[libvirt] [PATCH v8 00/11] Add support for Veritas HyperScale (VxHS) block device protocol
v7: https://www.redhat.com/archives/libvir-list/2017-September/msg00035.html Patches 1-4 are already ACK'd, but are presented again for completeness Differences: * Former patch1 already pushed (QEMU 2.10 replies and xml changes) * Patch 5 is new - to split up the server args into a single server JSON object creation helper so that it can be used by VxHS code in patch 6 * Patch 6 uses the new function and alters the .args output to remove the ".0" * Patches 7-10, no change * Patch 11 - adjust the .args output to remove the ".0" Ashish Mittal (9): storage: Introduce VIR_STORAGE_NET_PROTOCOL_VXHS docs: Add schema and docs for Veritas HyperScale (VxHS) util: storage: Add JSON backing volume parse for VxHS qemu: Refactor qemuBlockStorageSourceBuildHostsJSONSocketAddress qemu: Add qemu command line generation for a VxHS block device conf: Introduce TLS options for VxHS block device clients util: Add TLS attributes to virStorageSource util: Add virstoragetest to parse/format a tls='yes' qemu: Add TLS support for Veritas HyperScale (VxHS) John Ferlan (2): qemu: Detect support for vxhs qemu: Introduce qemuDomainPrepareDiskSource docs/formatdomain.html.in | 45 +++++-- docs/schemas/domaincommon.rng | 18 +++ src/conf/domain_conf.c | 28 +++- src/libxl/libxl_conf.c | 1 + src/qemu/libvirtd_qemu.aug | 4 + src/qemu/qemu.conf | 34 +++++ src/qemu/qemu_block.c | 150 ++++++++++++++++----- src/qemu/qemu_capabilities.c | 4 + src/qemu/qemu_capabilities.h | 3 + src/qemu/qemu_command.c | 38 ++++++ src/qemu/qemu_conf.c | 16 +++ src/qemu/qemu_conf.h | 3 + src/qemu/qemu_domain.c | 71 ++++++++++ src/qemu/qemu_domain.h | 11 ++ src/qemu/qemu_driver.c | 3 + src/qemu/qemu_hotplug.c | 73 ++++++++++ src/qemu/qemu_parse_command.c | 15 +++ src/qemu/qemu_process.c | 33 +++++ src/qemu/test_libvirtd_qemu.aug.in | 2 + src/util/virstoragefile.c | 58 +++++++- src/util/virstoragefile.h | 14 ++ src/xenconfig/xen_xl.c | 1 + tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 + ...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 ++++++ ...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 +++++++ ...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 +++++ ...emuxml2argv-disk-drive-network-tlsx509-vxhs.xml | 32 +++++ .../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++ .../qemuxml2argv-disk-drive-network-vxhs.xml | 32 +++++ tests/qemuxml2argvtest.c | 8 ++ ...uxml2xmlout-disk-drive-network-tlsx509-vxhs.xml | 34 +++++ .../qemuxml2xmlout-disk-drive-network-vxhs.xml | 34 +++++ tests/qemuxml2xmltest.c | 2 + tests/virstoragetest.c | 23 ++++ 34 files changed, 893 insertions(+), 48 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml -- 2.13.5
Using the query-qmp-schema introspection - look for the 'vxhs' blockdevOptions type. NB: This is a "best effort" type situation as there is not a mechanism to determine whether the running QEMU has been built with '--enable-vxhs'. All we can do is check if the option to use vxhs for a blockdev-add exists in the command infrastructure which does not take that into account when building its table of commands and options. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_capabilities.c | 4 ++++ src/qemu/qemu_capabilities.h | 3 +++ tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 + 3 files changed, 8 insertions(+) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index c690cb349..2486d2015 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -439,6 +439,9 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST, "virtio-net.tx_queue_size", "chardev-reconnect", "virtio-gpu.max_outputs", + + /* 270 */ + "vxhs", ); @@ -1810,6 +1813,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsIntelIOMMU[] = { static struct virQEMUCapsStringFlags virQEMUCapsQMPSchemaQueries[] = { { "blockdev-add/arg-type/options/+gluster/debug-level", QEMU_CAPS_GLUSTER_DEBUG_LEVEL}, { "blockdev-add/arg-type/+gluster/debug", QEMU_CAPS_GLUSTER_DEBUG_LEVEL}, + { "blockdev-add/arg-type/+vxhs", QEMU_CAPS_VXHS}, }; struct virQEMUCapsObjectTypeProps { diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index 85c390abf..2a0e9c743 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -426,6 +426,9 @@ typedef enum { QEMU_CAPS_CHARDEV_RECONNECT, /* -chardev reconnect */ QEMU_CAPS_VIRTIO_GPU_MAX_OUTPUTS, /* -device virtio-(vga|gpu-*),max-outputs= */ + /* 270 */ + QEMU_CAPS_VXHS, /* -drive file.driver=vxhs via query-qmp-schema */ + QEMU_CAPS_LAST /* this must always be the last item */ } virQEMUCapsFlags; diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml index 604921122..8a31431c0 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml @@ -222,6 +222,7 @@ <flag name='virtio-net.tx_queue_size'/> <flag name='chardev-reconnect'/> <flag name='virtio-gpu.max_outputs'/> + <flag name='vxhs'/> <version>2010000</version> <kvmVersion>0</kvmVersion> <package> (v2.10.0)</package> -- 2.13.5
From: Ashish Mittal <Ashish.Mittal@veritas.com> Add a new virStorageNetProtocol for Veritas HyperScale (VxHS) disks Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/libxl/libxl_conf.c | 1 + src/qemu/qemu_block.c | 1 + src/qemu/qemu_command.c | 1 + src/qemu/qemu_driver.c | 3 +++ src/qemu/qemu_parse_command.c | 1 + src/util/virstoragefile.c | 5 ++++- src/util/virstoragefile.h | 1 + src/xenconfig/xen_xl.c | 1 + 8 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 4416a09dd..34233a955 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -666,6 +666,7 @@ libxlMakeNetworkDiskSrcStr(virStorageSourcePtr src, case VIR_STORAGE_NET_PROTOCOL_GLUSTER: case VIR_STORAGE_NET_PROTOCOL_SHEEPDOG: case VIR_STORAGE_NET_PROTOCOL_SSH: + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: case VIR_STORAGE_NET_PROTOCOL_NONE: virReportError(VIR_ERR_NO_SUPPORT, diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 7fb12ea5a..d07269f4e 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -522,6 +522,7 @@ qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src) case VIR_STORAGE_NET_PROTOCOL_FTPS: case VIR_STORAGE_NET_PROTOCOL_TFTP: case VIR_STORAGE_NET_PROTOCOL_SSH: + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_NONE: case VIR_STORAGE_NET_PROTOCOL_LAST: break; diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index d553df57f..720530daa 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -999,6 +999,7 @@ qemuBuildNetworkDriveStr(virStorageSourcePtr src, _("'ssh' protocol is not yet supported")); goto cleanup; + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: case VIR_STORAGE_NET_PROTOCOL_NONE: virReportError(VIR_ERR_INTERNAL_ERROR, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index b334cf20b..d299938c5 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -13838,6 +13838,7 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk) case VIR_STORAGE_NET_PROTOCOL_FTPS: case VIR_STORAGE_NET_PROTOCOL_TFTP: case VIR_STORAGE_NET_PROTOCOL_SSH: + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: virReportError(VIR_ERR_INTERNAL_ERROR, _("external inactive snapshots are not supported on " @@ -13901,6 +13902,7 @@ qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr d case VIR_STORAGE_NET_PROTOCOL_FTPS: case VIR_STORAGE_NET_PROTOCOL_TFTP: case VIR_STORAGE_NET_PROTOCOL_SSH: + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: virReportError(VIR_ERR_INTERNAL_ERROR, _("external active snapshots are not supported on " @@ -14046,6 +14048,7 @@ qemuDomainSnapshotPrepareDiskInternal(virConnectPtr conn, case VIR_STORAGE_NET_PROTOCOL_FTPS: case VIR_STORAGE_NET_PROTOCOL_TFTP: case VIR_STORAGE_NET_PROTOCOL_SSH: + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: virReportError(VIR_ERR_INTERNAL_ERROR, _("internal inactive snapshots are not supported on " diff --git a/src/qemu/qemu_parse_command.c b/src/qemu/qemu_parse_command.c index 8cb96a24a..9190a37ba 100644 --- a/src/qemu/qemu_parse_command.c +++ b/src/qemu/qemu_parse_command.c @@ -2026,6 +2026,7 @@ qemuParseCommandLine(virCapsPtr caps, case VIR_STORAGE_NET_PROTOCOL_FTPS: case VIR_STORAGE_NET_PROTOCOL_TFTP: case VIR_STORAGE_NET_PROTOCOL_SSH: + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: case VIR_STORAGE_NET_PROTOCOL_NONE: /* ignored for now */ diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index e94ad32f0..ca306c27b 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -85,7 +85,8 @@ VIR_ENUM_IMPL(virStorageNetProtocol, VIR_STORAGE_NET_PROTOCOL_LAST, "ftp", "ftps", "tftp", - "ssh") + "ssh", + "vxhs") VIR_ENUM_IMPL(virStorageNetHostTransport, VIR_STORAGE_NET_HOST_TRANS_LAST, "tcp", @@ -2712,6 +2713,7 @@ virStorageSourceParseBackingColon(virStorageSourcePtr src, case VIR_STORAGE_NET_PROTOCOL_ISCSI: case VIR_STORAGE_NET_PROTOCOL_GLUSTER: case VIR_STORAGE_NET_PROTOCOL_SSH: + case VIR_STORAGE_NET_PROTOCOL_VXHS: virReportError(VIR_ERR_INTERNAL_ERROR, _("malformed backing store path for protocol %s"), protocol); @@ -3992,6 +3994,7 @@ virStorageSourceNetworkDefaultPort(virStorageNetProtocol protocol) /* we don't provide a default for RBD */ return 0; + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: case VIR_STORAGE_NET_PROTOCOL_NONE: return 0; diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index 6c388b1a5..f7e897f25 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h @@ -134,6 +134,7 @@ typedef enum { VIR_STORAGE_NET_PROTOCOL_FTPS, VIR_STORAGE_NET_PROTOCOL_TFTP, VIR_STORAGE_NET_PROTOCOL_SSH, + VIR_STORAGE_NET_PROTOCOL_VXHS, VIR_STORAGE_NET_PROTOCOL_LAST } virStorageNetProtocol; diff --git a/src/xenconfig/xen_xl.c b/src/xenconfig/xen_xl.c index d168d3fa4..8acbfe3f6 100644 --- a/src/xenconfig/xen_xl.c +++ b/src/xenconfig/xen_xl.c @@ -1024,6 +1024,7 @@ xenFormatXLDiskSrcNet(virStorageSourcePtr src) case VIR_STORAGE_NET_PROTOCOL_GLUSTER: case VIR_STORAGE_NET_PROTOCOL_SHEEPDOG: case VIR_STORAGE_NET_PROTOCOL_SSH: + case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: case VIR_STORAGE_NET_PROTOCOL_NONE: virReportError(VIR_ERR_NO_SUPPORT, -- 2.13.5
