11:22 a.m.
With blockdev we need to interpret the fields in order to actually
use them in qemu. Unfortunately we didn't do that for some and
libguestfs was using them in backing store strings.
Model all known curl driver options and pass-through ssh driver options
as we don't model the ssh driver.
Changes can be fetched from:
git fetch https://gitlab.com/pipo.sk/libvirt.git json-props
https://gitlab.com/pipo.sk/libvirt/-/commits/json-props
Peter Krempa (30):
qemuBlockStorageSourceDetachPrepare: Get rid of cleanup section
qemu: Don't take double pointer in qemuDomainSecretInfoFree
qemuMigrationParamsResetTLS: Adapt to modern memory management
qemuMigrationParamsResetTLS: Fix comment
qemu: domain: Split out encryption of secret object data
qemu: Introduce another helper for creating alias for a 'secret'
object
qemuDomainSecretStorageSourcePrepare: Fix naming of alias variables
qemuDomainDeviceDiskDefPostParseRestoreSecAlias: Hardcode restored
aliases
qemu: Split out initialization of secrets for 'iscsi' hostdevs
qemuDomainSecretAESSetupFromSecret: Use 'qemuAliasForSecret'
qemuDomainSecretStorageSourcePrepare: Change aliases for disk secrets
qemuDomainGetSecretAESAlias: Replace outstanding uses with
qemuAliasForSecret
conf: Add support for modifying ssl validation for https/ftps disks
conf: Add support for cookies for HTTP based disks
conf: Add support for setting timeout and readahead size for network
disks
qemuDomainValidateStorageSource: Validate new network storage
parameters
qemuxml2argvtest: Add test case for disks with http(s) source
qemu: block: Implement ssl verification configuration
qemu: domain: Store data for 'secret' object representing http cookies
qemuDomainSecretStorageSourcePrepare: Setup secret for http cookies
qemu: Handle hotplug and commandline for secret objects for http
cookies
qemu: block: Add support for HTTP cookies
qemu: block: Implement readahead and timeout properties for 'curl'
driver
virstoragefile: Add JSON parser for 'sslverify', 'readahead',
'cookies' and 'timeout'
virStorageSourceParseBackingJSONUri: Handle undocumented value 'off'
for sslverify
qemublocktest: Load QMP schema earlier
qemublocktest: Extract schema root for blockdev-add validation
qemublocktest: XMLjsonXML: Test formatting/parsing of modern JSON
qemublocktest: Add JSON->JSON test cases for block device backends
qemu: Pass through arguments of 'ssh' block driver used by libguestfs
docs/formatdomain.html.in | 35 ++
docs/schemas/domaincommon.rng | 98 ++++-
src/conf/domain_conf.c | 119 +++++++
src/libvirt_private.syms | 1 +
src/qemu/qemu_alias.c | 32 +-
src/qemu/qemu_alias.h | 4 +-
src/qemu/qemu_block.c | 50 ++-
src/qemu/qemu_block.h | 3 +
src/qemu/qemu_command.c | 5 +
src/qemu/qemu_domain.c | 337 +++++++++++-------
src/qemu/qemu_domain.h | 7 +-
src/qemu/qemu_hotplug.c | 4 +-
src/qemu/qemu_migration_params.c | 16 +-
src/util/virstoragefile.c | 229 +++++++++++-
src/util/virstoragefile.h | 24 ++
.../disk-network-http.xml | 19 +
tests/qemublocktest.c | 136 ++++++-
.../jsontojson/curl-libguestfs-in.json | 1 +
.../jsontojson/curl-libguestfs-out.json | 9 +
.../ssh-passthrough-libguestfs-in.json | 1 +
.../ssh-passthrough-libguestfs-out.json | 14 +
tests/qemustatusxml2xmldata/modern-in.xml | 1 +
...-backing-chains-noindex.x86_64-2.12.0.args | 4 +-
...-backing-chains-noindex.x86_64-latest.args | 6 +-
...sk-hostdev-scsi-virtio-iscsi-auth-AES.args | 6 +-
.../disk-network-http.x86_64-latest.args | 67 ++++
tests/qemuxml2argvdata/disk-network-http.xml | 61 ++++
.../disk-network-iscsi.x86_64-2.12.0.args | 12 +-
.../disk-network-iscsi.x86_64-latest.args | 8 +-
.../disk-network-rbd.x86_64-2.12.0.args | 4 +-
.../disk-network-rbd.x86_64-latest.args | 4 +-
...isk-network-source-auth.x86_64-2.12.0.args | 10 +-
...isk-network-source-auth.x86_64-latest.args | 8 +-
.../disk-nvme.x86_64-latest.args | 4 +-
.../encrypted-disk-usage.args | 4 +-
tests/qemuxml2argvdata/encrypted-disk.args | 4 +-
.../luks-disks-source-qcow2.args | 24 +-
...luks-disks-source-qcow2.x86_64-latest.args | 32 +-
tests/qemuxml2argvdata/luks-disks-source.args | 26 +-
tests/qemuxml2argvdata/luks-disks.args | 10 +-
tests/qemuxml2argvdata/user-aliases.args | 4 +-
tests/qemuxml2argvtest.c | 1 +
tests/virstoragetest.c | 30 ++
43 files changed, 1197 insertions(+), 277 deletions(-)
create mode 100644 tests/qemublocktestdata/jsontojson/curl-libguestfs-in.json
create mode 100644 tests/qemublocktestdata/jsontojson/curl-libguestfs-out.json
create mode 100644 tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-in.json
create mode 100644
tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-out.json
create mode 100644 tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-http.xml
--
2.24.1
11:22 a.m.
New subject: [PATCH 01/30] qemuBlockStorageSourceDetachPrepare: Get rid of cleanup section
Use g_new0 to completely avoid the 'cleanup' labe.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 152c73f1bf..0357815b07 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1734,10 +1734,8 @@ qemuBlockStorageSourceDetachPrepare(virStorageSourcePtr src,
{
qemuDomainStorageSourcePrivatePtr srcpriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
g_autoptr(qemuBlockStorageSourceAttachData) data = NULL;
- qemuBlockStorageSourceAttachDataPtr ret = NULL;
- if (VIR_ALLOC(data) < 0)
- goto cleanup;
+ data = g_new0(qemuBlockStorageSourceAttachData, 1);
if (driveAlias) {
data->driveAlias = g_steal_pointer(&driveAlias);
@@ -1771,11 +1769,7 @@ qemuBlockStorageSourceDetachPrepare(virStorageSourcePtr src,
data->encryptsecretAlias = g_strdup(srcpriv->encinfo->s.aes.alias);
}
- ret = g_steal_pointer(&data);
-
- cleanup:
- VIR_FREE(driveAlias);
- return ret;
+ return g_steal_pointer(&data);
}
--
2.24.1
1:25 p.m.
New subject: [PATCH 01/30] qemuBlockStorageSourceDetachPrepare: Get rid of cleanup section
On a Monday in 2020, Peter Krempa wrote:
Use g_new0 to completely avoid the 'cleanup' labe.
s/labe/label/
This is neither sparta [0] nor Patrick [1].
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
[0] https://en.wikipedia.org/wiki/Molon_labe
[1] https://en.wikipedia.org/wiki/Patrick_Star
11:22 a.m.
New subject: [PATCH 02/30] qemu: Don't take double pointer in qemuDomainSecretInfoFree
Using a doulble pointer prevents the function from being used as the
automatic cleanup function for the given type.
Remove the double pointer use by replacing the calls with
g_clear_pointer which ensures that the pointer is cleared.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 30 +++++++++++++-----------------
src/qemu/qemu_domain.h | 2 +-
src/qemu/qemu_migration_params.c | 2 +-
3 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 33c2158eb5..bd32949e9b 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1099,14 +1099,10 @@ qemuDomainSecretInfoClear(qemuDomainSecretInfoPtr secinfo,
void
-qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr *secinfo)
+qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr secinfo)
{
- if (!*secinfo)
- return;
-
- qemuDomainSecretInfoClear(*secinfo, false);
-
- VIR_FREE(*secinfo);
+ qemuDomainSecretInfoClear(secinfo, false);
+ g_free(secinfo);
}
@@ -1196,8 +1192,8 @@ qemuDomainStorageSourcePrivateDispose(void *obj)
{
qemuDomainStorageSourcePrivatePtr priv = obj;
- qemuDomainSecretInfoFree(&priv->secinfo);
- qemuDomainSecretInfoFree(&priv->encinfo);
+ g_clear_pointer(&priv->secinfo, qemuDomainSecretInfoFree);
+ g_clear_pointer(&priv->encinfo, qemuDomainSecretInfoFree);
}
@@ -1276,7 +1272,7 @@ qemuDomainChrSourcePrivateDispose(void *obj)
{
qemuDomainChrSourcePrivatePtr priv = obj;
- qemuDomainSecretInfoFree(&priv->secinfo);
+ g_clear_pointer(&priv->secinfo, qemuDomainSecretInfoFree);
}
@@ -1355,7 +1351,7 @@ qemuDomainGraphicsPrivateDispose(void *obj)
qemuDomainGraphicsPrivatePtr priv = obj;
VIR_FREE(priv->tlsAlias);
- qemuDomainSecretInfoFree(&priv->secinfo);
+ g_clear_pointer(&priv->secinfo, qemuDomainSecretInfoFree);
}
@@ -1631,7 +1627,7 @@ qemuDomainSecretInfoNewPlain(virSecretUsageType usageType,
return NULL;
if (qemuDomainSecretPlainSetup(secinfo, usageType, username, lookupDef) < 0) {
- qemuDomainSecretInfoFree(&secinfo);
+ g_clear_pointer(&secinfo, qemuDomainSecretInfoFree);
return NULL;
}
@@ -1674,7 +1670,7 @@ qemuDomainSecretInfoNew(qemuDomainObjPrivatePtr priv,
if (qemuDomainSecretAESSetup(priv, secinfo, srcAlias, usageType, username,
lookupDef, isLuks) < 0) {
- qemuDomainSecretInfoFree(&secinfo);
+ g_clear_pointer(&secinfo, qemuDomainSecretInfoFree);
return NULL;
}
@@ -1836,7 +1832,7 @@ qemuDomainSecretHostdevDestroy(virDomainHostdevDefPtr hostdev)
if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) {
srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(iscsisrc->src);
if (srcPriv && srcPriv->secinfo)
- qemuDomainSecretInfoFree(&srcPriv->secinfo);
+ g_clear_pointer(&srcPriv->secinfo, qemuDomainSecretInfoFree);
}
}
}
@@ -1880,7 +1876,7 @@ qemuDomainSecretChardevDestroy(virDomainChrSourceDefPtr dev)
if (!chrSourcePriv || !chrSourcePriv->secinfo)
return;
- qemuDomainSecretInfoFree(&chrSourcePriv->secinfo);
+ g_clear_pointer(&chrSourcePriv->secinfo, qemuDomainSecretInfoFree);
}
@@ -1935,7 +1931,7 @@ qemuDomainSecretGraphicsDestroy(virDomainGraphicsDefPtr graphics)
return;
VIR_FREE(gfxPriv->tlsAlias);
- qemuDomainSecretInfoFree(&gfxPriv->secinfo);
+ g_clear_pointer(&gfxPriv->secinfo, qemuDomainSecretInfoFree);
}
@@ -2283,7 +2279,7 @@ qemuDomainObjPrivateFree(void *data)
}
VIR_FREE(priv->cleanupCallbacks);
- qemuDomainSecretInfoFree(&priv->migSecinfo);
+ g_clear_pointer(&priv->migSecinfo, qemuDomainSecretInfoFree);
qemuDomainMasterKeyFree(priv);
virHashFree(priv->blockjobs);
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 476056c73f..10d6264e46 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -1032,7 +1032,7 @@ void qemuDomainMasterKeyRemove(qemuDomainObjPrivatePtr priv);
bool qemuDomainSupportsEncryptedSecret(qemuDomainObjPrivatePtr priv);
-void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr *secinfo)
+void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr secinfo)
ATTRIBUTE_NONNULL(1);
void qemuDomainSecretInfoDestroy(qemuDomainSecretInfoPtr secinfo);
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index a92bb2fa2b..a36c6a4aea 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1086,7 +1086,7 @@ qemuMigrationParamsResetTLS(virQEMUDriverPtr driver,
secAlias = qemuDomainGetSecretAESAlias(QEMU_MIGRATION_TLS_ALIAS_BASE, false);
qemuDomainDelTLSObjects(driver, vm, asyncJob, secAlias, tlsAlias);
- qemuDomainSecretInfoFree(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo);
+ g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo,
qemuDomainSecretInfoFree);
VIR_FREE(tlsAlias);
VIR_FREE(secAlias);
--
2.24.1
1:31 p.m.
New subject: [PATCH 02/30] qemu: Don't take double pointer in qemuDomainSecretInfoFree
On a Monday in 2020, Peter Krempa wrote:
Using a doulble pointer prevents the function from being used as the
*double
automatic cleanup function for the given type.
Remove the double pointer use by replacing the calls with
g_clear_pointer which ensures that the pointer is cleared.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 30 +++++++++++++-----------------
src/qemu/qemu_domain.h | 2 +-
src/qemu/qemu_migration_params.c | 2 +-
3 files changed, 15 insertions(+), 19 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 03/30] qemuMigrationParamsResetTLS: Adapt to modern memory management
Use g_autofree instead of VIR_FREE and delete the comment mentioning
possible failure to allocate memory.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_migration_params.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index a36c6a4aea..8c552ab9a0 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1070,8 +1070,8 @@ qemuMigrationParamsResetTLS(virQEMUDriverPtr driver,
qemuMigrationParamsPtr origParams,
unsigned long apiFlags)
{
- char *tlsAlias = NULL;
- char *secAlias = NULL;
+ g_autofree char *tlsAlias = NULL;
+ g_autofree char *secAlias = NULL;
/* There's nothing to do if QEMU does not support TLS migration or we were
* not asked to enable it. */
@@ -1079,17 +1079,11 @@ qemuMigrationParamsResetTLS(virQEMUDriverPtr driver,
!(apiFlags & VIR_MIGRATE_TLS))
return;
- /* NB: If either or both fail to allocate memory we can still proceed
- * since the next time we migrate another deletion attempt will be
- * made after successfully generating the aliases. */
tlsAlias = qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE);
secAlias = qemuDomainGetSecretAESAlias(QEMU_MIGRATION_TLS_ALIAS_BASE, false);
qemuDomainDelTLSObjects(driver, vm, asyncJob, secAlias, tlsAlias);
g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo,
qemuDomainSecretInfoFree);
-
- VIR_FREE(tlsAlias);
- VIR_FREE(secAlias);
}
--
2.24.1
1:34 p.m.
New subject: [PATCH 03/30] qemuMigrationParamsResetTLS: Adapt to modern memory management
On a Monday in 2020, Peter Krempa wrote:
Use g_autofree instead of VIR_FREE and delete the comment mentioning
possible failure to allocate memory.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_migration_params.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 04/30] qemuMigrationParamsResetTLS: Fix comment
The comment mentioned that the function resets migration params, but
that is not true.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_migration_params.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index 8c552ab9a0..f9bc43afee 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1061,7 +1061,7 @@ qemuMigrationParamsDisableTLS(virDomainObjPtr vm,
* @apiFlags: API flags used to start the migration
*
* Deconstruct all the setup possibly done for TLS - delete the TLS and
- * security objects, free the secinfo, and reset the migration params to "".
+ * security objects.
*/
static void
qemuMigrationParamsResetTLS(virQEMUDriverPtr driver,
--
2.24.1
10:07 a.m.
New subject: [PATCH 04/30] qemuMigrationParamsResetTLS: Fix comment
On a Monday in 2020, Peter Krempa wrote:
The comment mentioned that the function resets migration params, but
that is not true.
Not true as of commit eb54cb473a8d140e0dd4a7bd42e8bcd72b056368
qemu: Reset all migration parameters
Also, you remove "free the secinfo" from the comment, even though it
still does free it.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_migration_params.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index 8c552ab9a0..f9bc43afee 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1061,7 +1061,7 @@ qemuMigrationParamsDisableTLS(virDomainObjPtr vm,
* @apiFlags: API flags used to start the migration
*
* Deconstruct all the setup possibly done for TLS - delete the TLS and
- * security objects, free the secinfo, and reset the migration params to "".
+ * security objects.
*/
static void
qemuMigrationParamsResetTLS(virQEMUDriverPtr driver,
--
2.24.1
With the secinfo change mentioned in the commit message:
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 05/30] qemu: domain: Split out encryption of secret object data
Previously qemuDomainSecretAESSetup was looking up the secret in the
secret diver as well as encrypting it for use with qemu. Split out the
the lookup into a wrapper for this function so that we can reuse the
original internals when we don't need to look up a secret with the
secret driver. The new wrapper is called
qemuDomainSecretAESSetupFromSecret.
This refactor also changes the functions to return qemuDomainSecretInfoPtr
directly rather than filling it via an argument. This rendered
qemuDomainSecretInfoNew obsolete and thus it was deleted.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 180 ++++++++++++++++++-----------------------
src/qemu/qemu_domain.h | 2 +
2 files changed, 81 insertions(+), 101 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index bd32949e9b..52d2dddede 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1513,79 +1513,100 @@ qemuDomainSecretPlainSetup(qemuDomainSecretInfoPtr secinfo,
/* qemuDomainSecretAESSetup:
* @priv: pointer to domain private object
- * @secinfo: Pointer to secret info
- * @srcalias: Alias of the disk/hostdev used to generate the secret alias
- * @usageType: The virSecretUsageType
- * @username: username to use for authentication (may be NULL)
- * @seclookupdef: Pointer to seclookupdef data
- * @isLuks: True/False for is for luks (alias generation)
+ * @alias: alias of the secret
+ * @username: username to use (may be NULL)
+ * @secret: secret data
+ * @secretlen: length of @secret
*
- * Taking a secinfo, fill in the AES specific information using the
- *
- * Returns 0 on success, -1 on failure with error message
+ * Encrypts @secret to use with the domain.
*/
-static int
+static qemuDomainSecretInfoPtr
qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
- qemuDomainSecretInfoPtr secinfo,
- const char *srcalias,
- virSecretUsageType usageType,
+ const char *alias,
const char *username,
- virSecretLookupTypeDefPtr seclookupdef,
- bool isLuks)
+ uint8_t *secret,
+ size_t secretlen)
{
- g_autoptr(virConnect) conn = virGetConnectSecret();
- int ret = -1;
- uint8_t *raw_iv = NULL;
+ g_autoptr(qemuDomainSecretInfo) secinfo = NULL;
+ g_autofree uint8_t *raw_iv = NULL;
size_t ivlen = QEMU_DOMAIN_AES_IV_LEN;
- uint8_t *secret = NULL;
- size_t secretlen = 0;
- uint8_t *ciphertext = NULL;
+ g_autofree uint8_t *ciphertext = NULL;
size_t ciphertextlen = 0;
- if (!conn)
- return -1;
+ if (!qemuDomainSupportsEncryptedSecret(priv)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("encrypted secrets are not supported"));
+ return NULL;
+ }
+
+ secinfo = g_new0(qemuDomainSecretInfo, 1);
secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES;
+ secinfo->s.aes.alias = g_strdup(alias);
secinfo->s.aes.username = g_strdup(username);
- if (!(secinfo->s.aes.alias = qemuDomainGetSecretAESAlias(srcalias, isLuks)))
- goto cleanup;
-
- if (VIR_ALLOC_N(raw_iv, ivlen) < 0)
- goto cleanup;
+ raw_iv = g_new0(uint8_t, ivlen);
/* Create a random initialization vector */
if (virRandomBytes(raw_iv, ivlen) < 0)
- goto cleanup;
+ return NULL;
/* Encode the IV and save that since qemu will need it */
secinfo->s.aes.iv = g_base64_encode(raw_iv, ivlen);
- /* Grab the unencoded secret */
- if (virSecretGetSecretString(conn, seclookupdef, usageType,
- &secret, &secretlen) < 0)
- goto cleanup;
-
if (virCryptoEncryptData(VIR_CRYPTO_CIPHER_AES256CBC,
priv->masterKey, QEMU_DOMAIN_MASTER_KEY_LEN,
raw_iv, ivlen, secret, secretlen,
&ciphertext, &ciphertextlen) < 0)
- goto cleanup;
-
- /* Clear out the secret */
- memset(secret, 0, secretlen);
+ return NULL;
/* Now encode the ciphertext and store to be passed to qemu */
- secinfo->s.aes.ciphertext = g_base64_encode(ciphertext,
- ciphertextlen);
+ secinfo->s.aes.ciphertext = g_base64_encode(ciphertext, ciphertextlen);
- ret = 0;
+ return g_steal_pointer(&secinfo);
+}
+
+
+/**
+ * qemuDomainSecretAESSetupFromSecret:
+ * @priv: pointer to domain private object
+ * @srcalias: Alias of the disk/hostdev used to generate the secret alias
+ * @usageType: The virSecretUsageType
+ * @username: username to use for authentication (may be NULL)
+ * @seclookupdef: Pointer to seclookupdef data
+ * @isLuks: True/False for is for luks (alias generation)
+ *
+ * Looks up a secret in the secret driver based on @usageType and @seclookupdef
+ * and builds qemuDomainSecretInfoPtr from it.
