[libvirt] [PATCH 0/4] Introduce VIR_MIGRATE_PARAM_TLS_DESTINATION migration param

Normally the TLS certificate from the destination host must match the host's name for TLS verification to succeed. When the certificate does not match the destination hostname and the expected certificate's hostname is known, this parameter can be used to pass this expected hostname when starting the migration.

Jiri Denemark (4):
  qemu: Add support for setting string migration params
  Introduce VIR_MIGRATE_PARAM_TLS_DESTINATION migration param
  qemu: Implement VIR_MIGRATE_PARAM_TLS_DESTINATION
  virsh: Add --tls-destination option for migrate command

 include/libvirt/libvirt-domain.h | 14 +++++++
 src/qemu/qemu_migration.h        |  1 +
 src/qemu/qemu_migration_params.c | 65 +++++++++++++++++++++++++++++++-
 tools/virsh-domain.c             | 11 ++++++
 tools/virsh.pod                  |  8 +++-
 5 files changed, 96 insertions(+), 3 deletions(-)

-- 
2.24.0

The functions for converting migration typed parameters to QEMU migration parameters and back were only implemented for integer types. This patch adds support for string parameters. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- src/qemu/qemu_migration_params.c | 56 ++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c index c28814bc5b..88c08528bc 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -412,6 +412,51 @@ qemuMigrationParamsSetTPULL(qemuMigrationParamsPtr migParams, } +static int +qemuMigrationParamsGetTPString(qemuMigrationParamsPtr migParams, + qemuMigrationParam param, + virTypedParameterPtr params, + int nparams, + const char *name) +{ + const char *value = NULL; + int rc; + + if (qemuMigrationParamsCheckType(param, QEMU_MIGRATION_PARAM_TYPE_STRING) < 0) + return -1; + + if (!params) + return 0; + + if ((rc = virTypedParamsGetString(params, nparams, name, &value)) < 0) + return -1; + + migParams->params[param].value.s = g_strdup(value); + migParams->params[param].set = !!rc; + return 0; +} + + +static int +qemuMigrationParamsSetTPString(qemuMigrationParamsPtr migParams, + qemuMigrationParam param, + virTypedParameterPtr *params, + int *nparams, + int *maxparams, + const char *name) +{ + if (qemuMigrationParamsCheckType(param, QEMU_MIGRATION_PARAM_TYPE_STRING) < 0) + return -1; + + if (!migParams->params[param].set) + return 0; + + return virTypedParamsAddString(params, nparams, maxparams, name, + migParams->params[param].value.s); +} + + + static int qemuMigrationParamsSetCompression(virTypedParameterPtr params, int nparams, 
@@ -536,7 +581,12 @@ qemuMigrationParamsFromFlags(virTypedParameterPtr params, break; case QEMU_MIGRATION_PARAM_TYPE_BOOL: + break; + case QEMU_MIGRATION_PARAM_TYPE_STRING: + if (qemuMigrationParamsGetTPString(migParams, item->param, params, + nparams, item->typedParam) < 0) + goto error; break; } } @@ -612,7 +662,13 @@ qemuMigrationParamsDump(qemuMigrationParamsPtr migParams, break; case QEMU_MIGRATION_PARAM_TYPE_BOOL: + break; + case QEMU_MIGRATION_PARAM_TYPE_STRING: + if (qemuMigrationParamsSetTPString(migParams, item->param, + params, nparams, maxparams, + item->typedParam) < 0) + return -1; break; } } -- 2.24.0
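Review bot: in qemuMigrationParamsGetTPString the assignment `migParams->params[param].value.s = g_strdup(value);` runs even when virTypedParamsGetString returns 0 (parameter absent, value still NULL); that is harmless for a freshly allocated migParams, but it overwrites, and leaks, any string already stored in value.s and replaces it with NULL. Consider `if (rc == 0) return 0;` before the assignment, or free the previous value first. Separately, the three added blank lines before `static int qemuMigrationParamsSetCompression` leave one more than the two blank lines libvirt keeps between top-level functions.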

Normally the TLS certificate from the destination host must match the host's name for TLS verification to succeed. When the certificate does not match the destination hostname and the expected cetificate's hostname is known, this parameter can be used to pass this expected hostname when starting the migration. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- include/libvirt/libvirt-domain.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h index 40c71091ec..a099b3d891 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -1051,6 +1051,20 @@ typedef enum { */ # define VIR_MIGRATE_PARAM_PARALLEL_CONNECTIONS "parallel.connections" +/** + * VIR_MIGRATE_PARAM_TLS_DESTINATION: + * + * virDomainMigrate* params field: override the destination host name used for + * TLS verification. As VIR_TYPED_PARAM_STRING. + * + * Normally the TLS certificate from the destination host must match the host's + * name for TLS verification to succeed. When the certificate does not match + * the destination hostname and the expected cetificate's hostname is known, + * this parameter can be used to pass this expected hostname when starting + * the migration. + */ +# define VIR_MIGRATE_PARAM_TLS_DESTINATION "tls.destination" + /* Domain migration. */ virDomainPtr virDomainMigrate (virDomainPtr domain, virConnectPtr dconn, unsigned long flags, const char *dname, -- 2.24.0
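Review bot: the new doc comment for VIR_MIGRATE_PARAM_TLS_DESTINATION misspells "certificate" in `the destination hostname and the expected cetificate's hostname is known,`; this block ends up in the public API documentation, so it should be fixed before merging (the commit message carries the same typo). It would also help readers to state in the comment that the parameter only takes effect together with VIR_MIGRATE_TLS, since the flag is never mentioned.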

Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- src/qemu/qemu_migration.h | 1 + src/qemu/qemu_migration_params.c | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index d98fe9f80a..b6f88d3fd9 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -83,6 +83,7 @@ VIR_MIGRATE_PARAM_AUTO_CONVERGE_INCREMENT, VIR_TYPED_PARAM_INT, \ VIR_MIGRATE_PARAM_BANDWIDTH_POSTCOPY, VIR_TYPED_PARAM_ULLONG, \ VIR_MIGRATE_PARAM_PARALLEL_CONNECTIONS, VIR_TYPED_PARAM_INT, \ + VIR_MIGRATE_PARAM_TLS_DESTINATION, VIR_TYPED_PARAM_STRING, \ NULL diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c index 88c08528bc..e6cf6b4b0b 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -197,6 +197,10 @@ static const qemuMigrationParamsTPMapItem qemuMigrationParamsTPMap[] = { {.typedParam = VIR_MIGRATE_PARAM_PARALLEL_CONNECTIONS, .param = QEMU_MIGRATION_PARAM_MULTIFD_CHANNELS, .party = QEMU_MIGRATION_SOURCE | QEMU_MIGRATION_DESTINATION}, + + {.typedParam = VIR_MIGRATE_PARAM_TLS_DESTINATION, + .param = QEMU_MIGRATION_PARAM_TLS_HOSTNAME, + .party = QEMU_MIGRATION_SOURCE}, }; static const qemuMigrationParamType qemuMigrationParamTypes[] = { @@ -1007,7 +1011,10 @@ qemuMigrationParamsEnableTLS(virQEMUDriverPtr driver, if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_CREDS, - *tlsAlias) < 0 || + *tlsAlias) < 0) + goto error; + + if (!migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].set && qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_HOSTNAME, NULLSTR_EMPTY(hostname)) < 0) -- 2.24.0
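Review bot: the qemuMigrationParamsTPMap hunk maps VIR_MIGRATE_PARAM_TLS_DESTINATION to QEMU_MIGRATION_PARAM_TLS_HOSTNAME for the source side only, which matches where the destination certificate is verified, but nothing in this patch checks that VIR_MIGRATE_TLS was requested: without the flag the parameter is accepted and silently has no effect. Either reject it in that case or document the no-op explicitly, so a caller who believes the expected hostname has been pinned is not misled. The qemuMigrationParamsEnableTLS hunk, which only sets QEMU_MIGRATION_PARAM_TLS_HOSTNAME when `!migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].set`, correctly lets the user-supplied value win over the connection hostname.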

This option can be used to override the destination host name used for TLS verification. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- tools/virsh-domain.c | 11 +++++++++++ tools/virsh.pod | 8 ++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 21ea1a69ea..c2cfcf409d 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c @@ -10566,6 +10566,10 @@ static const vshCmdOptDef opts_migrate[] = { .type = VSH_OT_INT, .help = N_("migration bandwidth limit in MiB/s") }, + {.name = "tls-destination", + .type = VSH_OT_STRING, + .help = N_("override the destination host name used for TLS verification") + }, {.name = NULL} }; @@ -10789,6 +10793,13 @@ doMigrate(void *opaque) goto save_error; } + if (vshCommandOptStringReq(ctl, cmd, "tls-destination", &opt) < 0) + goto out; + if (opt && + virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_MIGRATE_PARAM_TLS_DESTINATION, opt) < 0) + goto save_error; + if (vshCommandOptBool(cmd, "live")) flags |= VIR_MIGRATE_LIVE; if (vshCommandOptBool(cmd, "p2p")) diff --git a/tools/virsh.pod b/tools/virsh.pod index a8331154e1..aaf1eba825 100644 --- a/tools/virsh.pod +++ b/tools/virsh.pod @@ -2174,7 +2174,7 @@ I<domain> I<desturi> [I<migrateuri>] [I<graphicsuri>] [I<listen-address>] [I<dna [I<auto-converge-increment>] [I<--persistent-xml> B<file>] [I<--tls>] [I<--postcopy-bandwidth> B<bandwidth>] [I<--parallel> [I<--parallel-connections> B<connections>]] -[I<--bandwidth> B<bandwidth>] +[I<--bandwidth> B<bandwidth>] [I<--tls-destination> B<hostname>] Migrate domain to another host. Add I<--live> for live migration; <--p2p> for peer-2-peer migration; I<--direct> for direct migration; or I<--tunnelled> 
@@ -2267,7 +2267,11 @@ respectively. I<--comp-xbzrle-cache> sets size of page cache in bytes. Providing I<--tls> causes the migration to use the host configured TLS setup (see migrate_tls_x509_cert_dir in /etc/libvirt/qemu.conf) in order to perform the migration of the domain. Usage requires proper TLS setup for both source -and target. +and target. Normally the TLS certificate from the destination host must match +the host's name for TLS verification to succeed. When the certificate does not +match the destination hostname and the expected cetificate's hostname is +known, I<--tls-destination> can be used to pass the expected B<hostname> when +starting the migration. I<--parallel> option will cause migration data to be sent over multiple parallel connections. The number of such connections can be set using -- 2.24.0
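Review bot: in the virsh-domain.c opts_migrate hunk the help string `N_("override the destination host name used for TLS verification")` does not say that the option only matters with --tls; since the parameter is otherwise accepted without effect, consider `N_("override the destination host name used for TLS verification (requires --tls)")` so `virsh help migrate` makes the dependency visible.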
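Review bot: the virsh.pod hunk repeats the "cetificate" misspelling from the API doc comment in `match the destination hostname and the expected cetificate's hostname is`; fix it to "certificate" before this lands in the man page.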

On Tue, Dec 03, 2019 at 04:33:54PM +0100, Jiri Denemark wrote:
> Normally the TLS certificate from the destination host must match the
> host's name for TLS verification to succeed. When the certificate does not
> match the destination hostname and the expected certificate's hostname is
> known, this parameter can be used to pass this expected hostname when
> starting the migration.
> 
> Jiri Denemark (4):
>   qemu: Add support for setting string migration params
>   Introduce VIR_MIGRATE_PARAM_TLS_DESTINATION migration param
>   qemu: Implement VIR_MIGRATE_PARAM_TLS_DESTINATION
>   virsh: Add --tls-destination option for migrate command
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>