4578,32 @@ qemuProcessStartValidateShmem(virDomainObjPtr vm)
static int
+qemuProcessStartValidateDisks(virDomainObjPtr vm,
+ virQEMUCapsPtr qemuCaps)
+{
+ size_t i;
+
+ for (i = 0; i < vm->def->ndisks; i++) {
+ virStorageSourcePtr src = vm->def->disks[i]->src;
+
+ /* This is a best effort check as we can only check if the command
+ * option exists, but we cannot determine whether the running QEMU
+ * was build with '--enable-vxhs'. */
+ if (src->type == VIR_STORAGE_TYPE_NETWORK &&
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_VXHS)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("VxHS protocol is not supported with this "
+ "QEMU binary"));
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+
+static int
qemuProcessStartValidateXML(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virQEMUCapsPtr qemuCaps,
@@ -4659,6 +4685,9 @@ qemuProcessStartValidate(virQEMUDriverPtr driver,
if (qemuProcessStartValidateShmem(vm) < 0)
return -1;
+ if (qemuProcessStartValidateDisks(vm, qemuCaps) < 0)
+ return -1;
+
VIR_DEBUG("Checking for any possible (non-fatal) issues");
qemuProcessStartWarnShmem(vm);
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
new file mode 100644
index 000000000..b62ace3de
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
@@ -0,0 +1,27 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-x86_64 \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-cpu qemu32 \
+-m 214 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nographic \
+-nodefaults \
+-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\
+server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=readline \
+-no-acpi \
+-boot c \
+-usb \
+-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
+file.server.type=tcp,file.server.host=192.168.0.1,file.server.port=9999,\
+format=raw,if=none,id=drive-virtio-disk0,cache=none \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
+id=virtio-disk0
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 2c040e4c0..01a518eff 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -931,6 +931,7 @@ mymain(void)
# endif
DO_TEST("disk-drive-network-rbd-ipv6", NONE);
DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE);
+ DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS);
DO_TEST("disk-drive-no-boot",
QEMU_CAPS_BOOTINDEX);
DO_TEST_PARSE_ERROR("disk-device-lun-type-invalid",
--
2.13.5
8:37 a.m.
New subject: [libvirt] [PATCH v8 06/11] qemu: Add qemu command line generation for a VxHS block device
On Thu, Sep 14, 2017 at 08:51:51 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
The VxHS block device will only use the newer formatting options and
avoid the legacy URI syntax.
An excerpt for a sample QEMU command line is:
-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
file.server.type=tcp,file.server.host=192.168.0.1,\
file.server.port=9999,format=raw,if=none,id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0
Update qemuxml2argvtest with a simple test.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_block.c | 37 +++++++++++++++++++++-
src/qemu/qemu_command.c | 10 +++++-
src/qemu/qemu_parse_command.c | 16 +++++++++-
src/qemu/qemu_process.c | 29 +++++++++++++++++
.../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
6 files changed, 117 insertions(+), 3 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index c97b787c5..ca6e213b4 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -516,6 +516,37 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSourcePtr src)
}
+static virJSONValuePtr
+qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src)
+{
+ const char *protocol = virStorageNetProtocolTypeToString(src->protocol);
+ virJSONValuePtr server = NULL;
+ virJSONValuePtr ret = NULL;
+
+ if (src->nhosts != 1) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("VxHS protocol accepts only one host"));
+ return NULL;
+ }
+
+ if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true)))
+ return NULL;
This creates a json object ...
+
+ /* VxHS disk specification example:
+ * { driver:"vxhs",
+ * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251",
+ * server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
... which is appended below as the 'server' field, while this example
shows an array of objects. So, which one is correct? Is this a hack to
force the JSON->commandline generator to compy? If it's so then we need
to change that and not this, since then QMP commands like 'blockdev-add'
will not accept it and thus this will be useless for expansion.
+ */
+ if (virJSONValueObjectCreate(&ret,
+ "s:driver", protocol,
+ "s:vdisk-id", src->path,
+ "a:server", server, NULL) < 0)
+ virJSONValueFree(server);
+
+ return ret;
+}
+
+
/**
* qemuBlockStorageSourceGetBackendProps:
* @src: disk source
Rest looks okay
9:15 a.m.
New subject: [libvirt] [PATCH v8 06/11] qemu: Add qemu command line generation for a VxHS block device
On 09/19/2017 09:37 AM, Peter Krempa wrote:
On Thu, Sep 14, 2017 at 08:51:51 -0400, John Ferlan wrote:
> From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
>
> The VxHS block device will only use the newer formatting options and
> avoid the legacy URI syntax.
>
> An excerpt for a sample QEMU command line is:
>
> -drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
> file.server.type=tcp,file.server.host=192.168.0.1,\
> file.server.port=9999,format=raw,if=none,id=drive-virtio-disk0,cache=none \
> -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
> id=virtio-disk0
>
> Update qemuxml2argvtest with a simple test.
>
> Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
> Signed-off-by: John Ferlan <jferlan(a)redhat.com>
> ---
> src/qemu/qemu_block.c | 37 +++++++++++++++++++++-
> src/qemu/qemu_command.c | 10 +++++-
> src/qemu/qemu_parse_command.c | 16 +++++++++-
> src/qemu/qemu_process.c | 29 +++++++++++++++++
> .../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++++++++++++++
> tests/qemuxml2argvtest.c | 1 +
> 6 files changed, 117 insertions(+), 3 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
>
> diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
> index c97b787c5..ca6e213b4 100644
> --- a/src/qemu/qemu_block.c
> +++ b/src/qemu/qemu_block.c
> @@ -516,6 +516,37 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSourcePtr src)
> }
>
>
> +static virJSONValuePtr
> +qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src)
> +{
> + const char *protocol = virStorageNetProtocolTypeToString(src->protocol);
> + virJSONValuePtr server = NULL;
> + virJSONValuePtr ret = NULL;
> +
> + if (src->nhosts != 1) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("VxHS protocol accepts only one host"));
> + return NULL;
> + }
> +
> + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts,
true)))
> + return NULL;
This creates a json object ...
> +
> + /* VxHS disk specification example:
> + * { driver:"vxhs",
> + * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251",
> + * server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
... which is appended below as the 'server' field, while this example
shows an array of objects. So, which one is correct? Is this a hack to
force the JSON->commandline generator to compy? If it's so then we need
to change that and not this, since then QMP commands like 'blockdev-add'
will not accept it and thus this will be useless for expansion.
Oh right, the [ ] is wrong as this isn't an array it's just a single
server element (as seen in patch 4)
I can remove the [ ] and I think that answers your concern. The VxHS
qemu code only likes the "server.type, server.host, and server.port"
syntax and fails on the "server.0.type", "server.0.host", and
"server.0.port" syntax.
John
> + */
> + if (virJSONValueObjectCreate(&ret,
> + "s:driver", protocol,
> + "s:vdisk-id", src->path,
> + "a:server", server, NULL) < 0)
> + virJSONValueFree(server);
> +
> + return ret;
> +}
> +
> +
> /**
> * qemuBlockStorageSourceGetBackendProps:
> * @src: disk source
Rest looks okay
9:41 a.m.
New subject: [libvirt] [PATCH v8 06/11] qemu: Add qemu command line generation for a VxHS block device
On Tue, Sep 19, 2017 at 10:15:38 -0400, John Ferlan wrote:
On 09/19/2017 09:37 AM, Peter Krempa wrote:
> On Thu, Sep 14, 2017 at 08:51:51 -0400, John Ferlan wrote:
>> From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
>>
>> The VxHS block device will only use the newer formatting options and
>> avoid the legacy URI syntax.
>>
>> An excerpt for a sample QEMU command line is:
>>
>> -drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
>> file.server.type=tcp,file.server.host=192.168.0.1,\
>> file.server.port=9999,format=raw,if=none,id=drive-virtio-disk0,cache=none \
>> -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
>> id=virtio-disk0
>>
>> Update qemuxml2argvtest with a simple test.