+ */
+static qemuDomainSecretInfoPtr
+qemuDomainSecretAESSetupFromSecret(qemuDomainObjPrivatePtr priv,
+ const char *srcalias,
+ virSecretUsageType usageType,
+ const char *username,
+ virSecretLookupTypeDefPtr seclookupdef,
+ bool isLuks)
+{
+ g_autoptr(virConnect) conn = virGetConnectSecret();
+ qemuDomainSecretInfoPtr secinfo;
+ g_autofree char *alias = NULL;
+ uint8_t *secret = NULL;
+ size_t secretlen = 0;
+
+ if (!conn)
+ return NULL;
+
+ if (!(alias = qemuDomainGetSecretAESAlias(srcalias, isLuks)))
+ return NULL;
+
+ if (virSecretGetSecretString(conn, seclookupdef, usageType, &secret,
&secretlen) < 0)
+ return NULL;
+
+ secinfo = qemuDomainSecretAESSetup(priv, alias, username, secret, secretlen);
- cleanup:
- VIR_DISPOSE_N(raw_iv, ivlen);
VIR_DISPOSE_N(secret, secretlen);
- VIR_DISPOSE_N(ciphertext, ciphertextlen);
- return ret;
+
+ return secinfo;
}
@@ -1635,49 +1656,6 @@ qemuDomainSecretInfoNewPlain(virSecretUsageType usageType,
}
-/* qemuDomainSecretInfoNew:
- * @priv: pointer to domain private object
- * @srcAlias: Alias base to use for TLS object
- * @usageType: Secret usage type
- * @username: username
- * @looupDef: lookup def describing secret
- * @isLuks: boolean for luks lookup
- *
- * Helper function to create a secinfo to be used for secinfo consumers. This
- * sets up encrypted data to be used with qemu's 'secret' object.
- *
- * Returns @secinfo on success, NULL on failure. Caller is responsible
- * to eventually free @secinfo.
- */
-static qemuDomainSecretInfoPtr
-qemuDomainSecretInfoNew(qemuDomainObjPrivatePtr priv,
- const char *srcAlias,
- virSecretUsageType usageType,
- const char *username,
- virSecretLookupTypeDefPtr lookupDef,
- bool isLuks)
-{
- qemuDomainSecretInfoPtr secinfo = NULL;
-
- if (!qemuDomainSupportsEncryptedSecret(priv)) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("encrypted secrets are not supported"));
- return NULL;
- }
-
- if (VIR_ALLOC(secinfo) < 0)
- return NULL;
-
- if (qemuDomainSecretAESSetup(priv, secinfo, srcAlias, usageType, username,
- lookupDef, isLuks) < 0) {
- g_clear_pointer(&secinfo, qemuDomainSecretInfoFree);
- return NULL;
- }
-
- return secinfo;
-}
-
-
/**
* qemuDomainSecretInfoTLSNew:
* @priv: pointer to domain private object
@@ -1704,9 +1682,9 @@ qemuDomainSecretInfoTLSNew(qemuDomainObjPrivatePtr priv,
}
seclookupdef.type = VIR_SECRET_LOOKUP_TYPE_UUID;
- return qemuDomainSecretInfoNew(priv, srcAlias,
- VIR_SECRET_USAGE_TYPE_TLS, NULL,
- &seclookupdef, false);
+ return qemuDomainSecretAESSetupFromSecret(priv, srcAlias,
+ VIR_SECRET_USAGE_TYPE_TLS,
+ NULL, &seclookupdef, false);
}
@@ -1796,11 +1774,11 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr
priv,
src->auth->username,
&src->auth->seclookupdef);
} else {
- srcPriv->secinfo = qemuDomainSecretInfoNew(priv, authalias,
- usageType,
- src->auth->username,
-
&src->auth->seclookupdef,
- false);
+ srcPriv->secinfo = qemuDomainSecretAESSetupFromSecret(priv, authalias,
+ usageType,
+
src->auth->username,
+
&src->auth->seclookupdef,
+ false);
}
if (!srcPriv->secinfo)
@@ -1808,11 +1786,11 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr
priv,
}
if (hasEnc) {
- if (!(srcPriv->encinfo =
- qemuDomainSecretInfoNew(priv, encalias,
- VIR_SECRET_USAGE_TYPE_VOLUME, NULL,
-
&src->encryption->secrets[0]->seclookupdef,
- true)))
+ if (!(srcPriv->encinfo = qemuDomainSecretAESSetupFromSecret(priv, encalias,
+
VIR_SECRET_USAGE_TYPE_VOLUME,
+ NULL,
+
&src->encryption->secrets[0]->seclookupdef,
+ true)))
return -1;
}
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 10d6264e46..202b85e39a 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -1035,6 +1035,8 @@ bool qemuDomainSupportsEncryptedSecret(qemuDomainObjPrivatePtr
priv);
void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr secinfo)
ATTRIBUTE_NONNULL(1);
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(qemuDomainSecretInfo, qemuDomainSecretInfoFree);
+
void qemuDomainSecretInfoDestroy(qemuDomainSecretInfoPtr secinfo);
void qemuDomainSecretDiskDestroy(virDomainDiskDefPtr disk)
--
2.24.1
10:40 a.m.
New subject: [PATCH 05/30] qemu: domain: Split out encryption of secret object data
On a Monday in 2020, Peter Krempa wrote:
Previously qemuDomainSecretAESSetup was looking up the secret in the
secret diver as well as encrypting it for use with qemu. Split out the
the lookup into a wrapper for this function so that we can reuse the
original internals when we don't need to look up a secret with the
secret driver. The new wrapper is called
qemuDomainSecretAESSetupFromSecret.
This refactor also changes the functions to return
qemuDomainSecretInfoPtr
also
Please split the split from refactors.
directly rather than filling it via an argument. This rendered
qemuDomainSecretInfoNew obsolete and thus it was deleted.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 180 ++++++++++++++++++-----------------------
src/qemu/qemu_domain.h | 2 +
2 files changed, 81 insertions(+), 101 deletions(-)
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 10d6264e46..202b85e39a 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -1035,6 +1035,8 @@ bool qemuDomainSupportsEncryptedSecret(qemuDomainObjPrivatePtr
priv);
void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr secinfo)
ATTRIBUTE_NONNULL(1);
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(qemuDomainSecretInfo, qemuDomainSecretInfoFree);
+
You really should not need to declare a new cleanup function when
splitting code.
Jano
void qemuDomainSecretInfoDestroy(qemuDomainSecretInfoPtr secinfo);
void qemuDomainSecretDiskDestroy(virDomainDiskDefPtr disk)
--
2.24.1
5:13 p.m.
New subject: [PATCH 05/30] qemu: domain: Split out encryption of secret object data
On 3/9/20 11:22 AM, Peter Krempa wrote:
Previously qemuDomainSecretAESSetup was looking up the secret in the
secret diver as well as encrypting it for use with qemu. Split out the
driver
the lookup into a wrapper for this function so that we can reuse the
original internals when we don't need to look up a secret with the
secret driver. The new wrapper is called
qemuDomainSecretAESSetupFromSecret.
This refactor also changes the functions to return qemuDomainSecretInfoPtr
directly rather than filling it via an argument. This rendered
qemuDomainSecretInfoNew obsolete and thus it was deleted.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
11:22 a.m.
New subject: [PATCH 06/30] qemu: Introduce another helper for creating alias for a 'secret' object
qemuAliasForSecret is meant as a replacement qemuDomainGetSecretAESAlias
with saner API. The sub-type we are creating the alias for is passed in
as a string rather than the unflexible 'isLuks' boolean.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_alias.c | 17 +++++++++++++++++
src/qemu/qemu_alias.h | 3 +++
2 files changed, 20 insertions(+)
diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c
index 95086fc65a..2e466ff23f 100644
--- a/src/qemu/qemu_alias.c
+++ b/src/qemu/qemu_alias.c
@@ -793,6 +793,23 @@ qemuDomainGetSecretAESAlias(const char *srcalias,
}
+/* qemuAliasForSecret:
+ * @parentalias: alias of the parent object
+ * @obj: optional sub-object of the parent device the secret is for
+ *
+ * Generate alias for a secret object used by @parentalias device or one of
+ * the dependencies of the device described by @obj.
+ */
+char *
+qemuAliasForSecret(const char *parentalias,
+ const char *obj)
+{
+ if (obj)
+ return g_strdup_printf("%s-%s-secret0", parentalias, obj);
+ else
+ return g_strdup_printf("%s-secret0", parentalias);
+}
+
/* qemuAliasTLSObjFromSrcAlias
* @srcAlias: Pointer to a source alias string
*
diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h
index ae2fce16bc..645956d024 100644
--- a/src/qemu/qemu_alias.h
+++ b/src/qemu/qemu_alias.h
@@ -86,6 +86,9 @@ char *qemuDomainGetMasterKeyAlias(void);
char *qemuDomainGetSecretAESAlias(const char *srcalias,
bool isLuks);
+char *qemuAliasForSecret(const char *parentalias,
+ const char *obj);
+
char *qemuAliasTLSObjFromSrcAlias(const char *srcAlias)
ATTRIBUTE_NONNULL(1);
--
2.24.1
10:41 a.m.
New subject: [PATCH 06/30] qemu: Introduce another helper for creating alias for a 'secret' object
On a Monday in 2020, Peter Krempa wrote:
qemuAliasForSecret is meant as a replacement
qemuDomainGetSecretAESAlias
with saner API. The sub-type we are creating the alias for is passed in
as a string rather than the unflexible 'isLuks' boolean.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_alias.c | 17 +++++++++++++++++
src/qemu/qemu_alias.h | 3 +++
2 files changed, 20 insertions(+)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 07/30] qemuDomainSecretStorageSourcePrepare: Fix naming of alias variables
The naming of the variables was tied to what they are used for not what
the alias represents. Since we'll need to use some of the aliases for
another type of secrets fix the name so that it makes sense.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 52d2dddede..70b1b5c4f2 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1746,8 +1746,8 @@ qemuDomainDiskHasEncryptionSecret(virStorageSourcePtr src)
static int
qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
virStorageSourcePtr src,
- const char *authalias,
- const char *encalias)
+ const char *aliasprotocol,
+ const char *aliasformat)
{
qemuDomainStorageSourcePrivatePtr srcPriv;
bool iscsiHasPS = virQEMUCapsGet(priv->qemuCaps,
QEMU_CAPS_ISCSI_PASSWORD_SECRET);
@@ -1774,7 +1774,7 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
src->auth->username,
&src->auth->seclookupdef);
} else {
- srcPriv->secinfo = qemuDomainSecretAESSetupFromSecret(priv, authalias,
+ srcPriv->secinfo = qemuDomainSecretAESSetupFromSecret(priv,
aliasprotocol,
usageType,
src->auth->username,
&src->auth->seclookupdef,
@@ -1786,7 +1786,7 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
}
if (hasEnc) {
- if (!(srcPriv->encinfo = qemuDomainSecretAESSetupFromSecret(priv, encalias,
+ if (!(srcPriv->encinfo = qemuDomainSecretAESSetupFromSecret(priv,
aliasformat,
VIR_SECRET_USAGE_TYPE_VOLUME,
NULL,
&src->encryption->secrets[0]->seclookupdef,
--
2.24.1
10:24 a.m.
New subject: [PATCH 07/30] qemuDomainSecretStorageSourcePrepare: Fix naming of alias variables
On a Monday in 2020, Peter Krempa wrote:
The naming of the variables was tied to what they are used for not
what
the alias represents. Since we'll need to use some of the aliases for
another type of secrets fix the name so that it makes sense.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 08/30] qemuDomainDeviceDiskDefPostParseRestoreSecAlias: Hardcode restored aliases
In order to be able to change the function generating the alias and thus
also the aliases itself, we must hardcode the old format for the case of
upgrading form libvirt which didn't record them in the status XML yet.
Note that this code path is tested by
'tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml'
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 70b1b5c4f2..72e651ecee 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -8993,16 +8993,14 @@
qemuDomainDeviceDiskDefPostParseRestoreSecAlias(virDomainDiskDefPtr disk,
}
if (restoreAuthSecret) {
- if (!(authalias = qemuDomainGetSecretAESAlias(disk->info.alias, false)))
- return -1;
+ authalias = g_strdup_printf("%s-secret0", disk->info.alias);
if (qemuStorageSourcePrivateDataAssignSecinfo(&priv->secinfo,
&authalias) < 0)
return -1;
}
if (restoreEncSecret) {
- if (!(encalias = qemuDomainGetSecretAESAlias(disk->info.alias, true)))
- return -1;
+ encalias = g_strdup_printf("%s-luks-secret0", disk->info.alias);
if (qemuStorageSourcePrivateDataAssignSecinfo(&priv->encinfo,
&encalias) < 0)
return -1;
--
2.24.1
10:52 a.m.
New subject: [PATCH 08/30] qemuDomainDeviceDiskDefPostParseRestoreSecAlias: Hardcode restored aliases
On a Monday in 2020, Peter Krempa wrote:
In order to be able to change the function generating the alias and
thus
also the aliases itself, we must hardcode the old format for the case of
upgrading form libvirt which didn't record them in the status XML yet.
Note that this code path is tested by
'tests/qemustatusxml2xmldata/disk-secinfo-upgrade-in.xml'
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 09/30] qemu: Split out initialization of secrets for 'iscsi' hostdevs
Currently we don't have infrastructure to remember the secret aliases
for hostdevs. Since an upcomming patch is going to change aliases for
the disks, initialize the iscsi hostdevs separately so that we can keep
the alias. At the same time let's use qemuAliasForSecret instead of
qemuDomainGetSecretAESAlias when unplugging the iscsi hostdev.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 25 +++++++++++++++++++++++--
src/qemu/qemu_hotplug.c | 2 +-
2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 72e651ecee..c2218871a7 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1835,8 +1835,29 @@ qemuDomainSecretHostdevPrepare(qemuDomainObjPrivatePtr priv,
if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI
&&
src->auth) {
- if (qemuDomainSecretStorageSourcePrepare(priv, src,
- hostdev->info->alias, NULL)
< 0)
+ bool iscsiHasPS = virQEMUCapsGet(priv->qemuCaps,
QEMU_CAPS_ISCSI_PASSWORD_SECRET);
+ virSecretUsageType usageType = VIR_SECRET_USAGE_TYPE_ISCSI;
+ qemuDomainStorageSourcePrivatePtr srcPriv;
+
+ if (!(src->privateData = qemuDomainStorageSourcePrivateNew()))
+ return -1;
+
+ srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
+
+ if (!qemuDomainSupportsEncryptedSecret(priv) || !iscsiHasPS) {
+ srcPriv->secinfo = qemuDomainSecretInfoNewPlain(usageType,
+
src->auth->username,
+
&src->auth->seclookupdef);
+ } else {
+ srcPriv->secinfo = qemuDomainSecretAESSetupFromSecret(priv,
+
hostdev->info->alias,
+ usageType,
+
src->auth->username,
+
&src->auth->seclookupdef,
+ false);
+ }
+
+ if (!srcPriv->secinfo)
return -1;
}
}
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index ca18bb9e5f..e804053933 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -4471,7 +4471,7 @@ qemuDomainRemoveHostDevice(virQEMUDriverPtr driver,
if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI
&&
virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ISCSI_PASSWORD_SECRET)
&&
qemuDomainStorageSourceHasAuth(iscsisrc->src)) {
- if (!(objAlias = qemuDomainGetSecretAESAlias(hostdev->info->alias,
false)))
+ if (!(objAlias = qemuAliasForSecret(hostdev->info->alias, NULL)))
return -1;
}
--
2.24.1
10:56 a.m.
New subject: [PATCH 09/30] qemu: Split out initialization of secrets for 'iscsi' hostdevs
On a Monday in 2020, Peter Krempa wrote:
Currently we don't have infrastructure to remember the secret
aliases
for hostdevs. Since an upcomming patch is going to change aliases for
upcoming
the disks, initialize the iscsi hostdevs separately so that we can
keep
the alias. At the same time let's use qemuAliasForSecret instead of
qemuDomainGetSecretAESAlias when unplugging the iscsi hostdev.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 25 +++++++++++++++++++++++--
src/qemu/qemu_hotplug.c | 2 +-
2 files changed, 24 insertions(+), 3 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 10/30] qemuDomainSecretAESSetupFromSecret: Use 'qemuAliasForSecret'
Replace qemuDomainGetSecretAESAlias by the new function si that we can
reuse qemuDomainSecretAESSetupFromSecret also for setting up other kinds
of objects.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index c2218871a7..c7432b3a98 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1571,34 +1571,32 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
* qemuDomainSecretAESSetupFromSecret:
* @priv: pointer to domain private object
* @srcalias: Alias of the disk/hostdev used to generate the secret alias
+ * @secretuse: specific usage for the secret (may be NULL if main object is using it)
* @usageType: The virSecretUsageType
* @username: username to use for authentication (may be NULL)
* @seclookupdef: Pointer to seclookupdef data
- * @isLuks: True/False for is for luks (alias generation)
*
* Looks up a secret in the secret driver based on @usageType and @seclookupdef
- * and builds qemuDomainSecretInfoPtr from it.
+ * and builds qemuDomainSecretInfoPtr from it. @use describes the usage of the
+ * secret in case if @srcalias requires more secrets for various usage cases.
*/
static qemuDomainSecretInfoPtr
qemuDomainSecretAESSetupFromSecret(qemuDomainObjPrivatePtr priv,
const char *srcalias,
+ const char *secretuse,
virSecretUsageType usageType,
const char *username,
- virSecretLookupTypeDefPtr seclookupdef,
- bool isLuks)
+ virSecretLookupTypeDefPtr seclookupdef)
{
g_autoptr(virConnect) conn = virGetConnectSecret();
qemuDomainSecretInfoPtr secinfo;
- g_autofree char *alias = NULL;
+ g_autofree char *alias = qemuAliasForSecret(srcalias, secretuse);
uint8_t *secret = NULL;
size_t secretlen = 0;
if (!conn)
return NULL;
- if (!(alias = qemuDomainGetSecretAESAlias(srcalias, isLuks)))
- return NULL;
-
if (virSecretGetSecretString(conn, seclookupdef, usageType, &secret,
&secretlen) < 0)
return NULL;
@@ -1682,9 +1680,9 @@ qemuDomainSecretInfoTLSNew(qemuDomainObjPrivatePtr priv,
}
seclookupdef.type = VIR_SECRET_LOOKUP_TYPE_UUID;
- return qemuDomainSecretAESSetupFromSecret(priv, srcAlias,
+ return qemuDomainSecretAESSetupFromSecret(priv, srcAlias, NULL,
VIR_SECRET_USAGE_TYPE_TLS,
- NULL, &seclookupdef, false);
+ NULL, &seclookupdef);
}
@@ -1775,10 +1773,10 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr
priv,
&src->auth->seclookupdef);
} else {
srcPriv->secinfo = qemuDomainSecretAESSetupFromSecret(priv,
aliasprotocol,
+ NULL,
usageType,
src->auth->username,
-
&src->auth->seclookupdef,
- false);
+
&src->auth->seclookupdef);
}
if (!srcPriv->secinfo)
@@ -1787,10 +1785,10 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr
priv,
if (hasEnc) {
if (!(srcPriv->encinfo = qemuDomainSecretAESSetupFromSecret(priv,
aliasformat,
+ "luks",
VIR_SECRET_USAGE_TYPE_VOLUME,
NULL,
-
&src->encryption->secrets[0]->seclookupdef,
- true)))
+
&src->encryption->secrets[0]->seclookupdef)))
return -1;
}
@@ -1851,10 +1849,10 @@ qemuDomainSecretHostdevPrepare(qemuDomainObjPrivatePtr priv,
} else {
srcPriv->secinfo = qemuDomainSecretAESSetupFromSecret(priv,
hostdev->info->alias,
+ NULL,
usageType,
src->auth->username,
-
&src->auth->seclookupdef,
- false);
+
&src->auth->seclookupdef);
}
if (!srcPriv->secinfo)
--
2.24.1
11:07 a.m.
New subject: [PATCH 10/30] qemuDomainSecretAESSetupFromSecret: Use 'qemuAliasForSecret'
On a Monday in 2020, Peter Krempa wrote:
Replace qemuDomainGetSecretAESAlias by the new function si that we can
s/si/so/
reuse qemuDomainSecretAESSetupFromSecret also for setting up other
kinds
of objects.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 11/30] qemuDomainSecretStorageSourcePrepare: Change aliases for disk secrets
Originally there was only the secret for authentication so we didn't use
any suffix to tell it apart. With the introduction of encryption we
added a 'luks' suffix for the encryption secrets. Since encryption is
really generic and authentication is not the only secret modify the
aliases for the secrets to better describe what they are used for.
