Re: [PATCH v9 5/5] qemu: Add the ability to hotplug a secret object for TCP chardev TLS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Oct 14, 2016 at 04:23:08PM -0400, John Ferlan wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1300776
> 
> Complete the implementation of support for TLS encryption on
> chardev TCP transports by adding the hotplug ability of a secret
> to generate the passwordid for the TLS object
> 
> Likewise, add the ability to hot unplug that secret object as well
> 
> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> ---
>  src/qemu/qemu_driver.c  |  2 +-
>  src/qemu/qemu_hotplug.c | 62 +++++++++++++++++++++++++++++++++++++++++++++----
>  src/qemu/qemu_hotplug.h |  3 ++-
>  tests/qemuhotplugtest.c |  2 +-
>  4 files changed, 61 insertions(+), 8 deletions(-)
> 
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index 8789c9d..5a1cf7b 100644
> --- a/src/qemu/qemu_driver.c
> +++ b/src/qemu/qemu_driver.c
> @@ -7567,7 +7567,7 @@ qemuDomainAttachDeviceLive(virDomainObjPtr vm,
>          break;
>  
>      case VIR_DOMAIN_DEVICE_CHR:
> -        ret = qemuDomainAttachChrDevice(driver, vm,
> +        ret = qemuDomainAttachChrDevice(conn, driver, vm,
>                                          dev->data.chr);
>          if (!ret) {
>              alias = dev->data.chr->info.alias;
> diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
> index aad7fa1..69d562f 100644
> --- a/src/qemu/qemu_hotplug.c
> +++ b/src/qemu/qemu_hotplug.c
> @@ -1690,7 +1690,8 @@ qemuDomainAttachChrDeviceAssignAddr(virDomainDefPtr def,
>      return ret;
>  }
>  
> -int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
> +int qemuDomainAttachChrDevice(virConnectPtr conn,
> +                              virQEMUDriverPtr driver,
>                                virDomainObjPtr vm,
>                                virDomainChrDefPtr chr)
>  {
> @@ -1704,8 +1705,11 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
>      char *charAlias = NULL;
>      bool chardevAttached = false;
>      bool tlsobjAdded = false;
> +    bool secobjAdded = false;
>      virJSONValuePtr tlsProps = NULL;
>      char *tlsAlias = NULL;
> +    virJSONValuePtr secProps = NULL;
> +    char *secAlias = NULL;
>      bool need_release = false;
>  
>      if (chr->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CHANNEL &&
> @@ -1729,12 +1733,30 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
>      if (qemuDomainChrPreInsert(vmdef, chr) < 0)
>          goto cleanup;
>  
> +    if (qemuDomainSecretChardevPrepare(conn, driver, priv, chr) < 0)
> +        goto cleanup;
> +
>      if (cfg->chardevTLS &&
>          dev->data.tcp.haveTLS != VIR_TRISTATE_BOOL_NO) {
> +        qemuDomainChardevPrivatePtr chardevPriv =
> +            QEMU_DOMAIN_CHARDEV_PRIVATE(chr);
> +        qemuDomainSecretInfoPtr secinfo = chardevPriv->secinfo;
> +
> +        /* Add a secret object in order to access the TLS environment.
> +         * The secinfo will only be created for serial TCP device. */
> +        if (secinfo) {
> +            if (qemuBuildSecretInfoProps(secinfo, &secProps) < 0)
> +                goto cleanup;
> +
> +            if (!(secAlias = qemuDomainGetSecretAESAlias(chr->info.alias,
> +                                                         false)))
> +                goto cleanup;
> +        }
> +
>          if (qemuBuildTLSx509BackendProps(cfg->chardevTLSx509certdir,
>                                           dev->data.tcp.listen,
>                                           cfg->chardevTLSx509verify,
> -                                         NULL,
> +                                         secAlias,
>                                           priv->qemuCaps,
>                                           &tlsProps) < 0)
>              goto cleanup;
> @@ -1745,6 +1767,15 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
>      }
>  
>      qemuDomainObjEnterMonitor(driver, vm);
> +    if (secAlias) {
> +        rc = qemuMonitorAddObject(priv->mon, "secret",
> +                                  secAlias, secProps);
> +        secProps = NULL;
> +        if (rc < 0)
> +            goto exit_monitor;
> +        secobjAdded = true;
> +    }
> +
>      if (tlsAlias) {
>          rc = qemuMonitorAddObject(priv->mon, "tls-creds-x509",
>                                    tlsAlias, tlsProps);
> @@ -1775,6 +1806,8 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
>          qemuDomainReleaseDeviceAddress(vm, &chr->info, NULL);
>      VIR_FREE(tlsAlias);
>      virJSONValueFree(tlsProps);
> +    VIR_FREE(secAlias);
> +    virJSONValueFree(secProps);
>      VIR_FREE(charAlias);
>      VIR_FREE(devstr);
>      virObjectUnref(cfg);
> @@ -1782,6 +1815,8 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
>  
>   exit_monitor:
>      orig_err = virSaveLastError();
> +    if (secobjAdded)
> +        ignore_value(qemuMonitorDelObject(priv->mon, secAlias));
>      if (tlsobjAdded)
>          ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias));
>      /* detach associated chardev on error */
> @@ -4387,6 +4422,7 @@ int qemuDomainDetachChrDevice(virQEMUDriverPtr driver,
>      virDomainDefPtr vmdef = vm->def;
>      virDomainChrDefPtr tmpChr;
>      char *objAlias = NULL;
> +    char *secAlias = NULL;
>      char *devstr = NULL;
>  
>      if (!(tmpChr = virDomainChrFind(vmdef, chr))) {
> @@ -4400,9 +4436,21 @@ int qemuDomainDetachChrDevice(virQEMUDriverPtr driver,
>  
>      sa_assert(tmpChr->info.alias);
>  
> -    if (cfg->chardevTLS &&
> -        !(objAlias = qemuAliasTLSObjFromChardevAlias(tmpChr->info.alias)))
> -        goto cleanup;
> +    if (cfg->chardevTLS) {