From: Ashish Mittal <Ashish.Mittal@veritas.com> Alter the schema to allow a VxHS block device. Sample XML is: <disk type='network' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251'> <host name='192.168.0.1' port='9999'/> </source> <target dev='vda' bus='virtio'/> <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> </disk> Update the html docs to describe the capability for VxHS. Alter the qemuxml2xmltest to validate the formatting. Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 15 ++++++++-- docs/schemas/domaincommon.rng | 13 +++++++++ .../qemuxml2argv-disk-drive-network-vxhs.xml | 32 ++++++++++++++++++++ .../qemuxml2xmlout-disk-drive-network-vxhs.xml | 34 ++++++++++++++++++++++ tests/qemuxml2xmltest.c | 1 + 5 files changed, 92 insertions(+), 3 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 8ca7637a4..446ffff4c 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2520,9 +2520,9 @@ <dd> The <code>protocol</code> attribute specifies the protocol to access to the requested image. Possible values are "nbd", - "iscsi", "rbd", "sheepdog" or "gluster". If the - <code>protocol</code> attribute is "rbd", "sheepdog" or - "gluster", an additional attribute <code>name</code> is + "iscsi", "rbd", "sheepdog", "gluster" or "vxhs". If the + <code>protocol</code> attribute is "rbd", "sheepdog", "gluster" + or "vxhs", an additional attribute <code>name</code> is mandatory to specify which volume/image will be used. For "nbd", the <code>name</code> attribute is optional. For "iscsi" (<span class="since">since 1.0.4</span>), the <code>name</code> @@ -2530,6 +2530,9 @@ target's name by a slash (e.g., <code>iqn.2013-07.com.example:iscsi-pool/1</code>). If not specified, the default LUN is zero. + For "vxhs" (<span class="since">since 3.8.0</span>), the + <code>name</code> is the UUID of the volume, assigned by the + HyperScale server. <span class="since">Since 0.8.7</span> </dd> <dt><code>volume</code></dt> @@ -2632,6 +2635,12 @@ <td> one or more (<span class="since">Since 2.1.0</span>), just one prior to that </td> <td> 24007 </td> </tr> + <tr> + <td> vxhs </td> + <td> a server running Veritas HyperScale daemon </td> + <td> only one </td> + <td> 9999 </td> + </tr> </table> <p> gluster supports "tcp", "rdma", "unix" as valid values for the diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index c9a4f7a9a..76852abb3 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1636,6 +1636,18 @@ </element> </define> + <define name="diskSourceNetworkProtocolVxHS"> + <element name="source"> + <attribute name="protocol"> + <choice> + <value>vxhs</value> + </choice> + </attribute> + <attribute name="name"/> + <ref name="diskSourceNetworkHost"/> + </element> + </define> + <define name="diskSourceNetwork"> <attribute name="type"> <value>network</value> @@ -1646,6 +1658,7 @@ <ref name="diskSourceNetworkProtocolRBD"/> <ref name="diskSourceNetworkProtocolHTTP"/> <ref name="diskSourceNetworkProtocolSimple"/> + <ref name="diskSourceNetworkProtocolVxHS"/> </choice> </define> diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml new file mode 100644 index 000000000..4f4df2f9e --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.xml @@ -0,0 +1,32 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <driver name='qemu' type='raw' cache='none'/> + <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251'> + <host name='192.168.0.1' port='9999'/> + </source> + <target dev='vda' bus='virtio'/> + <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <controller type='usb' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml new file mode 100644 index 000000000..160ed8d5f --- /dev/null +++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-vxhs.xml @@ -0,0 +1,34 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <driver name='qemu' type='raw' cache='none'/> + <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251'> + <host name='192.168.0.1' port='9999'/> + </source> + <target dev='vda' bus='virtio'/> + <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 0a87cedf2..8b7577fd3 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c @@ -474,6 +474,7 @@ mymain(void) DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST("disk-drive-network-rbd-ceph-env", NONE); DO_TEST("disk-drive-network-sheepdog", NONE); + DO_TEST("disk-drive-network-vxhs", NONE); DO_TEST("disk-scsi-device", QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_SCSI_LSI); DO_TEST("disk-scsi-vscsi", NONE); -- 2.13.5
From: Ashish Mittal <Ashish.Mittal@veritas.com> Add the backing parse and a test case to verify parsing of VxHS backing storage. Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/util/virstoragefile.c | 37 +++++++++++++++++++++++++++++++++++++ tests/virstoragetest.c | 11 +++++++++++ 2 files changed, 48 insertions(+) diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index ca306c27b..ba2045369 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -3212,6 +3212,40 @@ virStorageSourceParseBackingJSONRaw(virStorageSourcePtr src, return virStorageSourceParseBackingJSONInternal(src, json); } + +static int +virStorageSourceParseBackingJSONVxHS(virStorageSourcePtr src, + virJSONValuePtr json, + int opaque ATTRIBUTE_UNUSED) +{ + const char *vdisk_id = virJSONValueObjectGetString(json, "vdisk-id"); + virJSONValuePtr server = virJSONValueObjectGetObject(json, "server"); + + if (!vdisk_id || !server) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("missing 'vdisk-id' or 'server' attribute in " + "JSON backing definition for VxHS volume")); + return -1; + } + + src->type = VIR_STORAGE_TYPE_NETWORK; + src->protocol = VIR_STORAGE_NET_PROTOCOL_VXHS; + + if (VIR_STRDUP(src->path, vdisk_id) < 0) + return -1; + + if (VIR_ALLOC_N(src->hosts, 1) < 0) + return -1; + src->nhosts = 1; + + if (virStorageSourceParseBackingJSONInetSocketAddress(src->hosts, + server) < 0) + return -1; + + return 0; +} + + struct virStorageSourceJSONDriverParser { const char *drvname; int (*func)(virStorageSourcePtr src, virJSONValuePtr json, int opaque); @@ -3234,6 +3268,7 @@ static const struct virStorageSourceJSONDriverParser jsonParsers[] = { {"ssh", virStorageSourceParseBackingJSONSSH, 0}, {"rbd", virStorageSourceParseBackingJSONRBD, 0}, {"raw", virStorageSourceParseBackingJSONRaw, 0}, + {"vxhs", virStorageSourceParseBackingJSONVxHS, 0}, }; @@ -3995,6 +4030,8 @@ virStorageSourceNetworkDefaultPort(virStorageNetProtocol protocol) return 0; case VIR_STORAGE_NET_PROTOCOL_VXHS: + return 9999; + case VIR_STORAGE_NET_PROTOCOL_LAST: case VIR_STORAGE_NET_PROTOCOL_NONE: return 0; diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c index 60e3164b0..ffebd4dc1 100644 --- a/tests/virstoragetest.c +++ b/tests/virstoragetest.c @@ -1592,6 +1592,17 @@ mymain(void) "<source protocol='sheepdog' name='Alice'>\n" " <host name='10.10.10.10' port='7000'/>\n" "</source>\n"); + TEST_BACKING_PARSE("json:{\"file\":{\"driver\":\"vxhs\"," + "\"vdisk-id\":\"c6718f6b-0401-441d-a8c3-1f0064d75ee0\"," + "\"server\": { \"type\":\"tcp\"," + "\"host\":\"example.com\"," + "\"port\":\"9999\"" + "}" + "}" + "}", + "<source protocol='vxhs' name='c6718f6b-0401-441d-a8c3-1f0064d75ee0'>\n" + " <host name='example.com' port='9999'/>\n" + "</source>\n"); #endif /* WITH_YAJL */ cleanup: -- 2.13.5
From: Ashish Mittal <Ashish.Mittal@veritas.com> Extract out the "guts" of building a server entry into it's own separately callable/usable function in order to allow building a server entry for a consumer with src->nhosts == 1. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 106 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 70 insertions(+), 36 deletions(-) diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index d07269f4e..c97b787c5 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -380,6 +380,74 @@ qemuBlockGetNodeData(virJSONValuePtr data) /** + * qemuBlockStorageSourceBuildJSONSocketAddress + * @host: the virStorageNetHostDefPtr definition to build + * @legacy: use 'tcp' instead of 'inet' for compatibility reasons + * + * Formats @hosts into a json object conforming to the 'SocketAddress' type + * in qemu. + * + * This function can be used when only 1 src->nhosts is expected in order + * to build a command without the array indices after "server.". That is + * to see "server.type", "server.host", and "server.port" instead of + * "server.#.type", "server.#.host", and "server.#.port". + * + * Returns a virJSONValuePtr for a single server. + */ +static virJSONValuePtr +qemuBlockStorageSourceBuildJSONSocketAddress(virStorageNetHostDefPtr host, + bool legacy) +{ + virJSONValuePtr server = NULL; + virJSONValuePtr ret = NULL; + const char *transport; + char *port = NULL; + + switch ((virStorageNetHostTransport) host->transport) { + case VIR_STORAGE_NET_HOST_TRANS_TCP: + if (legacy) + transport = "tcp"; + else + transport = "inet"; + + if (virAsprintf(&port, "%u", host->port) < 0) + goto cleanup; + + if (virJSONValueObjectCreate(&server, + "s:type", transport, + "s:host", host->name, + "s:port", port, + NULL) < 0) + goto cleanup; + break; + + case VIR_STORAGE_NET_HOST_TRANS_UNIX: + if (virJSONValueObjectCreate(&server, + "s:type", "unix", + "s:socket", host->socket, + NULL) < 0) + goto cleanup; + break; + + case VIR_STORAGE_NET_HOST_TRANS_RDMA: + case VIR_STORAGE_NET_HOST_TRANS_LAST: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("transport protocol '%s' is not yet supported"), + virStorageNetHostTransportTypeToString(host->transport)); + goto cleanup; + } + + VIR_STEAL_PTR(ret, server); + + cleanup: + VIR_FREE(port); + virJSONValueFree(server); + + return ret; +} + + +/** * qemuBlockStorageSourceBuildHostsJSONSocketAddress: * @src: disk storage source * @legacy: use 'tcp' instead of 'inet' for compatibility reasons @@ -395,8 +463,6 @@ qemuBlockStorageSourceBuildHostsJSONSocketAddress(virStorageSourcePtr src, virJSONValuePtr server = NULL; virJSONValuePtr ret = NULL; virStorageNetHostDefPtr host; - const char *transport; - char *port = NULL; size_t i; if (!(servers = virJSONValueNewArray())) @@ -405,39 +471,8 @@ qemuBlockStorageSourceBuildHostsJSONSocketAddress(virStorageSourcePtr src, for (i = 0; i < src->nhosts; i++) { host = src->hosts + i; - switch ((virStorageNetHostTransport) host->transport) { - case VIR_STORAGE_NET_HOST_TRANS_TCP: - if (legacy) - transport = "tcp"; - else - transport = "inet"; - - if (virAsprintf(&port, "%u", host->port) < 0) - goto cleanup; - - if (virJSONValueObjectCreate(&server, - "s:type", transport, - "s:host", host->name, - "s:port", port, - NULL) < 0) - goto cleanup; - break; - - case VIR_STORAGE_NET_HOST_TRANS_UNIX: - if (virJSONValueObjectCreate(&server, - "s:type", "unix", - "s:socket", host->socket, - NULL) < 0) - goto cleanup; - break; - - case VIR_STORAGE_NET_HOST_TRANS_RDMA: - case VIR_STORAGE_NET_HOST_TRANS_LAST: - virReportError(VIR_ERR_INTERNAL_ERROR, - _("transport protocol '%s' is not yet supported"), - virStorageNetHostTransportTypeToString(host->transport)); - goto cleanup; - } + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(host, legacy))) + goto cleanup; if (virJSONValueArrayAppend(servers, server) < 0) goto cleanup; @@ -450,7 +485,6 @@ qemuBlockStorageSourceBuildHostsJSONSocketAddress(virStorageSourcePtr src, cleanup: virJSONValueFree(servers); virJSONValueFree(server); - VIR_FREE(port); return ret; } -- 2.13.5