>>
>> Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
>> Signed-off-by: John Ferlan <jferlan(a)redhat.com>
>> ---
>> src/qemu/qemu_block.c | 37 +++++++++++++++++++++-
>> src/qemu/qemu_command.c | 10 +++++-
>> src/qemu/qemu_parse_command.c | 16 +++++++++-
>> src/qemu/qemu_process.c | 29 +++++++++++++++++
>> .../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++++++++++++++
>> tests/qemuxml2argvtest.c | 1 +
>> 6 files changed, 117 insertions(+), 3 deletions(-)
>> create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
>>
>> diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
>> index c97b787c5..ca6e213b4 100644
>> --- a/src/qemu/qemu_block.c
>> +++ b/src/qemu/qemu_block.c
>> @@ -516,6 +516,37 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSourcePtr
src)
>> }
>>
>>
>> +static virJSONValuePtr
>> +qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src)
>> +{
>> + const char *protocol =
virStorageNetProtocolTypeToString(src->protocol);
>> + virJSONValuePtr server = NULL;
>> + virJSONValuePtr ret = NULL;
>> +
>> + if (src->nhosts != 1) {
>> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
>> + _("VxHS protocol accepts only one host"));
>> + return NULL;
>> + }
>> +
>> + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts,
true)))
>> + return NULL;
>
> This creates a json object ...
>
>> +
>> + /* VxHS disk specification example:
>> + * { driver:"vxhs",
>> + * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251",
>> + * server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
>
> ... which is appended below as the 'server' field, while this example
> shows an array of objects. So, which one is correct? Is this a hack to
> force the JSON->commandline generator to compy? If it's so then we need
> to change that and not this, since then QMP commands like 'blockdev-add'
> will not accept it and thus this will be useless for expansion.
>
Oh right, the [ ] is wrong as this isn't an array it's just a single
server element (as seen in patch 4)
I can remove the [ ] and I think that answers your concern. The VxHS
qemu code only likes the "server.type, server.host, and server.port"
syntax and fails on the "server.0.type", "server.0.host", and
"server.0.port" syntax.
Okay, cool. ACK with the docs fixed.
7:51 a.m.
New subject: [libvirt] [PATCH v8 07/11] conf: Introduce TLS options for VxHS block device clients
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add a new TLS X.509 certificate type - "vxhs". This will handle the
creation of a TLS certificate capability for properly configured
VxHS network block device clients.
The following describes the behavior of TLS for VxHS block device:
(1) Two new options have been added in /etc/libvirt/qemu.conf
to control TLS behavior with VxHS block devices
"vxhs_tls" and "vxhs_tls_x509_cert_dir".
(2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
TLS for VxHS block devices.
(3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
TLS CA certificate and the client certificate and keys are saved.
If this value is missing, the "default_tls_x509_cert_dir" will be
used instead. If the environment is not configured properly the
authentication to the VxHS server will fail.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/libvirtd_qemu.aug | 4 ++++
src/qemu/qemu.conf | 34 ++++++++++++++++++++++++++++++++++
src/qemu/qemu_conf.c | 16 ++++++++++++++++
src/qemu/qemu_conf.h | 3 +++
src/qemu/test_libvirtd_qemu.aug.in | 2 ++
5 files changed, 59 insertions(+)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index e1983d1fd..c19bf3a43 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -115,6 +115,9 @@ module Libvirtd_qemu =
let memory_entry = str_entry "memory_backing_dir"
+ let vxhs_entry = bool_entry "vxhs_tls"
+ | str_entry "vxhs_tls_x509_cert_dir"
+
(* Each entry in the config is one of the following ... *)
let entry = default_tls_entry
| vnc_entry
@@ -133,6 +136,7 @@ module Libvirtd_qemu =
| nvram_entry
| gluster_debug_level_entry
| memory_entry
+ | vxhs_entry
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store
/([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ]
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index f977e3b71..2d20d790b 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -258,6 +258,40 @@
#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Enable use of TLS encryption for all VxHS network block devices that
+# don't specifically disable.
+#
+# When the VxHS network block device server is set up appropriately,
+# x509 certificates are required for authentication between the clients
+# (qemu processes) and the remote VxHS server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#vxhs_tls = 1
+
+
+# In order to override the default TLS certificate location for VxHS
+# device TCP certificates, supply a valid path to the certificate directory.
+# This is used to authenticate the VxHS block device clients to the VxHS
+# server.
+#
+# If the provided path does not exist then the default_tls_x509_cert_dir
+# path will be used.
+#
+# VxHS block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA master certificate.
+# If using the default environment, default_tls_x509_verify must be configured.
+# The server key as well as secret UUID that would decrypt it is not used.
+# Thus a VxHS directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+
+
# In order to override the default TLS certificate location for migration
# certificates, supply a valid path to the certificate directory. If the
# provided path does not exist then the default_tls_x509_cert_dir path
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index ab5f7cc59..bcf798d08 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -283,6 +283,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
SET_TLS_X509_CERT_DEFAULT(spice);
SET_TLS_X509_CERT_DEFAULT(chardev);
SET_TLS_X509_CERT_DEFAULT(migrate);
+ SET_TLS_X509_CERT_DEFAULT(vxhs);
#undef SET_TLS_X509_CERT_DEFAULT
@@ -380,6 +381,8 @@ static void virQEMUDriverConfigDispose(void *obj)
VIR_FREE(cfg->chardevTLSx509certdir);
VIR_FREE(cfg->chardevTLSx509secretUUID);
+ VIR_FREE(cfg->vxhsTLSx509certdir);
+
VIR_FREE(cfg->migrateTLSx509certdir);
VIR_FREE(cfg->migrateTLSx509secretUUID);
@@ -457,6 +460,7 @@ virQEMUDriverConfigTLSDirResetDefaults(virQEMUDriverConfigPtr cfg)
CHECK_RESET_CERT_DIR_DEFAULT(spice);
CHECK_RESET_CERT_DIR_DEFAULT(chardev);
CHECK_RESET_CERT_DIR_DEFAULT(migrate);
+ CHECK_RESET_CERT_DIR_DEFAULT(vxhs);
return 0;
}
@@ -556,6 +560,10 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
goto cleanup;
if (virConfGetValueBool(conf, "spice_auto_unix_socket",
&cfg->spiceAutoUnixSocket) < 0)
goto cleanup;
+ if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0)
+ goto cleanup;
+ if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir",
&cfg->vxhsTLSx509certdir) < 0)
+ goto cleanup;
#define GET_CONFIG_TLS_CERTINFO(val) \
do { \
@@ -976,6 +984,14 @@ virQEMUDriverConfigValidate(virQEMUDriverConfigPtr cfg)
return -1;
}
+ if (STRNEQ(cfg->vxhsTLSx509certdir, SYSCONFDIR "/pki/qemu") &&
+ !virFileExists(cfg->vxhsTLSx509certdir)) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("vxhs_tls_x509_cert_dir directory '%s' does not
exist"),
+ cfg->vxhsTLSx509certdir);
+ return -1;
+ }
+
return 0;
}
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index d469b50bd..13b6f818a 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -203,6 +203,9 @@ struct _virQEMUDriverConfig {
unsigned int glusterDebugLevel;
char *memoryBackingDir;
+
+ bool vxhsTLS;
+ char *vxhsTLSx509certdir;
};
/* Main driver state */
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 676d48cf5..688e5b9fd 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -25,6 +25,8 @@ module Test_libvirtd_qemu =
{ "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" }
{ "chardev_tls_x509_verify" = "1" }
{ "chardev_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
+{ "vxhs_tls" = "1" }
+{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
--
2.13.5
8:38 a.m.
New subject: [libvirt] [PATCH v8 07/11] conf: Introduce TLS options for VxHS block device clients
On Thu, Sep 14, 2017 at 08:51:52 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add a new TLS X.509 certificate type - "vxhs". This will handle the
creation of a TLS certificate capability for properly configured
VxHS network block device clients.
The following describes the behavior of TLS for VxHS block device:
(1) Two new options have been added in /etc/libvirt/qemu.conf
to control TLS behavior with VxHS block devices
"vxhs_tls" and "vxhs_tls_x509_cert_dir".