This is possible as we store the disk secrets in the status XML thus
only new machines will use the new secrets.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 4 +--
...-backing-chains-noindex.x86_64-2.12.0.args | 4 +--
...-backing-chains-noindex.x86_64-latest.args | 6 ++--
...sk-hostdev-scsi-virtio-iscsi-auth-AES.args | 6 ++--
.../disk-network-iscsi.x86_64-2.12.0.args | 12 +++----
.../disk-network-iscsi.x86_64-latest.args | 8 ++---
.../disk-network-rbd.x86_64-2.12.0.args | 4 +--
.../disk-network-rbd.x86_64-latest.args | 4 +--
...isk-network-source-auth.x86_64-2.12.0.args | 10 +++---
...isk-network-source-auth.x86_64-latest.args | 8 ++---
.../disk-nvme.x86_64-latest.args | 4 +--
.../encrypted-disk-usage.args | 4 +--
tests/qemuxml2argvdata/encrypted-disk.args | 4 +--
.../luks-disks-source-qcow2.args | 24 +++++++-------
...luks-disks-source-qcow2.x86_64-latest.args | 32 +++++++++----------
tests/qemuxml2argvdata/luks-disks-source.args | 26 ++++++++-------
tests/qemuxml2argvdata/luks-disks.args | 10 +++---
tests/qemuxml2argvdata/user-aliases.args | 4 +--
18 files changed, 90 insertions(+), 84 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index c7432b3a98..1d551f248f 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1773,7 +1773,7 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
&src->auth->seclookupdef);
} else {
srcPriv->secinfo = qemuDomainSecretAESSetupFromSecret(priv,
aliasprotocol,
- NULL,
+ "auth",
usageType,
src->auth->username,
&src->auth->seclookupdef);
@@ -1785,7 +1785,7 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
if (hasEnc) {
if (!(srcPriv->encinfo = qemuDomainSecretAESSetupFromSecret(priv,
aliasformat,
- "luks",
+
"encryption",
VIR_SECRET_USAGE_TYPE_VOLUME,
NULL,
&src->encryption->secrets[0]->seclookupdef)))
diff --git a/tests/qemuxml2argvdata/disk-backing-chains-noindex.x86_64-2.12.0.args
b/tests/qemuxml2argvdata/disk-backing-chains-noindex.x86_64-2.12.0.args
index a8675debd5..47691339d6 100644
--- a/tests/qemuxml2argvdata/disk-backing-chains-noindex.x86_64-2.12.0.args
+++ b/tests/qemuxml2argvdata/disk-backing-chains-noindex.x86_64-2.12.0.args
@@ -39,12 +39,12 @@ id=virtio-disk1 \
if=none,id=drive-virtio-disk2 \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk2,\
id=virtio-disk2 \
--object secret,id=virtio-disk3-secret0,\
+-object secret,id=virtio-disk3-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
-6322,file.password-secret=virtio-disk3-secret0,format=qcow2,if=none,\
+6322,file.password-secret=virtio-disk3-auth-secret0,format=qcow2,if=none,\
id=drive-virtio-disk3' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk3,\
id=virtio-disk3 \
diff --git a/tests/qemuxml2argvdata/disk-backing-chains-noindex.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-backing-chains-noindex.x86_64-latest.args
index b1a1f8a6bc..6c19da970f 100644
--- a/tests/qemuxml2argvdata/disk-backing-chains-noindex.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-backing-chains-noindex.x86_64-latest.args
@@ -81,15 +81,15 @@ id=virtio-disk2 \
"node-name":"libvirt-15-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-15-format","read-only":true,"driver":"qcow2",\
"file":"libvirt-15-storage","backing":null}' \
--object secret,id=libvirt-14-storage-secret0,\
+-object secret,id=libvirt-14-storage-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"rbd","pool":"pool","image":"image",\
"server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org",\
"port":"6322"},{"host":"mon3.example.org","port":"6322"}],"user":"myname",\
"auth-client-required":["cephx","none"],\
-"key-secret":"libvirt-14-storage-secret0","node-name":"libvirt-14-storage",\
-"auto-read-only":true,"discard":"unmap"}' \
+"key-secret":"libvirt-14-storage-auth-secret0",\
+"node-name":"libvirt-14-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-14-format","read-only":false,"driver":"qcow2",\
"file":"libvirt-14-storage","backing":"libvirt-15-format"}'
\
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=libvirt-14-format,\
diff --git a/tests/qemuxml2argvdata/disk-hostdev-scsi-virtio-iscsi-auth-AES.args
b/tests/qemuxml2argvdata/disk-hostdev-scsi-virtio-iscsi-auth-AES.args
index aece52dad2..47b014aacc 100644
--- a/tests/qemuxml2argvdata/disk-hostdev-scsi-virtio-iscsi-auth-AES.args
+++ b/tests/qemuxml2argvdata/disk-hostdev-scsi-virtio-iscsi-auth-AES.args
@@ -28,13 +28,13 @@ server,nowait \
-no-acpi \
-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \
-usb \
--object secret,id=virtio-disk0-secret0,\
+-object secret,id=virtio-disk0-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file.driver=iscsi,file.portal=example.org:6000,\
file.target=iqn.1992-01.com.example:storage,file.lun=1,file.transport=tcp,\
-file.user=myname,file.password-secret=virtio-disk0-secret0,format=raw,if=none,\
-id=drive-virtio-disk0 \
+file.user=myname,file.password-secret=virtio-disk0-auth-secret0,format=raw,\
+if=none,id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0,bootindex=1 \
-object secret,id=hostdev0-secret0,\
diff --git a/tests/qemuxml2argvdata/disk-network-iscsi.x86_64-2.12.0.args
b/tests/qemuxml2argvdata/disk-network-iscsi.x86_64-2.12.0.args
index 55347521da..930d8d5db2 100644
--- a/tests/qemuxml2argvdata/disk-network-iscsi.x86_64-2.12.0.args
+++ b/tests/qemuxml2argvdata/disk-network-iscsi.x86_64-2.12.0.args
@@ -38,22 +38,22 @@
file.target=iqn.1992-01.com.example,file.lun=1,file.transport=tcp,format=raw,\
if=none,id=drive-virtio-disk1 \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk1,\
id=virtio-disk1 \
--object secret,id=virtio-disk2-secret0,\
+-object secret,id=virtio-disk2-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file.driver=iscsi,file.portal=example.org:6000,\
file.target=iqn.1992-01.com.example:storage,file.lun=1,file.transport=tcp,\
-file.user=myname,file.password-secret=virtio-disk2-secret0,format=raw,if=none,\
-id=drive-virtio-disk2 \
+file.user=myname,file.password-secret=virtio-disk2-auth-secret0,format=raw,\
+if=none,id=drive-virtio-disk2 \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk2,\
id=virtio-disk2 \
--object secret,id=virtio-disk3-secret0,\
+-object secret,id=virtio-disk3-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file.driver=iscsi,file.portal=example.org:6000,\
file.target=iqn.1992-01.com.example:storage,file.lun=2,file.transport=tcp,\
-file.user=myname,file.password-secret=virtio-disk3-secret0,format=raw,if=none,\
-id=drive-virtio-disk3 \
+file.user=myname,file.password-secret=virtio-disk3-auth-secret0,format=raw,\
+if=none,id=drive-virtio-disk3 \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk3,\
id=virtio-disk3 \
-drive file.driver=iscsi,file.portal=example.org:3260,\
diff --git a/tests/qemuxml2argvdata/disk-network-iscsi.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-iscsi.x86_64-latest.args
index 0df7819237..3f61f6dc2c 100644
--- a/tests/qemuxml2argvdata/disk-network-iscsi.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-network-iscsi.x86_64-latest.args
@@ -43,23 +43,23 @@ id=virtio-disk0,bootindex=1 \
"file":"libvirt-4-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=libvirt-4-format,\
id=virtio-disk1 \
--object secret,id=libvirt-3-storage-secret0,\
+-object secret,id=libvirt-3-storage-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"iscsi","portal":"example.org:6000",\
"target":"iqn.1992-01.com.example:storage","lun":1,"transport":"tcp",\
-"user":"myname","password-secret":"libvirt-3-storage-secret0",\
+"user":"myname","password-secret":"libvirt-3-storage-auth-secret0",\
"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-3-format","read-only":false,"driver":"raw",\
"file":"libvirt-3-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=libvirt-3-format,\
id=virtio-disk2 \
--object secret,id=libvirt-2-storage-secret0,\
+-object secret,id=libvirt-2-storage-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"iscsi","portal":"example.org:6000",\
"target":"iqn.1992-01.com.example:storage","lun":2,"transport":"tcp",\
-"user":"myname","password-secret":"libvirt-2-storage-secret0",\
+"user":"myname","password-secret":"libvirt-2-storage-auth-secret0",\
"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-2-format","read-only":false,"driver":"raw",\
"file":"libvirt-2-storage"}' \
diff --git a/tests/qemuxml2argvdata/disk-network-rbd.x86_64-2.12.0.args
b/tests/qemuxml2argvdata/disk-network-rbd.x86_64-2.12.0.args
index 18cb534552..21d1c2deba 100644
--- a/tests/qemuxml2argvdata/disk-network-rbd.x86_64-2.12.0.args
+++ b/tests/qemuxml2argvdata/disk-network-rbd.x86_64-2.12.0.args
@@ -45,12 +45,12 @@ id=virtio-disk2 \
format=raw,if=none,id=drive-virtio-disk3 \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk3,\
id=virtio-disk3 \
--object secret,id=virtio-disk4-secret0,\
+-object secret,id=virtio-disk4-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
-6322,file.password-secret=virtio-disk4-secret0,format=raw,if=none,\
+6322,file.password-secret=virtio-disk4-auth-secret0,format=raw,if=none,\
id=drive-virtio-disk4' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk4,\
id=virtio-disk4 \
diff --git a/tests/qemuxml2argvdata/disk-network-rbd.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-rbd.x86_64-latest.args
index ea4cb6ff06..fb8fc988e8 100644
--- a/tests/qemuxml2argvdata/disk-network-rbd.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-network-rbd.x86_64-latest.args
@@ -57,14 +57,14 @@ id=virtio-disk2 \
"file":"libvirt-3-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=libvirt-3-format,\
id=virtio-disk3 \
--object secret,id=libvirt-2-storage-secret0,\
+-object secret,id=libvirt-2-storage-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"rbd","pool":"pool","image":"image",\
"server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org",\
"port":"6322"},{"host":"mon3.example.org","port":"6322"}],"user":"myname",\
"auth-client-required":["cephx","none"],\
-"key-secret":"libvirt-2-storage-secret0","node-name":"libvirt-2-storage",\
+"key-secret":"libvirt-2-storage-auth-secret0","node-name":"libvirt-2-storage",\
"auto-read-only":true,"discard":"unmap"}' \
-blockdev
'{"node-name":"libvirt-2-format","read-only":false,"driver":"raw",\
"file":"libvirt-2-storage"}' \
diff --git a/tests/qemuxml2argvdata/disk-network-source-auth.x86_64-2.12.0.args
b/tests/qemuxml2argvdata/disk-network-source-auth.x86_64-2.12.0.args
index f34c6b678d..279d5c73ec 100644
--- a/tests/qemuxml2argvdata/disk-network-source-auth.x86_64-2.12.0.args
+++ b/tests/qemuxml2argvdata/disk-network-source-auth.x86_64-2.12.0.args
@@ -27,21 +27,21 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
-no-acpi \
-boot strict=on \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
--object secret,id=virtio-disk0-secret0,\
+-object secret,id=virtio-disk0-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file.driver=iscsi,file.portal=example.org:6000,\
file.target=iqn.1992-01.com.example:storage,file.lun=1,file.transport=tcp,\
-file.user=myname,file.password-secret=virtio-disk0-secret0,format=raw,if=none,\
-id=drive-virtio-disk0 \
+file.user=myname,file.password-secret=virtio-disk0-auth-secret0,format=raw,\
+if=none,id=drive-virtio-disk0 \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x2,drive=drive-virtio-disk0,\
id=virtio-disk0,bootindex=1 \
--object secret,id=virtio-disk1-secret0,\
+-object secret,id=virtio-disk1-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
-6322,file.password-secret=virtio-disk1-secret0,format=raw,if=none,\
+6322,file.password-secret=virtio-disk1-auth-secret0,format=raw,if=none,\
id=drive-virtio-disk1' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x3,drive=drive-virtio-disk1,\
id=virtio-disk1 \
diff --git a/tests/qemuxml2argvdata/disk-network-source-auth.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-source-auth.x86_64-latest.args
index 44b8ec87df..7a504d49be 100644
--- a/tests/qemuxml2argvdata/disk-network-source-auth.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-network-source-auth.x86_64-latest.args
@@ -28,25 +28,25 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
-no-acpi \
-boot strict=on \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
--object secret,id=libvirt-2-storage-secret0,\
+-object secret,id=libvirt-2-storage-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"iscsi","portal":"example.org:6000",\
"target":"iqn.1992-01.com.example:storage","lun":1,"transport":"tcp",\
-"user":"myname","password-secret":"libvirt-2-storage-secret0",\
+"user":"myname","password-secret":"libvirt-2-storage-auth-secret0",\
"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-2-format","read-only":false,"driver":"raw",\
"file":"libvirt-2-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x2,drive=libvirt-2-format,\
id=virtio-disk0,bootindex=1 \
--object secret,id=libvirt-1-storage-secret0,\
+-object secret,id=libvirt-1-storage-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"rbd","pool":"pool","image":"image",\
"server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org",\
"port":"6322"},{"host":"mon3.example.org","port":"6322"}],"user":"myname",\
"auth-client-required":["cephx","none"],\
-"key-secret":"libvirt-1-storage-secret0","node-name":"libvirt-1-storage",\
+"key-secret":"libvirt-1-storage-auth-secret0","node-name":"libvirt-1-storage",\
"auto-read-only":true,"discard":"unmap"}' \
-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw",\
"file":"libvirt-1-storage"}' \
diff --git a/tests/qemuxml2argvdata/disk-nvme.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-nvme.x86_64-latest.args
index 2962f496c4..5334882c0b 100644
--- a/tests/qemuxml2argvdata/disk-nvme.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-nvme.x86_64-latest.args
@@ -47,7 +47,7 @@ id=virtio-disk1 \
"file":"libvirt-2-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=libvirt-2-format,\
id=virtio-disk2 \
--object secret,id=libvirt-1-format-luks-secret0,\
+-object secret,id=libvirt-1-format-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"nvme","device":"0001:02:00.0","namespace":2,\
@@ -55,7 +55,7 @@ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
"auto-read-only":true,"discard":"unmap"}' \
-blockdev
'{"node-name":"libvirt-1-format","read-only":false,\
"cache":{"direct":true,"no-flush":false},"driver":"qcow2",\
-"encrypt":{"format":"luks","key-secret":"libvirt-1-format-luks-secret0"},\
+"encrypt":{"format":"luks","key-secret":"libvirt-1-format-encryption-secret0"},\
"file":"libvirt-1-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=libvirt-1-format,\
id=virtio-disk3,write-cache=on \
diff --git a/tests/qemuxml2argvdata/encrypted-disk-usage.args
b/tests/qemuxml2argvdata/encrypted-disk-usage.args
index 4522d2cb84..8641701293 100644
--- a/tests/qemuxml2argvdata/encrypted-disk-usage.args
+++ b/tests/qemuxml2argvdata/encrypted-disk-usage.args
@@ -27,11 +27,11 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
-no-shutdown \
-no-acpi \
-usb \
--object secret,id=virtio-disk0-luks-secret0,\
+-object secret,id=virtio-disk0-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\
-encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=virtio-disk0-encryption-secret0,format=qcow2,if=none,\
id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0,bootindex=1 \
diff --git a/tests/qemuxml2argvdata/encrypted-disk.args
b/tests/qemuxml2argvdata/encrypted-disk.args
index 4522d2cb84..8641701293 100644
--- a/tests/qemuxml2argvdata/encrypted-disk.args
+++ b/tests/qemuxml2argvdata/encrypted-disk.args
@@ -27,11 +27,11 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
-no-shutdown \
-no-acpi \
-usb \
--object secret,id=virtio-disk0-luks-secret0,\
+-object secret,id=virtio-disk0-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\
-encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=virtio-disk0-encryption-secret0,format=qcow2,if=none,\
id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0,bootindex=1 \
diff --git a/tests/qemuxml2argvdata/luks-disks-source-qcow2.args
b/tests/qemuxml2argvdata/luks-disks-source-qcow2.args
index ab1c864cf6..e7a29b2e03 100644
--- a/tests/qemuxml2argvdata/luks-disks-source-qcow2.args
+++ b/tests/qemuxml2argvdata/luks-disks-source-qcow2.args
@@ -27,53 +27,53 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
-no-shutdown \
-no-acpi \
-usb \
--object secret,id=virtio-disk0-luks-secret0,\
+-object secret,id=virtio-disk0-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\
-encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=virtio-disk0-encryption-secret0,format=qcow2,if=none,\
id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0,bootindex=1 \
--object secret,id=virtio-disk1-luks-secret0,\
+-object secret,id=virtio-disk1-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk2,encrypt.format=luks,\
-encrypt.key-secret=virtio-disk1-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=virtio-disk1-encryption-secret0,format=qcow2,if=none,\
id=drive-virtio-disk1 \
-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,\
id=virtio-disk1 \
--object secret,id=virtio-disk2-luks-secret0,\
+-object secret,id=virtio-disk2-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=iscsi://myname:AQCVn5hO6HzFAhAAq0NCv8jtJcIcE+HOBlMQ1A@example.org:\
6000/iqn.1992-01.com.example%3Astorage/1,encrypt.format=luks,\
-encrypt.key-secret=virtio-disk2-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=virtio-disk2-encryption-secret0,format=qcow2,if=none,\
id=drive-virtio-disk2 \
-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk2,\
id=virtio-disk2 \
--object secret,id=virtio-disk3-luks-secret0,\
+-object secret,id=virtio-disk3-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=iscsi://iscsi.example.com:3260/demo-target/3,encrypt.format=luks,\
-encrypt.key-secret=virtio-disk3-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=virtio-disk3-encryption-secret0,format=qcow2,if=none,\
id=drive-virtio-disk3 \
-device virtio-blk-pci,bus=pci.0,addr=0x7,drive=drive-virtio-disk3,\
id=virtio-disk3 \
--object secret,id=virtio-disk4-luks-secret0,\
+-object secret,id=virtio-disk4-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive 'file=rbd:pool/image:auth_supported=none:mon_host=mon1.example.org\:\
6321\;mon2.example.org\:6322\;mon3.example.org\:6322,encrypt.format=luks,\
-encrypt.key-secret=virtio-disk4-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=virtio-disk4-encryption-secret0,format=qcow2,if=none,\
id=drive-virtio-disk4' \
-device virtio-blk-pci,bus=pci.0,addr=0x8,drive=drive-virtio-disk4,\
id=virtio-disk4 \
--object secret,id=virtio-disk5-luks-secret0,\
+-object secret,id=virtio-disk5-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk5,encrypt.format=luks,\
-encrypt.key-secret=virtio-disk5-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=virtio-disk5-encryption-secret0,format=qcow2,if=none,\
id=drive-virtio-disk5 \
-device virtio-blk-pci,bus=pci.0,addr=0x9,drive=drive-virtio-disk5,\
id=virtio-disk5 \
diff --git a/tests/qemuxml2argvdata/luks-disks-source-qcow2.x86_64-latest.args
b/tests/qemuxml2argvdata/luks-disks-source-qcow2.x86_64-latest.args
index 021bcb6961..44e4c5698d 100644
--- a/tests/qemuxml2argvdata/luks-disks-source-qcow2.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/luks-disks-source-qcow2.x86_64-latest.args
@@ -28,53 +28,53 @@ file=/tmp/lib/domain--1-encryptdisk/master-key.aes \
-no-acpi \
-boot strict=on \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
--object secret,id=libvirt-7-format-luks-secret0,\
+-object secret,id=libvirt-7-format-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"file","filename":"/storage/guest_disks/encryptdisk",\
"node-name":"libvirt-7-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-7-format","read-only":false,"driver":"qcow2",\
-"encrypt":{"format":"luks","key-secret":"libvirt-7-format-luks-secret0"},\
+"encrypt":{"format":"luks","key-secret":"libvirt-7-format-encryption-secret0"},\
"file":"libvirt-7-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=libvirt-7-format,\
id=virtio-disk0,bootindex=1 \
--object secret,id=libvirt-6-format-luks-secret0,\
+-object secret,id=libvirt-6-format-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"file","filename":"/storage/guest_disks/encryptdisk2",\
"node-name":"libvirt-6-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-6-format","read-only":false,"driver":"qcow2",\
-"encrypt":{"format":"luks","key-secret":"libvirt-6-format-luks-secret0"},\
+"encrypt":{"format":"luks","key-secret":"libvirt-6-format-encryption-secret0"},\
"file":"libvirt-6-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=libvirt-6-format,\
id=virtio-disk1 \
--object secret,id=libvirt-5-storage-secret0,\
+-object secret,id=libvirt-5-storage-auth-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