On Thu, Sep 14, 2017 at 08:51:50 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
Extract out the "guts" of building a server entry into it's own separately callable/usable function in order to allow building a server entry for a consumer with src->nhosts == 1.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 106 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 70 insertions(+), 36 deletions(-)
ACK
From: Ashish Mittal <Ashish.Mittal@veritas.com> The VxHS block device will only use the newer formatting options and avoid the legacy URI syntax. An excerpt for a sample QEMU command line is: -drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=tcp,file.server.host=192.168.0.1,\ file.server.port=9999,format=raw,if=none,id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0 Update qemuxml2argvtest with a simple test. Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 37 +++++++++++++++++++++- src/qemu/qemu_command.c | 10 +++++- src/qemu/qemu_parse_command.c | 16 +++++++++- src/qemu/qemu_process.c | 29 +++++++++++++++++ .../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++++++++++++++ tests/qemuxml2argvtest.c | 1 + 6 files changed, 117 insertions(+), 3 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index c97b787c5..ca6e213b4 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -516,6 +516,37 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSourcePtr src) } +static virJSONValuePtr +qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src) +{ + const char *protocol = virStorageNetProtocolTypeToString(src->protocol); + virJSONValuePtr server = NULL; + virJSONValuePtr ret = NULL; + + if (src->nhosts != 1) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("VxHS protocol accepts only one host")); + return NULL; + } + + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true))) + return NULL; + + /* VxHS disk specification example: + * { driver:"vxhs", + * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", + * server:[{type:"tcp", host:"1.2.3.4", port:9999}]} + */ + if (virJSONValueObjectCreate(&ret, + "s:driver", protocol, + "s:vdisk-id", src->path, + "a:server", server, NULL) < 0) + virJSONValueFree(server); + + return ret; +} + + /** * qemuBlockStorageSourceGetBackendProps: * @src: disk source @@ -546,6 +577,11 @@ qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src) goto cleanup; break; + case VIR_STORAGE_NET_PROTOCOL_VXHS: + if (!(fileprops = qemuBlockStorageSourceGetVxHSProps(src))) + goto cleanup; + break; + case VIR_STORAGE_NET_PROTOCOL_NBD: case VIR_STORAGE_NET_PROTOCOL_RBD: case VIR_STORAGE_NET_PROTOCOL_SHEEPDOG: @@ -556,7 +592,6 @@ qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src) case VIR_STORAGE_NET_PROTOCOL_FTPS: case VIR_STORAGE_NET_PROTOCOL_TFTP: case VIR_STORAGE_NET_PROTOCOL_SSH: - case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_NONE: case VIR_STORAGE_NET_PROTOCOL_LAST: break; diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 720530daa..0a3278510 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -994,12 +994,16 @@ qemuBuildNetworkDriveStr(virStorageSourcePtr src, ret = virBufferContentAndReset(&buf); break; + case VIR_STORAGE_NET_PROTOCOL_VXHS: + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("VxHS protocol does not support URI syntax")); + goto cleanup; + case VIR_STORAGE_NET_PROTOCOL_SSH: virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("'ssh' protocol is not yet supported")); goto cleanup; - case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: case VIR_STORAGE_NET_PROTOCOL_NONE: virReportError(VIR_ERR_INTERNAL_ERROR, @@ -1329,6 +1333,10 @@ qemuDiskSourceNeedsProps(virStorageSourcePtr src) src->nhosts > 1) return true; + if (actualType == VIR_STORAGE_TYPE_NETWORK && + src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS) + return true; + return false; } diff --git a/src/qemu/qemu_parse_command.c b/src/qemu/qemu_parse_command.c index 9190a37ba..6286c2e7a 100644 --- a/src/qemu/qemu_parse_command.c +++ b/src/qemu/qemu_parse_command.c @@ -736,6 +736,11 @@ qemuParseCommandLineDisk(virDomainXMLOptionPtr xmlopt, if (VIR_STRDUP(def->src->path, vdi) < 0) goto error; } + } else if (STRPREFIX(def->src->path, "vxhs:")) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("VxHS protocol does not support URI syntax '%s'"), + def->src->path); + goto error; } else { def->src->type = VIR_STORAGE_TYPE_FILE; } @@ -1944,6 +1949,10 @@ qemuParseCommandLine(virCapsPtr caps, disk->src->type = VIR_STORAGE_TYPE_NETWORK; disk->src->protocol = VIR_STORAGE_NET_PROTOCOL_SHEEPDOG; val += strlen("sheepdog:"); + } else if (STRPREFIX(val, "vxhs:")) { + disk->src->type = VIR_STORAGE_TYPE_NETWORK; + disk->src->protocol = VIR_STORAGE_NET_PROTOCOL_VXHS; + val += strlen("vxhs:"); } else { disk->src->type = VIR_STORAGE_TYPE_FILE; } @@ -2020,13 +2029,18 @@ qemuParseCommandLine(virCapsPtr caps, goto error; break; + case VIR_STORAGE_NET_PROTOCOL_VXHS: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("VxHS protocol does not support URI " + "syntax '%s'"), disk->src->path); + goto error; + break; case VIR_STORAGE_NET_PROTOCOL_HTTP: case VIR_STORAGE_NET_PROTOCOL_HTTPS: case VIR_STORAGE_NET_PROTOCOL_FTP: case VIR_STORAGE_NET_PROTOCOL_FTPS: case VIR_STORAGE_NET_PROTOCOL_TFTP: case VIR_STORAGE_NET_PROTOCOL_SSH: - case VIR_STORAGE_NET_PROTOCOL_VXHS: case VIR_STORAGE_NET_PROTOCOL_LAST: case VIR_STORAGE_NET_PROTOCOL_NONE: /* ignored for now */ diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 7e9b406b6..099a770e9 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4578,6 +4578,32 @@ qemuProcessStartValidateShmem(virDomainObjPtr vm) static int +qemuProcessStartValidateDisks(virDomainObjPtr vm, + virQEMUCapsPtr qemuCaps) +{ + size_t i; + + for (i = 0; i < vm->def->ndisks; i++) { + virStorageSourcePtr src = vm->def->disks[i]->src; + + /* This is a best effort check as we can only check if the command + * option exists, but we cannot determine whether the running QEMU + * was build with '--enable-vxhs'. */ + if (src->type == VIR_STORAGE_TYPE_NETWORK && + src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS && + !virQEMUCapsGet(qemuCaps, QEMU_CAPS_VXHS)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("VxHS protocol is not supported with this " + "QEMU binary")); + return -1; + } + } + + return 0; +} + + +static int qemuProcessStartValidateXML(virQEMUDriverPtr driver, virDomainObjPtr vm, virQEMUCapsPtr qemuCaps, @@ -4659,6 +4685,9 @@ qemuProcessStartValidate(virQEMUDriverPtr driver, if (qemuProcessStartValidateShmem(vm) < 0) return -1; + if (qemuProcessStartValidateDisks(vm, qemuCaps) < 0) + return -1; + VIR_DEBUG("Checking for any possible (non-fatal) issues"); qemuProcessStartWarnShmem(vm); diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args new file mode 100644 index 000000000..b62ace3de --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args @@ -0,0 +1,27 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/home/test \ +USER=test \ +LOGNAME=test \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-x86_64 \ +-name QEMUGuest1 \ +-S \ +-M pc \ +-cpu qemu32 \ +-m 214 \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-nographic \ +-nodefaults \ +-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\ +server,nowait \ +-mon chardev=charmonitor,id=monitor,mode=readline \ +-no-acpi \ +-boot c \ +-usb \ +-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ +file.server.type=tcp,file.server.host=192.168.0.1,file.server.port=9999,\ +format=raw,if=none,id=drive-virtio-disk0,cache=none \ +-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ +id=virtio-disk0 diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 2c040e4c0..01a518eff 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -931,6 +931,7 @@ mymain(void) # endif DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE); + DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS); DO_TEST("disk-drive-no-boot", QEMU_CAPS_BOOTINDEX); DO_TEST_PARSE_ERROR("disk-device-lun-type-invalid", -- 2.13.5
On Thu, Sep 14, 2017 at 08:51:51 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
The VxHS block device will only use the newer formatting options and avoid the legacy URI syntax.
An excerpt for a sample QEMU command line is:
-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=tcp,file.server.host=192.168.0.1,\ file.server.port=9999,format=raw,if=none,id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0
Update qemuxml2argvtest with a simple test.
Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 37 +++++++++++++++++++++- src/qemu/qemu_command.c | 10 +++++- src/qemu/qemu_parse_command.c | 16 +++++++++- src/qemu/qemu_process.c | 29 +++++++++++++++++ .../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++++++++++++++ tests/qemuxml2argvtest.c | 1 + 6 files changed, 117 insertions(+), 3 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index c97b787c5..ca6e213b4 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -516,6 +516,37 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSourcePtr src) }
+static virJSONValuePtr +qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src) +{ + const char *protocol = virStorageNetProtocolTypeToString(src->protocol); + virJSONValuePtr server = NULL; + virJSONValuePtr ret = NULL; + + if (src->nhosts != 1) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("VxHS protocol accepts only one host")); + return NULL; + } + + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true))) + return NULL;
This creates a json object ...
+ + /* VxHS disk specification example: + * { driver:"vxhs", + * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", + * server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
... which is appended below as the 'server' field, while this example shows an array of objects. So, which one is correct? Is this a hack to force the JSON->commandline generator to compy? If it's so then we need to change that and not this, since then QMP commands like 'blockdev-add' will not accept it and thus this will be useless for expansion.
+ */ + if (virJSONValueObjectCreate(&ret, + "s:driver", protocol, + "s:vdisk-id", src->path, + "a:server", server, NULL) < 0) + virJSONValueFree(server); + + return ret; +} + + /** * qemuBlockStorageSourceGetBackendProps: * @src: disk source
Rest looks okay
On 09/19/2017 09:37 AM, Peter Krempa wrote:
On Thu, Sep 14, 2017 at 08:51:51 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
The VxHS block device will only use the newer formatting options and avoid the legacy URI syntax.