(2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
TLS for VxHS block devices.
(3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
TLS CA certificate and the client certificate and keys are saved.
If this value is missing, the "default_tls_x509_cert_dir" will be
used instead. If the environment is not configured properly the
authentication to the VxHS server will fail.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/libvirtd_qemu.aug | 4 ++++
src/qemu/qemu.conf | 34 ++++++++++++++++++++++++++++++++++
src/qemu/qemu_conf.c | 16 ++++++++++++++++
src/qemu/qemu_conf.h | 3 +++
src/qemu/test_libvirtd_qemu.aug.in | 2 ++
5 files changed, 59 insertions(+)
ACK
7:51 a.m.
New subject: [libvirt] [PATCH v8 08/11] util: Add TLS attributes to virStorageSource
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add an optional virTristateBool haveTLS to virStorageSource to
manage whether a storage source will be using TLS.
Sample XML for a VxHS disk:
<disk type='network' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251'
tls='yes'>
<host name='192.168.0.1' port='9999'/>
</source>
<target dev='vda' bus='virtio'/>
</disk>
Additionally add a tlsFromConfig boolean to control whether the TLS
setting was due to domain configuration or qemu.conf global setting
in order to decide whether to Format the haveTLS setting for either
a live or saved domain configuration file.
Update the qemuxml2xmltest in order to add a test to show the proper
parsing.
Also update the docs to describe the tls attribute plus clean up the
description in the surrounding area to make the information a bit more
readable rather than one winding paragraph.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
docs/formatdomain.html.in | 40 ++++++++++++++++------
docs/schemas/domaincommon.rng | 5 +++
src/conf/domain_conf.c | 28 +++++++++++++--
src/util/virstoragefile.c | 2 ++
src/util/virstoragefile.h | 7 ++++
...emuxml2argv-disk-drive-network-tlsx509-vxhs.xml | 32 +++++++++++++++++
...uxml2xmlout-disk-drive-network-tlsx509-vxhs.xml | 34 ++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
8 files changed, 137 insertions(+), 12 deletions(-)
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
create mode 100644
tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 446ffff4c..26c00674a 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2520,19 +2520,39 @@
<dd>
The <code>protocol</code> attribute specifies the protocol to
access to the requested image. Possible values are "nbd",
- "iscsi", "rbd", "sheepdog",
"gluster" or "vxhs". If the
- <code>protocol</code> attribute is "rbd",
"sheepdog", "gluster"
- or "vxhs", an additional attribute <code>name</code>
is
- mandatory to specify which volume/image will be used. For "nbd",
- the <code>name</code> attribute is optional. For
"iscsi"
- (<span class="since">since 1.0.4</span>), the
<code>name</code>
- attribute may include a logical unit number, separated from the
- target's name by a slash (e.g.,
+ "iscsi", "rbd", "sheepdog",
"gluster" or "vxhs".
+
+ <p>If the <code>protocol</code> attribute is
"rbd", "sheepdog",
+ "gluster", or "vxhs", an additional attribute
<code>name</code>
+ is mandatory to specify which volume/image will be used.
+ </p>
+
+ <p>For "nbd", the <code>name</code> attribute
is optional.
+ </p>
+
+ <p>For "iscsi" (<span class="since">since
1.0.4</span>), the
+ <code>name</code> attribute may include a logical unit number,
+ separated from the target's name by a slash (e.g.,
<code>iqn.2013-07.com.example:iscsi-pool/1</code>). If not
specified, the default LUN is zero.
- For "vxhs" (<span class="since">since
3.8.0</span>), the
+ </p>
+
+ <p>For "vxhs" (<span class="since">since
3.8.0</span>), the
<code>name</code> is the UUID of the volume, assigned by the
- HyperScale server.
+ HyperScale server. Additionally, an optional attribute
+ <code>tls</code> (QEMU only) can be used to control whether a
+ VxHS block device would utilize a hypervisor configured TLS
+ X.509 certificate environment in order to encrypt the data
+ channel. For the QEMU hypervisor, usage of a TLS environment can
+ also be globally controlled on the host by the
+ <code>vxhs_tls</code> and
<code>vxhs_tls_x509_cert_dir</code> or
+ <code>default_tls_x509_cert_dir</code> settings in the file
+ /etc/libvirt/qemu.conf. If <code>vxhs_tls</code> is enabled,
+ then unless the domain <code>tls</code> attribute is set to
"no",
+ libvirt will use the host configured TLS environment. If the
+ <code>tls</code> attribute is set to "yes", then
regardless of
+ the qemu.conf setting, TLS authentication will be attempted.
+ </p>
<span class="since">Since 0.8.7</span>
</dd>
<dt><code>volume</code></dt>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 76852abb3..bac371ea3 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1644,6 +1644,11 @@
</choice>
</attribute>
<attribute name="name"/>
+ <optional>
+ <attribute name="tls">
+ <ref name="virYesNo"/>
+ </attribute>
+ </optional>
<ref name="diskSourceNetworkHost"/>
</element>
</define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index a43b25c31..3684454e8 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -8114,6 +8114,7 @@ virDomainDiskSourceParse(xmlNodePtr node,
int ret = -1;
char *protocol = NULL;
xmlNodePtr saveNode = ctxt->node;
+ char *haveTLS = NULL;
ctxt->node = node;
@@ -8147,6 +8148,19 @@ virDomainDiskSourceParse(xmlNodePtr node,
goto cleanup;
}
+ /* Check tls=yes|no domain setting for the block device
+ * At present only VxHS. Other block devices may be added later */
+ if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
+ (haveTLS = virXMLPropString(node, "tls"))) {
+ if ((src->haveTLS =
+ virTristateBoolTypeFromString(haveTLS)) <= 0) {
+ virReportError(VIR_ERR_XML_ERROR,
+ _("unknown disk source 'tls' setting
'%s'"),
+ haveTLS);
+ goto cleanup;
+ }
+ }
+
/* for historical reasons the volume name for gluster volume is stored
* as a part of the path. This is hard to work with when dealing with
* relative names. Split out the volume into a separate variable */
@@ -8202,6 +8216,7 @@ virDomainDiskSourceParse(xmlNodePtr node,
cleanup:
VIR_FREE(protocol);
+ VIR_FREE(haveTLS);
ctxt->node = saveNode;
return ret;
}
@@ -21669,7 +21684,8 @@ virDomainSourceDefFormatSeclabel(virBufferPtr buf,
static int
virDomainDiskSourceFormatNetwork(virBufferPtr buf,
- virStorageSourcePtr src)
+ virStorageSourcePtr src,
+ unsigned int flags)
{
size_t n;
char *path = NULL;
@@ -21686,6 +21702,14 @@ virDomainDiskSourceFormatNetwork(virBufferPtr buf,
VIR_FREE(path);
+ if (src->haveTLS != VIR_TRISTATE_BOOL_ABSENT &&
+ !(flags & VIR_DOMAIN_DEF_FORMAT_MIGRATABLE &&
+ src->tlsFromConfig))
+ virBufferAsprintf(buf, " tls='%s'",
+ virTristateBoolTypeToString(src->haveTLS));
+ if (flags & VIR_DOMAIN_DEF_FORMAT_STATUS)
+ virBufferAsprintf(buf, " tlsFromConfig='%d'",
src->tlsFromConfig);
+
if (src->nhosts == 0 && !src->snapshot && !src->configFile)
{
virBufferAddLit(buf, "/>\n");
} else {
@@ -21760,7 +21784,7 @@ virDomainDiskSourceFormatInternal(virBufferPtr buf,
break;
case VIR_STORAGE_TYPE_NETWORK:
- if (virDomainDiskSourceFormatNetwork(buf, src) < 0)
+ if (virDomainDiskSourceFormatNetwork(buf, src, flags) < 0)
goto error;
break;
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index ba2045369..35f468e35 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2039,6 +2039,8 @@ virStorageSourceCopy(const virStorageSource *src,
ret->physical = src->physical;
ret->readonly = src->readonly;
ret->shared = src->shared;
+ ret->haveTLS = src->haveTLS;
+ ret->tlsFromConfig = src->tlsFromConfig;
/* storage driver metadata are not copied */
ret->drv = NULL;
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index f7e897f25..4817090fc 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -281,6 +281,13 @@ struct _virStorageSource {
/* metadata that allows identifying given storage source */
char *nodeformat; /* name of the format handler object */
char *nodestorage; /* name of the storage object */
+
+ /* An optional setting to enable usage of TLS for the storage source */
+ int haveTLS; /* enum virTristateBool */
+
+ /* Indication whether the haveTLS value was altered due to qemu.conf
+ * setting when haveTLS is missing from the domain config file */
+ bool tlsFromConfig;
};
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
new file mode 100644
index 000000000..61b5e2e79
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
@@ -0,0 +1,32 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'>
+ <host name='192.168.0.1' port='9999'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
new file mode 100644
index 000000000..16f0883e0
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml
@@ -0,0 +1,34 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'>
+ <host name='192.168.0.1' port='9999'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 8b7577fd3..f005163c4 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -475,6 +475,7 @@ mymain(void)
DO_TEST("disk-drive-network-rbd-ceph-env", NONE);
DO_TEST("disk-drive-network-sheepdog", NONE);
DO_TEST("disk-drive-network-vxhs", NONE);
+ DO_TEST("disk-drive-network-tlsx509-vxhs", NONE);
DO_TEST("disk-scsi-device",
QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_SCSI_LSI);
DO_TEST("disk-scsi-vscsi", NONE);
--
2.13.5
8:44 a.m.