--object secret,id=libvirt-5-format-luks-secret0,\
+-object secret,id=libvirt-5-format-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"iscsi","portal":"example.org:6000",\
"target":"iqn.1992-01.com.example:storage","lun":1,"transport":"tcp",\
-"user":"myname","password-secret":"libvirt-5-storage-secret0",\
+"user":"myname","password-secret":"libvirt-5-storage-auth-secret0",\
"node-name":"libvirt-5-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-5-format","read-only":false,"driver":"qcow2",\
-"encrypt":{"format":"luks","key-secret":"libvirt-5-format-luks-secret0"},\
+"encrypt":{"format":"luks","key-secret":"libvirt-5-format-encryption-secret0"},\
"file":"libvirt-5-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x2,drive=libvirt-5-format,\
id=virtio-disk2 \
--object secret,id=libvirt-4-format-luks-secret0,\
+-object secret,id=libvirt-4-format-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"iscsi","portal":"iscsi.example.com:3260",\
"target":"demo-target","lun":3,"transport":"tcp",\
"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-4-format","read-only":false,"driver":"qcow2",\
-"encrypt":{"format":"luks","key-secret":"libvirt-4-format-luks-secret0"},\
+"encrypt":{"format":"luks","key-secret":"libvirt-4-format-encryption-secret0"},\
"file":"libvirt-4-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=libvirt-4-format,\
id=virtio-disk3 \
--object secret,id=libvirt-3-format-luks-secret0,\
+-object secret,id=libvirt-3-format-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"rbd","pool":"pool","image":"image",\
@@ -82,25 +82,25 @@ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
"port":"6322"},{"host":"mon3.example.org","port":"6322"}],\
"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-3-format","read-only":false,"driver":"qcow2",\
-"encrypt":{"format":"luks","key-secret":"libvirt-3-format-luks-secret0"},\
+"encrypt":{"format":"luks","key-secret":"libvirt-3-format-encryption-secret0"},\
"file":"libvirt-3-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=libvirt-3-format,\
id=virtio-disk4 \
--object secret,id=libvirt-2-format-luks-secret0,\
+-object secret,id=libvirt-2-format-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"file","filename":"/storage/guest_disks/base.qcow2",\
"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-2-format","read-only":true,"driver":"qcow2",\
-"encrypt":{"format":"luks","key-secret":"libvirt-2-format-luks-secret0"},\
+"encrypt":{"format":"luks","key-secret":"libvirt-2-format-encryption-secret0"},\
"file":"libvirt-2-storage","backing":null}' \
--object secret,id=libvirt-1-format-luks-secret0,\
+-object secret,id=libvirt-1-format-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"file","filename":"/storage/guest_disks/encryptdisk5",\
"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2",\
-"encrypt":{"format":"luks","key-secret":"libvirt-1-format-luks-secret0"},\
+"encrypt":{"format":"luks","key-secret":"libvirt-1-format-encryption-secret0"},\
"file":"libvirt-1-storage","backing":"libvirt-2-format"}'
\
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x8,drive=libvirt-1-format,\
id=virtio-disk5 \
diff --git a/tests/qemuxml2argvdata/luks-disks-source.args
b/tests/qemuxml2argvdata/luks-disks-source.args
index 4566f84ff1..e2bd559212 100644
--- a/tests/qemuxml2argvdata/luks-disks-source.args
+++ b/tests/qemuxml2argvdata/luks-disks-source.args
@@ -27,41 +27,45 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
-no-shutdown \
-no-acpi \
-usb \
--object secret,id=virtio-disk0-luks-secret0,\
+-object secret,id=virtio-disk0-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk,\
-key-secret=virtio-disk0-luks-secret0,format=luks,if=none,id=drive-virtio-disk0 \
+key-secret=virtio-disk0-encryption-secret0,format=luks,if=none,\
+id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0,bootindex=1 \
--object secret,id=virtio-disk1-luks-secret0,\
+-object secret,id=virtio-disk1-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk2,\
-key-secret=virtio-disk1-luks-secret0,format=luks,if=none,id=drive-virtio-disk1 \
+key-secret=virtio-disk1-encryption-secret0,format=luks,if=none,\
+id=drive-virtio-disk1 \
-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,\
id=virtio-disk1 \
--object secret,id=virtio-disk2-luks-secret0,\
+-object secret,id=virtio-disk2-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=iscsi://myname:AQCVn5hO6HzFAhAAq0NCv8jtJcIcE+HOBlMQ1A@example.org:\
-6000/iqn.1992-01.com.example%3Astorage/1,key-secret=virtio-disk2-luks-secret0,\
-format=luks,if=none,id=drive-virtio-disk2 \
+6000/iqn.1992-01.com.example%3Astorage/1,\
+key-secret=virtio-disk2-encryption-secret0,format=luks,if=none,\
+id=drive-virtio-disk2 \
-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk2,\
id=virtio-disk2 \
--object secret,id=virtio-disk3-luks-secret0,\
+-object secret,id=virtio-disk3-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=iscsi://iscsi.example.com:3260/demo-target/3,\
-key-secret=virtio-disk3-luks-secret0,format=luks,if=none,id=drive-virtio-disk3 \
+key-secret=virtio-disk3-encryption-secret0,format=luks,if=none,\
+id=drive-virtio-disk3 \
-device virtio-blk-pci,bus=pci.0,addr=0x7,drive=drive-virtio-disk3,\
id=virtio-disk3 \
--object secret,id=virtio-disk4-luks-secret0,\
+-object secret,id=virtio-disk4-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive 'file=rbd:pool/image:auth_supported=none:mon_host=mon1.example.org\:\
6321\;mon2.example.org\:6322\;mon3.example.org\:6322,\
-key-secret=virtio-disk4-luks-secret0,format=luks,if=none,\
+key-secret=virtio-disk4-encryption-secret0,format=luks,if=none,\
id=drive-virtio-disk4' \
-device virtio-blk-pci,bus=pci.0,addr=0x8,drive=drive-virtio-disk4,\
id=virtio-disk4 \
diff --git a/tests/qemuxml2argvdata/luks-disks.args
b/tests/qemuxml2argvdata/luks-disks.args
index db1ae45b60..47626966f2 100644
--- a/tests/qemuxml2argvdata/luks-disks.args
+++ b/tests/qemuxml2argvdata/luks-disks.args
@@ -27,18 +27,20 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
-no-shutdown \
-no-acpi \
-usb \
--object secret,id=virtio-disk0-luks-secret0,\
+-object secret,id=virtio-disk0-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk,\
-key-secret=virtio-disk0-luks-secret0,format=luks,if=none,id=drive-virtio-disk0 \
+key-secret=virtio-disk0-encryption-secret0,format=luks,if=none,\
+id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0,bootindex=1 \
--object secret,id=virtio-disk1-luks-secret0,\
+-object secret,id=virtio-disk1-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/storage/guest_disks/encryptdisk2,\
-key-secret=virtio-disk1-luks-secret0,format=luks,if=none,id=drive-virtio-disk1 \
+key-secret=virtio-disk1-encryption-secret0,format=luks,if=none,\
+id=drive-virtio-disk1 \
-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,\
id=virtio-disk1 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
diff --git a/tests/qemuxml2argvdata/user-aliases.args
b/tests/qemuxml2argvdata/user-aliases.args
index 54463386cd..88e540bc3c 100644
--- a/tests/qemuxml2argvdata/user-aliases.args
+++ b/tests/qemuxml2argvdata/user-aliases.args
@@ -48,11 +48,11 @@ id=drive-ua-myDisk1,cache=none \
id=drive-ua-myDisk2 \
-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-ua-myDisk2,id=ua-myDisk2,\
bootindex=1 \
--object secret,id=ua-myEncryptedDisk1-luks-secret0,\
+-object secret,id=ua-myEncryptedDisk1-encryption-secret0,\
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive file=/var/lib/libvirt/images/OtherDemo.img,encrypt.format=luks,\
-encrypt.key-secret=ua-myEncryptedDisk1-luks-secret0,format=qcow2,if=none,\
+encrypt.key-secret=ua-myEncryptedDisk1-encryption-secret0,format=qcow2,if=none,\
id=drive-ua-myEncryptedDisk1 \
-device virtio-blk-pci,bus=pci.0,addr=0x7,drive=drive-ua-myEncryptedDisk1,\
id=ua-myEncryptedDisk1 \
--
2.24.1
11:12 a.m.
New subject: [PATCH 11/30] qemuDomainSecretStorageSourcePrepare: Change aliases for disk secrets
On a Monday in 2020, Peter Krempa wrote:
Originally there was only the secret for authentication so we
didn't use
any suffix to tell it apart. With the introduction of encryption we
added a 'luks' suffix for the encryption secrets. Since encryption is
really generic and authentication is not the only secret modify the
aliases for the secrets to better describe what they are used for.
This is possible as we store the disk secrets in the status XML thus
only new machines will use the new secrets.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 4 +--
...-backing-chains-noindex.x86_64-2.12.0.args | 4 +--
...-backing-chains-noindex.x86_64-latest.args | 6 ++--
...sk-hostdev-scsi-virtio-iscsi-auth-AES.args | 6 ++--
.../disk-network-iscsi.x86_64-2.12.0.args | 12 +++----
.../disk-network-iscsi.x86_64-latest.args | 8 ++---
.../disk-network-rbd.x86_64-2.12.0.args | 4 +--
.../disk-network-rbd.x86_64-latest.args | 4 +--
...isk-network-source-auth.x86_64-2.12.0.args | 10 +++---
...isk-network-source-auth.x86_64-latest.args | 8 ++---
.../disk-nvme.x86_64-latest.args | 4 +--
.../encrypted-disk-usage.args | 4 +--
tests/qemuxml2argvdata/encrypted-disk.args | 4 +--
.../luks-disks-source-qcow2.args | 24 +++++++-------
...luks-disks-source-qcow2.x86_64-latest.args | 32 +++++++++----------
tests/qemuxml2argvdata/luks-disks-source.args | 26 ++++++++-------
tests/qemuxml2argvdata/luks-disks.args | 10 +++---
tests/qemuxml2argvdata/user-aliases.args | 4 +--
18 files changed, 90 insertions(+), 84 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 12/30] qemuDomainGetSecretAESAlias: Replace outstanding uses with qemuAliasForSecret
There are two last callers of this function. Replace them by
qemuAliasForSecret and delete qemuDomainGetSecretAESAlias.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_alias.c | 29 -----------------------------
src/qemu/qemu_alias.h | 3 ---
src/qemu/qemu_hotplug.c | 2 +-
src/qemu/qemu_migration_params.c | 2 +-
4 files changed, 2 insertions(+), 34 deletions(-)
diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c
index 2e466ff23f..b450bf0866 100644
--- a/src/qemu/qemu_alias.c
+++ b/src/qemu/qemu_alias.c
@@ -764,35 +764,6 @@ qemuDomainGetMasterKeyAlias(void)
}
-/* qemuDomainGetSecretAESAlias:
- * @srcalias: Source alias used to generate the secret alias
- * @isLuks: True when we are generating a secret for LUKS encrypt/decrypt
- *
- * Generate and return an alias for the encrypted secret
- *
- * Returns NULL or a string containing the alias
- */
-char *
-qemuDomainGetSecretAESAlias(const char *srcalias,
- bool isLuks)
-{
- char *alias;
-
- if (!srcalias) {
- virReportError(VIR_ERR_INVALID_ARG, "%s",
- _("encrypted secret alias requires valid source
alias"));
- return NULL;
- }
-
- if (isLuks)
- alias = g_strdup_printf("%s-luks-secret0", srcalias);
- else
- alias = g_strdup_printf("%s-secret0", srcalias);
-
- return alias;
-}
-
-
/* qemuAliasForSecret:
* @parentalias: alias of the parent object
* @obj: optional sub-object of the parent device the secret is for
diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h
index 645956d024..490aa568a9 100644
--- a/src/qemu/qemu_alias.h
+++ b/src/qemu/qemu_alias.h
@@ -83,9 +83,6 @@ char *qemuAliasFromHostdev(const virDomainHostdevDef *hostdev);
char *qemuDomainGetMasterKeyAlias(void);
-char *qemuDomainGetSecretAESAlias(const char *srcalias,
- bool isLuks);
-
char *qemuAliasForSecret(const char *parentalias,
const char *obj);
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index e804053933..47069be900 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1842,7 +1842,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriverPtr driver,
* secret UUID and we have a serial TCP chardev, then formulate a
* secAlias which we'll attempt to destroy. */
if (cfg->chardevTLSx509secretUUID &&
- !(secAlias = qemuDomainGetSecretAESAlias(inAlias, false)))
+ !(secAlias = qemuAliasForSecret(inAlias, NULL)))
return -1;
qemuDomainObjEnterMonitor(driver, vm);
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index f9bc43afee..6a2033b484 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1080,7 +1080,7 @@ qemuMigrationParamsResetTLS(virQEMUDriverPtr driver,
return;
tlsAlias = qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE);
- secAlias = qemuDomainGetSecretAESAlias(QEMU_MIGRATION_TLS_ALIAS_BASE, false);
+ secAlias = qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL);
qemuDomainDelTLSObjects(driver, vm, asyncJob, secAlias, tlsAlias);
g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo,
qemuDomainSecretInfoFree);
--
2.24.1
11:51 a.m.
New subject: [PATCH 12/30] qemuDomainGetSecretAESAlias: Replace outstanding uses with qemuAliasForSecret
On a Monday in 2020, Peter Krempa wrote:
There are two last callers of this function. Replace them by
qemuAliasForSecret and delete qemuDomainGetSecretAESAlias.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_alias.c | 29 -----------------------------
src/qemu/qemu_alias.h | 3 ---
src/qemu/qemu_hotplug.c | 2 +-
src/qemu/qemu_migration_params.c | 2 +-
4 files changed, 2 insertions(+), 34 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 13/30] conf: Add support for modifying ssl validation for https/ftps disks
To allow turning of verification of SSL cerificates add a new element
<ssl> to the disk source XML which will allow configuring the validation
process using the 'verify' attribute.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/formatdomain.html.in | 9 ++++
docs/schemas/domaincommon.rng | 51 ++++++++++++++++++-
src/conf/domain_conf.c | 18 +++++++
src/util/virstoragefile.c | 1 +
src/util/virstoragefile.h | 1 +
.../disk-network-http.xml | 9 ++++
6 files changed, 87 insertions(+), 2 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 7e7771725c..8f503f6967 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2857,6 +2857,7 @@
<driver name='qemu' type='raw'/>
<source protocol="https" name="url_path">
<host name="hostname" port="443"/>
+ <ssl verify="no"/>
</source>
<target dev='hdf' bus='ide' tray='open'/>
<readonly/>
@@ -3383,6 +3384,14 @@
The <code>offset</code> and <code>size</code> values
are in bytes.
<span class="since">Since 6.1.0</span>
</dd>
+ <dt><code>ssl</code></dt>
+ <dd>
+ For <code>https</code> and <code>ftps</code> accessed
storage it's
+ possible to tweak the SSL transport parameters with this element.
+ The <code>verify</code> attribute allows to turn on or of SSL
+ certificate validation. Supported values are <code>yes</code>
and
+ <code>no</code>. <span class="since">Since
6.1.0</span>
+ </dd>
</dl>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 529a98fc05..d179a25ee6 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1808,12 +1808,39 @@
</element>
</define>
+ <define name="diskSourceNetworkProtocolSSLVerify">
+ <element name="ssl">
+ <attribute name="verify">
+ <ref name="virYesNo"/>
+ </attribute>
+ <empty/>
+ </element>
+ </define>
+
+ <define name="diskSourceNetworkProtocolHTTPS">
+ <element name="source">
+ <attribute name="protocol">
+ <choice>
+ <value>https</value>
+ </choice>
+ </attribute>
+ <attribute name="name"/>
+ <ref name="diskSourceCommon"/>
+ <ref name="diskSourceNetworkHost"/>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
+ <optional>
+ <ref name="diskSourceNetworkProtocolSSLVerify"/>
+ </optional>
+ </element>
+ </define>
+
<define name="diskSourceNetworkProtocolHTTP">
<element name="source">
<attribute name="protocol">
<choice>
<value>http</value>
- <value>https</value>
</choice>
</attribute>
<attribute name="name"/>
@@ -1825,13 +1852,31 @@
</element>
</define>
+ <define name="diskSourceNetworkProtocolFTPS">
+ <element name="source">
+ <attribute name="protocol">
+ <choice>
+ <value>ftps</value>
+ </choice>
+ </attribute>
+ <attribute name="name"/>
+ <ref name="diskSourceCommon"/>
+ <ref name="diskSourceNetworkHost"/>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
+ <optional>
+ <ref name="diskSourceNetworkProtocolSSLVerify"/>
+ </optional>
+ </element>
+ </define>
+
<define name="diskSourceNetworkProtocolSimple">
<element name="source">
<attribute name="protocol">
<choice>
<value>sheepdog</value>
<value>ftp</value>
- <value>ftps</value>
<value>tftp</value>
</choice>
</attribute>
@@ -1909,6 +1954,8 @@
<ref name="diskSourceNetworkProtocolRBD"/>
<ref name="diskSourceNetworkProtocolISCSI"/>
<ref name="diskSourceNetworkProtocolHTTP"/>
+ <ref name="diskSourceNetworkProtocolHTTPS"/>
+ <ref name="diskSourceNetworkProtocolFTPS"/>
<ref name="diskSourceNetworkProtocolSimple"/>
<ref name="diskSourceNetworkProtocolVxHS"/>
</choice>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index d8471acd2d..dd3a3a1439 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -9350,6 +9350,7 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
g_autofree char *protocol = NULL;
g_autofree char *haveTLS = NULL;
g_autofree char *tlsCfg = NULL;
+ g_autofree char *sslverifystr = NULL;
if (!(protocol = virXMLPropString(node, "protocol"))) {
virReportError(VIR_ERR_XML_ERROR, "%s",
@@ -9422,6 +9423,19 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
virStorageSourceInitiatorParseXML(ctxt, &src->initiator);
+ if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) &&
+ (sslverifystr = virXPathString("string(./ssl/@verify)", ctxt))) {
+ int verify;
+ if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0) {
+ virReportError(VIR_ERR_XML_ERROR,
+ _("invalid ssl verify mode '%s'"),
sslverifystr);
+ return -1;
+ }
+
+ src->sslverify = verify;
+ }
+
return 0;
}
@@ -24531,6 +24545,10 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virStorageSourceInitiatorFormatXML(&src->initiator, childBuf);
+ if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT)
+ virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
+ virTristateBoolTypeToString(src->sslverify));
+
return 0;
}
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index b133cf17f1..ca91fc65ba 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2270,6 +2270,7 @@ virStorageSourceCopy(const virStorageSource *src,
def->cachemode = src->cachemode;
def->discard = src->discard;
def->detect_zeroes = src->detect_zeroes;
+ def->sslverify = src->sslverify;
/* storage driver metadata are not copied */
def->drv = NULL;
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index 9af7b4f226..49718b51d8 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -281,6 +281,7 @@ struct _virStorageSource {
virStorageEncryptionPtr encryption;
bool encryptionInherited;
virStoragePRDefPtr pr;
+ virTristateBool sslverify;
virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */
diff --git a/tests/genericxml2xmlindata/disk-network-http.xml
b/tests/genericxml2xmlindata/disk-network-http.xml
index fde1222fd0..bdcc1977f2 100644
--- a/tests/genericxml2xmlindata/disk-network-http.xml
+++ b/tests/genericxml2xmlindata/disk-network-http.xml
@@ -25,6 +25,7 @@
<driver name='qemu' type='raw'/>
<source protocol='https' name='test2.img'>
<host name='example.org' port='443'/>
+ <ssl verify='no'/>
</source>
<target dev='vdb' bus='virtio'/>
</disk>
@@ -35,6 +36,14 @@
</source>
<target dev='vdc' bus='virtio'/>
</disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='https' name='test4.img'>
+ <host name='example.org' port='1234'/>
+ <ssl verify='yes'/>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ </disk>
<controller type='usb' index='0'/>
<controller type='pci' index='0' model='pci-root'/>
<input type='mouse' bus='ps2'/>
--
2.24.1
11:57 a.m.
New subject: [PATCH 13/30] conf: Add support for modifying ssl validation for https/ftps disks
On a Monday in 2020, Peter Krempa wrote:
To allow turning of verification of SSL cerificates add a new element
turning off
<ssl> to the disk source XML which will allow configuring the
validation
process using the 'verify' attribute.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/formatdomain.html.in | 9 ++++
docs/schemas/domaincommon.rng | 51 ++++++++++++++++++-
src/conf/domain_conf.c | 18 +++++++
src/util/virstoragefile.c | 1 +
src/util/virstoragefile.h | 1 +
.../disk-network-http.xml | 9 ++++
6 files changed, 87 insertions(+), 2 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 7e7771725c..8f503f6967 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2857,6 +2857,7 @@
<driver name='qemu' type='raw'/>
<source protocol="https" name="url_path">
<host name="hostname" port="443"/>
+ <ssl verify="no"/>
</source>
<target dev='hdf' bus='ide' tray='open'/>
<readonly/>
@@ -3383,6 +3384,14 @@
The <code>offset</code> and <code>size</code> values
are in bytes.
<span class="since">Since 6.1.0</span>
</dd>
+ <dt><code>ssl</code></dt>
+ <dd>
+ For <code>https</code> and <code>ftps</code> accessed
storage it's
+ possible to tweak the SSL transport parameters with this element.