This needs to test serial->source.data.tcp.haveTLS.

Pavel

> +        if (!(objAlias = qemuAliasTLSObjFromChardevAlias(tmpChr->info.alias)))
> +            goto cleanup;
> +
> +        /* Best shot at this as the secinfo is destroyed after process launch
> +         * and this path does not recreate it. Thus, if the config has the
> +         * secret UUID and we have a serial TCP chardev, then formulate a
> +         * secAlias which we'll attempt to destroy. */
> +        if (cfg->chardevTLSx509secretUUID &&
> +            tmpChr->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_SERIAL &&
> +            tmpChr->source.type == VIR_DOMAIN_CHR_TYPE_TCP &&
> +            !(secAlias = qemuDomainGetSecretAESAlias(tmpChr->info.alias,
> +                                                     false)))
> +            goto cleanup;
> +    }
>  
>      if (qemuBuildChrDeviceStr(&devstr, vmdef, chr, priv->qemuCaps) < 0)
>          goto cleanup;
> @@ -4416,6 +4464,10 @@ int qemuDomainDetachChrDevice(virQEMUDriverPtr driver,
>      if (objAlias && qemuMonitorDelObject(priv->mon, objAlias) < 0)
>          goto exit_monitor;
>  
> +    /* If it fails, then so be it - it was a best shot */
> +    if (secAlias)
> +        ignore_value(qemuMonitorDelObject(priv->mon, secAlias));
> +
>      if (qemuDomainObjExitMonitor(driver, vm) < 0)
>          goto cleanup;
>  
> diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h
> index b048cf4..8f23176 100644
> --- a/src/qemu/qemu_hotplug.h
> +++ b/src/qemu/qemu_hotplug.h
> @@ -92,7 +92,8 @@ int qemuDomainAttachLease(virQEMUDriverPtr driver,
>  int qemuDomainDetachLease(virQEMUDriverPtr driver,
>                            virDomainObjPtr vm,
>                            virDomainLeaseDefPtr lease);
> -int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
> +int qemuDomainAttachChrDevice(virConnectPtr conn,
> +                              virQEMUDriverPtr driver,
>                                virDomainObjPtr vm,
>                                virDomainChrDefPtr chr);
>  int qemuDomainDetachChrDevice(virQEMUDriverPtr driver,
> diff --git a/tests/qemuhotplugtest.c b/tests/qemuhotplugtest.c
> index 43eb1cf..14561a8 100644
> --- a/tests/qemuhotplugtest.c
> +++ b/tests/qemuhotplugtest.c
> @@ -118,7 +118,7 @@ testQemuHotplugAttach(virDomainObjPtr vm,
>          ret = qemuDomainAttachDeviceDiskLive(NULL, &driver, vm, dev);
>          break;
>      case VIR_DOMAIN_DEVICE_CHR:
> -        ret = qemuDomainAttachChrDevice(&driver, vm, dev->data.chr);
> +        ret = qemuDomainAttachChrDevice(NULL, &driver, vm, dev->data.chr);
>          break;
>      default:
>          VIR_TEST_VERBOSE("device type '%s' cannot be attached\n",
> -- 
> 2.7.4
> 
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list

Attachment: signature.asc
Description: Digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]