New subject: [libvirt] [PATCH v8 08/11] util: Add TLS attributes to virStorageSource
On Thu, Sep 14, 2017 at 08:51:53 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add an optional virTristateBool haveTLS to virStorageSource to
manage whether a storage source will be using TLS.
Sample XML for a VxHS disk:
<disk type='network' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251'
tls='yes'>
<host name='192.168.0.1' port='9999'/>
</source>
<target dev='vda' bus='virtio'/>
</disk>
Additionally add a tlsFromConfig boolean to control whether the TLS
setting was due to domain configuration or qemu.conf global setting
in order to decide whether to Format the haveTLS setting for either
a live or saved domain configuration file.
I guess it's unpleasant to do it any other way...
ACK
7:51 a.m.
New subject: [libvirt] [PATCH v8 09/11] qemu: Introduce qemuDomainPrepareDiskSource
Introduce a function to setup any TLS needs for a disk source.
If there's a configuration or other error setting up the disk source
for TLS, then cause the domain startup to fail.
For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't
been configured, then take the system/global cfg->haveTLS setting for
the storage source *and* mark that we've done so via the tlsFromConfig
setting in storage source.
Next, if we are using TLS, then generate an alias into a virStorageSource
'tlsAlias' field that will be used to create the TLS object and added to
the disk object in order to link the two together for QEMU.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_domain.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++
src/qemu/qemu_domain.h | 11 ++++++++
src/qemu/qemu_process.c | 4 +++
src/util/virstoragefile.c | 5 +++-
src/util/virstoragefile.h | 6 ++++
5 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 05f8e9488..b93b7de63 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7550,6 +7550,77 @@ qemuDomainPrepareChardevSource(virDomainDefPtr def,
}
+/* qemuProcessPrepareDiskSourceTLS:
+ * @source: pointer to host interface data for disk device
+ * @diskAlias: alias use for the disk device
+ * @cfg: driver configuration
+ *
+ * Updates host interface TLS encryption setting based on qemu.conf
+ * for disk devices. This will be presented as "tls='yes|no'" in
+ * live XML of a guest.
+ *
+ * Returns 0 on success, -1 on bad config/failure
+ */
+int
+qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src,
+ const char *diskAlias,
+ virQEMUDriverConfigPtr cfg)
+{
+
+ /* VxHS doesn't utilize a password protected server certificate,
+ * so no need to add a secinfo for a secret UUID. */
+ if (src->type == VIR_STORAGE_TYPE_NETWORK &&
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS) {
+
+ if (src->haveTLS == VIR_TRISTATE_BOOL_ABSENT) {
+ if (cfg->vxhsTLS)
+ src->haveTLS = VIR_TRISTATE_BOOL_YES;
+ else
+ src->haveTLS = VIR_TRISTATE_BOOL_NO;
+ src->tlsFromConfig = true;
+ }
+
+ if (src->haveTLS == VIR_TRISTATE_BOOL_YES) {
+ if (!diskAlias) {
+ virReportError(VIR_ERR_INVALID_ARG, "%s",
+ _("disk does not have an alias"));
+ return -1;
+ }
+
+ if (!(src->tlsAlias = qemuAliasTLSObjFromSrcAlias(diskAlias)))
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+
+/* qemuProcessPrepareDiskSource:
+ * @def: live domain definition
+ * @driver: qemu driver
+ *
+ * Iterate through all disk devices to setup/check any that would be
+ * using TLS.
+ *
+ * Returns 0 on success, -1 on failure
+ */
+int
+qemuDomainPrepareDiskSource(virDomainDefPtr def,
+ virQEMUDriverConfigPtr cfg)
+{
+ size_t i;
+
+ for (i = 0; i < def->ndisks; i++) {
+ if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src,
+ def->disks[i]->info.alias,
+ cfg) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
int
qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem)
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index b291dc308..93db23c2b 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -864,6 +864,17 @@ void qemuDomainPrepareChardevSource(virDomainDefPtr def,
virQEMUDriverConfigPtr cfg)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
+int
+qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src,
+ const char *diskAlias,
+ virQEMUDriverConfigPtr cfg)
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3);
+
+int
+qemuDomainPrepareDiskSource(virDomainDefPtr def,
+ virQEMUDriverConfigPtr cfg)
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
+
int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem)
ATTRIBUTE_NONNULL(1);
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 099a770e9..f0691ece6 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -5351,6 +5351,10 @@ qemuProcessPrepareDomain(virConnectPtr conn,
if (qemuDomainMasterKeyCreate(vm) < 0)
goto cleanup;
+ VIR_DEBUG("Prepare disk source backends for TLS");
+ if (qemuDomainPrepareDiskSource(vm->def, cfg) < 0)
+ goto cleanup;
+
VIR_DEBUG("Prepare chardev source backends for TLS");
qemuDomainPrepareChardevSource(vm->def, cfg);
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index 35f468e35..9cd648d36 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2054,7 +2054,8 @@ virStorageSourceCopy(const virStorageSource *src,
VIR_STRDUP(ret->configFile, src->configFile) < 0 ||
VIR_STRDUP(ret->nodeformat, src->nodeformat) < 0 ||
VIR_STRDUP(ret->nodestorage, src->nodestorage) < 0 ||
- VIR_STRDUP(ret->compat, src->compat) < 0)
+ VIR_STRDUP(ret->compat, src->compat) < 0 ||
+ VIR_STRDUP(ret->tlsAlias, src->tlsAlias) < 0)
goto error;
if (src->nhosts) {
@@ -2279,6 +2280,8 @@ virStorageSourceClear(virStorageSourcePtr def)
virStorageSourceBackingStoreClear(def);
+ VIR_FREE(def->tlsAlias);
+
memset(def, 0, sizeof(*def));
}
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index 4817090fc..eadbcc190 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -288,6 +288,12 @@ struct _virStorageSource {
/* Indication whether the haveTLS value was altered due to qemu.conf
* setting when haveTLS is missing from the domain config file */
bool tlsFromConfig;
+
+ /* If TLS is used, then mgmt of the TLS credentials occurs via an
+ * object that is generated using a specific alias. That alias must
+ * be used when generating the disk object in order to link the
+ * two together. */
+ char *tlsAlias;
};
--
2.13.5
8:48 a.m.
New subject: [libvirt] [PATCH v8 09/11] qemu: Introduce qemuDomainPrepareDiskSource
On Thu, Sep 14, 2017 at 08:51:54 -0400, John Ferlan wrote:
Introduce a function to setup any TLS needs for a disk source.
If there's a configuration or other error setting up the disk source
for TLS, then cause the domain startup to fail.