+ The <code>verify</code> attribute allows to turn on or of SSL
or off
+ certificate validation. Supported values are
<code>yes</code> and
+ <code>no</code>. <span class="since">Since
6.1.0</span>
6.2.0
+ </dd>
</dl>
<p>
@@ -24531,6 +24545,10 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virStorageSourceInitiatorFormatXML(&src->initiator, childBuf);
+ if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT)
+ virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
+ virTristateBoolTypeToString(src->sslverify));
+
Multi-line body without braces.
return 0;
}
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 14/30] conf: Add support for cookies for HTTP based disks
Add possibility to specify one or more cookies for http based disks.
This patch adds the config parser, storage and validation of the
cookies.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/formatdomain.html.in | 10 ++
docs/schemas/domaincommon.rng | 24 ++++
src/conf/domain_conf.c | 82 +++++++++++++
src/libvirt_private.syms | 1 +
src/util/virstoragefile.c | 115 ++++++++++++++++++
src/util/virstoragefile.h | 15 +++
.../disk-network-http.xml | 8 ++
7 files changed, 255 insertions(+)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 8f503f6967..dfea614907 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2849,6 +2849,9 @@
<driver name='qemu' type='raw'/>
<source protocol="http" name="url_path">
<host name="hostname" port="80"/>
+ <cookies>
+ <cookie name="test">somevalue</cookie>
+ </cookies>
</source>
<target dev='hde' bus='ide' tray='open'/>
<readonly/>
@@ -3392,6 +3395,13 @@
certificate validation. Supported values are <code>yes</code>
and
<code>no</code>. <span class="since">Since
6.1.0</span>
</dd>
+ <dt><code>cookies</code></dt>
+ <dd>
+ For <code>http</code> and <code>https</code> accessed
storage it's
+ possible to pass one or more cookies. The cookie name and value
+ must conform to the HTTP specification.
+ <span class="since">Since 6.2.0</span>
+ </dd>
</dl>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index d179a25ee6..85d6484dbd 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1817,6 +1817,24 @@
</element>
</define>
+ <define name="diskSourceNetworkProtocolHTTPCookies">
+ <element name="cookies">
+ <oneOrMore>
+ <element name="cookie">
+ <attribute name="name">
+ <data type="string">
+ <param
name="pattern">[!#$%&'*+\-.0-9A-Z\^_`a-z|~]+</param>
+ </data>
+ </attribute>
+ <data type="string">
+ <param
name="pattern">[!#$%&'()*+\-./0-9:>=<?@A-Z\^_`\[\]a-z|~]+</param>
+ </data>
+ </element>
+ </oneOrMore>
+ <empty/>
+ </element>
+ </define>
+
<define name="diskSourceNetworkProtocolHTTPS">
<element name="source">
<attribute name="protocol">
@@ -1833,6 +1851,9 @@
<optional>
<ref name="diskSourceNetworkProtocolSSLVerify"/>
</optional>
+ <optional>
+ <ref name="diskSourceNetworkProtocolHTTPCookies"/>
+ </optional>
</element>
</define>
@@ -1849,6 +1870,9 @@
<optional>
<ref name="encryption"/>
</optional>
+ <optional>
+ <ref name="diskSourceNetworkProtocolHTTPCookies"/>
+ </optional>
</element>
</define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index dd3a3a1439..dc7a47dd21 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -9340,6 +9340,62 @@ virDomainDiskSourcePoolDefParse(xmlNodePtr node,
}
+static virStorageNetCookieDefPtr
+virDomainStorageCookieParse(xmlNodePtr node,
+ xmlXPathContextPtr ctxt)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ g_autoptr(virStorageNetCookieDef) cookie = NULL;
+
+ ctxt->node = node;
+
+ cookie = g_new0(virStorageNetCookieDef, 1);
+
+ if (!(cookie->name = virXPathString("string(./@name)", ctxt))) {
+ virReportError(VIR_ERR_XML_ERROR, "%s", _("missing cookie
name"));
+ return NULL;
+ }
+
+ if (!(cookie->value = virXPathString("string(.)", ctxt))) {
+ virReportError(VIR_ERR_XML_ERROR, _("missing value for cookie
'%s'"),
+ cookie->name);
+ return NULL;
+ }
+
+ return g_steal_pointer(&cookie);
+}
+
+
+static int
+virDomainStorageCookiesParse(xmlNodePtr node,
+ xmlXPathContextPtr ctxt,
+ virStorageSourcePtr src)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ g_autofree xmlNodePtr *nodes = NULL;
+ ssize_t nnodes;
+ size_t i;
+
+ ctxt->node = node;
+
+ if ((nnodes = virXPathNodeSet("./cookie", ctxt, &nodes)) < 0)
+ return -1;
+
+ src->cookies = g_new0(virStorageNetCookieDefPtr, nnodes);
+ src->ncookies = nnodes;
+
+ for (i = 0; i < nnodes; i++) {
+ if (!(src->cookies[i] = virDomainStorageCookieParse(nodes[i], ctxt)))
+ return -1;
+ }
+
+ if (virStorageSourceNetCookiesValidate(src) < 0)
+ return -1;
+
+ return 0;
+}
+
+
static int
virDomainDiskSourceNetworkParse(xmlNodePtr node,
xmlXPathContextPtr ctxt,
@@ -9351,6 +9407,7 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
g_autofree char *haveTLS = NULL;
g_autofree char *tlsCfg = NULL;
g_autofree char *sslverifystr = NULL;
+ xmlNodePtr tmpnode;
if (!(protocol = virXMLPropString(node, "protocol"))) {
virReportError(VIR_ERR_XML_ERROR, "%s",
@@ -9436,6 +9493,13 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
src->sslverify = verify;
}
+ if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTP ||
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS) &&
+ (tmpnode = virXPathNode("./cookies", ctxt))) {
+ if (virDomainStorageCookiesParse(tmpnode, ctxt, src) < 0)
+ return -1;
+ }
+
return 0;
}
@@ -24500,6 +24564,22 @@ virDomainSourceDefFormatSeclabel(virBufferPtr buf,
}
+static void
+virDomainDiskSourceFormatNetworkCookies(virBufferPtr buf,
+ virStorageSourcePtr src)
+{
+ g_auto(virBuffer) childBuf = VIR_BUFFER_INIT_CHILD(buf);
+ size_t i;
+
+ for (i = 0; i < src->ncookies; i++) {
+ virBufferEscapeString(&childBuf, "<cookie
name='%s'>", src->cookies[i]->name);
+ virBufferEscapeString(&childBuf, "%s</cookie>\n",
src->cookies[i]->value);
+ }
+
+ virXMLFormatElement(buf, "cookies", NULL, &childBuf);
+}
+
+
static int
virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virBufferPtr childBuf,
@@ -24549,6 +24629,8 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
virTristateBoolTypeToString(src->sslverify));
+ virDomainDiskSourceFormatNetworkCookies(childBuf, src);
+
return 0;
}
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 511fb88872..73db753652 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -3143,6 +3143,7 @@ virStorageSourceIsEmpty;
virStorageSourceIsLocalStorage;
virStorageSourceIsRelative;
virStorageSourceIsSameLocation;
+virStorageSourceNetCookiesValidate;
virStorageSourceNetworkAssignDefaultPorts;
virStorageSourceNew;
virStorageSourceNewFromBacking;
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index ca91fc65ba..fb5fff5c5f 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2157,6 +2157,118 @@ virStorageSourceSeclabelsCopy(virStorageSourcePtr to,
}
+void
+virStorageNetCookieDefFree(virStorageNetCookieDefPtr def)
+{
+ if (!def)
+ return;
+
+ g_free(def->name);
+ g_free(def->value);
+
+ g_free(def);
+}
+
+
+static void
+virStorageSourceCookiesClear(virStorageSourcePtr src)
+{
+ size_t i;
+
+ if (!src || !src->cookies)
+ return;
+
+ for (i = 0; i < src->ncookies; i++)
+ virStorageNetCookieDefFree(src->cookies[i]);
+
+ g_clear_pointer(&src->cookies, g_free);
+ src->ncookies = 0;
+}
+
+
+static void
+virStorageSourceNetCookiesCopy(virStorageSourcePtr to,
+ const virStorageSource *from)
+{
+ size_t i;
+
+ if (from->ncookies == 0)
+ return;
+
+ to->cookies = g_new0(virStorageNetCookieDefPtr, from->ncookies);
+ to->ncookies = from->ncookies;
+
+ for (i = 0; i < from->ncookies; i++) {
+ to->cookies[i]->name = g_strdup(from->cookies[i]->name);
+ to->cookies[i]->value = g_strdup(from->cookies[i]->value);
+ }
+}
+
+
+/* see https://tools.ietf.org/html/rfc6265#section-4.1.1 */
+static const char virStorageSourceCookieValueInvalidChars[] =
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
+ "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F"
+ " \",;\\";
+
+/* in addition cookie name can't contain these */
+static const char virStorageSourceCookieNameInvalidChars[] =
+ "()<>@:/[]?={}";
+
+static int
+virStorageSourceNetCookieValidate(virStorageNetCookieDefPtr def)
+{
+ /* name must have at least 1 character */
+ if (*(def->name) == '\0') {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("cookie name must not be empty"));
+ return -1;
+ }
+
+ /* check invalid characters in name */
+ if (virStringHasChars(def->name, virStorageSourceCookieValueInvalidChars) ||
+ virStringHasChars(def->name, virStorageSourceCookieNameInvalidChars)) {
+ virReportError(VIR_ERR_XML_ERROR,
+ _("cookie name '%s' contains invalid
characters"),
+ def->name);
+ return -1;
+ }
+
+ /* check invalid characters in value */
+ if (virStringHasChars(def->value, virStorageSourceCookieValueInvalidChars)) {
+ virReportError(VIR_ERR_XML_ERROR,
+ _("value of cookie '%s' contains invalid
characters"),
+ def->name);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+int
+virStorageSourceNetCookiesValidate(virStorageSourcePtr src)
+{
+ size_t i;
+ size_t j;
+
+ for (i = 0; i < src->ncookies; i++) {
+ if (virStorageSourceNetCookieValidate(src->cookies[i]) < 0)
+ return -1;
+
+ for (j = i + 1; j < src->ncookies; j++) {
+ if (STREQ(src->cookies[i]->name, src->cookies[j]->name)) {
+ virReportError(VIR_ERR_XML_ERROR, _("duplicate cookie
'%s'"),
+ src->cookies[i]->name);
+ return -1;
+ }
+ }
+ }
+
+ return 0;
+}
+
+
static virStorageTimestampsPtr
virStorageTimestampsCopy(const virStorageTimestamps *src)
{
@@ -2299,6 +2411,8 @@ virStorageSourceCopy(const virStorageSource *src,
def->nhosts = src->nhosts;
}
+ virStorageSourceNetCookiesCopy(def, src);
+
if (src->srcpool &&
!(def->srcpool = virStorageSourcePoolDefCopy(src->srcpool)))
return NULL;
@@ -2560,6 +2674,7 @@ virStorageSourceClear(virStorageSourcePtr def)
VIR_FREE(def->volume);
VIR_FREE(def->snapshot);
VIR_FREE(def->configFile);
+ virStorageSourceCookiesClear(def);
virStorageSourcePoolDefFree(def->srcpool);
virBitmapFree(def->features);
VIR_FREE(def->compat);
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index 49718b51d8..95d9501dd8 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -161,6 +161,17 @@ struct _virStorageNetHostDef {
char *socket; /* path to unix socket */
};
+typedef struct _virStorageNetCookieDef virStorageNetCookieDef;
+typedef virStorageNetCookieDef *virStorageNetCookieDefPtr;
+struct _virStorageNetCookieDef {
+ char *name;
+ char *value;
+};
+
+void virStorageNetCookieDefFree(virStorageNetCookieDefPtr def);
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(virStorageNetCookieDef, virStorageNetCookieDefFree);
+
/* Information for a storage volume from a virStoragePool */
/*
@@ -275,6 +286,8 @@ struct _virStorageSource {
the source definition */
size_t nhosts;
virStorageNetHostDefPtr hosts;
+ size_t ncookies;
+ virStorageNetCookieDefPtr *cookies;
virStorageSourcePoolDefPtr srcpool;
virStorageAuthDefPtr auth;
bool authInherited;
@@ -476,6 +489,8 @@ int virStorageSourceUpdateCapacity(virStorageSourcePtr src,
int virStorageSourceNewFromBacking(virStorageSourcePtr parent,
virStorageSourcePtr *backing);
+int virStorageSourceNetCookiesValidate(virStorageSourcePtr src);
+
virStorageSourcePtr virStorageSourceCopy(const virStorageSource *src,
bool backingChain)
ATTRIBUTE_NONNULL(1);
diff --git a/tests/genericxml2xmlindata/disk-network-http.xml
b/tests/genericxml2xmlindata/disk-network-http.xml
index bdcc1977f2..bafb77c8ec 100644
--- a/tests/genericxml2xmlindata/disk-network-http.xml
+++ b/tests/genericxml2xmlindata/disk-network-http.xml
@@ -33,6 +33,10 @@
<driver name='qemu' type='raw'/>
<source protocol='http' name='test3.img'>
<host name='example.org' port='1234'/>
+ <cookies>
+ <cookie name='test'>testcookievalue</cookie>
+ <cookie name='test2'>blurb</cookie>
+ </cookies>
</source>
<target dev='vdc' bus='virtio'/>
</disk>
@@ -41,6 +45,10 @@
<source protocol='https' name='test4.img'>
<host name='example.org' port='1234'/>
<ssl verify='yes'/>
+ <cookies>
+ <cookie name='test'>testcookievalue</cookie>
+ <cookie name='test2'>blurb</cookie>
+ </cookies>
</source>
<target dev='vdd' bus='virtio'/>
</disk>
--
2.24.1
12:11 p.m.
New subject: [PATCH 14/30] conf: Add support for cookies for HTTP based disks
On a Monday in 2020, Peter Krempa wrote:
Add possibility to specify one or more cookies for http based disks.
This patch adds the config parser, storage and validation of the
cookies.
Cookies are delicious delicacies.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/formatdomain.html.in | 10 ++
docs/schemas/domaincommon.rng | 24 ++++
src/conf/domain_conf.c | 82 +++++++++++++
src/libvirt_private.syms | 1 +
src/util/virstoragefile.c | 115 ++++++++++++++++++
src/util/virstoragefile.h | 15 +++
.../disk-network-http.xml | 8 ++
7 files changed, 255 insertions(+)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index dd3a3a1439..dc7a47dd21 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -9340,6 +9340,62 @@ virDomainDiskSourcePoolDefParse(xmlNodePtr node,
}
+static virStorageNetCookieDefPtr
You have Net in the type name
+virDomainStorageCookieParse(xmlNodePtr node,
no Net in this function name
+ xmlXPathContextPtr ctxt)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ g_autoptr(virStorageNetCookieDef) cookie = NULL;
+
+ ctxt->node = node;
+
+ cookie = g_new0(virStorageNetCookieDef, 1);
+
+ if (!(cookie->name = virXPathString("string(./@name)", ctxt))) {
+ virReportError(VIR_ERR_XML_ERROR, "%s", _("missing cookie
name"));
+ return NULL;
+ }
+
+ if (!(cookie->value = virXPathString("string(.)", ctxt))) {
+ virReportError(VIR_ERR_XML_ERROR, _("missing value for cookie
'%s'"),
+ cookie->name);
+ return NULL;
+ }
+
+ return g_steal_pointer(&cookie);
+}
+
+
+static int
+virDomainStorageCookiesParse(xmlNodePtr node,
no Net here either
+ xmlXPathContextPtr ctxt,
+ virStorageSourcePtr src)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ g_autofree xmlNodePtr *nodes = NULL;
+ ssize_t nnodes;
+ size_t i;
+
+ ctxt->node = node;
+
+ if ((nnodes = virXPathNodeSet("./cookie", ctxt, &nodes)) < 0)
+ return -1;
+
+ src->cookies = g_new0(virStorageNetCookieDefPtr, nnodes);
+ src->ncookies = nnodes;
+
+ for (i = 0; i < nnodes; i++) {
+ if (!(src->cookies[i] = virDomainStorageCookieParse(nodes[i], ctxt)))
+ return -1;
+ }
+
+ if (virStorageSourceNetCookiesValidate(src) < 0)
+ return -1;
+
+ return 0;
+}
+
+
static int
virDomainDiskSourceNetworkParse(xmlNodePtr node,
xmlXPathContextPtr ctxt,
@@ -24500,6 +24564,22 @@ virDomainSourceDefFormatSeclabel(virBufferPtr buf,
}
+static void
+virDomainDiskSourceFormatNetworkCookies(virBufferPtr buf,
Network here for a change
+ virStorageSourcePtr src)
+{
+ g_auto(virBuffer) childBuf = VIR_BUFFER_INIT_CHILD(buf);
+ size_t i;
+
+ for (i = 0; i < src->ncookies; i++) {
+ virBufferEscapeString(&childBuf, "<cookie
name='%s'>", src->cookies[i]->name);
+ virBufferEscapeString(&childBuf, "%s</cookie>\n",
src->cookies[i]->value);
+ }
+
+ virXMLFormatElement(buf, "cookies", NULL, &childBuf);
+}
+
+
static int
virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virBufferPtr childBuf,
@@ -24549,6 +24629,8 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
virTristateBoolTypeToString(src->sslverify));
+ virDomainDiskSourceFormatNetworkCookies(childBuf, src);
+
return 0;
}
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 511fb88872..73db753652 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -3143,6 +3143,7 @@ virStorageSourceIsEmpty;
virStorageSourceIsLocalStorage;
virStorageSourceIsRelative;
virStorageSourceIsSameLocation;
+virStorageSourceNetCookiesValidate;
virStorageSourceNetworkAssignDefaultPorts;
virStorageSourceNew;
virStorageSourceNewFromBacking;
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index ca91fc65ba..fb5fff5c5f 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2157,6 +2157,118 @@ virStorageSourceSeclabelsCopy(virStorageSourcePtr to,
}
+void
+virStorageNetCookieDefFree(virStorageNetCookieDefPtr def)
+{
+ if (!def)
+ return;
+
+ g_free(def->name);
+ g_free(def->value);
+
+ g_free(def);
+}
+
+
+static void
+virStorageSourceCookiesClear(virStorageSourcePtr src)
no Net here
+{
+ size_t i;
+
+ if (!src || !src->cookies)
+ return;
+
+ for (i = 0; i < src->ncookies; i++)
+ virStorageNetCookieDefFree(src->cookies[i]);
+
+ g_clear_pointer(&src->cookies, g_free);
+ src->ncookies = 0;
+}
+
+
+static void
+virStorageSourceNetCookiesCopy(virStorageSourcePtr to,
+ const virStorageSource *from)
+{
+ size_t i;
+
+ if (from->ncookies == 0)
+ return;
+
+ to->cookies = g_new0(virStorageNetCookieDefPtr, from->ncookies);
+ to->ncookies = from->ncookies;
+
+ for (i = 0; i < from->ncookies; i++) {
+ to->cookies[i]->name = g_strdup(from->cookies[i]->name);
+ to->cookies[i]->value = g_strdup(from->cookies[i]->value);
+ }
+}
+
+
Consider using 'Net' at least for those identifiers that do not have
'Network' in them.
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 15/30] conf: Add support for setting timeout and readahead size for network disks
Some disk backends support configuring the readahead buffer or timeout
for requests. Add the knobs to the XML.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/formatdomain.html.in | 16 +++++++++++++
docs/schemas/domaincommon.rng | 23 +++++++++++++++++++
src/conf/domain_conf.c | 19 +++++++++++++++
src/util/virstoragefile.c | 2 ++
src/util/virstoragefile.h | 3 +++
.../disk-network-http.xml | 2 ++
6 files changed, 65 insertions(+)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index dfea614907..79cf82522f 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2852,6 +2852,8 @@
<cookies>
<cookie name="test">somevalue</cookie>
</cookies>
+ <readahead size='65536'/>
+ <timeout seconds='6'/>
</source>
<target dev='hde' bus='ide' tray='open'/>
<readonly/>
@@ -3402,6 +3404,20 @@
must conform to the HTTP specification.
<span class="since">Since 6.2.0</span>
</dd>
+ <dt><code>readahead</code></dt>
+ <dd>
+ Specifies the size of the readahead buffer for protocols
+ which support it. (all 'curl' based drivers in qemu). The size
+ is in bytes. Note that '0' is considered as if the value is not
+ provided.
+ <span class="since">Since 6.2.0</span>
+ </dd>
+ <dt><code>timeout</code></dt>
+ <dd>
+ Specifies the connection timeout for protocols which support it.
+ Note that '0' is considered as if the value is not provided.
