On 09/18/2014 09:52 AM, Pavel Hrdina wrote: > We are not detecting the presence of FIPS from QEMU, but from procfs and > that means it's not QEMU capability. It was decided that we will pass > this flag to QEMU even if it's not supported by old QEMU binaries. > > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1135431 > > Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx> > --- > > Note: The original bug is that we are not detecting whether libvirtd > binary has been updated, we detect that only for QEMU binary. So you > could update libvirt without updating QEMU and new capabilities that could > already exists in QEMU, but was recently implemented in libvirt wasn't > enabled. I'll post a patch to fix this bug. > > src/qemu/qemu_capabilities.c | 24 ------------------------ > src/qemu/qemu_command.c | 25 +++++++++++++++++++++++-- > 2 files changed, 23 insertions(+), 26 deletions(-) > I agree with moving the detection of the bit out of cached capability bit and delaying it instead to qemu startup time (although it means a stat() call for every qemu spawned, instead of the former behavior of checking only once). I also agree with the way you removed setting the bit in qemu_capabilities.c but not the bit itself (the bit is still defined and named from qemu_capabilities.h, so that if we upgrade libvirtd and parse the XML for a running qemu domain that was started from earlier libvirt, we don't mis-behave when seeing that capability bit, even if we no longer use it for anything). However, I still think you need a v2: > +++ b/src/qemu/qemu_command.c > @@ -7656,8 +7656,29 @@ qemuBuildCommandLine(virConnectPtr conn, > if (!standalone) > virCommandAddArg(cmd, "-S"); /* freeze CPU */ > > - if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS)) > - virCommandAddArg(cmd, "-enable-fips"); > + /* Qemu 1.2 and later have a binary flag -enable-fips that must be > + * used for VNC auth to obey FIPS settings; but the flag only > + * exists on Linux, and with no way to probe for it via QMP. Our > + * solution: if FIPS mode is required, then unconditionally use > + * the flag, regardless of qemu version, for the following matrix: > + * > + * old QEMU new QEMU > + * FIPS enabled doesn't start VNC auth disabled > + * FIPS disabled/missing VNC auth enabled VNC auth enabled > + * > + * Setting the flag here instead of in virQEMUCapsInitQMPMonitor > + * or virQEMUCapsInitHelp also allows the testsuite to be > + * independent of FIPS setting. > + */ > + if (virFileExists("/proc/sys/crypto/fips_enabled")) { Ouch. This will make our testsuite differ based on whether it is run on Linux in FIPS mode (where FIPS might exist) or on any other setup. I think you need to hoist the check for virFileExists() to the caller, and pass in the result as a new bool parameter to this function, so that the testsuite has full control over the boolean without regards to the current system's level of FIPS support. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list