For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't
been configured, then take the system/global cfg->haveTLS setting for
the storage source *and* mark that we've done so via the tlsFromConfig
setting in storage source.
Next, if we are using TLS, then generate an alias into a virStorageSource
'tlsAlias' field that will be used to create the TLS object and added to
the disk object in order to link the two together for QEMU.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_domain.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++
src/qemu/qemu_domain.h | 11 ++++++++
src/qemu/qemu_process.c | 4 +++
src/util/virstoragefile.c | 5 +++-
src/util/virstoragefile.h | 6 ++++
5 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 05f8e9488..b93b7de63 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
[...]
+
+/* qemuProcessPrepareDiskSource:
+ * @def: live domain definition
+ * @driver: qemu driver
+ *
+ * Iterate through all disk devices to setup/check any that would be
+ * using TLS.
Don't add this here. This function is generic.
+ *
+ * Returns 0 on success, -1 on failure
+ */
+int
+qemuDomainPrepareDiskSource(virDomainDefPtr def,
+ virQEMUDriverConfigPtr cfg)
+{
+ size_t i;
+
+ for (i = 0; i < def->ndisks; i++) {
+ if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src,
+ def->disks[i]->info.alias,
+ cfg) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
int
qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem)
ACK
9:21 a.m.
New subject: [libvirt] [PATCH v8 09/11] qemu: Introduce qemuDomainPrepareDiskSource
On 09/19/2017 09:48 AM, Peter Krempa wrote:
On Thu, Sep 14, 2017 at 08:51:54 -0400, John Ferlan wrote:
> Introduce a function to setup any TLS needs for a disk source.
>
> If there's a configuration or other error setting up the disk source
> for TLS, then cause the domain startup to fail.
>
> For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't
> been configured, then take the system/global cfg->haveTLS setting for
> the storage source *and* mark that we've done so via the tlsFromConfig
> setting in storage source.
>
> Next, if we are using TLS, then generate an alias into a virStorageSource
> 'tlsAlias' field that will be used to create the TLS object and added to
> the disk object in order to link the two together for QEMU.
>
> Signed-off-by: John Ferlan <jferlan(a)redhat.com>
> ---
> src/qemu/qemu_domain.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++
> src/qemu/qemu_domain.h | 11 ++++++++
> src/qemu/qemu_process.c | 4 +++
> src/util/virstoragefile.c | 5 +++-
> src/util/virstoragefile.h | 6 ++++
> 5 files changed, 96 insertions(+), 1 deletion(-)
>
> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index 05f8e9488..b93b7de63 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
[...]
> +
> +/* qemuProcessPrepareDiskSource:
> + * @def: live domain definition
> + * @driver: qemu driver
> + *
> + * Iterate through all disk devices to setup/check any that would be
> + * using TLS.
Don't add this here. This function is generic.
OK - removed completely.
Tks -
John
> + *
> + * Returns 0 on success, -1 on failure
> + */
> +int
> +qemuDomainPrepareDiskSource(virDomainDefPtr def,
> + virQEMUDriverConfigPtr cfg)
> +{
> + size_t i;
> +
> + for (i = 0; i < def->ndisks; i++) {
> + if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src,
> + def->disks[i]->info.alias,
> + cfg) < 0)
> + return -1;
> + }
> +
> + return 0;
> +}
> +
>
> int
> qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem)
ACK
7:51 a.m.
New subject: [libvirt] [PATCH v8 10/11] util: Add virstoragetest to parse/format a tls='yes'
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add a test case to verify TLS arguments are parsed correctly for
a VxHS disk. This includes saving off a found tls-creds into the
storage source @tlsAlias field since that's what's used to link
the TLS object for the authentication credentials and the disk.
Test case verifies that XML is generated correctly for a VxHS disk
having TLS enabled.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/util/virstoragefile.c | 9 +++++++++
tests/virstoragetest.c | 12 ++++++++++++
2 files changed, 21 insertions(+)
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index 9cd648d36..1fcd7a028 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -3225,6 +3225,7 @@ virStorageSourceParseBackingJSONVxHS(virStorageSourcePtr src,
{
const char *vdisk_id = virJSONValueObjectGetString(json, "vdisk-id");
virJSONValuePtr server = virJSONValueObjectGetObject(json, "server");
+ const char *haveTLS = virJSONValueObjectGetString(json, "tls-creds");
if (!vdisk_id || !server) {
virReportError(VIR_ERR_INVALID_ARG, "%s",
@@ -3243,6 +3244,14 @@ virStorageSourceParseBackingJSONVxHS(virStorageSourcePtr src,
return -1;
src->nhosts = 1;
+ if (haveTLS) {
+ VIR_FREE(src->tlsAlias);
+ if (VIR_STRDUP(src->tlsAlias, haveTLS) < 0)
+ return -1;
+
+ src->haveTLS = VIR_TRISTATE_BOOL_YES;
+ }
+
if (virStorageSourceParseBackingJSONInetSocketAddress(src->hosts,
server) < 0)
return -1;
diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c
index ffebd4dc1..75ad6330b 100644
--- a/tests/virstoragetest.c
+++ b/tests/virstoragetest.c
@@ -1603,6 +1603,18 @@ mymain(void)
"<source protocol='vxhs'
name='c6718f6b-0401-441d-a8c3-1f0064d75ee0'>\n"
" <host name='example.com'
port='9999'/>\n"
"</source>\n");
+
TEST_BACKING_PARSE("json:{\"file\":{\"driver\":\"vxhs\","
+
"\"vdisk-id\":\"c6718f6b-0401-441d-a8c3-1f0064d75ee0\","
+ "\"server\": {
\"type\":\"tcp\","
+
"\"host\":\"example.com\","
+
"\"port\":\"9999\""
+ "},"
+
"\"tls-creds\":\"objvirtio-disk0_tls0\""
+ "}"
+ "}",
+ "<source protocol='vxhs'
name='c6718f6b-0401-441d-a8c3-1f0064d75ee0' tls='yes'>\n"
+ " <host name='example.com'
port='9999'/>\n"
+ "</source>\n");
#endif /* WITH_YAJL */
cleanup:
--
2.13.5
8:51 a.m.
New subject: [libvirt] [PATCH v8 10/11] util: Add virstoragetest to parse/format a tls='yes'
On Thu, Sep 14, 2017 at 08:51:55 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Add a test case to verify TLS arguments are parsed correctly for
a VxHS disk. This includes saving off a found tls-creds into the
storage source @tlsAlias field since that's what's used to link
the TLS object for the authentication credentials and the disk.
Test case verifies that XML is generated correctly for a VxHS disk
having TLS enabled.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/util/virstoragefile.c | 9 +++++++++
tests/virstoragetest.c | 12 ++++++++++++
2 files changed, 21 insertions(+)
It's useless to parse this from the backign store strings. It might be
useful if we'd parse it from qemu, but we don't.
This needs to be setup each time anyways by libvirt and the alias may
become stale.
NACK
7:51 a.m.
New subject: [libvirt] [PATCH v8 11/11] qemu: Add TLS support for Veritas HyperScale (VxHS)
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Alter qemu command line generation in order to possibly add TLS for
a suitably configured domain.
Sample TLS args generated by libvirt -
-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\
endpoint=client,verify-peer=yes \
-drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\
file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
file.server.type=tcp,file.server.host=192.168.0.1,\
file.server.port=9999,format=raw,if=none,\
id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0
Update the qemuxml2argvtest with a couple of examples. One for a
simple case and the other a bit more complex where multiple VxHS disks
are added where at least one uses a VxHS that doesn't require TLS
credentials and thus sets the domain disk source attribute "tls =
'no'".