+ <span class="since">Since 6.2.0</span>
+ </dd>
</dl>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 85d6484dbd..6805420451 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1808,6 +1808,25 @@
</element>
</define>
+ <define name="diskSourceNetworkProtocolPropsCommon">
+ <optional>
+ <element name="readahead">
+ <attribute name="size">
+ <ref name="positiveInteger"/>
+ </attribute>
+ <empty/>
+ </element>
+ </optional>
+ <optional>
+ <element name="timeout">
+ <attribute name="seconds">
+ <ref name="positiveInteger"/>
+ </attribute>
+ <empty/>
+ </element>
+ </optional>
+ </define>
+
<define name="diskSourceNetworkProtocolSSLVerify">
<element name="ssl">
<attribute name="verify">
@@ -1854,6 +1873,7 @@
<optional>
<ref name="diskSourceNetworkProtocolHTTPCookies"/>
</optional>
+ <ref name="diskSourceNetworkProtocolPropsCommon"/>
</element>
</define>
@@ -1873,6 +1893,7 @@
<optional>
<ref name="diskSourceNetworkProtocolHTTPCookies"/>
</optional>
+ <ref name="diskSourceNetworkProtocolPropsCommon"/>
</element>
</define>
@@ -1892,6 +1913,7 @@
<optional>
<ref name="diskSourceNetworkProtocolSSLVerify"/>
</optional>
+ <ref name="diskSourceNetworkProtocolPropsCommon"/>
</element>
</define>
@@ -1910,6 +1932,7 @@
<optional>
<ref name="encryption"/>
</optional>
+ <ref name="diskSourceNetworkProtocolPropsCommon"/>
</element>
</define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index dc7a47dd21..81352c7b5d 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -9500,6 +9500,19 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
return -1;
}
+ if (src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTP ||
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_FTP ||
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) {
+
+ if (virXPathULongLong("string(./readahead/@size)", ctxt,
&src->readahead) == -2 ||
+ virXPathULongLong("string(./timeout/@seconds)", ctxt,
&src->timeout) == -2) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("invalid readahead size or timeout"));
+ return -1;
+ }
+ }
+
return 0;
}
@@ -24631,6 +24644,12 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virDomainDiskSourceFormatNetworkCookies(childBuf, src);
+ if (src->readahead)
+ virBufferAsprintf(childBuf, "<readahead size='%llu'/>\n",
src->readahead);
+
+ if (src->timeout)
+ virBufferAsprintf(childBuf, "<timeout
seconds='%llu'/>\n", src->timeout);
+
return 0;
}
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index fb5fff5c5f..9e740419eb 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2383,6 +2383,8 @@ virStorageSourceCopy(const virStorageSource *src,
def->discard = src->discard;
def->detect_zeroes = src->detect_zeroes;
def->sslverify = src->sslverify;
+ def->readahead = src->readahead;
+ def->timeout = src->timeout;
/* storage driver metadata are not copied */
def->drv = NULL;
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index 95d9501dd8..dd2186c4ff 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -295,6 +295,9 @@ struct _virStorageSource {
bool encryptionInherited;
virStoragePRDefPtr pr;
virTristateBool sslverify;
+ /* both values below have 0 as default value */
+ unsigned long long readahead; /* size of the readahead buffer in bytes */
+ unsigned long long timeout; /* connection timeout in seconds */
virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */
diff --git a/tests/genericxml2xmlindata/disk-network-http.xml
b/tests/genericxml2xmlindata/disk-network-http.xml
index bafb77c8ec..a8430b8365 100644
--- a/tests/genericxml2xmlindata/disk-network-http.xml
+++ b/tests/genericxml2xmlindata/disk-network-http.xml
@@ -49,6 +49,8 @@
<cookie name='test'>testcookievalue</cookie>
<cookie name='test2'>blurb</cookie>
</cookies>
+ <readahead size='65536'/>
+ <timeout seconds='10'/>
</source>
<target dev='vdd' bus='virtio'/>
</disk>
--
2.24.1
12:27 a.m.
New subject: [PATCH 15/30] conf: Add support for setting timeout and readahead size for network disks
On a Monday in 2020, Peter Krempa wrote:
Some disk backends support configuring the readahead buffer or
timeout
for requests. Add the knobs to the XML.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/formatdomain.html.in | 16 +++++++++++++
docs/schemas/domaincommon.rng | 23 +++++++++++++++++++
src/conf/domain_conf.c | 19 +++++++++++++++
src/util/virstoragefile.c | 2 ++
src/util/virstoragefile.h | 3 +++
.../disk-network-http.xml | 2 ++
6 files changed, 65 insertions(+)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 16/30] qemuDomainValidateStorageSource: Validate new network storage parameters
Ensure that the new fields are allowed only when -blockdev is used or
when they are in the detected part of the backing chain where qemu will
handle them internally.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 55 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 1d551f248f..e7aaded4d5 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -6881,6 +6881,61 @@ qemuDomainValidateStorageSource(virStorageSourcePtr src,
}
}
+ if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT) {
+ if (actualType != VIR_STORAGE_TYPE_NETWORK ||
+ (src->protocol != VIR_STORAGE_NET_PROTOCOL_HTTPS &&
+ src->protocol != VIR_STORAGE_NET_PROTOCOL_FTPS)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("ssl verification is supported only with HTTPS/FTPS
protocol"));
+ return -1;
+ }
+
+ if (!src->detected &&
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_BLOCKDEV)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("ssl verification setting is not supported by this QEMU
binary"));
+ return -1;
+ }
+ }
+
+ if (src->ncookies > 0) {
+ if (actualType != VIR_STORAGE_TYPE_NETWORK ||
+ (src->protocol != VIR_STORAGE_NET_PROTOCOL_HTTPS &&
+ src->protocol != VIR_STORAGE_NET_PROTOCOL_HTTP)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("http cookies are supported only with HTTP(S)
protocol"));
+ return -1;
+ }
+
+ if (!src->detected &&
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_BLOCKDEV)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("http cookies are not supported by this QEMU
binary"));
+ return -1;
+ }
+
+ if (virStorageSourceNetCookiesValidate(src) < 0)
+ return -1;
+ }
+
+ if (src->readahead > 0) {
+ if (!src->detected &&
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_BLOCKDEV)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("readahead setting is not supported by this QEMU
binary"));
+ return -1;
+ }
+ }
+
+ if (src->timeout > 0) {
+ if (!src->detected &&
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_BLOCKDEV)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("timeout setting is not supported by this QEMU
binary"));
+ return -1;
+ }
+ }
+
return 0;
}
--
2.24.1
12:41 a.m.
New subject: [PATCH 16/30] qemuDomainValidateStorageSource: Validate new network storage parameters
On a Monday in 2020, Peter Krempa wrote:
Ensure that the new fields are allowed only when -blockdev is used or
when they are in the detected part of the backing chain where qemu will
handle them internally.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 55 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 1d551f248f..e7aaded4d5 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
+
+ if (src->readahead > 0) {
+ if (!src->detected &&
Is this supported for non-network sources?
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_BLOCKDEV)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("readahead setting is not supported by this QEMU
binary"));
Either way - readahead in QEMU's curl backend seems to be there for a
long time now. "supported with this QEMU binary" would be more accurate
phrasing
+ return -1;
+ }
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 17/30] qemuxml2argvtest: Add test case for disks with http(s) source
Upcoming patches will implement the support for sslverify, cookies,
readahead, and timeout properties. Add a test file which will collect
the cases.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
.../disk-network-http.x86_64-latest.args | 57 +++++++++++++++++++
tests/qemuxml2argvdata/disk-network-http.xml | 50 ++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
3 files changed, 108 insertions(+)
create mode 100644 tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-http.xml
diff --git a/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
new file mode 100644
index 0000000000..61daecf6f1
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
@@ -0,0 +1,57 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-x86_64 \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
+-machine pc,accel=kvm,usb=off,dump-guest-core=off \
+-cpu qemu64 \
+-m 214 \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
+-blockdev
'{"driver":"http","url":"http://example.org:80/test.img",\
+"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-4-format","read-only":false,"driver":"raw",\
+"file":"libvirt-4-storage"}' \
+-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x2,drive=libvirt-4-format,\
+id=virtio-disk0,bootindex=1 \
+-blockdev
'{"driver":"https","url":"https://example.org:443/test2.img",\
+"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-3-format","read-only":false,"driver":"raw",\
+"file":"libvirt-3-storage"}' \
+-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x3,drive=libvirt-3-format,\
+id=virtio-disk1 \
+-blockdev
'{"driver":"http","url":"http://example.org:1234/test3.img",\
+"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-2-format","read-only":false,"driver":"raw",\
+"file":"libvirt-2-storage"}' \
+-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=libvirt-2-format,\
+id=virtio-disk2 \
+-blockdev
'{"driver":"https","url":"https://example.org:1234/test4.img",\
+"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw",\
+"file":"libvirt-1-storage"}' \
+-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=libvirt-1-format,\
+id=virtio-disk3 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/disk-network-http.xml
b/tests/qemuxml2argvdata/disk-network-http.xml
new file mode 100644
index 0000000000..83a9865c83
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-http.xml
@@ -0,0 +1,50 @@
+<domain type='kvm'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='http' name='test.img'>
+ <host name='example.org'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='https' name='test2.img'>
+ <host name='example.org'/>
+ </source>
+ <target dev='vdb' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='http' name='test3.img'>
+ <host name='example.org' port='1234'/>
+ </source>
+ <target dev='vdc' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='https' name='test4.img'>
+ <host name='example.org' port='1234'/>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 35d413d40b..e81d1d7fa1 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1092,6 +1092,7 @@ mymain(void)
QEMU_CAPS_OBJECT_TLS_CREDS_X509, QEMU_CAPS_NBD_TLS);
DO_TEST_CAPS_VER("disk-network-tlsx509", "2.12.0");
DO_TEST_CAPS_LATEST("disk-network-tlsx509");
+ DO_TEST_CAPS_LATEST("disk-network-http");
driver.config->vxhsTLS = 0;
VIR_FREE(driver.config->vxhsTLSx509certdir);
DO_TEST("disk-no-boot", NONE);
--
2.24.1
12:42 a.m.
New subject: [PATCH 17/30] qemuxml2argvtest: Add test case for disks with http(s) source
On a Monday in 2020, Peter Krempa wrote:
Upcoming patches will implement the support for sslverify, cookies,
readahead, and timeout properties. Add a test file which will collect
the cases.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
.../disk-network-http.x86_64-latest.args | 57 +++++++++++++++++++
tests/qemuxml2argvdata/disk-network-http.xml | 50 ++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
3 files changed, 108 insertions(+)
create mode 100644 tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-http.xml
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 18/30] qemu: block: Implement ssl verification configuration
Allow disabling of SSL certificate validation for HTTPS and FTPS drives
in qemu.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 1 +
tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args | 3 ++-
tests/qemuxml2argvdata/disk-network-http.xml | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 0357815b07..6bfd46a489 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -713,6 +713,7 @@ qemuBlockStorageSourceGetCURLProps(virStorageSourcePtr src,
"s:url", uristr,
"S:username", username,
"S:password-secret", passwordalias,
+ "T:sslverify", src->sslverify,
NULL));
return ret;
diff --git a/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
index 61daecf6f1..a700c26bf6 100644
--- a/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
@@ -47,7 +47,8 @@ id=virtio-disk1 \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=libvirt-2-format,\
id=virtio-disk2 \
-blockdev
'{"driver":"https","url":"https://example.org:1234/test4.img",\
-"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
+"sslverify":false,"node-name":"libvirt-1-storage","auto-read-only":true,\
+"discard":"unmap"}' \
-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw",\
"file":"libvirt-1-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=libvirt-1-format,\
diff --git a/tests/qemuxml2argvdata/disk-network-http.xml
b/tests/qemuxml2argvdata/disk-network-http.xml
index 83a9865c83..8c475aec1d 100644
--- a/tests/qemuxml2argvdata/disk-network-http.xml
+++ b/tests/qemuxml2argvdata/disk-network-http.xml
@@ -38,6 +38,7 @@
<driver name='qemu' type='raw'/>
<source protocol='https' name='test4.img'>
<host name='example.org' port='1234'/>
+ <ssl verify='no'/>
</source>
<target dev='vdd' bus='virtio'/>
</disk>
--
2.24.1
12:43 a.m.
New subject: [PATCH 18/30] qemu: block: Implement ssl verification configuration
On a Monday in 2020, Peter Krempa wrote:
Allow disabling of SSL certificate validation for HTTPS and FTPS
drives
in qemu.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 1 +
tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args | 3 ++-
tests/qemuxml2argvdata/disk-network-http.xml | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:22 a.m.
New subject: [PATCH 19/30] qemu: domain: Store data for 'secret' object representing http cookies
The http cookies can have potentially sensitive values and thus should
not be leaked into the command line. This means that we'll need to
instantiate a 'secret' object in qemu to pass the value encrypted.
This patch adds infrastructure for storing of the alias in the status
XML.t
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 8 +++++++-
src/qemu/qemu_domain.h | 3 +++
tests/qemustatusxml2xmldata/modern-in.xml | 1 +
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index e7aaded4d5..b36ff434f3 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -2314,6 +2314,7 @@ qemuStorageSourcePrivateDataParse(xmlXPathContextPtr ctxt,
qemuDomainStorageSourcePrivatePtr priv;
g_autofree char *authalias = NULL;
g_autofree char *encalias = NULL;
+ g_autofree char *httpcookiealias = NULL;
src->nodestorage =
virXPathString("string(./nodenames/nodename[@type='storage']/@name)",
ctxt);
src->nodeformat =
virXPathString("string(./nodenames/nodename[@type='format']/@name)",
ctxt);
@@ -2327,8 +2328,9 @@ qemuStorageSourcePrivateDataParse(xmlXPathContextPtr ctxt,
authalias =
virXPathString("string(./objects/secret[@type='auth']/@alias)", ctxt);
encalias =
virXPathString("string(./objects/secret[@type='encryption']/@alias)",
ctxt);
+ httpcookiealias =
virXPathString("string(./objects/secret[@type='httpcookie']/@alias)",
ctxt);
- if (authalias || encalias) {
+ if (authalias || encalias || httpcookiealias) {
if (!src->privateData &&
!(src->privateData = qemuDomainStorageSourcePrivateNew()))
return -1;
@@ -2340,6 +2342,9 @@ qemuStorageSourcePrivateDataParse(xmlXPathContextPtr ctxt,
if (qemuStorageSourcePrivateDataAssignSecinfo(&priv->encinfo,
&encalias) < 0)
return -1;
+
+ if (qemuStorageSourcePrivateDataAssignSecinfo(&priv->httpcookie,
&httpcookiealias) < 0)
+ return -1;
}
if (virStorageSourcePrivateDataParseRelPath(ctxt, src) < 0)
@@ -2390,6 +2395,7 @@ qemuStorageSourcePrivateDataFormat(virStorageSourcePtr src,
if (srcPriv) {
qemuStorageSourcePrivateDataFormatSecinfo(&tmp, srcPriv->secinfo,
"auth");
qemuStorageSourcePrivateDataFormatSecinfo(&tmp, srcPriv->encinfo,
"encryption");
+ qemuStorageSourcePrivateDataFormatSecinfo(&tmp, srcPriv->httpcookie,
"httpcookie");
}
if (src->tlsAlias)
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 202b85e39a..4e59f316fa 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -460,6 +460,9 @@ struct _qemuDomainStorageSourcePrivate {
/* data required for decryption of encrypted storage source */
qemuDomainSecretInfoPtr encinfo;
+
+ /* secure passthrough of the http cookie */
+ qemuDomainSecretInfoPtr httpcookie;
};
virObjectPtr qemuDomainStorageSourcePrivateNew(void);
diff --git a/tests/qemustatusxml2xmldata/modern-in.xml
b/tests/qemustatusxml2xmldata/modern-in.xml
index c8d21ceada..cb56cdcef9 100644
--- a/tests/qemustatusxml2xmldata/modern-in.xml
+++ b/tests/qemustatusxml2xmldata/modern-in.xml
@@ -332,6 +332,7 @@
<objects>
<secret type='auth' alias='test-auth-alias'/>
<secret type='encryption'
alias='test-encryption-alias'/>
+ <secret type='httpcookie'
alias='http-cookie-alias'/>
<TLSx509 alias='transport-alias'/>
</objects>
</privateData>
--
2.24.1
12:46 a.m.
New subject: [PATCH 19/30] qemu: domain: Store data for 'secret' object representing http cookies
On a Monday in 2020, Peter Krempa wrote:
The http cookies can have potentially sensitive values and thus
should
not be leaked into the command line. This means that we'll need to
instantiate a 'secret' object in qemu to pass the value encrypted.
This patch adds infrastructure for storing of the alias in the status
XML.t
t
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 8 +++++++-
src/qemu/qemu_domain.h | 3 +++
tests/qemustatusxml2xmldata/modern-in.xml | 1 +
3 files changed, 11 insertions(+), 1 deletion(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 20/30] qemuDomainSecretStorageSourcePrepare: Setup secret for http cookies
QEMU's curl driver requires the cookes concatenated and allows them
passed in via a secret. Prepare the value for the secret and encrypt it.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index b36ff434f3..5c8fc83417 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1727,6 +1727,30 @@ qemuDomainDiskHasEncryptionSecret(virStorageSourcePtr src)
}
+static qemuDomainSecretInfoPtr
+qemuDomainSecretStorageSourcePrepareCookies(qemuDomainObjPrivatePtr priv,
+ virStorageSourcePtr src,
+ const char *aliasprotocol)
+{
+ g_autofree char *secretalias = qemuAliasForSecret(aliasprotocol,
"httpcookie");
+ g_autofree char *cookies = NULL;
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ size_t i;
+
+ for (i = 0; i < src->ncookies; i++) {
+ virStorageNetCookieDefPtr cookie = src->cookies[i];
+
+ virBufferAsprintf(&buf, "%s=%s; ", cookie->name,
cookie->value);
+ }
+
+ virBufferTrim(&buf, "; ");
+ cookies = virBufferContentAndReset(&buf);
+
+ return qemuDomainSecretAESSetup(priv, secretalias, NULL,
+ (uint8_t *) cookies, strlen(cookies));
+}
+
+
/**
* qemuDomainSecretStorageSourcePrepare:
* @priv: domain private object
@@ -1752,7 +1776,7 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
bool hasAuth = qemuDomainStorageSourceHasAuth(src);
bool hasEnc = qemuDomainDiskHasEncryptionSecret(src);
- if (!hasAuth && !hasEnc)
+ if (!hasAuth && !hasEnc && src->ncookies == 0)
return 0;
if (!(src->privateData = qemuDomainStorageSourcePrivateNew()))
@@ -1792,6 +1816,13 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
return -1;
}
+ if (src->ncookies &&
+ virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_BLOCKDEV) &&
+ !(srcPriv->httpcookie = qemuDomainSecretStorageSourcePrepareCookies(priv,
+ src,
+
aliasprotocol)))
+ return -1;
+
return 0;
}
--
2.24.1
12:59 a.m.
New subject: [PATCH 20/30] qemuDomainSecretStorageSourcePrepare: Setup secret for http cookies
On a Monday in 2020, Peter Krempa wrote:
QEMU's curl driver requires the cookes concatenated and allows
them
cookies
allows them to be
passed in via a secret. Prepare the value for the secret and encrypt
it.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_domain.c | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 21/30] qemu: Handle hotplug and commandline for secret objects for http cookies
Implement both commandline support and hotplug by adding the http cookie
handling to 'qemuBlockStorageSourceAttachData' handling functions for
it.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 13 +++++++++++++
src/qemu/qemu_block.h | 3 +++
src/qemu/qemu_command.c | 5 +++++
3 files changed, 21 insertions(+)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 6bfd46a489..aba0f31f94 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1499,11 +1499,13 @@
qemuBlockStorageSourceAttachDataFree(qemuBlockStorageSourceAttachDataPtr data)
virJSONValueFree(data->formatProps);
virJSONValueFree(data->prmgrProps);
virJSONValueFree(data->authsecretProps);
+ virJSONValueFree(data->httpcookiesecretProps);
virJSONValueFree(data->encryptsecretProps);
virJSONValueFree(data->tlsProps);
VIR_FREE(data->tlsAlias);
VIR_FREE(data->authsecretAlias);
VIR_FREE(data->encryptsecretAlias);
+ VIR_FREE(data->httpcookiesecretAlias);
VIR_FREE(data->driveCmd);
VIR_FREE(data->driveAlias);
VIR_FREE(data);
@@ -1570,6 +1572,11 @@ qemuBlockStorageSourceAttachApplyStorageDeps(qemuMonitorPtr mon,
&data->authsecretAlias) < 0)
return -1;
+ if (data->httpcookiesecretProps &&
+ qemuMonitorAddObject(mon, &data->httpcookiesecretProps,
+ &data->httpcookiesecretAlias) < 0)
+ return -1;
+
if (data->tlsProps &&
qemuMonitorAddObject(mon, &data->tlsProps, &data->tlsAlias) <
0)
return -1;
@@ -1713,6 +1720,9 @@ qemuBlockStorageSourceAttachRollback(qemuMonitorPtr mon,
if (data->encryptsecretAlias)
ignore_value(qemuMonitorDelObject(mon, data->encryptsecretAlias));
+ if (data->httpcookiesecretAlias)
+ ignore_value(qemuMonitorDelObject(mon, data->httpcookiesecretAlias));
+
if (data->tlsAlias)
ignore_value(qemuMonitorDelObject(mon, data->tlsAlias));
@@ -1768,6 +1778,9 @@ qemuBlockStorageSourceDetachPrepare(virStorageSourcePtr src,
if (srcpriv->encinfo && srcpriv->encinfo->type ==
VIR_DOMAIN_SECRET_INFO_TYPE_AES)
data->encryptsecretAlias = g_strdup(srcpriv->encinfo->s.aes.alias);
+
+ if (srcpriv->httpcookie)
+ data->httpcookiesecretAlias =
g_strdup(srcpriv->httpcookie->s.aes.alias);
}
return g_steal_pointer(&data);
diff --git a/src/qemu/qemu_block.h b/src/qemu/qemu_block.h
index eab0128d5d..197f5dae97 100644
--- a/src/qemu/qemu_block.h
+++ b/src/qemu/qemu_block.h
@@ -100,6 +100,9 @@ struct qemuBlockStorageSourceAttachData {
virJSONValuePtr encryptsecretProps;
char *encryptsecretAlias;
+ virJSONValuePtr httpcookiesecretProps;
+ char *httpcookiesecretAlias;
+
virJSONValuePtr tlsProps;
char *tlsAlias;
};
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 9e0334a3e7..9790c92cf8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -2398,6 +2398,7 @@ qemuBuildBlockStorageSourceAttachDataCommandline(virCommandPtr cmd,
if (qemuBuildObjectCommandline(cmd, data->prmgrProps) < 0 ||
qemuBuildObjectCommandline(cmd, data->authsecretProps) < 0 ||
qemuBuildObjectCommandline(cmd, data->encryptsecretProps) < 0 ||
+ qemuBuildObjectCommandline(cmd, data->httpcookiesecretProps) < 0 ||
qemuBuildObjectCommandline(cmd, data->tlsProps) < 0)
return -1;
@@ -10333,6 +10334,10 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSourcePtr
src,
if (srcpriv->encinfo &&
qemuBuildSecretInfoProps(srcpriv->encinfo,
&data->encryptsecretProps) < 0)
return -1;
+
+ if (srcpriv->httpcookie &&
+ qemuBuildSecretInfoProps(srcpriv->httpcookie,
&data->httpcookiesecretProps) < 0)
+ return -1;
}
if (src->haveTLS == VIR_TRISTATE_BOOL_YES &&
--
2.24.1
1 a.m.
