On Thu, Jun 16, 2016 at 06:42:26AM -0400, John Ferlan wrote:
> When building a chardev device string for tcp, add the necessary pieces to
> access provide the TLS X.509 path to qemu. This includes generating the
> 'tls-creds-x509' object and then adding the 'tls-creds' parameter to the
> VIR_DOMAIN_CHR_TYPE_TCP command line.
>
> Finally add the tests for the qemu command line. This test will make use
> of the "new(ish)" /etc/pki/libvirt-default setting for a TLS certificate
> environment by *not* "resetting" the charTCPTLSx509certdir prior to
> running the test.
>
> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> --- > src/qemu/qemu_command.c | 102 ++++++++++++++++++++- > .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 33 +++++++ > tests/qemuxml2argvtest.c | 6 ++ > 3 files changed, 140 insertions(+), 1 deletion(-) > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args > > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c > index 4a8def1..815785c 100644 > --- a/src/qemu/qemu_command.c > +++ b/src/qemu/qemu_command.c
> @@ -701,6 +701,97 @@ qemuBuildRBDSecinfoURI(virBufferPtr buf, > } > > > +/* qemuBuildTLSx509BackendProps: > + * @tlspath: path to the TLS credentials > + * @listen: boolen listen for client or server setting > + * @qemuCaps: capabilities > + * @propsret: json properties to return > + * > + * Create a backend string for the tls-creds-x509 object. > + * > + * Returns 0 on success, -1 on failure with error set. > + */ > +static int > +qemuBuildTLSx509BackendProps(const char *tlspath, > + bool listen, > + virQEMUCapsPtr qemuCaps, > + virJSONValuePtr *propsret) > +{ > + virBuffer buf = VIR_BUFFER_INITIALIZER; > + char *path = NULL; > + int ret = -1; > + > + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_OBJECT_TLS_CREDS_X509)) { > + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", > + _("tls-creds-x509 not supported in this QEMU binary")); > + return -1; > + } > + > + qemuBufferEscapeComma(&buf, tlspath); > + if (virBufferCheckError(&buf) < 0) > + goto cleanup; > + path = virBufferContentAndReset(&buf); > + > + if (virJSONValueObjectCreate(propsret, > + "s:dir", path, > + "s:endpoint", (listen ? "server": "client"),

We should also have the ability to set 'verify-peer' to yes/no

Regards,
Daniel
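
Review bot: the comma-escaped copy of tlspath is what gets stored as the "s:dir" property (qemuBufferEscapeComma(&buf, tlspath) followed by "s:dir", path). Comma escaping belongs at the point where the object string is written to the command line, so if the code that later formats these JSON props escapes values as well, a certificate directory containing a comma ends up escaped twice and QEMU is handed a different path. Passing tlspath to virJSONValueObjectCreate() unmodified would avoid that and remove the need for buf and path in this function. The visible part of the property list sets only dir and endpoint, so whether the peer's certificate is checked is left to QEMU's default rather than to the libvirt configuration; an explicit verify-peer property, as requested in the reply, makes that decision visible and testable in the .args file. Minor: "boolen" in the @listen comment should read "boolean".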