Update the hotplug to be able to handle processing the tlsAlias whether
it's to add the TLS object when hotplugging a disk or to remove the TLS
object when hot unplugging a disk. The hot plug/unplug code is largely
generic, but the addition code does make the VXHS specific checks only
because it needs to grab the correct config directory and generate the
object as the command line would do.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_block.c | 8 +++
src/qemu/qemu_command.c | 29 +++++++++
src/qemu/qemu_hotplug.c | 73 ++++++++++++++++++++++
...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 +++++++++++++
...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 +++++++++++++++
...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 +++++++++
tests/qemuxml2argvtest.c | 7 +++
7 files changed, 240 insertions(+)
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index ca6e213b4..458b90d8e 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -529,16 +529,24 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src)
return NULL;
}
+ if (src->haveTLS == VIR_TRISTATE_BOOL_YES && !src->tlsAlias) {
+ virReportError(VIR_ERR_INVALID_ARG, "%s",
+ _("VxHS disk does not have TLS alias set"));
+ return NULL;
+ }
+
if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true)))
return NULL;
/* VxHS disk specification example:
* { driver:"vxhs",
+ * [tls-creds:"objvirtio-disk0_tls0",]
* vdisk-id:"eb90327c-8302-4725-4e85ed4dc251",
* server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
*/
if (virJSONValueObjectCreate(&ret,
"s:driver", protocol,
+ "S:tls-creds", src->tlsAlias,
"s:vdisk-id", src->path,
"a:server", server, NULL) < 0)
virJSONValueFree(server);
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 0a3278510..7b98e1947 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -794,6 +794,32 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd,
}
+/* qemuBuildDiskTLSx509CommandLine:
+ *
+ * Add TLS object if the disk uses a secure communication channel
+ *
+ * Returns 0 on success, -1 w/ error on some sort of failure.
+ */
+static int
+qemuBuildDiskTLSx509CommandLine(virCommandPtr cmd,
+ virQEMUDriverConfigPtr cfg,
+ virDomainDiskDefPtr disk,
+ virQEMUCapsPtr qemuCaps)
+{
+ virStorageSourcePtr src = disk->src;
+
+ /* other protocols may be added later */
+ if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
+ disk->src->haveTLS == VIR_TRISTATE_BOOL_YES) {
+ return qemuBuildTLSx509CommandLine(cmd, cfg->vxhsTLSx509certdir,
+ false, true, false,
+ disk->info.alias, qemuCaps);
+ }
+
+ return 0;
+}
+
+
static char *
qemuBuildNetworkDriveURI(virStorageSourcePtr src,
qemuDomainSecretInfoPtr secinfo)
@@ -2221,6 +2247,9 @@ qemuBuildDiskDriveCommandLine(virCommandPtr cmd,
if (qemuBuildDiskSecinfoCommandLine(cmd, encinfo) < 0)
return -1;
+ if (qemuBuildDiskTLSx509CommandLine(cmd, cfg, disk, qemuCaps) < 0)
+ return -1;
+
virCommandAddArg(cmd, "-drive");
if (!(optstr = qemuBuildDriveStr(disk, cfg, driveBoot, qemuCaps)))
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index b365078ec..e4174af35 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -152,6 +152,55 @@ qemuDomainPrepareDisk(virQEMUDriverPtr driver,
static int
+qemuDomainAddDiskTLSObject(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ virDomainDiskDefPtr disk,
+ char **tlsAlias)
+{
+ int ret = -1;
+ virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+ virStorageSourcePtr src = disk->src;
+ virJSONValuePtr tlsProps = NULL;
+
+ /* NB: This may alter haveTLS based on cfg */
+ qemuDomainPrepareDiskSourceTLS(src, disk->info.alias, cfg);
+
+ if (src->haveTLS != VIR_TRISTATE_BOOL_YES) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ /* Initial implementation doesn't require/use a secret to decrypt
+ * a server certificate, so there's no need to manage a tlsSecAlias
+ * and tlsSecProps. See qemuDomainAddChardevTLSObjects for the
+ * methodology required to add a secret object. */
+
+ /* For a VxHS environment, create a TLS object for the client to
+ * connect to the VxHS server. */
+ if (src->type == VIR_STORAGE_TYPE_NETWORK &&
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
+ qemuDomainGetTLSObjects(priv->qemuCaps, NULL,
+ cfg->vxhsTLSx509certdir, false, true,
+ disk->info.alias, &tlsProps, tlsAlias,
+ NULL, NULL) < 0)
+ goto cleanup;
+
+ if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE,
+ NULL, NULL, *tlsAlias, &tlsProps) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+ cleanup:
+ virJSONValueFree(tlsProps);
+ virObjectUnref(cfg);
+
+ return ret;
+}
+
+
+static int
qemuHotplugWaitForTrayEject(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainDiskDefPtr disk,
@@ -315,6 +364,7 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn,
char *devstr = NULL;
char *drivestr = NULL;
char *drivealias = NULL;
+ char *tlsAlias = NULL;
bool releaseaddr = false;
bool driveAdded = false;
bool secobjAdded = false;
@@ -372,6 +422,9 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn,
if (encinfo && qemuBuildSecretInfoProps(encinfo, &encobjProps) < 0)
goto error;
+ if (qemuDomainAddDiskTLSObject(driver, vm, disk, &tlsAlias) < 0)
+ goto error;
+
if (!(drivestr = qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)))
goto error;
@@ -422,6 +475,7 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn,
ret = 0;
cleanup:
+ VIR_FREE(tlsAlias);
virJSONValueFree(secobjProps);
virJSONValueFree(encobjProps);
qemuDomainSecretDiskDestroy(disk);
@@ -453,6 +507,8 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn,
virDomainAuditDisk(vm, NULL, disk->src, "attach", false);
error:
+ qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, NULL, tlsAlias);
+
if (releaseaddr)
qemuDomainReleaseDeviceAddress(vm, &disk->info, src);
@@ -611,6 +667,7 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
virErrorPtr orig_err;
char *drivestr = NULL;
char *devstr = NULL;
+ char *tlsAlias = NULL;
bool driveAdded = false;
bool encobjAdded = false;
bool secobjAdded = false;
@@ -667,6 +724,9 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
if (!(devstr = qemuBuildDriveDevStr(vm->def, disk, 0, priv->qemuCaps)))
goto error;
+ if (qemuDomainAddDiskTLSObject(driver, vm, disk, &tlsAlias) < 0)
+ goto error;
+
if (!(drivestr = qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)))
goto error;
@@ -712,6 +772,7 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
ret = 0;
cleanup:
+ VIR_FREE(tlsAlias);
virJSONValueFree(secobjProps);
virJSONValueFree(encobjProps);
qemuDomainSecretDiskDestroy(disk);
@@ -740,6 +801,8 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
virDomainAuditDisk(vm, NULL, disk->src, "attach", false);
error:
+ qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, NULL, tlsAlias);
+
ignore_value(qemuDomainPrepareDisk(driver, vm, disk, NULL, true));
goto cleanup;
}
@@ -756,6 +819,7 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr driver,
char *drivealias = NULL;
char *drivestr = NULL;
char *devstr = NULL;
+ char *tlsAlias = NULL;
bool driveAdded = false;
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
const char *src = virDomainDiskGetSource(disk);
@@ -780,6 +844,9 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr driver,
if (qemuAssignDeviceDiskAlias(vm->def, disk, priv->qemuCaps) < 0)
goto error;
+ if (qemuDomainAddDiskTLSObject(driver, vm, disk, &tlsAlias) < 0)
+ goto error;
+
if (!(drivestr = qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps)))
goto error;
@@ -810,6 +877,7 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr driver,
ret = 0;
cleanup:
+ VIR_FREE(tlsAlias);
if (ret < 0 && releaseaddr)
virDomainUSBAddressRelease(priv->usbaddrs, &disk->info);
VIR_FREE(devstr);
@@ -833,6 +901,8 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr driver,
virDomainAuditDisk(vm, NULL, disk->src, "attach", false);
error:
+ qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, NULL, tlsAlias);
+
ignore_value(qemuDomainPrepareDisk(driver, vm, disk, NULL, true));
goto cleanup;
}
@@ -3710,6 +3780,9 @@ qemuDomainRemoveDiskDevice(virQEMUDriverPtr driver,
ignore_value(qemuMonitorDelObject(priv->mon, encAlias));
VIR_FREE(encAlias);
+ if (disk->src->tlsAlias)
+ ignore_value(qemuMonitorDelObject(priv->mon, disk->src->tlsAlias));
+
if (qemuDomainObjExitMonitor(driver, vm) < 0)
return -1;
diff --git
a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args
b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args
new file mode 100644
index 000000000..572c9f36c
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args
@@ -0,0 +1,43 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-x86_64 \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-cpu qemu32 \
+-m 214 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nographic \
+-nodefaults \
+-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\
+server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=readline \
+-no-acpi \
+-boot c \
+-usb \
+-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\
+endpoint=client,verify-peer=yes \