New subject: [PATCH 21/30] qemu: Handle hotplug and commandline for secret objects for http cookies
On a Monday in 2020, Peter Krempa wrote:
Implement both commandline support and hotplug by adding the http
cookie
handling to 'qemuBlockStorageSourceAttachData' handling functions for
it.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 13 +++++++++++++
src/qemu/qemu_block.h | 3 +++
src/qemu/qemu_command.c | 5 +++++
3 files changed, 21 insertions(+)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 22/30] qemu: block: Add support for HTTP cookies
Pass the alias of the secret object holding the cookie data as
'cookie-secret' to qemu.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 14 +++++++++++---
.../disk-network-http.x86_64-latest.args | 11 +++++++++--
tests/qemuxml2argvdata/disk-network-http.xml | 8 ++++++++
3 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index aba0f31f94..119b34f869 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -680,6 +680,7 @@ qemuBlockStorageSourceGetCURLProps(virStorageSourcePtr src,
{
qemuDomainStorageSourcePrivatePtr srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
const char *passwordalias = NULL;
+ const char *cookiealias = NULL;
const char *username = NULL;
virJSONValuePtr ret = NULL;
g_autoptr(virURI) uri = NULL;
@@ -704,9 +705,15 @@ qemuBlockStorageSourceGetCURLProps(virStorageSourcePtr src,
if (!(uristr = virURIFormat(uri)))
return NULL;
- if (!onlytarget && src->auth) {
- username = src->auth->username;
- passwordalias = srcPriv->secinfo->s.aes.alias;
+ if (!onlytarget) {
+ if (src->auth) {
+ username = src->auth->username;
+ passwordalias = srcPriv->secinfo->s.aes.alias;
+ }
+
+ if (srcPriv &&
+ srcPriv->httpcookie)
+ cookiealias = srcPriv->httpcookie->s.aes.alias;
}
ignore_value(virJSONValueObjectCreate(&ret,
@@ -714,6 +721,7 @@ qemuBlockStorageSourceGetCURLProps(virStorageSourcePtr src,
"S:username", username,
"S:password-secret", passwordalias,
"T:sslverify", src->sslverify,
+ "S:cookie-secret", cookiealias,
NULL));
return ret;
diff --git a/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
index a700c26bf6..5798235b55 100644
--- a/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
@@ -40,15 +40,22 @@ id=virtio-disk0,bootindex=1 \
"file":"libvirt-3-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x3,drive=libvirt-3-format,\
id=virtio-disk1 \
+-object secret,id=libvirt-2-storage-httpcookie-secret0,\
+data=DrPR9NA6GKJb7qi1KbjHad3f3UIGTTDmAmOZHHv1F5w5T8rhnk3f+uSKStHe0J2O,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"http","url":"http://example.org:1234/test3.img",\
+"cookie-secret":"libvirt-2-storage-httpcookie-secret0",\
"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-2-format","read-only":false,"driver":"raw",\
"file":"libvirt-2-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=libvirt-2-format,\
id=virtio-disk2 \
+-object secret,id=libvirt-1-storage-httpcookie-secret0,\
+data=DrPR9NA6GKJb7qi1KbjHad3f3UIGTTDmAmOZHHv1F5w5T8rhnk3f+uSKStHe0J2O,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-blockdev
'{"driver":"https","url":"https://example.org:1234/test4.img",\
-"sslverify":false,"node-name":"libvirt-1-storage","auto-read-only":true,\
-"discard":"unmap"}' \
+"sslverify":false,"cookie-secret":"libvirt-1-storage-httpcookie-secret0",\
+"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw",\
"file":"libvirt-1-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=libvirt-1-format,\
diff --git a/tests/qemuxml2argvdata/disk-network-http.xml
b/tests/qemuxml2argvdata/disk-network-http.xml
index 8c475aec1d..6acf75cf65 100644
--- a/tests/qemuxml2argvdata/disk-network-http.xml
+++ b/tests/qemuxml2argvdata/disk-network-http.xml
@@ -31,6 +31,10 @@
<driver name='qemu' type='raw'/>
<source protocol='http' name='test3.img'>
<host name='example.org' port='1234'/>
+ <cookies>
+ <cookie name='test'>testcookievalue</cookie>
+ <cookie name='test2'>blurb</cookie>
+ </cookies>
</source>
<target dev='vdc' bus='virtio'/>
</disk>
@@ -39,6 +43,10 @@
<source protocol='https' name='test4.img'>
<host name='example.org' port='1234'/>
<ssl verify='no'/>
+ <cookies>
+ <cookie name='test'>testcookievalue</cookie>
+ <cookie name='test2'>blurb</cookie>
+ </cookies>
</source>
<target dev='vdd' bus='virtio'/>
</disk>
--
2.24.1
1:01 a.m.
New subject: [PATCH 22/30] qemu: block: Add support for HTTP cookies
On a Monday in 2020, Peter Krempa wrote:
Pass the alias of the secret object holding the cookie data as
'cookie-secret' to qemu.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 14 +++++++++++---
.../disk-network-http.x86_64-latest.args | 11 +++++++++--
tests/qemuxml2argvdata/disk-network-http.xml | 8 ++++++++
3 files changed, 28 insertions(+), 5 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 23/30] qemu: block: Implement readahead and timeout properties for 'curl' driver
Pass in the correct fields.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 2 ++
tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args | 6 ++++--
tests/qemuxml2argvdata/disk-network-http.xml | 2 ++
3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 119b34f869..f64bd8254b 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -722,6 +722,8 @@ qemuBlockStorageSourceGetCURLProps(virStorageSourcePtr src,
"S:password-secret", passwordalias,
"T:sslverify", src->sslverify,
"S:cookie-secret", cookiealias,
+ "P:timeout", src->timeout,
+ "P:readahead", src->readahead,
NULL));
return ret;
diff --git a/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
index 5798235b55..e14498f778 100644
--- a/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args
@@ -29,13 +29,15 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
-boot strict=on \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
-blockdev
'{"driver":"http","url":"http://example.org:80/test.img",\
-"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}'
\
+"timeout":1234,"node-name":"libvirt-4-storage","auto-read-only":true,\
+"discard":"unmap"}' \
-blockdev
'{"node-name":"libvirt-4-format","read-only":false,"driver":"raw",\
"file":"libvirt-4-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x2,drive=libvirt-4-format,\
id=virtio-disk0,bootindex=1 \
-blockdev
'{"driver":"https","url":"https://example.org:443/test2.img",\
-"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}'
\
+"readahead":1024,"node-name":"libvirt-3-storage","auto-read-only":true,\
+"discard":"unmap"}' \
-blockdev
'{"node-name":"libvirt-3-format","read-only":false,"driver":"raw",\
"file":"libvirt-3-storage"}' \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x3,drive=libvirt-3-format,\
diff --git a/tests/qemuxml2argvdata/disk-network-http.xml
b/tests/qemuxml2argvdata/disk-network-http.xml
index 6acf75cf65..20024c732e 100644
--- a/tests/qemuxml2argvdata/disk-network-http.xml
+++ b/tests/qemuxml2argvdata/disk-network-http.xml
@@ -17,6 +17,7 @@
<driver name='qemu' type='raw'/>
<source protocol='http' name='test.img'>
<host name='example.org'/>
+ <timeout seconds='1234'/>
</source>
<target dev='vda' bus='virtio'/>
</disk>
@@ -24,6 +25,7 @@
<driver name='qemu' type='raw'/>
<source protocol='https' name='test2.img'>
<host name='example.org'/>
+ <readahead size='1024'/>
</source>
<target dev='vdb' bus='virtio'/>
</disk>
--
2.24.1
1:01 a.m.
New subject: [PATCH 23/30] qemu: block: Implement readahead and timeout properties for 'curl' driver
On a Monday in 2020, Peter Krempa wrote:
Pass in the correct fields.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 2 ++
tests/qemuxml2argvdata/disk-network-http.x86_64-latest.args | 6 ++++--
tests/qemuxml2argvdata/disk-network-http.xml | 2 ++
3 files changed, 8 insertions(+), 2 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 24/30] virstoragefile: Add JSON parser for 'sslverify', 'readahead', 'cookies' and 'timeout'
Add support for parsing the recently added fields from backing file
pseudo-protocol strings.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/util/virstoragefile.c | 91 ++++++++++++++++++++++++++++++++++++++-
tests/qemublocktest.c | 6 +++
tests/virstoragetest.c | 15 +++++++
3 files changed, 111 insertions(+), 1 deletion(-)
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index 9e740419eb..efc4c60681 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -3210,10 +3210,61 @@ virStorageSourceParseBackingJSONUriStr(virStorageSourcePtr src,
}
+static int
+virStorageSourceParseBackingJSONUriCookies(virStorageSourcePtr src,
+ virJSONValuePtr json,
+ const char *jsonstr)
+{
+ const char *cookiestr;
+ VIR_AUTOSTRINGLIST cookies = NULL;
+ size_t ncookies = 0;
+ size_t i;
+
+ if (!virJSONValueObjectHasKey(json, "cookie"))
+ return 0;
+
+ if (!(cookiestr = virJSONValueObjectGetString(json, "cookie"))) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("wrong format of 'cookie' field in backing store
definition '%s'"),
+ jsonstr);
+ return -1;
+ }
+
+ if (!(cookies = virStringSplitCount(cookiestr, ";", 0, &ncookies)))
+ return -1;
+
+ src->cookies = g_new0(virStorageNetCookieDefPtr, ncookies);
+ src->ncookies = ncookies;
+
+ for (i = 0; i < ncookies; i++) {
+ char *cookiename = cookies[i];
+ char *cookievalue;
+
+ virSkipSpaces((const char **) &cookiename);
+
+ if (!(cookievalue = strchr(cookiename, '='))) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("malformed http cookie '%s' in backing store
definition '%s'"),
+ cookies[i], jsonstr);
+ return -1;
+ }
+
+ *cookievalue = '\0';
+ cookievalue++;
+
+ src->cookies[i] = g_new0(virStorageNetCookieDef, 1);
+ src->cookies[i]->name = g_strdup(cookiename);
+ src->cookies[i]->value = g_strdup(cookievalue);
+ }
+
+ return 0;
+}
+
+
static int
virStorageSourceParseBackingJSONUri(virStorageSourcePtr src,
virJSONValuePtr json,
- const char *jsonstr G_GNUC_UNUSED,
+ const char *jsonstr,
int protocol)
{
const char *uri;
@@ -3224,6 +3275,44 @@ virStorageSourceParseBackingJSONUri(virStorageSourcePtr src,
return -1;
}
+ if (protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
+ protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) {
+ if (virJSONValueObjectHasKey(json, "sslverify")) {
+ bool tmp;
+
+ if (virJSONValueObjectGetBoolean(json, "sslverify", &tmp) <
0) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("malformed 'sslverify' field in backing
store definition '%s'"),
+ jsonstr);
+ return -1;
+ }
+
+ src->sslverify = virTristateBoolFromBool(tmp);
+ }
+ }
+
+ if (protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
+ protocol == VIR_STORAGE_NET_PROTOCOL_HTTP) {
+ if (virStorageSourceParseBackingJSONUriCookies(src, json, jsonstr) < 0)
+ return -1;
+ }
+
+ if (virJSONValueObjectHasKey(json, "readahead") &&
+ virJSONValueObjectGetNumberUlong(json, "readahead",
&src->readahead) < 0) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("malformed 'readahead' field in backing store
definition '%s'"),
+ jsonstr);
+ return -1;
+ }
+
+ if (virJSONValueObjectHasKey(json, "timeout") &&
+ virJSONValueObjectGetNumberUlong(json, "timeout", &src->timeout)
< 0) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("malformed 'timeout' field in backing store
definition '%s'"),
+ jsonstr);
+ return -1;
+ }
+
return virStorageSourceParseBackingJSONUriStr(src, uri, protocol);
}
diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c
index 7b7948d4c6..96a3c7fc41 100644
--- a/tests/qemublocktest.c
+++ b/tests/qemublocktest.c
@@ -917,6 +917,12 @@ mymain(void)
TEST_JSON_FORMAT_NET("<source protocol='https'
name='file'>\n"
" <host name='example.com'
port='432'/>\n"
"</source>\n");
+ TEST_JSON_FORMAT_NET("<source protocol='https'
name='file'>\n"
+ " <host name='example.com'
port='432'/>\n"
+ " <ssl verify='no'/>\n"
+ " <readahead size='1024'/>\n"
+ " <timeout seconds='1337'/>\n"
+ "</source>\n");
TEST_JSON_FORMAT_NET("<source protocol='gluster'
name='vol/file'>\n"
" <host name='example.com'
port='24007'/>\n"
"</source>\n");
diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c
index 97c22d42af..b49dfd2598 100644
--- a/tests/virstoragetest.c
+++ b/tests/virstoragetest.c
@@ -1607,6 +1607,21 @@ mymain(void)
" </slices>\n"
"</source>\n", 0);
+ TEST_BACKING_PARSE_FULL("json:{ \"file.cookie\":
\"vmware_soap_session=\\\"0c8db85112873a79b7ef74f294cb70ef7f\\\"\","
+ "\"file.sslverify\": false,"
+ "\"file.driver\":
\"https\","
+ "\"file.url\":
\"https://host/folder/esx6.5-rhel7.7-x86%5f64/esx6.5-rhel7.7-x86%5f64-flat.vmdk?dcPath=data&dsName=esx6.5-matrix\","
+ "\"file.timeout\": 2000"
+ "}",
+ "<source protocol='https'
name='folder/esx6.5-rhel7.7-x86_64/esx6.5-rhel7.7-x86_64-flat.vmdk'>\n"
+ " <host name='host'
port='443'/>\n"
+ " <ssl verify='no'/>\n"
+ " <cookies>\n"
+ " <cookie
name='vmware_soap_session'>"0c8db85112873a79b7ef74f294cb70ef7f"</cookie>\n"
+ " </cookies>\n"
+ " <timeout seconds='2000'/>\n"
+ "</source>\n", 0);
+
#endif /* WITH_YAJL */
cleanup:
--
2.24.1
1:03 a.m.
New subject: [PATCH 24/30] virstoragefile: Add JSON parser for 'sslverify', 'readahead', 'cookies' and 'timeout'
On a Monday in 2020, Peter Krempa wrote:
Add support for parsing the recently added fields from backing file
pseudo-protocol strings.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/util/virstoragefile.c | 91 ++++++++++++++++++++++++++++++++++++++-
tests/qemublocktest.c | 6 +++
tests/virstoragetest.c | 15 +++++++
3 files changed, 111 insertions(+), 1 deletion(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 25/30] virStorageSourceParseBackingJSONUri: Handle undocumented value 'off' for sslverify
libguestfs abuses a quirk of qemu's parser to accept also other variants
of the 'sslverify' field which would be valid on the command line but
are not documented in the QMP schema.
If we encounter the 'off' string instead of an boolean handle it rather
than erroring out to continue support of pre-blockdev configurations.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/util/virstoragefile.c | 21 ++++++++++++++-------
tests/virstoragetest.c | 15 +++++++++++++++
2 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index efc4c60681..a85b95fd09 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -3278,16 +3278,23 @@ virStorageSourceParseBackingJSONUri(virStorageSourcePtr src,
if (protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) {
if (virJSONValueObjectHasKey(json, "sslverify")) {
+ const char *tmpstr;
bool tmp;
- if (virJSONValueObjectGetBoolean(json, "sslverify", &tmp) <
0) {
- virReportError(VIR_ERR_INVALID_ARG,
- _("malformed 'sslverify' field in backing
store definition '%s'"),
- jsonstr);
- return -1;
- }
+ /* libguestfs still uses undocumented legacy value of 'off' */
+ if ((tmpstr = virJSONValueObjectGetString(json, "sslverify"))
&&
+ STREQ(tmpstr, "off")) {
+ src->sslverify = VIR_TRISTATE_BOOL_NO;
+ } else {
+ if (virJSONValueObjectGetBoolean(json, "sslverify", &tmp)
< 0) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("malformed 'sslverify' field in backing
store definition '%s'"),
+ jsonstr);
+ return -1;
+ }
- src->sslverify = virTristateBoolFromBool(tmp);
+ src->sslverify = virTristateBoolFromBool(tmp);
+ }
}
}
diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c
index b49dfd2598..c59511114d 100644
--- a/tests/virstoragetest.c
+++ b/tests/virstoragetest.c
@@ -1622,6 +1622,21 @@ mymain(void)
" <timeout seconds='2000'/>\n"
"</source>\n", 0);
+ TEST_BACKING_PARSE_FULL("json:{ \"file.cookie\":
\"vmware_soap_session=\\\"0c8db85112873a79b7ef74f294cb70ef7f\\\"\","
+ "\"file.sslverify\":
\"off\","
+ "\"file.driver\":
\"https\","
+ "\"file.url\":
\"https://host/folder/esx6.5-rhel7.7-x86%5f64/esx6.5-rhel7.7-x86%5f64-flat.vmdk?dcPath=data&dsName=esx6.5-matrix\","
+ "\"file.timeout\": 2000"
+ "}",
+ "<source protocol='https'
name='folder/esx6.5-rhel7.7-x86_64/esx6.5-rhel7.7-x86_64-flat.vmdk'>\n"
+ " <host name='host'
port='443'/>\n"
+ " <ssl verify='no'/>\n"
+ " <cookies>\n"
+ " <cookie
name='vmware_soap_session'>"0c8db85112873a79b7ef74f294cb70ef7f"</cookie>\n"
+ " </cookies>\n"
+ " <timeout seconds='2000'/>\n"
+ "</source>\n", 0);
+
#endif /* WITH_YAJL */
cleanup:
--
2.24.1
1:04 a.m.
New subject: [PATCH 25/30] virStorageSourceParseBackingJSONUri: Handle undocumented value 'off' for sslverify
On a Monday in 2020, Peter Krempa wrote:
libguestfs abuses a quirk of qemu's parser to accept also other
variants
of the 'sslverify' field which would be valid on the command line but
are not documented in the QMP schema.
If we encounter the 'off' string instead of an boolean handle it rather
than erroring out to continue support of pre-blockdev configurations.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/util/virstoragefile.c | 21 ++++++++++++++-------
tests/virstoragetest.c | 15 +++++++++++++++
2 files changed, 29 insertions(+), 7 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 26/30] qemublocktest: Load QMP schema earlier
Multiple tests require the schema. Extract the loading into a separate
variable to avoid issues with ownership of the pointer.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemublocktest.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c
index 96a3c7fc41..735ba5cdde 100644
--- a/tests/qemublocktest.c
+++ b/tests/qemublocktest.c
@@ -867,6 +867,7 @@ mymain(void)
struct testQemuBlockBitmapBlockcopyData blockbitmapblockcopydata;
char *capslatest_x86_64 = NULL;
virQEMUCapsPtr caps_x86_64 = NULL;
+ g_autoptr(virHashTable) qmp_schema_x86_64 = NULL;
g_autoptr(virStorageSource) bitmapSourceChain = NULL;
if (qemuTestDriverInit(&driver) < 0)
@@ -889,6 +890,11 @@ mymain(void)
diskxmljsondata.qemuCaps = caps_x86_64;
imagecreatedata.qemuCaps = caps_x86_64;
+ if (!(qmp_schema_x86_64 = testQEMUSchemaLoad("x86_64"))) {
+ ret = -1;
+ goto cleanup;
+ }
+
virTestCounterReset("qemu storage source xml->json->xml ");
#define TEST_JSON_FORMAT(tpe, xmlstr) \
@@ -987,10 +993,7 @@ mymain(void)
#define TEST_DISK_TO_JSON(nme) TEST_DISK_TO_JSON_FULL(nme, false)
- if (!(diskxmljsondata.schema = testQEMUSchemaLoad("x86_64"))) {
- ret = -1;
- goto cleanup;
- }
+ diskxmljsondata.schema = qmp_schema_x86_64;
if (virQEMUQAPISchemaPathGet("blockdev-add/arg-type",
diskxmljsondata.schema,
@@ -1049,7 +1052,9 @@ mymain(void)
&imagecreatedata) < 0) \
ret = -1; \
} while (0)
- imagecreatedata.schema = diskxmljsondata.schema;
+
+ imagecreatedata.schema = qmp_schema_x86_64;
+
if (virQEMUQAPISchemaPathGet("blockdev-create/arg-type/options",
imagecreatedata.schema,
&imagecreatedata.schemaroot) < 0 ||
@@ -1202,7 +1207,6 @@ mymain(void)
TEST_BITMAP_BLOCKCOPY("snapshots-deep", false, "snapshots");
cleanup:
- virHashFree(diskxmljsondata.schema);
qemuTestDriverFree(&driver);
VIR_FREE(capslatest_x86_64);
virObjectUnref(caps_x86_64);
--
2.24.1
1:05 a.m.
