[PATCH v6 2/5] conf: Introduce {default|chardev}_tls_x509_secret_uuid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Add a new qemu.conf variables to store the UUID for the secret that could
be used to present credentials to access the TLS chardev.  Since this will
be a server level and it's possible to use some sort of default, introduce
both the default and chardev logic at the same time making the setting of
the chardev check for it's own value, then if not present checking whether
the default value had been set.

The chardevTLSx509haveUUID bool will be used as the marker for whether
the chardevTLSx509secretUUID was successfully read. In the future this
is how it'd determined whether to add the secret object for a TLS object.

Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
---
 src/qemu/libvirtd_qemu.aug         |  2 ++
 src/qemu/qemu.conf                 | 24 ++++++++++++++++++++++++
 src/qemu/qemu_conf.c               | 22 ++++++++++++++++++++++
 src/qemu/qemu_conf.h               |  3 +++
 src/qemu/test_libvirtd_qemu.aug.in |  2 ++
 5 files changed, 53 insertions(+)

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 988201e..73ebeda 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -29,6 +29,7 @@ module Libvirtd_qemu =
    (* Config entry grouped by function - same order as example config *)
    let default_tls_entry = str_entry "default_tls_x509_cert_dir"
                  | bool_entry "default_tls_x509_verify"
+                 | str_entry "default_tls_x509_secret_uuid"
 
    let vnc_entry = str_entry "vnc_listen"
                  | bool_entry "vnc_auto_unix_socket"
@@ -51,6 +52,7 @@ module Libvirtd_qemu =
    let chardev_entry = bool_entry "chardev_tls"
                  | str_entry "chardev_tls_x509_cert_dir"
                  | bool_entry "chardev_tls_x509_verify"
+                 | str_entry "chardev_tls_x509_secret_uuid"
 
    let nogfx_entry = bool_entry "nographics_allow_host_audio"
 
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index e4c2aae..7114fa1 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -28,6 +28,20 @@
 #
 #default_tls_x509_verify = 1
 
+#
+# In order to provide a password to unlock the private key to be used
+# in order to provide the TLS credentials, a libvirt secret will need
+# to be created and then the UUID of that secret added as a configuration
+# parameter. See the libvirt documentation for specific details regarding
+# how to create a "tls" secret type.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
 # VNC is configured to listen on 127.0.0.1 by default.
 # To make it listen on all public interfaces, uncomment
 # this next option.
@@ -214,6 +228,16 @@
 #chardev_tls_x509_verify = 1
 
 
+# Uncomment and use the following option to override the default secret
+# uuid provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index e7b2d8d..c735357 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -365,6 +365,7 @@ static void virQEMUDriverConfigDispose(void *obj)
     VIR_FREE(cfg->nvramDir);
 
     VIR_FREE(cfg->defaultTLSx509certdir);
+    VIR_FREE(cfg->defaultTLSx509secretUUID);
 
     VIR_FREE(cfg->vncTLSx509certdir);
     VIR_FREE(cfg->vncListen);
@@ -377,6 +378,7 @@ static void virQEMUDriverConfigDispose(void *obj)
     VIR_FREE(cfg->spiceSASLdir);
 
     VIR_FREE(cfg->chardevTLSx509certdir);
+    VIR_FREE(cfg->chardevTLSx509secretUUID);
 
     while (cfg->nhugetlbfs) {
         cfg->nhugetlbfs--;
@@ -424,6 +426,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
     int ret = -1;
     int rv;
     size_t i, j;
+    bool defaultTLSx509haveUUID;
     char *stdioHandler = NULL;
     char *user = NULL, *group = NULL;
     char **controllers = NULL;
@@ -446,6 +449,12 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
         goto cleanup;
     if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
         goto cleanup;
+    if ((rv = virConfGetValueString(conf, "default_tls_x509_secret_uuid",
+                                    &cfg->defaultTLSx509secretUUID)) < 0)
+        goto cleanup;
+    if (rv == 1)
+        defaultTLSx509haveUUID = true;
+
     if (virConfGetValueBool(conf, "vnc_auto_unix_socket", &cfg->vncAutoUnixSocket) < 0)
         goto cleanup;
     if (virConfGetValueBool(conf, "vnc_tls", &cfg->vncTLS) < 0)
@@ -513,6 +522,19 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
         goto cleanup;
     if (rv == 0)
         cfg->chardevTLSx509verify = cfg->defaultTLSx509verify;
+    if ((rv = virConfGetValueString(conf, "chardev_tls_x509_secret_uuid",
+                                    &cfg->chardevTLSx509secretUUID)) < 0)
+        goto cleanup;
+    if (rv == 1) {
+        cfg->chardevTLSx509haveUUID = true;
+    } else {
+        if (defaultTLSx509haveUUID) {
+            if (VIR_STRDUP(cfg->chardevTLSx509secretUUID,
+                           cfg->defaultTLSx509secretUUID) < 0)
+                goto cleanup;
+            cfg->chardevTLSx509haveUUID = true;
+        }
+    }
 
     if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSocketPortMin) < 0)
         goto cleanup;
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index d8232cc..2887ba6 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -111,6 +111,7 @@ struct _virQEMUDriverConfig {
 
     char *defaultTLSx509certdir;
     bool defaultTLSx509verify;
+    char *defaultTLSx509secretUUID;
 
     bool vncAutoUnixSocket;
     bool vncTLS;
@@ -132,6 +133,8 @@ struct _virQEMUDriverConfig {
     bool chardevTLS;
     char *chardevTLSx509certdir;
     bool chardevTLSx509verify;
+    bool chardevTLSx509haveUUID;
+    char *chardevTLSx509secretUUID;
 
     unsigned int remotePortMin;
     unsigned int remotePortMax;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index cd162ae..805fa0e 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -4,6 +4,7 @@ module Test_libvirtd_qemu =
    test Libvirtd_qemu.lns get conf =
 { "default_tls_x509_cert_dir" = "/etc/pki/qemu" }
 { "default_tls_x509_verify" = "1" }
+{ "default_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "vnc_listen" = "0.0.0.0" }
 { "vnc_auto_unix_socket" = "1" }
 { "vnc_tls" = "1" }
@@ -23,6 +24,7 @@ module Test_libvirtd_qemu =
 { "chardev_tls" = "1" }
 { "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" }
 { "chardev_tls_x509_verify" = "1" }
+{ "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "nographics_allow_host_audio" = "1" }
 { "remote_display_port_min" = "5900" }
 { "remote_display_port_max" = "65535" }
-- 
2.7.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]