An excerpt for a sample QEMU command line is:
-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=tcp,file.server.host=192.168.0.1,\ file.server.port=9999,format=raw,if=none,id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0
Update qemuxml2argvtest with a simple test.
Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 37 +++++++++++++++++++++- src/qemu/qemu_command.c | 10 +++++- src/qemu/qemu_parse_command.c | 16 +++++++++- src/qemu/qemu_process.c | 29 +++++++++++++++++ .../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++++++++++++++ tests/qemuxml2argvtest.c | 1 + 6 files changed, 117 insertions(+), 3 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index c97b787c5..ca6e213b4 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -516,6 +516,37 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSourcePtr src) }
+static virJSONValuePtr +qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src) +{ + const char *protocol = virStorageNetProtocolTypeToString(src->protocol); + virJSONValuePtr server = NULL; + virJSONValuePtr ret = NULL; + + if (src->nhosts != 1) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("VxHS protocol accepts only one host")); + return NULL; + } + + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true))) + return NULL;
This creates a json object ...
+ + /* VxHS disk specification example: + * { driver:"vxhs", + * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", + * server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
... which is appended below as the 'server' field, while this example shows an array of objects. So, which one is correct? Is this a hack to force the JSON->commandline generator to compy? If it's so then we need to change that and not this, since then QMP commands like 'blockdev-add' will not accept it and thus this will be useless for expansion.
Oh right, the [ ] is wrong as this isn't an array it's just a single server element (as seen in patch 4) I can remove the [ ] and I think that answers your concern. The VxHS qemu code only likes the "server.type, server.host, and server.port" syntax and fails on the "server.0.type", "server.0.host", and "server.0.port" syntax. John
+ */ + if (virJSONValueObjectCreate(&ret, + "s:driver", protocol, + "s:vdisk-id", src->path, + "a:server", server, NULL) < 0) + virJSONValueFree(server); + + return ret; +} + + /** * qemuBlockStorageSourceGetBackendProps: * @src: disk source
Rest looks okay
On Tue, Sep 19, 2017 at 10:15:38 -0400, John Ferlan wrote:
On 09/19/2017 09:37 AM, Peter Krempa wrote:
On Thu, Sep 14, 2017 at 08:51:51 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
The VxHS block device will only use the newer formatting options and avoid the legacy URI syntax.
An excerpt for a sample QEMU command line is:
-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=tcp,file.server.host=192.168.0.1,\ file.server.port=9999,format=raw,if=none,id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0
Update qemuxml2argvtest with a simple test.
Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 37 +++++++++++++++++++++- src/qemu/qemu_command.c | 10 +++++- src/qemu/qemu_parse_command.c | 16 +++++++++- src/qemu/qemu_process.c | 29 +++++++++++++++++ .../qemuxml2argv-disk-drive-network-vxhs.args | 27 ++++++++++++++++ tests/qemuxml2argvtest.c | 1 + 6 files changed, 117 insertions(+), 3 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index c97b787c5..ca6e213b4 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -516,6 +516,37 @@ qemuBlockStorageSourceGetGlusterProps(virStorageSourcePtr src) }
+static virJSONValuePtr +qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src) +{ + const char *protocol = virStorageNetProtocolTypeToString(src->protocol); + virJSONValuePtr server = NULL; + virJSONValuePtr ret = NULL; + + if (src->nhosts != 1) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("VxHS protocol accepts only one host")); + return NULL; + } + + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true))) + return NULL;
This creates a json object ...
+ + /* VxHS disk specification example: + * { driver:"vxhs", + * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", + * server:[{type:"tcp", host:"1.2.3.4", port:9999}]}
... which is appended below as the 'server' field, while this example shows an array of objects. So, which one is correct? Is this a hack to force the JSON->commandline generator to compy? If it's so then we need to change that and not this, since then QMP commands like 'blockdev-add' will not accept it and thus this will be useless for expansion.
Oh right, the [ ] is wrong as this isn't an array it's just a single server element (as seen in patch 4)
I can remove the [ ] and I think that answers your concern. The VxHS qemu code only likes the "server.type, server.host, and server.port" syntax and fails on the "server.0.type", "server.0.host", and "server.0.port" syntax.
Okay, cool. ACK with the docs fixed.
From: Ashish Mittal <Ashish.Mittal@veritas.com> Add a new TLS X.509 certificate type - "vxhs". This will handle the creation of a TLS certificate capability for properly configured VxHS network block device clients. The following describes the behavior of TLS for VxHS block device: (1) Two new options have been added in /etc/libvirt/qemu.conf to control TLS behavior with VxHS block devices "vxhs_tls" and "vxhs_tls_x509_cert_dir". (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable TLS for VxHS block devices. (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the TLS CA certificate and the client certificate and keys are saved. If this value is missing, the "default_tls_x509_cert_dir" will be used instead. If the environment is not configured properly the authentication to the VxHS server will fail. Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/libvirtd_qemu.aug | 4 ++++ src/qemu/qemu.conf | 34 ++++++++++++++++++++++++++++++++++ src/qemu/qemu_conf.c | 16 ++++++++++++++++ src/qemu/qemu_conf.h | 3 +++ src/qemu/test_libvirtd_qemu.aug.in | 2 ++ 5 files changed, 59 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index e1983d1fd..c19bf3a43 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -115,6 +115,9 @@ module Libvirtd_qemu = let memory_entry = str_entry "memory_backing_dir" + let vxhs_entry = bool_entry "vxhs_tls" + | str_entry "vxhs_tls_x509_cert_dir" + (* Each entry in the config is one of the following ... *) let entry = default_tls_entry | vnc_entry @@ -133,6 +136,7 @@ module Libvirtd_qemu = | nvram_entry | gluster_debug_level_entry | memory_entry + | vxhs_entry let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] let empty = [ label "#empty" . eol ] diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index f977e3b71..2d20d790b 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -258,6 +258,40 @@ #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" +# Enable use of TLS encryption for all VxHS network block devices that +# don't specifically disable. +# +# When the VxHS network block device server is set up appropriately, +# x509 certificates are required for authentication between the clients +# (qemu processes) and the remote VxHS server. +# +# It is necessary to setup CA and issue the client certificate before +# enabling this. +# +#vxhs_tls = 1 + + +# In order to override the default TLS certificate location for VxHS +# device TCP certificates, supply a valid path to the certificate directory. +# This is used to authenticate the VxHS block device clients to the VxHS +# server. +# +# If the provided path does not exist then the default_tls_x509_cert_dir +# path will be used. +# +# VxHS block device clients expect the client certificate and key to be +# present in the certificate directory along with the CA master certificate. +# If using the default environment, default_tls_x509_verify must be configured. +# The server key as well as secret UUID that would decrypt it is not used. +# Thus a VxHS directory must contain the following: +# +# ca-cert.pem - the CA master certificate +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# +#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs" + + # In order to override the default TLS certificate location for migration # certificates, supply a valid path to the certificate directory. If the # provided path does not exist then the default_tls_x509_cert_dir path diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index ab5f7cc59..bcf798d08 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -283,6 +283,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) SET_TLS_X509_CERT_DEFAULT(spice); SET_TLS_X509_CERT_DEFAULT(chardev); SET_TLS_X509_CERT_DEFAULT(migrate); + SET_TLS_X509_CERT_DEFAULT(vxhs); #undef SET_TLS_X509_CERT_DEFAULT @@ -380,6 +381,8 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->chardevTLSx509certdir); VIR_FREE(cfg->chardevTLSx509secretUUID); + VIR_FREE(cfg->vxhsTLSx509certdir); + VIR_FREE(cfg->migrateTLSx509certdir); VIR_FREE(cfg->migrateTLSx509secretUUID); @@ -457,6 +460,7 @@ virQEMUDriverConfigTLSDirResetDefaults(virQEMUDriverConfigPtr cfg) CHECK_RESET_CERT_DIR_DEFAULT(spice); CHECK_RESET_CERT_DIR_DEFAULT(chardev); CHECK_RESET_CERT_DIR_DEFAULT(migrate); + CHECK_RESET_CERT_DIR_DEFAULT(vxhs); return 0; } @@ -556,6 +560,10 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, goto cleanup; if (virConfGetValueBool(conf, "spice_auto_unix_socket", &cfg->spiceAutoUnixSocket) < 0) goto cleanup; + if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0) + goto cleanup; + if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTLSx509certdir) < 0) + goto cleanup; #define GET_CONFIG_TLS_CERTINFO(val) \ do { \ @@ -976,6 +984,14 @@ virQEMUDriverConfigValidate(virQEMUDriverConfigPtr cfg) return -1; } + if (STRNEQ(cfg->vxhsTLSx509certdir, SYSCONFDIR "/pki/qemu") && + !virFileExists(cfg->vxhsTLSx509certdir)) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("vxhs_tls_x509_cert_dir directory '%s' does not exist"), + cfg->vxhsTLSx509certdir); + return -1; + } + return 0; } diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index d469b50bd..13b6f818a 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -203,6 +203,9 @@ struct _virQEMUDriverConfig { unsigned int glusterDebugLevel; char *memoryBackingDir; + + bool vxhsTLS; + char *vxhsTLSx509certdir; }; /* Main driver state */ diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in index 676d48cf5..688e5b9fd 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -25,6 +25,8 @@ module Test_libvirtd_qemu = { "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" } { "chardev_tls_x509_verify" = "1" } { "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } +{ "vxhs_tls" = "1" } +{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" } { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" } { "migrate_tls_x509_verify" = "1" } { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } -- 2.13.5
On Thu, Sep 14, 2017 at 08:51:52 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
Add a new TLS X.509 certificate type - "vxhs". This will handle the creation of a TLS certificate capability for properly configured VxHS network block device clients.
The following describes the behavior of TLS for VxHS block device:
(1) Two new options have been added in /etc/libvirt/qemu.conf to control TLS behavior with VxHS block devices "vxhs_tls" and "vxhs_tls_x509_cert_dir". (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable TLS for VxHS block devices. (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the TLS CA certificate and the client certificate and keys are saved. If this value is missing, the "default_tls_x509_cert_dir" will be used instead. If the environment is not configured properly the authentication to the VxHS server will fail.
Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/libvirtd_qemu.aug | 4 ++++ src/qemu/qemu.conf | 34 ++++++++++++++++++++++++++++++++++ src/qemu/qemu_conf.c | 16 ++++++++++++++++ src/qemu/qemu_conf.h | 3 +++ src/qemu/test_libvirtd_qemu.aug.in | 2 ++ 5 files changed, 59 insertions(+)
ACK
From: Ashish Mittal <Ashish.Mittal@veritas.com> Add an optional virTristateBool haveTLS to virStorageSource to manage whether a storage source will be using TLS. Sample XML for a VxHS disk: <disk type='network' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'> <host name='192.168.0.1' port='9999'/> </source> <target dev='vda' bus='virtio'/> </disk> Additionally add a tlsFromConfig boolean to control whether the TLS setting was due to domain configuration or qemu.conf global setting in order to decide whether to Format the haveTLS setting for either a live or saved domain configuration file. Update the qemuxml2xmltest in order to add a test to show the proper parsing. Also update the docs to describe the tls attribute plus clean up the description in the surrounding area to make the information a bit more readable rather than one winding paragraph. Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 40 ++++++++++++++++------ docs/schemas/domaincommon.rng | 5 +++ src/conf/domain_conf.c | 28 +++++++++++++-- src/util/virstoragefile.c | 2 ++ src/util/virstoragefile.h | 7 ++++ ...emuxml2argv-disk-drive-network-tlsx509-vxhs.xml | 32 +++++++++++++++++ ...uxml2xmlout-disk-drive-network-tlsx509-vxhs.xml | 34 ++++++++++++++++++ tests/qemuxml2xmltest.c | 1 + 8 files changed, 137 insertions(+), 12 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 446ffff4c..26c00674a 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2520,19 +2520,39 @@ <dd> The <code>protocol</code> attribute specifies the protocol to access to the requested image. Possible values are "nbd", - "iscsi", "rbd", "sheepdog", "gluster" or "vxhs". If the - <code>protocol</code> attribute is "rbd", "sheepdog", "gluster" - or "vxhs", an additional attribute <code>name</code> is - mandatory to specify which volume/image will be used. For "nbd", - the <code>name</code> attribute is optional. For "iscsi" - (<span class="since">since 1.0.4</span>), the <code>name</code> - attribute may include a logical unit number, separated from the - target's name by a slash (e.g., + "iscsi", "rbd", "sheepdog", "gluster" or "vxhs". + + <p>If the <code>protocol</code> attribute is "rbd", "sheepdog", + "gluster", or "vxhs", an additional attribute <code>name</code> + is mandatory to specify which volume/image will be used. + </p> + + <p>For "nbd", the <code>name</code> attribute is optional. + </p> + + <p>For "iscsi" (<span class="since">since 1.0.4</span>), the + <code>name</code> attribute may include a logical unit number, + separated from the target's name by a slash (e.g., <code>iqn.2013-07.com.example:iscsi-pool/1</code>). If not specified, the default LUN is zero. - For "vxhs" (<span class="since">since 3.8.0</span>), the + </p> + + <p>For "vxhs" (<span class="since">since 3.8.0</span>), the <code>name</code> is the UUID of the volume, assigned by the - HyperScale server. + HyperScale server. Additionally, an optional attribute + <code>tls</code> (QEMU only) can be used to control whether a + VxHS block device would utilize a hypervisor configured TLS + X.509 certificate environment in order to encrypt the data + channel. For the QEMU hypervisor, usage of a TLS environment can + also be globally controlled on the host by the + <code>vxhs_tls</code> and <code>vxhs_tls_x509_cert_dir</code> or + <code>default_tls_x509_cert_dir</code> settings in the file + /etc/libvirt/qemu.conf. If <code>vxhs_tls</code> is enabled, + then unless the domain <code>tls</code> attribute is set to "no", + libvirt will use the host configured TLS environment. If the + <code>tls</code> attribute is set to "yes", then regardless of + the qemu.conf setting, TLS authentication will be attempted. + </p> <span class="since">Since 0.8.7</span> </dd> <dt><code>volume</code></dt> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 76852abb3..bac371ea3 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1644,6 +1644,11 @@ </choice> </attribute> <attribute name="name"/> + <optional> + <attribute name="tls"> + <ref name="virYesNo"/> + </attribute> + </optional> <ref name="diskSourceNetworkHost"/> </element> </define> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index a43b25c31..3684454e8 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -8114,6 +8114,7 @@ virDomainDiskSourceParse(xmlNodePtr node, int ret = -1; char *protocol = NULL; xmlNodePtr saveNode = ctxt->node; + char *haveTLS = NULL; ctxt->node = node; @@ -8147,6 +8148,19 @@ virDomainDiskSourceParse(xmlNodePtr node, goto cleanup; } + /* Check tls=yes|no domain setting for the block device + * At present only VxHS. Other block devices may be added later */ + if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS && + (haveTLS = virXMLPropString(node, "tls"))) { + if ((src->haveTLS = + virTristateBoolTypeFromString(haveTLS)) <= 0) { + virReportError(VIR_ERR_XML_ERROR, + _("unknown disk source 'tls' setting '%s'"), + haveTLS); + goto cleanup; + } + } + /* for historical reasons the volume name for gluster volume is stored * as a part of the path. This is hard to work with when dealing with * relative names. Split out the volume into a separate variable */ @@ -8202,6 +8216,7 @@ virDomainDiskSourceParse(xmlNodePtr node, cleanup: VIR_FREE(protocol); + VIR_FREE(haveTLS); ctxt->node = saveNode; return ret; } @@ -21669,7 +21684,8 @@ virDomainSourceDefFormatSeclabel(virBufferPtr buf, static int virDomainDiskSourceFormatNetwork(virBufferPtr buf, - virStorageSourcePtr src) + virStorageSourcePtr src, + unsigned int flags) { size_t n; char *path = NULL; @@ -21686,6 +21702,14 @@ virDomainDiskSourceFormatNetwork(virBufferPtr buf, VIR_FREE(path); + if (src->haveTLS != VIR_TRISTATE_BOOL_ABSENT && + !(flags & VIR_DOMAIN_DEF_FORMAT_MIGRATABLE && + src->tlsFromConfig)) + virBufferAsprintf(buf, " tls='%s'", + virTristateBoolTypeToString(src->haveTLS)); + if (flags & VIR_DOMAIN_DEF_FORMAT_STATUS) + virBufferAsprintf(buf, " tlsFromConfig='%d'", src->tlsFromConfig); + if (src->nhosts == 0 && !src->snapshot && !src->configFile) { virBufferAddLit(buf, "/>\n"); } else { @@ -21760,7 +21784,7 @@ virDomainDiskSourceFormatInternal(virBufferPtr buf, break; case VIR_STORAGE_TYPE_NETWORK: - if (virDomainDiskSourceFormatNetwork(buf, src) < 0) + if (virDomainDiskSourceFormatNetwork(buf, src, flags) < 0) goto error; break; diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index ba2045369..35f468e35 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -2039,6 +2039,8 @@ virStorageSourceCopy(const virStorageSource *src, ret->physical = src->physical; ret->readonly = src->readonly; ret->shared = src->shared; + ret->haveTLS = src->haveTLS; + ret->tlsFromConfig = src->tlsFromConfig; /* storage driver metadata are not copied */ ret->drv = NULL; diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index f7e897f25..4817090fc 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h @@ -281,6 +281,13 @@ struct _virStorageSource { /* metadata that allows identifying given storage source */ char *nodeformat; /* name of the format handler object */ char *nodestorage; /* name of the storage object */ + + /* An optional setting to enable usage of TLS for the storage source */ + int haveTLS; /* enum virTristateBool */ + + /* Indication whether the haveTLS value was altered due to qemu.conf + * setting when haveTLS is missing from the domain config file */ + bool tlsFromConfig; }; diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml new file mode 100644 index 000000000..61b5e2e79 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml @@ -0,0 +1,32 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <driver name='qemu' type='raw' cache='none'/> + <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'> + <host name='192.168.0.1' port='9999'/> + </source> + <target dev='vda' bus='virtio'/> + <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <controller type='usb' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml new file mode 100644 index 000000000..16f0883e0 --- /dev/null +++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml @@ -0,0 +1,34 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <driver name='qemu' type='raw' cache='none'/> + <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'> + <host name='192.168.0.1' port='9999'/> + </source> + <target dev='vda' bus='virtio'/> + <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 8b7577fd3..f005163c4 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c @@ -475,6 +475,7 @@ mymain(void) DO_TEST("disk-drive-network-rbd-ceph-env", NONE); DO_TEST("disk-drive-network-sheepdog", NONE); DO_TEST("disk-drive-network-vxhs", NONE); + DO_TEST("disk-drive-network-tlsx509-vxhs", NONE); DO_TEST("disk-scsi-device", QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_SCSI_LSI); DO_TEST("disk-scsi-vscsi", NONE); -- 2.13.5
On Thu, Sep 14, 2017 at 08:51:53 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
Add an optional virTristateBool haveTLS to virStorageSource to manage whether a storage source will be using TLS.
Sample XML for a VxHS disk:
<disk type='network' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251' tls='yes'> <host name='192.168.0.1' port='9999'/> </source> <target dev='vda' bus='virtio'/> </disk>
Additionally add a tlsFromConfig boolean to control whether the TLS setting was due to domain configuration or qemu.conf global setting in order to decide whether to Format the haveTLS setting for either a live or saved domain configuration file.