New subject: [PATCH 26/30] qemublocktest: Load QMP schema earlier
On a Monday in 2020, Peter Krempa wrote:
Multiple tests require the schema. Extract the loading into a
separate
variable to avoid issues with ownership of the pointer.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemublocktest.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 27/30] qemublocktest: Extract schema root for blockdev-add validation
Move lookup of the schema root earlier so that multiple functions
can use it for validation.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemublocktest.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c
index 735ba5cdde..f803c9c6b3 100644
--- a/tests/qemublocktest.c
+++ b/tests/qemublocktest.c
@@ -868,6 +868,7 @@ mymain(void)
char *capslatest_x86_64 = NULL;
virQEMUCapsPtr caps_x86_64 = NULL;
g_autoptr(virHashTable) qmp_schema_x86_64 = NULL;
+ virJSONValuePtr qmp_schemaroot_x86_64_blockdev_add = NULL;
g_autoptr(virStorageSource) bitmapSourceChain = NULL;
if (qemuTestDriverInit(&driver) < 0)
@@ -895,6 +896,15 @@ mymain(void)
goto cleanup;
}
+ if (virQEMUQAPISchemaPathGet("blockdev-add/arg-type",
+ qmp_schema_x86_64,
+ &qmp_schemaroot_x86_64_blockdev_add) < 0 ||
+ !qmp_schemaroot_x86_64_blockdev_add) {
+ VIR_TEST_VERBOSE("failed to find schema entry for blockdev-add");
+ ret = -1;
+ goto cleanup;
+ }
+
virTestCounterReset("qemu storage source xml->json->xml ");
#define TEST_JSON_FORMAT(tpe, xmlstr) \
@@ -994,15 +1004,7 @@ mymain(void)
#define TEST_DISK_TO_JSON(nme) TEST_DISK_TO_JSON_FULL(nme, false)
diskxmljsondata.schema = qmp_schema_x86_64;
-
- if (virQEMUQAPISchemaPathGet("blockdev-add/arg-type",
- diskxmljsondata.schema,
- &diskxmljsondata.schemaroot) < 0 ||
- !diskxmljsondata.schemaroot) {
- VIR_TEST_VERBOSE("failed to find schema entry for blockdev-add");
- ret = -1;
- goto cleanup;
- }
+ diskxmljsondata.schemaroot = qmp_schemaroot_x86_64_blockdev_add;
TEST_DISK_TO_JSON_FULL("nodename-long-format", true);
TEST_DISK_TO_JSON_FULL("nodename-long-protocol", true);
--
2.24.1
1:05 a.m.
New subject: [PATCH 27/30] qemublocktest: Extract schema root for blockdev-add validation
On a Monday in 2020, Peter Krempa wrote:
Move lookup of the schema root earlier so that multiple functions
can use it for validation.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemublocktest.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 28/30] qemublocktest: XMLjsonXML: Test formatting/parsing of modern JSON
The test was invoking the JSON formatter with the 'legacy' flag thus
formatting bunch of obsolete JSON blockdev definitions. We also should
test the modern ones. Add a boolean and re-run all the tests in both
cases.
Additionally for any modern invocation we should also validate that the
output conforms to the QAPI schema.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemublocktest.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c
index f803c9c6b3..77484cc8e7 100644
--- a/tests/qemublocktest.c
+++ b/tests/qemublocktest.c
@@ -41,6 +41,9 @@ VIR_LOG_INIT("tests.storagetest");
struct testBackingXMLjsonXMLdata {
int type;
const char *xml;
+ bool legacy;
+ virHashTablePtr schema;
+ virJSONValuePtr schemaroot;
};
static int
@@ -57,6 +60,7 @@ testBackingXMLjsonXML(const void *args)
g_autofree char *actualxml = NULL;
g_autoptr(virStorageSource) xmlsrc = NULL;
g_autoptr(virStorageSource) jsonsrc = NULL;
+ g_auto(virBuffer) debug = VIR_BUFFER_INITIALIZER;
if (!(xmlsrc = virStorageSourceNew()))
return -1;
@@ -71,12 +75,27 @@ testBackingXMLjsonXML(const void *args)
return -1;
}
- if (!(backendprops = qemuBlockStorageSourceGetBackendProps(xmlsrc, true, false,
+ if (!(backendprops = qemuBlockStorageSourceGetBackendProps(xmlsrc,
+ data->legacy,
+ false,
false))) {
fprintf(stderr, "failed to format disk source json\n");
return -1;
}
+ if (!data->legacy) {
+ if (testQEMUSchemaValidate(backendprops, data->schemaroot,
+ data->schema, &debug) < 0) {
+ g_autofree char *debugmsg = virBufferContentAndReset(&debug);
+ g_autofree char *debugprops = virJSONValueToString(backendprops, true);
+
+ VIR_TEST_VERBOSE("json does not conform to QAPI schema");
+ VIR_TEST_DEBUG("json:\n%s\ndoes not match schema. Debug output:\n
%s",
+ debugprops, NULLSTR(debugmsg));
+ return -1;
+ }
+ }
+
if (virJSONValueObjectCreate(&wrapper, "a:file", &backendprops,
NULL) < 0)
return -1;
@@ -911,6 +930,10 @@ mymain(void)
do { \
xmljsonxmldata.type = tpe; \
xmljsonxmldata.xml = xmlstr; \
+ xmljsonxmldata.legacy = true; \
+ if (virTestRun(virTestCounterNext(), testBackingXMLjsonXML, \
+ &xmljsonxmldata) < 0) \
+ xmljsonxmldata.legacy = false; \
if (virTestRun(virTestCounterNext(), testBackingXMLjsonXML, \
&xmljsonxmldata) < 0) \
ret = -1; \
@@ -919,6 +942,9 @@ mymain(void)
#define TEST_JSON_FORMAT_NET(xmlstr) \
TEST_JSON_FORMAT(VIR_STORAGE_TYPE_NETWORK, xmlstr)
+ xmljsonxmldata.schema = qmp_schema_x86_64;
+ xmljsonxmldata.schemaroot = qmp_schemaroot_x86_64_blockdev_add;
+
TEST_JSON_FORMAT(VIR_STORAGE_TYPE_FILE, "<source
file='/path/to/file'/>\n");
/* type VIR_STORAGE_TYPE_BLOCK is not tested since it parses back to 'file'
*/
--
2.24.1
1:06 a.m.
New subject: [PATCH 28/30] qemublocktest: XMLjsonXML: Test formatting/parsing of modern JSON
On a Monday in 2020, Peter Krempa wrote:
The test was invoking the JSON formatter with the 'legacy'
flag thus
formatting bunch of obsolete JSON blockdev definitions. We also should
test the modern ones. Add a boolean and re-run all the tests in both
cases.
Additionally for any modern invocation we should also validate that the
output conforms to the QAPI schema.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemublocktest.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 29/30] qemublocktest: Add JSON->JSON test cases for block device backends
Add testing of the interpretation of the JSON pseudo-protocol backing
store into JSON structs for blockdev. This will be used to test JSON
pseudo-URIs used by libguestfs while actually also validating the output
against the QMP schema. Since libguestfs uses obsolete/undocumented
values the outputs will differ and a benefit is that modern output is
used now.
The example test case covers the fields and values used by libguestfs
when using the https driver.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemublocktest.c | 65 +++++++++++++++++++
.../jsontojson/curl-libguestfs-in.json | 1 +
.../jsontojson/curl-libguestfs-out.json | 9 +++
3 files changed, 75 insertions(+)
create mode 100644 tests/qemublocktestdata/jsontojson/curl-libguestfs-in.json
create mode 100644 tests/qemublocktestdata/jsontojson/curl-libguestfs-out.json
diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c
index 77484cc8e7..ec32d28188 100644
--- a/tests/qemublocktest.c
+++ b/tests/qemublocktest.c
@@ -128,6 +128,57 @@ testBackingXMLjsonXML(const void *args)
return 0;
}
+static const char *testJSONtoJSONPath = abs_srcdir
"/qemublocktestdata/jsontojson/";
+
+struct testJSONtoJSONData {
+ const char *name;
+ virHashTablePtr schema;
+ virJSONValuePtr schemaroot;
+};
+
+static int
+testJSONtoJSON(const void *args)
+{
+ const struct testJSONtoJSONData *data = args;
+ g_auto(virBuffer) debug = VIR_BUFFER_INITIALIZER;
+ g_autoptr(virJSONValue) jsonsrcout = NULL;
+ g_autoptr(virStorageSource) src = NULL;
+ g_autofree char *actual = NULL;
+ g_autofree char *in = NULL;
+ g_autofree char *infile = g_strdup_printf("%s%s-in.json",
testJSONtoJSONPath,
+ data->name);
+ g_autofree char *outfile = g_strdup_printf("%s%s-out.json",
testJSONtoJSONPath,
+ data->name);
+
+ if (virTestLoadFile(infile, &in) < 0)
+ return -1;
+
+ if (virStorageSourceNewFromBackingAbsolute(in, &src) < 0) {
+ fprintf(stderr, "failed to parse disk json\n");
+ return -1;
+ }
+
+ if (!(jsonsrcout = qemuBlockStorageSourceGetBackendProps(src, false, false, true)))
{
+ fprintf(stderr, "failed to format disk source json\n");
+ return -1;
+ }
+
+ if (!(actual = virJSONValueToString(jsonsrcout, true)))
+ return -1;
+
+ if (testQEMUSchemaValidate(jsonsrcout, data->schemaroot,
+ data->schema, &debug) < 0) {
+ g_autofree char *debugmsg = virBufferContentAndReset(&debug);
+
+ VIR_TEST_VERBOSE("json does not conform to QAPI schema");
+ VIR_TEST_DEBUG("json:\n%s\ndoes not match schema. Debug output:\n %s",
+ actual, NULLSTR(debugmsg));
+ return -1;
+ }
+
+ return virTestCompareToFile(actual, outfile);
+}
+
struct testQemuDiskXMLToJSONData {
virQEMUDriverPtr driver;
@@ -879,6 +930,7 @@ mymain(void)
virQEMUDriver driver;
struct testBackingXMLjsonXMLdata xmljsonxmldata;
struct testQemuDiskXMLToJSONData diskxmljsondata;
+ struct testJSONtoJSONData jsontojsondata;
struct testQemuImageCreateData imagecreatedata;
struct testQemuBackupIncrementalBitmapCalculateData backupbitmapcalcdata;
struct testQemuCheckpointDeleteMergeData checkpointdeletedata;
@@ -1072,6 +1124,19 @@ mymain(void)
TEST_DISK_TO_JSON("block-raw-noopts");
TEST_DISK_TO_JSON("block-raw-reservations");
+#define TEST_JSON_TO_JSON(nme) \
+ do { \
+ jsontojsondata.name = nme; \
+ if (virTestRun("JSON to JSON " nme, testJSONtoJSON, \
+ &jsontojsondata) < 0) \
+ ret = -1; \
+ } while (0)
+
+ jsontojsondata.schema = qmp_schema_x86_64;
+ jsontojsondata.schemaroot = qmp_schemaroot_x86_64_blockdev_add;
+
+ TEST_JSON_TO_JSON("curl-libguestfs");
+
#define TEST_IMAGE_CREATE(testname, testbacking) \
do { \
imagecreatedata.name = testname; \
diff --git a/tests/qemublocktestdata/jsontojson/curl-libguestfs-in.json
b/tests/qemublocktestdata/jsontojson/curl-libguestfs-in.json
new file mode 100644
index 0000000000..0b92dabc6d
--- /dev/null
+++ b/tests/qemublocktestdata/jsontojson/curl-libguestfs-in.json
@@ -0,0 +1 @@
+json:{"file.driver":"https","file.url":"https://test.host/whatever.img","file.timeout":2000,"file.readahead":65536,"file.sslverify":"off","file.cookie":"some_cookie=\"some_value_or_whatever\""}
diff --git a/tests/qemublocktestdata/jsontojson/curl-libguestfs-out.json
b/tests/qemublocktestdata/jsontojson/curl-libguestfs-out.json
new file mode 100644
index 0000000000..e130c7bd3c
--- /dev/null
+++ b/tests/qemublocktestdata/jsontojson/curl-libguestfs-out.json
@@ -0,0 +1,9 @@
+{
+ "driver": "https",
+ "url": "https://test.host:443/whatever.img",
+ "sslverify": false,
+ "timeout": 2000,
+ "readahead": 65536,
+ "auto-read-only": true,
+ "discard": "unmap"
+}
--
2.24.1
1:07 a.m.
New subject: [PATCH 29/30] qemublocktest: Add JSON->JSON test cases for block device backends
On a Monday in 2020, Peter Krempa wrote:
Add testing of the interpretation of the JSON pseudo-protocol backing
store into JSON structs for blockdev. This will be used to test JSON
pseudo-URIs used by libguestfs while actually also validating the output
against the QMP schema. Since libguestfs uses obsolete/undocumented
values the outputs will differ and a benefit is that modern output is
used now.
The example test case covers the fields and values used by libguestfs
when using the https driver.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemublocktest.c | 65 +++++++++++++++++++
.../jsontojson/curl-libguestfs-in.json | 1 +
.../jsontojson/curl-libguestfs-out.json | 9 +++
3 files changed, 75 insertions(+)
create mode 100644 tests/qemublocktestdata/jsontojson/curl-libguestfs-in.json
create mode 100644 tests/qemublocktestdata/jsontojson/curl-libguestfs-out.json
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
11:23 a.m.
New subject: [PATCH 30/30] qemu: Pass through arguments of 'ssh' block driver used by libguestfs
We currently don't model the 'ssh' protocol properties properly and
since it seems impossible for now (agent path passed via environment
variable). To allow libguestfs to work as it used in pre-blockdev era we
must carry the properties over to the command line. For this instance we
just store it internally and format it back.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 10 ++++++++++
src/util/virstoragefile.c | 13 +++++++++++++
src/util/virstoragefile.h | 5 +++++
tests/qemublocktest.c | 1 +
.../jsontojson/ssh-passthrough-libguestfs-in.json | 1 +
.../jsontojson/ssh-passthrough-libguestfs-out.json | 14 ++++++++++++++
6 files changed, 44 insertions(+)
create mode 100644 tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-in.json
create mode 100644
tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-out.json
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index f64bd8254b..5ddf7f1f7c 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -911,6 +911,7 @@ qemuBlockStorageSourceGetSshProps(virStorageSourcePtr src)
g_autoptr(virJSONValue) serverprops = NULL;
virJSONValuePtr ret = NULL;
const char *username = NULL;
+ g_autoptr(virJSONValue) host_key_check = NULL;
if (src->nhosts != 1) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -924,11 +925,20 @@ qemuBlockStorageSourceGetSshProps(virStorageSourcePtr src)
if (src->auth)
username = src->auth->username;
+ else if (src->ssh_user)
+ username = src->ssh_user;
+
+ if (src->ssh_host_key_check_disabled &&
+ virJSONValueObjectCreate(&host_key_check,
+ "s:mode", "none",
+ NULL) < 0)
+ return NULL;
if (virJSONValueObjectCreate(&ret,
"s:path", src->path,
"a:server", &serverprops,
"S:user", username,
+ "A:host-key-check", &host_key_check,
NULL) < 0)
return NULL;
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index a85b95fd09..e4235316d8 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -2464,6 +2464,10 @@ virStorageSourceCopy(const virStorageSource *src,
return NULL;
}
+ /* ssh config passthrough for libguestfs */
+ def->ssh_host_key_check_disabled = src->ssh_host_key_check_disabled;
+ def->ssh_user = g_strdup(src->ssh_user);
+
return g_steal_pointer(&def);
}
@@ -2705,6 +2709,8 @@ virStorageSourceClear(virStorageSourcePtr def)
VIR_FREE(def->tlsAlias);
VIR_FREE(def->tlsCertdir);
+ VIR_FREE(def->ssh_user);
+
virStorageSourceInitiatorClear(&def->initiator);
/* clear everything except the class header as the object APIs
@@ -3635,6 +3641,8 @@ virStorageSourceParseBackingJSONSSH(virStorageSourcePtr src,
const char *path = virJSONValueObjectGetString(json, "path");
const char *host = virJSONValueObjectGetString(json, "host");
const char *port = virJSONValueObjectGetString(json, "port");
+ const char *user = virJSONValueObjectGetString(json, "user");
+ const char *host_key_check = virJSONValueObjectGetString(json,
"host_key_check");
virJSONValuePtr server = virJSONValueObjectGetObject(json, "server");
if (!(host || server) || !path) {
@@ -3665,6 +3673,11 @@ virStorageSourceParseBackingJSONSSH(virStorageSourcePtr src,
return -1;
}
+ /* these two are parsed just to be passed back as we don't model them yet */
+ src->ssh_user = g_strdup(user);
+ if (STREQ_NULLABLE(host_key_check, "no"))
+ src->ssh_host_key_check_disabled = true;
+
return 0;
}
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
index dd2186c4ff..f2a73feb6a 100644
--- a/src/util/virstoragefile.h
+++ b/src/util/virstoragefile.h
@@ -384,6 +384,11 @@ struct _virStorageSource {
as a source for floppy drive */
bool hostcdrom; /* backing device is a cdrom */
+
+ /* passthrough variables for the ssh driver which we don't handle properly */
+ /* these must not be used apart from formatting the output JSON in the qemu driver
*/
+ char *ssh_user;
+ bool ssh_host_key_check_disabled;
};
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virStorageSource, virObjectUnref);
diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c
index ec32d28188..7a2204787e 100644
--- a/tests/qemublocktest.c
+++ b/tests/qemublocktest.c
@@ -1136,6 +1136,7 @@ mymain(void)
jsontojsondata.schemaroot = qmp_schemaroot_x86_64_blockdev_add;
TEST_JSON_TO_JSON("curl-libguestfs");
+ TEST_JSON_TO_JSON("ssh-passthrough-libguestfs");
#define TEST_IMAGE_CREATE(testname, testbacking) \
do { \
diff --git a/tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-in.json
b/tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-in.json
new file mode 100644
index 0000000000..da8fedef07
--- /dev/null
+++ b/tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-in.json
@@ -0,0 +1 @@
+json:{"file.driver":"ssh","file.user":"testuser","file.host":"random.host","file.port":1234,"file.path":"somewhere/something","file.host_key_check":"no"}
diff --git a/tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-out.json
b/tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-out.json
new file mode 100644
index 0000000000..1f6032deb4
--- /dev/null
+++ b/tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-out.json
@@ -0,0 +1,14 @@
+{
+ "driver": "ssh",
+ "path": "somewhere/something",
+ "server": {
+ "host": "random.host",
+ "port": "22"
+ },
+ "user": "testuser",
+ "host-key-check": {
+ "mode": "none"
+ },
+ "auto-read-only": true,
+ "discard": "unmap"
+}
--
2.24.1
1:08 a.m.
New subject: [PATCH 30/30] qemu: Pass through arguments of 'ssh' block driver used by libguestfs
On a Monday in 2020, Peter Krempa wrote:
We currently don't model the 'ssh' protocol properties
properly and
since it seems impossible for now (agent path passed via environment
variable). To allow libguestfs to work as it used in pre-blockdev era we
must carry the properties over to the command line. For this instance we
just store it internally and format it back.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_block.c | 10 ++++++++++
src/util/virstoragefile.c | 13 +++++++++++++
src/util/virstoragefile.h | 5 +++++
tests/qemublocktest.c | 1 +
.../jsontojson/ssh-passthrough-libguestfs-in.json | 1 +
.../jsontojson/ssh-passthrough-libguestfs-out.json | 14 ++++++++++++++
6 files changed, 44 insertions(+)
create mode 100644 tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-in.json
create mode 100644
tests/qemublocktestdata/jsontojson/ssh-passthrough-libguestfs-out.json
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
1715
days inactive
1719
days old
61 comments
3 participants
participants (3)
-
Eric Blake -
Ján Tomko -
Peter Krempa