+-drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\
+file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.type=tcp,\
+file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,\
+id=drive-virtio-disk0,cache=none \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
+id=virtio-disk0 \
+-object tls-creds-x509,id=objvirtio-disk1_tls0,dir=/etc/pki/qemu,\
+endpoint=client,verify-peer=yes \
+-drive file.driver=vxhs,file.tls-creds=objvirtio-disk1_tls0,\
+file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc252,file.server.type=tcp,\
+file.server.host=192.168.0.2,file.server.port=9999,format=raw,if=none,\
+id=drive-virtio-disk1,cache=none \
+-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,\
+id=virtio-disk1 \
+-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc253,\
+file.server.type=tcp,file.server.host=192.168.0.3,file.server.port=9999,\
+format=raw,if=none,id=drive-virtio-disk2,cache=none \
+-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk2,\
+id=virtio-disk2
diff --git
a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml
b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml
new file mode 100644
index 000000000..a66e81f06
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml
@@ -0,0 +1,50 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc251'>
+ <host name='192.168.0.1' port='9999'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc252'>
+ <host name='192.168.0.2' port='9999'/>
+ </source>
+ <target dev='vdb' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc252</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x05' function='0x0'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source protocol='vxhs'
name='eb90327c-8302-4725-9e1b-4e85ed4dc253' tls='no'>
+ <host name='192.168.0.3' port='9999'/>
+ </source>
+ <target dev='vdc' bus='virtio'/>
+ <serial>eb90327c-8302-4725-9e1b-4e85ed4dc252</serial>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x06' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
new file mode 100644
index 000000000..aaf88635b
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
@@ -0,0 +1,30 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-x86_64 \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-cpu qemu32 \
+-m 214 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nographic \
+-nodefaults \
+-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\
+server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=readline \
+-no-acpi \
+-boot c \
+-usb \
+-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\
+endpoint=client,verify-peer=yes \
+-drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\
+file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.type=tcp,\
+file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,\
+id=drive-virtio-disk0,cache=none \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
+id=virtio-disk0
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 01a518eff..5cdc1a726 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -932,6 +932,13 @@ mymain(void)
DO_TEST("disk-drive-network-rbd-ipv6", NONE);
DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE);
DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS);
+ driver.config->vxhsTLS = 1;
+ DO_TEST("disk-drive-network-tlsx509-vxhs", QEMU_CAPS_VXHS,
+ QEMU_CAPS_OBJECT_TLS_CREDS_X509);
+ DO_TEST("disk-drive-network-tlsx509-multidisk-vxhs", QEMU_CAPS_VXHS,
+ QEMU_CAPS_OBJECT_TLS_CREDS_X509);
+ driver.config->vxhsTLS = 0;
+ VIR_FREE(driver.config->vxhsTLSx509certdir);
DO_TEST("disk-drive-no-boot",
QEMU_CAPS_BOOTINDEX);
DO_TEST_PARSE_ERROR("disk-device-lun-type-invalid",
--
2.13.5
9:02 a.m.
New subject: [libvirt] [PATCH v8 11/11] qemu: Add TLS support for Veritas HyperScale (VxHS)
On Thu, Sep 14, 2017 at 08:51:56 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Alter qemu command line generation in order to possibly add TLS for
a suitably configured domain.
Sample TLS args generated by libvirt -
-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\
endpoint=client,verify-peer=yes \
-drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\
file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
file.server.type=tcp,file.server.host=192.168.0.1,\
file.server.port=9999,format=raw,if=none,\
id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0
Update the qemuxml2argvtest with a couple of examples. One for a
simple case and the other a bit more complex where multiple VxHS disks
are added where at least one uses a VxHS that doesn't require TLS
credentials and thus sets the domain disk source attribute "tls =
'no'".
Update the hotplug to be able to handle processing the tlsAlias whether
it's to add the TLS object when hotplugging a disk or to remove the TLS
object when hot unplugging a disk. The hot plug/unplug code is largely
generic, but the addition code does make the VXHS specific checks only
because it needs to grab the correct config directory and generate the
object as the command line would do.
Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/qemu_block.c | 8 +++
src/qemu/qemu_command.c | 29 +++++++++
src/qemu/qemu_hotplug.c | 73 ++++++++++++++++++++++
...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 +++++++++++++
...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 +++++++++++++++
...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 +++++++++
tests/qemuxml2argvtest.c | 7 +++
7 files changed, 240 insertions(+)
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index ca6e213b4..458b90d8e 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -529,16 +529,24 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src)
return NULL;
}
+ if (src->haveTLS == VIR_TRISTATE_BOOL_YES && !src->tlsAlias) {
+ virReportError(VIR_ERR_INVALID_ARG, "%s",
+ _("VxHS disk does not have TLS alias set"));
+ return NULL;
+ }
+
if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true)))
return NULL;
/* VxHS disk specification example:
* { driver:"vxhs",
+ * [tls-creds:"objvirtio-disk0_tls0",]
Be careful with square brackets in JSON, they denote an array.
* vdisk-id:"eb90327c-8302-4725-4e85ed4dc251",
* server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
*/
if (virJSONValueObjectCreate(&ret,
"s:driver", protocol,
+ "S:tls-creds", src->tlsAlias,
"s:vdisk-id", src->path,
"a:server", server, NULL) < 0)
virJSONValueFree(server);
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 0a3278510..7b98e1947 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -794,6 +794,32 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd,
}
+/* qemuBuildDiskTLSx509CommandLine:
+ *
+ * Add TLS object if the disk uses a secure communication channel
+ *
+ * Returns 0 on success, -1 w/ error on some sort of failure.
+ */
+static int
+qemuBuildDiskTLSx509CommandLine(virCommandPtr cmd,
+ virQEMUDriverConfigPtr cfg,
+ virDomainDiskDefPtr disk,
+ virQEMUCapsPtr qemuCaps)
+{
+ virStorageSourcePtr src = disk->src;
+
+ /* other protocols may be added later */
+ if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
+ disk->src->haveTLS == VIR_TRISTATE_BOOL_YES) {
+ return qemuBuildTLSx509CommandLine(cmd, cfg->vxhsTLSx509certdir,
+ false, true, false,
+ disk->info.alias, qemuCaps);
+ }
+
+ return 0;
+}
+
+
static char *
qemuBuildNetworkDriveURI(virStorageSourcePtr src,
qemuDomainSecretInfoPtr secinfo)
[...]
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index b365078ec..e4174af35 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -152,6 +152,55 @@ qemuDomainPrepareDisk(virQEMUDriverPtr driver,
static int
+qemuDomainAddDiskTLSObject(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ virDomainDiskDefPtr disk,
+ char **tlsAlias)
I don't particularly like this. You set it into the disk object, so
there should be a function which rolls this back for a disk (or
preferably a virStorageSource).
+{
+ int ret = -1;
+ virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+ virStorageSourcePtr src = disk->src;
+ virJSONValuePtr tlsProps = NULL;
+
+ /* NB: This may alter haveTLS based on cfg */
+ qemuDomainPrepareDiskSourceTLS(src, disk->info.alias, cfg);
This should be executed in the hotplug API function and not in a helper.
+
+ if (src->haveTLS != VIR_TRISTATE_BOOL_YES) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ /* Initial implementation doesn't require/use a secret to decrypt
+ * a server certificate, so there's no need to manage a tlsSecAlias
+ * and tlsSecProps. See qemuDomainAddChardevTLSObjects for the
+ * methodology required to add a secret object. */
+
+ /* For a VxHS environment, create a TLS object for the client to
+ * connect to the VxHS server. */
+ if (src->type == VIR_STORAGE_TYPE_NETWORK &&
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
+ qemuDomainGetTLSObjects(priv->qemuCaps, NULL,
+ cfg->vxhsTLSx509certdir, false, true,
+ disk->info.alias, &tlsProps, tlsAlias,
+ NULL, NULL) < 0)
This looks like another place that extracts qemu-specific stuff, which
need to be duplicated for blockdev add. Can't we make the cert dir part
of virStorageSource?