I guess it's unpleasant to do it any other way... ACK
Introduce a function to setup any TLS needs for a disk source. If there's a configuration or other error setting up the disk source for TLS, then cause the domain startup to fail. For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't been configured, then take the system/global cfg->haveTLS setting for the storage source *and* mark that we've done so via the tlsFromConfig setting in storage source. Next, if we are using TLS, then generate an alias into a virStorageSource 'tlsAlias' field that will be used to create the TLS object and added to the disk object in order to link the two together for QEMU. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_domain.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_domain.h | 11 ++++++++ src/qemu/qemu_process.c | 4 +++ src/util/virstoragefile.c | 5 +++- src/util/virstoragefile.h | 6 ++++ 5 files changed, 96 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 05f8e9488..b93b7de63 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -7550,6 +7550,77 @@ qemuDomainPrepareChardevSource(virDomainDefPtr def, } +/* qemuProcessPrepareDiskSourceTLS: + * @source: pointer to host interface data for disk device + * @diskAlias: alias use for the disk device + * @cfg: driver configuration + * + * Updates host interface TLS encryption setting based on qemu.conf + * for disk devices. This will be presented as "tls='yes|no'" in + * live XML of a guest. + * + * Returns 0 on success, -1 on bad config/failure + */ +int +qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, + const char *diskAlias, + virQEMUDriverConfigPtr cfg) +{ + + /* VxHS doesn't utilize a password protected server certificate, + * so no need to add a secinfo for a secret UUID. */ + if (src->type == VIR_STORAGE_TYPE_NETWORK && + src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS) { + + if (src->haveTLS == VIR_TRISTATE_BOOL_ABSENT) { + if (cfg->vxhsTLS) + src->haveTLS = VIR_TRISTATE_BOOL_YES; + else + src->haveTLS = VIR_TRISTATE_BOOL_NO; + src->tlsFromConfig = true; + } + + if (src->haveTLS == VIR_TRISTATE_BOOL_YES) { + if (!diskAlias) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("disk does not have an alias")); + return -1; + } + + if (!(src->tlsAlias = qemuAliasTLSObjFromSrcAlias(diskAlias))) + return -1; + } + } + + return 0; +} + + +/* qemuProcessPrepareDiskSource: + * @def: live domain definition + * @driver: qemu driver + * + * Iterate through all disk devices to setup/check any that would be + * using TLS. + * + * Returns 0 on success, -1 on failure + */ +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) +{ + size_t i; + + for (i = 0; i < def->ndisks; i++) { + if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src, + def->disks[i]->info.alias, + cfg) < 0) + return -1; + } + + return 0; +} + int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem) diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index b291dc308..93db23c2b 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -864,6 +864,17 @@ void qemuDomainPrepareChardevSource(virDomainDefPtr def, virQEMUDriverConfigPtr cfg) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); +int +qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src, + const char *diskAlias, + virQEMUDriverConfigPtr cfg) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3); + +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); + int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem) ATTRIBUTE_NONNULL(1); diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 099a770e9..f0691ece6 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -5351,6 +5351,10 @@ qemuProcessPrepareDomain(virConnectPtr conn, if (qemuDomainMasterKeyCreate(vm) < 0) goto cleanup; + VIR_DEBUG("Prepare disk source backends for TLS"); + if (qemuDomainPrepareDiskSource(vm->def, cfg) < 0) + goto cleanup; + VIR_DEBUG("Prepare chardev source backends for TLS"); qemuDomainPrepareChardevSource(vm->def, cfg); diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index 35f468e35..9cd648d36 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -2054,7 +2054,8 @@ virStorageSourceCopy(const virStorageSource *src, VIR_STRDUP(ret->configFile, src->configFile) < 0 || VIR_STRDUP(ret->nodeformat, src->nodeformat) < 0 || VIR_STRDUP(ret->nodestorage, src->nodestorage) < 0 || - VIR_STRDUP(ret->compat, src->compat) < 0) + VIR_STRDUP(ret->compat, src->compat) < 0 || + VIR_STRDUP(ret->tlsAlias, src->tlsAlias) < 0) goto error; if (src->nhosts) { @@ -2279,6 +2280,8 @@ virStorageSourceClear(virStorageSourcePtr def) virStorageSourceBackingStoreClear(def); + VIR_FREE(def->tlsAlias); + memset(def, 0, sizeof(*def)); } diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h index 4817090fc..eadbcc190 100644 --- a/src/util/virstoragefile.h +++ b/src/util/virstoragefile.h @@ -288,6 +288,12 @@ struct _virStorageSource { /* Indication whether the haveTLS value was altered due to qemu.conf * setting when haveTLS is missing from the domain config file */ bool tlsFromConfig; + + /* If TLS is used, then mgmt of the TLS credentials occurs via an + * object that is generated using a specific alias. That alias must + * be used when generating the disk object in order to link the + * two together. */ + char *tlsAlias; }; -- 2.13.5
On Thu, Sep 14, 2017 at 08:51:54 -0400, John Ferlan wrote:
Introduce a function to setup any TLS needs for a disk source.
If there's a configuration or other error setting up the disk source for TLS, then cause the domain startup to fail.
For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't been configured, then take the system/global cfg->haveTLS setting for the storage source *and* mark that we've done so via the tlsFromConfig setting in storage source.
Next, if we are using TLS, then generate an alias into a virStorageSource 'tlsAlias' field that will be used to create the TLS object and added to the disk object in order to link the two together for QEMU.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_domain.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_domain.h | 11 ++++++++ src/qemu/qemu_process.c | 4 +++ src/util/virstoragefile.c | 5 +++- src/util/virstoragefile.h | 6 ++++ 5 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 05f8e9488..b93b7de63 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c
[...]
+ +/* qemuProcessPrepareDiskSource: + * @def: live domain definition + * @driver: qemu driver + * + * Iterate through all disk devices to setup/check any that would be + * using TLS.
Don't add this here. This function is generic.
+ * + * Returns 0 on success, -1 on failure + */ +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) +{ + size_t i; + + for (i = 0; i < def->ndisks; i++) { + if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src, + def->disks[i]->info.alias, + cfg) < 0) + return -1; + } + + return 0; +} +
int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem)
ACK
On 09/19/2017 09:48 AM, Peter Krempa wrote:
On Thu, Sep 14, 2017 at 08:51:54 -0400, John Ferlan wrote:
Introduce a function to setup any TLS needs for a disk source.
If there's a configuration or other error setting up the disk source for TLS, then cause the domain startup to fail.
For VxHS, follow the chardevTLS model where if the src->haveTLS hasn't been configured, then take the system/global cfg->haveTLS setting for the storage source *and* mark that we've done so via the tlsFromConfig setting in storage source.
Next, if we are using TLS, then generate an alias into a virStorageSource 'tlsAlias' field that will be used to create the TLS object and added to the disk object in order to link the two together for QEMU.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_domain.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_domain.h | 11 ++++++++ src/qemu/qemu_process.c | 4 +++ src/util/virstoragefile.c | 5 +++- src/util/virstoragefile.h | 6 ++++ 5 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 05f8e9488..b93b7de63 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c
[...]
+ +/* qemuProcessPrepareDiskSource: + * @def: live domain definition + * @driver: qemu driver + * + * Iterate through all disk devices to setup/check any that would be + * using TLS.
Don't add this here. This function is generic.
OK - removed completely. Tks - John
+ * + * Returns 0 on success, -1 on failure + */ +int +qemuDomainPrepareDiskSource(virDomainDefPtr def, + virQEMUDriverConfigPtr cfg) +{ + size_t i; + + for (i = 0; i < def->ndisks; i++) { + if (qemuDomainPrepareDiskSourceTLS(def->disks[i]->src, + def->disks[i]->info.alias, + cfg) < 0) + return -1; + } + + return 0; +} +
int qemuDomainPrepareShmemChardev(virDomainShmemDefPtr shmem)
ACK
From: Ashish Mittal <Ashish.Mittal@veritas.com> Add a test case to verify TLS arguments are parsed correctly for a VxHS disk. This includes saving off a found tls-creds into the storage source @tlsAlias field since that's what's used to link the TLS object for the authentication credentials and the disk. Test case verifies that XML is generated correctly for a VxHS disk having TLS enabled. Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/util/virstoragefile.c | 9 +++++++++ tests/virstoragetest.c | 12 ++++++++++++ 2 files changed, 21 insertions(+) diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index 9cd648d36..1fcd7a028 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -3225,6 +3225,7 @@ virStorageSourceParseBackingJSONVxHS(virStorageSourcePtr src, { const char *vdisk_id = virJSONValueObjectGetString(json, "vdisk-id"); virJSONValuePtr server = virJSONValueObjectGetObject(json, "server"); + const char *haveTLS = virJSONValueObjectGetString(json, "tls-creds"); if (!vdisk_id || !server) { virReportError(VIR_ERR_INVALID_ARG, "%s", @@ -3243,6 +3244,14 @@ virStorageSourceParseBackingJSONVxHS(virStorageSourcePtr src, return -1; src->nhosts = 1; + if (haveTLS) { + VIR_FREE(src->tlsAlias); + if (VIR_STRDUP(src->tlsAlias, haveTLS) < 0) + return -1; + + src->haveTLS = VIR_TRISTATE_BOOL_YES; + } + if (virStorageSourceParseBackingJSONInetSocketAddress(src->hosts, server) < 0) return -1; diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c index ffebd4dc1..75ad6330b 100644 --- a/tests/virstoragetest.c +++ b/tests/virstoragetest.c @@ -1603,6 +1603,18 @@ mymain(void) "<source protocol='vxhs' name='c6718f6b-0401-441d-a8c3-1f0064d75ee0'>\n" " <host name='example.com' port='9999'/>\n" "</source>\n"); + TEST_BACKING_PARSE("json:{\"file\":{\"driver\":\"vxhs\"," + "\"vdisk-id\":\"c6718f6b-0401-441d-a8c3-1f0064d75ee0\"," + "\"server\": { \"type\":\"tcp\"," + "\"host\":\"example.com\"," + "\"port\":\"9999\"" + "}," + "\"tls-creds\":\"objvirtio-disk0_tls0\"" + "}" + "}", + "<source protocol='vxhs' name='c6718f6b-0401-441d-a8c3-1f0064d75ee0' tls='yes'>\n" + " <host name='example.com' port='9999'/>\n" + "</source>\n"); #endif /* WITH_YAJL */ cleanup: -- 2.13.5
On Thu, Sep 14, 2017 at 08:51:55 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
Add a test case to verify TLS arguments are parsed correctly for a VxHS disk. This includes saving off a found tls-creds into the storage source @tlsAlias field since that's what's used to link the TLS object for the authentication credentials and the disk.
Test case verifies that XML is generated correctly for a VxHS disk having TLS enabled.
Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/util/virstoragefile.c | 9 +++++++++ tests/virstoragetest.c | 12 ++++++++++++ 2 files changed, 21 insertions(+)
It's useless to parse this from the backign store strings. It might be useful if we'd parse it from qemu, but we don't. This needs to be setup each time anyways by libvirt and the alias may become stale. NACK
From: Ashish Mittal <Ashish.Mittal@veritas.com> Alter qemu command line generation in order to possibly add TLS for a suitably configured domain. Sample TLS args generated by libvirt - -object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\ endpoint=client,verify-peer=yes \ -drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\ file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=tcp,file.server.host=192.168.0.1,\ file.server.port=9999,format=raw,if=none,\ id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0 Update the qemuxml2argvtest with a couple of examples. One for a simple case and the other a bit more complex where multiple VxHS disks are added where at least one uses a VxHS that doesn't require TLS credentials and thus sets the domain disk source attribute "tls = 'no'". Update the hotplug to be able to handle processing the tlsAlias whether it's to add the TLS object when hotplugging a disk or to remove the TLS object when hot unplugging a disk. The hot plug/unplug code is largely generic, but the addition code does make the VXHS specific checks only because it needs to grab the correct config directory and generate the object as the command line would do. Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 8 +++ src/qemu/qemu_command.c | 29 +++++++++ src/qemu/qemu_hotplug.c | 73 ++++++++++++++++++++++ ...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 +++++++++++++ ...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 +++++++++++++++ ...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 +++++++++ tests/qemuxml2argvtest.c | 7 +++ 7 files changed, 240 insertions(+) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index ca6e213b4..458b90d8e 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -529,16 +529,24 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src) return NULL; } + if (src->haveTLS == VIR_TRISTATE_BOOL_YES && !src->tlsAlias) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("VxHS disk does not have TLS alias set")); + return NULL; + } + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true))) return NULL; /* VxHS disk specification example: * { driver:"vxhs", + * [tls-creds:"objvirtio-disk0_tls0",] * vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", * server:[{type:"tcp", host:"1.2.3.4", port:9999}]} */ if (virJSONValueObjectCreate(&ret, "s:driver", protocol, + "S:tls-creds", src->tlsAlias, "s:vdisk-id", src->path, "a:server", server, NULL) < 0) virJSONValueFree(server); diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 0a3278510..7b98e1947 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -794,6 +794,32 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd, } +/* qemuBuildDiskTLSx509CommandLine: + * + * Add TLS object if the disk uses a secure communication channel + * + * Returns 0 on success, -1 w/ error on some sort of failure. + */ +static int +qemuBuildDiskTLSx509CommandLine(virCommandPtr cmd, + virQEMUDriverConfigPtr cfg, + virDomainDiskDefPtr disk, + virQEMUCapsPtr qemuCaps) +{ + virStorageSourcePtr src = disk->src; + + /* other protocols may be added later */ + if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS && + disk->src->haveTLS == VIR_TRISTATE_BOOL_YES) { + return qemuBuildTLSx509CommandLine(cmd, cfg->vxhsTLSx509certdir, + false, true, false, + disk->info.alias, qemuCaps); + } + + return 0; +} + + static char * qemuBuildNetworkDriveURI(virStorageSourcePtr src, qemuDomainSecretInfoPtr secinfo) @@ -2221,6 +2247,9 @@ qemuBuildDiskDriveCommandLine(virCommandPtr cmd, if (qemuBuildDiskSecinfoCommandLine(cmd, encinfo) < 0) return -1; + if (qemuBuildDiskTLSx509CommandLine(cmd, cfg, disk, qemuCaps) < 0) + return -1; + virCommandAddArg(cmd, "-drive"); if (!(optstr = qemuBuildDriveStr(disk, cfg, driveBoot, qemuCaps))) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index b365078ec..e4174af35 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -152,6 +152,55 @@ qemuDomainPrepareDisk(virQEMUDriverPtr driver, static int +qemuDomainAddDiskTLSObject(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virDomainDiskDefPtr disk, + char **tlsAlias) +{ + int ret = -1; + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + qemuDomainObjPrivatePtr priv = vm->privateData; + virStorageSourcePtr src = disk->src; + virJSONValuePtr tlsProps = NULL; + + /* NB: This may alter haveTLS based on cfg */ + qemuDomainPrepareDiskSourceTLS(src, disk->info.alias, cfg); + + if (src->haveTLS != VIR_TRISTATE_BOOL_YES) { + ret = 0; + goto cleanup; + } + + /* Initial implementation doesn't require/use a secret to decrypt + * a server certificate, so there's no need to manage a tlsSecAlias + * and tlsSecProps. See qemuDomainAddChardevTLSObjects for the + * methodology required to add a secret object. */ + + /* For a VxHS environment, create a TLS object for the client to + * connect to the VxHS server. */ + if (src->type == VIR_STORAGE_TYPE_NETWORK && + src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS && + qemuDomainGetTLSObjects(priv->qemuCaps, NULL, + cfg->vxhsTLSx509certdir, false, true, + disk->info.alias, &tlsProps, tlsAlias, + NULL, NULL) < 0) + goto cleanup; + + if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + NULL, NULL, *tlsAlias, &tlsProps) < 0) + goto cleanup; + + ret = 0; + + cleanup: + virJSONValueFree(tlsProps); + virObjectUnref(cfg); + + return ret; +} + + +static int qemuHotplugWaitForTrayEject(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainDiskDefPtr disk, @@ -315,6 +364,7 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn, char *devstr = NULL; char *drivestr = NULL; char *drivealias = NULL; + char *tlsAlias = NULL; bool releaseaddr = false; bool driveAdded = false; bool secobjAdded = false; @@ -372,6 +422,9 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn, if (encinfo && qemuBuildSecretInfoProps(encinfo, &encobjProps) < 0) goto error; + if (qemuDomainAddDiskTLSObject(driver, vm, disk, &tlsAlias) < 0) + goto error; + if (!(drivestr = qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps))) goto error; @@ -422,6 +475,7 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn, ret = 0; cleanup: + VIR_FREE(tlsAlias); virJSONValueFree(secobjProps); virJSONValueFree(encobjProps); qemuDomainSecretDiskDestroy(disk); @@ -453,6 +507,8 @@ qemuDomainAttachVirtioDiskDevice(virConnectPtr conn, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); error: + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, NULL, tlsAlias); + if (releaseaddr) qemuDomainReleaseDeviceAddress(vm, &disk->info, src); @@ -611,6 +667,7 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn, virErrorPtr orig_err; char *drivestr = NULL; char *devstr = NULL; + char *tlsAlias = NULL; bool driveAdded = false; bool encobjAdded = false; bool secobjAdded = false; @@ -667,6 +724,9 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn, if (!(devstr = qemuBuildDriveDevStr(vm->def, disk, 0, priv->qemuCaps))) goto error; + if (qemuDomainAddDiskTLSObject(driver, vm, disk, &tlsAlias) < 0) + goto error; + if (!(drivestr = qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps))) goto error; @@ -712,6 +772,7 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn, ret = 0; cleanup: + VIR_FREE(tlsAlias); virJSONValueFree(secobjProps); virJSONValueFree(encobjProps); qemuDomainSecretDiskDestroy(disk); @@ -740,6 +801,8 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); error: + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, NULL, tlsAlias); + ignore_value(qemuDomainPrepareDisk(driver, vm, disk, NULL, true)); goto cleanup; } @@ -756,6 +819,7 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr driver, char *drivealias = NULL; char *drivestr = NULL; char *devstr = NULL; + char *tlsAlias = NULL; bool driveAdded = false; virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); const char *src = virDomainDiskGetSource(disk); @@ -780,6 +844,9 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr driver, if (qemuAssignDeviceDiskAlias(vm->def, disk, priv->qemuCaps) < 0) goto error; + if (qemuDomainAddDiskTLSObject(driver, vm, disk, &tlsAlias) < 0) + goto error; + if (!(drivestr = qemuBuildDriveStr(disk, cfg, false, priv->qemuCaps))) goto error; @@ -810,6 +877,7 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr driver, ret = 0; cleanup: + VIR_FREE(tlsAlias); if (ret < 0 && releaseaddr) virDomainUSBAddressRelease(priv->usbaddrs, &disk->info); VIR_FREE(devstr); @@ -833,6 +901,8 @@ qemuDomainAttachUSBMassStorageDevice(virQEMUDriverPtr driver, virDomainAuditDisk(vm, NULL, disk->src, "attach", false); error: + qemuDomainDelTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, NULL, tlsAlias); + ignore_value(qemuDomainPrepareDisk(driver, vm, disk, NULL, true)); goto cleanup; } @@ -3710,6 +3780,9 @@ qemuDomainRemoveDiskDevice(virQEMUDriverPtr driver, ignore_value(qemuMonitorDelObject(priv->mon, encAlias)); VIR_FREE(encAlias); + if (disk->src->tlsAlias) + ignore_value(qemuMonitorDelObject(priv->mon, disk->src->tlsAlias)); + if (qemuDomainObjExitMonitor(driver, vm) < 0) return -1; diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args new file mode 100644 index 000000000..572c9f36c --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args @@ -0,0 +1,43 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/home/test \ +USER=test \ +LOGNAME=test \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-x86_64 \ +-name QEMUGuest1 \ +-S \ +-M pc \ +-cpu qemu32 \ +-m 214 \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-nographic \ +-nodefaults \ +-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\ +server,nowait \ +-mon chardev=charmonitor,id=monitor,mode=readline \ +-no-acpi \ +-boot c \ +-usb \ +-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\ +endpoint=client,verify-peer=yes \ +-drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\ +file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.type=tcp,\ +file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,\ +id=drive-virtio-disk0,cache=none \ +-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ +id=virtio-disk0 \ +-object tls-creds-x509,id=objvirtio-disk1_tls0,dir=/etc/pki/qemu,\ +endpoint=client,verify-peer=yes \ +-drive file.driver=vxhs,file.tls-creds=objvirtio-disk1_tls0,\ +file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc252,file.server.type=tcp,\ +file.server.host=192.168.0.2,file.server.port=9999,format=raw,if=none,\ +id=drive-virtio-disk1,cache=none \ +-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,\ +id=virtio-disk1 \ +-drive file.driver=vxhs,file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc253,\ +file.server.type=tcp,file.server.host=192.168.0.3,file.server.port=9999,\ +format=raw,if=none,id=drive-virtio-disk2,cache=none \ +-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk2,\ +id=virtio-disk2 diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml new file mode 100644 index 000000000..a66e81f06 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml @@ -0,0 +1,50 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <driver name='qemu' type='raw' cache='none'/> + <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc251'> + <host name='192.168.0.1' port='9999'/> + </source> + <target dev='vda' bus='virtio'/> + <serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw' cache='none'/> + <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc252'> + <host name='192.168.0.2' port='9999'/> + </source> + <target dev='vdb' bus='virtio'/> + <serial>eb90327c-8302-4725-9e1b-4e85ed4dc252</serial> + <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw' cache='none'/> + <source protocol='vxhs' name='eb90327c-8302-4725-9e1b-4e85ed4dc253' tls='no'> + <host name='192.168.0.3' port='9999'/> + </source> + <target dev='vdc' bus='virtio'/> + <serial>eb90327c-8302-4725-9e1b-4e85ed4dc252</serial> + <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> + </disk> + <controller type='usb' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args new file mode 100644 index 000000000..aaf88635b --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args @@ -0,0 +1,30 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/home/test \ +USER=test \ +LOGNAME=test \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-x86_64 \ +-name QEMUGuest1 \ +-S \ +-M pc \ +-cpu qemu32 \ +-m 214 \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-nographic \ +-nodefaults \ +-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\ +server,nowait \ +-mon chardev=charmonitor,id=monitor,mode=readline \ +-no-acpi \ +-boot c \ +-usb \ +-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\ +endpoint=client,verify-peer=yes \ +-drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\ +file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,file.server.type=tcp,\ +file.server.host=192.168.0.1,file.server.port=9999,format=raw,if=none,\ +id=drive-virtio-disk0,cache=none \ +-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ +id=virtio-disk0 diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 01a518eff..5cdc1a726 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -932,6 +932,13 @@ mymain(void) DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE); DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS); + driver.config->vxhsTLS = 1; + DO_TEST("disk-drive-network-tlsx509-vxhs", QEMU_CAPS_VXHS, + QEMU_CAPS_OBJECT_TLS_CREDS_X509); + DO_TEST("disk-drive-network-tlsx509-multidisk-vxhs", QEMU_CAPS_VXHS, + QEMU_CAPS_OBJECT_TLS_CREDS_X509); + driver.config->vxhsTLS = 0; + VIR_FREE(driver.config->vxhsTLSx509certdir); DO_TEST("disk-drive-no-boot", QEMU_CAPS_BOOTINDEX); DO_TEST_PARSE_ERROR("disk-device-lun-type-invalid", -- 2.13.5
On Thu, Sep 14, 2017 at 08:51:56 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
Alter qemu command line generation in order to possibly add TLS for a suitably configured domain.
Sample TLS args generated by libvirt -
-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\ endpoint=client,verify-peer=yes \ -drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\ file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=tcp,file.server.host=192.168.0.1,\ file.server.port=9999,format=raw,if=none,\ id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0
Update the qemuxml2argvtest with a couple of examples. One for a simple case and the other a bit more complex where multiple VxHS disks are added where at least one uses a VxHS that doesn't require TLS credentials and thus sets the domain disk source attribute "tls = 'no'".
Update the hotplug to be able to handle processing the tlsAlias whether it's to add the TLS object when hotplugging a disk or to remove the TLS object when hot unplugging a disk. The hot plug/unplug code is largely generic, but the addition code does make the VXHS specific checks only because it needs to grab the correct config directory and generate the object as the command line would do.
Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 8 +++ src/qemu/qemu_command.c | 29 +++++++++ src/qemu/qemu_hotplug.c | 73 ++++++++++++++++++++++ ...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 +++++++++++++ ...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 +++++++++++++++ ...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 +++++++++ tests/qemuxml2argvtest.c | 7 +++ 7 files changed, 240 insertions(+) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index ca6e213b4..458b90d8e 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -529,16 +529,24 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src) return NULL; }
+ if (src->haveTLS == VIR_TRISTATE_BOOL_YES && !src->tlsAlias) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("VxHS disk does not have TLS alias set")); + return NULL; + } + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true))) return NULL;
/* VxHS disk specification example: * { driver:"vxhs", + * [tls-creds:"objvirtio-disk0_tls0",]
Be careful with square brackets in JSON, they denote an array.
* vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", * server:[{type:"tcp", host:"1.2.3.4", port:9999}]} */ if (virJSONValueObjectCreate(&ret, "s:driver", protocol, + "S:tls-creds", src->tlsAlias, "s:vdisk-id", src->path, "a:server", server, NULL) < 0) virJSONValueFree(server); diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 0a3278510..7b98e1947 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -794,6 +794,32 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd, }
+/* qemuBuildDiskTLSx509CommandLine: + * + * Add TLS object if the disk uses a secure communication channel + * + * Returns 0 on success, -1 w/ error on some sort of failure. + */ +static int +qemuBuildDiskTLSx509CommandLine(virCommandPtr cmd, + virQEMUDriverConfigPtr cfg, + virDomainDiskDefPtr disk, + virQEMUCapsPtr qemuCaps) +{ + virStorageSourcePtr src = disk->src; + + /* other protocols may be added later */ + if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS && + disk->src->haveTLS == VIR_TRISTATE_BOOL_YES) { + return qemuBuildTLSx509CommandLine(cmd, cfg->vxhsTLSx509certdir, + false, true, false, + disk->info.alias, qemuCaps); + } + + return 0; +} + + static char * qemuBuildNetworkDriveURI(virStorageSourcePtr src, qemuDomainSecretInfoPtr secinfo)
[...]
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index b365078ec..e4174af35 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -152,6 +152,55 @@ qemuDomainPrepareDisk(virQEMUDriverPtr driver,
static int +qemuDomainAddDiskTLSObject(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virDomainDiskDefPtr disk, + char **tlsAlias)
I don't particularly like this. You set it into the disk object, so there should be a function which rolls this back for a disk (or preferably a virStorageSource).
+{ + int ret = -1; + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + qemuDomainObjPrivatePtr priv = vm->privateData; + virStorageSourcePtr src = disk->src; + virJSONValuePtr tlsProps = NULL; + + /* NB: This may alter haveTLS based on cfg */ + qemuDomainPrepareDiskSourceTLS(src, disk->info.alias, cfg);
This should be executed in the hotplug API function and not in a helper.
+ + if (src->haveTLS != VIR_TRISTATE_BOOL_YES) { + ret = 0; + goto cleanup; + } + + /* Initial implementation doesn't require/use a secret to decrypt + * a server certificate, so there's no need to manage a tlsSecAlias + * and tlsSecProps. See qemuDomainAddChardevTLSObjects for the + * methodology required to add a secret object. */ + + /* For a VxHS environment, create a TLS object for the client to + * connect to the VxHS server. */ + if (src->type == VIR_STORAGE_TYPE_NETWORK && + src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS && + qemuDomainGetTLSObjects(priv->qemuCaps, NULL, + cfg->vxhsTLSx509certdir, false, true, + disk->info.alias, &tlsProps, tlsAlias, + NULL, NULL) < 0)
This looks like another place that extracts qemu-specific stuff, which need to be duplicated for blockdev add. Can't we make the cert dir part of virStorageSource?
+ goto cleanup; + + if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + NULL, NULL, *tlsAlias, &tlsProps) < 0) + goto cleanup; + + ret = 0; + + cleanup: + virJSONValueFree(tlsProps); + virObjectUnref(cfg); + + return ret; +} + + +static int qemuHotplugWaitForTrayEject(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainDiskDefPtr disk,
On 09/19/2017 10:02 AM, Peter Krempa wrote:
On Thu, Sep 14, 2017 at 08:51:56 -0400, John Ferlan wrote:
From: Ashish Mittal <Ashish.Mittal@veritas.com>
Alter qemu command line generation in order to possibly add TLS for a suitably configured domain.
Sample TLS args generated by libvirt -
-object tls-creds-x509,id=objvirtio-disk0_tls0,dir=/etc/pki/qemu,\ endpoint=client,verify-peer=yes \ -drive file.driver=vxhs,file.tls-creds=objvirtio-disk0_tls0,\ file.vdisk-id=eb90327c-8302-4725-9e1b-4e85ed4dc251,\ file.server.type=tcp,file.server.host=192.168.0.1,\ file.server.port=9999,format=raw,if=none,\ id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0
Update the qemuxml2argvtest with a couple of examples. One for a simple case and the other a bit more complex where multiple VxHS disks are added where at least one uses a VxHS that doesn't require TLS credentials and thus sets the domain disk source attribute "tls = 'no'".
Update the hotplug to be able to handle processing the tlsAlias whether it's to add the TLS object when hotplugging a disk or to remove the TLS object when hot unplugging a disk. The hot plug/unplug code is largely generic, but the addition code does make the VXHS specific checks only because it needs to grab the correct config directory and generate the object as the command line would do.
Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com> Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_block.c | 8 +++ src/qemu/qemu_command.c | 29 +++++++++ src/qemu/qemu_hotplug.c | 73 ++++++++++++++++++++++ ...-disk-drive-network-tlsx509-multidisk-vxhs.args | 43 +++++++++++++ ...v-disk-drive-network-tlsx509-multidisk-vxhs.xml | 50 +++++++++++++++ ...muxml2argv-disk-drive-network-tlsx509-vxhs.args | 30 +++++++++ tests/qemuxml2argvtest.c | 7 +++ 7 files changed, 240 insertions(+) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-multidisk-vxhs.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.args
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index ca6e213b4..458b90d8e 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -529,16 +529,24 @@ qemuBlockStorageSourceGetVxHSProps(virStorageSourcePtr src) return NULL; }
+ if (src->haveTLS == VIR_TRISTATE_BOOL_YES && !src->tlsAlias) { + virReportError(VIR_ERR_INVALID_ARG, "%s", + _("VxHS disk does not have TLS alias set")); + return NULL; + } + if (!(server = qemuBlockStorageSourceBuildJSONSocketAddress(src->hosts, true))) return NULL;
/* VxHS disk specification example: * { driver:"vxhs", + * [tls-creds:"objvirtio-disk0_tls0",]
Be careful with square brackets in JSON, they denote an array.
OK - I can remove... Obviously it's the "optional" marking that I'm after...
* vdisk-id:"eb90327c-8302-4725-4e85ed4dc251", * server:[{type:"tcp", host:"1.2.3.4", port:9999}]} */ if (virJSONValueObjectCreate(&ret, "s:driver", protocol, + "S:tls-creds", src->tlsAlias, "s:vdisk-id", src->path, "a:server", server, NULL) < 0) virJSONValueFree(server); diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 0a3278510..7b98e1947 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -794,6 +794,32 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd, }
+/* qemuBuildDiskTLSx509CommandLine: + * + * Add TLS object if the disk uses a secure communication channel + * + * Returns 0 on success, -1 w/ error on some sort of failure. + */ +static int +qemuBuildDiskTLSx509CommandLine(virCommandPtr cmd, + virQEMUDriverConfigPtr cfg, + virDomainDiskDefPtr disk, + virQEMUCapsPtr qemuCaps) +{ + virStorageSourcePtr src = disk->src; + + /* other protocols may be added later */ + if (src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS && + disk->src->haveTLS == VIR_TRISTATE_BOOL_YES) { + return qemuBuildTLSx509CommandLine(cmd, cfg->vxhsTLSx509certdir, + false, true, false, + disk->info.alias, qemuCaps); + } + + return 0; +} + + static char * qemuBuildNetworkDriveURI(virStorageSourcePtr src, qemuDomainSecretInfoPtr secinfo)
[...]
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index b365078ec..e4174af35 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -152,6 +152,55 @@ qemuDomainPrepareDisk(virQEMUDriverPtr driver,
static int +(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virDomainDiskDefPtr disk, + char **tlsAlias)
I don't particularly like this. You set it into the disk object, so there should be a function which rolls this back for a disk (or preferably a virStorageSource).
Sure that's fine - the rollback code is so ugly anyway - this just adds to its misery.
+{ + int ret = -1; + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + qemuDomainObjPrivatePtr priv = vm->privateData; + virStorageSourcePtr src = disk->src; + virJSONValuePtr tlsProps = NULL; + + /* NB: This may alter haveTLS based on cfg */ + qemuDomainPrepareDiskSourceTLS(src, disk->info.alias, cfg);
This should be executed in the hotplug API function and not in a helper.
I was trying to avoid replication of code for each of the 3 disk types in the event that at some future point more than one has TLS. I actually prefer it here.
+ + if (src->haveTLS != VIR_TRISTATE_BOOL_YES) { + ret = 0; + goto cleanup; + } + + /* Initial implementation doesn't require/use a secret to decrypt + * a server certificate, so there's no need to manage a tlsSecAlias + * and tlsSecProps. See qemuDomainAddChardevTLSObjects for the + * methodology required to add a secret object. */ + + /* For a VxHS environment, create a TLS object for the client to + * connect to the VxHS server. */ + if (src->type == VIR_STORAGE_TYPE_NETWORK && + src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS && + qemuDomainGetTLSObjects(priv->qemuCaps, NULL, + cfg->vxhsTLSx509certdir, false, true, + disk->info.alias, &tlsProps, tlsAlias, + NULL, NULL) < 0)
This looks like another place that extracts qemu-specific stuff, which need to be duplicated for blockdev add. Can't we make the cert dir part of virStorageSource?
Hmmmmm... I think we can do that... The qemuDomainPrepareDiskSourceTLS would change to fill in some sort of src->TLSx509certdir based on src->type and protocol which then would be used by this code. And the only reason why @disk was passed was to get src and srcalias. I can adjust that too. Tks - John
+ goto cleanup; + + if (qemuDomainAddTLSObjects(driver, vm, QEMU_ASYNC_JOB_NONE, + NULL, NULL, *tlsAlias, &tlsProps) < 0) + goto cleanup; + + ret = 0; + + cleanup: + virJSONValueFree(tlsProps); + virObjectUnref(cfg); + + return ret; +} + + +static int qemuHotplugWaitForTrayEject(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainDiskDefPtr disk,
participants (2)
-
John Ferlan -
Peter Krempa