+ goto cleanup;
+
+ if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE,
+ NULL, NULL, *tlsAlias, &tlsProps) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+ cleanup:
+ virJSONValueFree(tlsProps);
+ virObjectUnref(cfg);
+
+ return ret;
+}
+
+
+static int
qemuHotplugWaitForTrayEject(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainDiskDefPtr disk,
9:49 a.m.
New subject: [libvirt] [PATCH v8 11/11] qemu: Add TLS support for Veritas HyperScale (VxHS)
On 09/19/2017 10:02 AM, Peter Krempa wrote:
On Thu, Sep 14, 2017 at 08:51:56 -0400, John Ferlan wrote:
> From: Ashish Mittal <Ashish.Mittal(a)veritas.com>
>
> Alter qemu command line generation in order to possibly add TLS for
> a suitably configured domain.
>
> Sample TLS args generated by libvirt -
>
> -object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\
> endpoint=client,verify-peer=yes \
> -drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\
> file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\
> file.server.type=tcp,file.server.host=192.168.0.1,\
> file.server.port=9999,format=raw,if=none,\
> id=drive-virtio-disk0,cache=none \
> -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
> id=virtio-disk0
>
> Update the qemuxml2argvtest with a couple of examples. One for a
> simple case and the other a bit more complex where multiple VxHS disks
> are added where at least one uses a VxHS that doesn't require TLS
> credentials and thus sets the domain disk source attribute "tls =
'no'".
>
> Update the hotplug to be able to handle processing the tlsAlias whether
> it's to add the TLS object when hotplugging a disk or to remove the TLS
> object when hot unplugging a disk. The hot plug/unplug code is largely
> generic, but the addition code does make the VXHS specific checks only
> because it needs to grab the correct config directory and generate the
> object as the command line would do.
>
> Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com>
> Signed-off-by: John Ferlan <jferlan(a)redhat.com>
> ---
> src/qemu/qemu_block.c | 8 +++
> src/qemu/qemu_command.c | 29 +++++++++
> src/qemu/qemu_hotplug.c | 73 ++++++++++++++++++++++
> ...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 +++++++++++++
> ...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 +++++++++++++++
> ...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 +++++++++
> tests/qemuxml2argvtest.c | 7 +++
> 7 files changed, 240 insertions(+)
> create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args
> create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml
> create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
>
> diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
> index ca6e213b4..458b90d8e 100644
> --- a/src/qemu/qemu_block.c
> +++ b/src/qemu/qemu_block.c
> @@ -529,16 +529,24 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src)
> return NULL;
> }
>
> + if (src->haveTLS == VIR_TRISTATE_BOOL_YES && !src->tlsAlias) {
> + virReportError(VIR_ERR_INVALID_ARG, "%s",
> + _("VxHS disk does not have TLS alias set"));
> + return NULL;
> + }
> +
> if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts,
true)))
> return NULL;
>
> /* VxHS disk specification example:
> * { driver:"vxhs",
> + * [tls-creds:"objvirtio-disk0_tls0",]
Be careful with square brackets in JSON, they denote an array.
OK - I can remove... Obviously it's the "optional" marking that I'm
after...
> * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251",
> * server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
> */
> if (virJSONValueObjectCreate(&ret,
> "s:driver", protocol,
> + "S:tls-creds", src->tlsAlias,
> "s:vdisk-id", src->path,
> "a:server", server, NULL) < 0)
> virJSONValueFree(server);
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 0a3278510..7b98e1947 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -794,6 +794,32 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd,
> }
>
>
> +/* qemuBuildDiskTLSx509CommandLine:
> + *
> + * Add TLS object if the disk uses a secure communication channel
> + *
> + * Returns 0 on success, -1 w/ error on some sort of failure.
> + */
> +static int
> +qemuBuildDiskTLSx509CommandLine(virCommandPtr cmd,
> + virQEMUDriverConfigPtr cfg,
> + virDomainDiskDefPtr disk,
> + virQEMUCapsPtr qemuCaps)
> +{
> + virStorageSourcePtr src = disk->src;
> +
> + /* other protocols may be added later */
> + if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
> + disk->src->haveTLS == VIR_TRISTATE_BOOL_YES) {
> + return qemuBuildTLSx509CommandLine(cmd, cfg->vxhsTLSx509certdir,
> + false, true, false,
> + disk->info.alias, qemuCaps);
> + }
> +
> + return 0;
> +}
> +
> +
> static char *
> qemuBuildNetworkDriveURI(virStorageSourcePtr src,
> qemuDomainSecretInfoPtr secinfo)
[...]
> diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
> index b365078ec..e4174af35 100644
> --- a/src/qemu/qemu_hotplug.c
> +++ b/src/qemu/qemu_hotplug.c
> @@ -152,6 +152,55 @@ qemuDomainPrepareDisk(virQEMUDriverPtr driver,
>
>
> static int
> +(virQEMUDriverPtr driver,
> + virDomainObjPtr vm,
> + virDomainDiskDefPtr disk,
> + char **tlsAlias)
I don't particularly like this. You set it into the disk object, so
there should be a function which rolls this back for a disk (or
preferably a virStorageSource).
Sure that's fine - the rollback code is so ugly anyway - this just adds
to its misery.
> +{
> + int ret = -1;
> + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
> + qemuDomainObjPrivatePtr priv = vm->privateData;
> + virStorageSourcePtr src = disk->src;
> + virJSONValuePtr tlsProps = NULL;
> +
> + /* NB: This may alter haveTLS based on cfg */
> + qemuDomainPrepareDiskSourceTLS(src, disk->info.alias, cfg);
This should be executed in the hotplug API function and not in a helper.
I was trying to avoid replication of code for each of the 3 disk types
in the event that at some future point more than one has TLS. I actually
prefer it here.
> +
> + if (src->haveTLS != VIR_TRISTATE_BOOL_YES) {
> + ret = 0;
> + goto cleanup;
> + }
> +
> + /* Initial implementation doesn't require/use a secret to decrypt
> + * a server certificate, so there's no need to manage a tlsSecAlias
> + * and tlsSecProps. See qemuDomainAddChardevTLSObjects for the
> + * methodology required to add a secret object. */
> +
> + /* For a VxHS environment, create a TLS object for the client to
> + * connect to the VxHS server. */
> + if (src->type == VIR_STORAGE_TYPE_NETWORK &&
> + src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS &&
> + qemuDomainGetTLSObjects(priv->qemuCaps, NULL,
> + cfg->vxhsTLSx509certdir, false, true,
> + disk->info.alias, &tlsProps, tlsAlias,
> + NULL, NULL) < 0)
This looks like another place that extracts qemu-specific stuff, which
need to be duplicated for blockdev add. Can't we make the cert dir part
of virStorageSource?
Hmmmmm... I think we can do that... The qemuDomainPrepareDiskSourceTLS
would change to fill in some sort of src->TLSx509certdir based on
src->type and protocol which then would be used by this code.
And the only reason why @disk was passed was to get src and srcalias. I
can adjust that too.
Tks -
John
> + goto cleanup;
> +
> + if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE,
> + NULL, NULL, *tlsAlias, &tlsProps) < 0)
> + goto cleanup;
> +
> + ret = 0;
> +
> + cleanup:
> + virJSONValueFree(tlsProps);
> + virObjectUnref(cfg);
> +
> + return ret;
> +}
> +
> +
> +static int
> qemuHotplugWaitForTrayEject(virQEMUDriverPtr driver,
> virDomainObjPtr vm,
> virDomainDiskDefPtr disk,
2621
days inactive
2626
days old
22 comments
2 participants
participants (2)
-
John Ferlan -
Peter Krempa