On 02/23/2017 01:42 PM, John Ferlan wrote: > Add a new TLS X.509 certificate type - "migrate". This will handle the > creation of a TLS certificate capability (and possibly repository) to > be used for migrations. Similar to chardev's, credentials will be handled > via a libvirt secrets. > > Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> > --- > src/qemu/libvirtd_qemu.aug | 6 ++++++ > src/qemu/qemu.conf | 39 ++++++++++++++++++++++++++++++++++++++ > src/qemu/qemu_conf.c | 2 ++ > src/qemu/qemu_conf.h | 5 +++++ > src/qemu/test_libvirtd_qemu.aug.in | 4 ++++ > 5 files changed, 56 insertions(+) > > diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug > index 82bae9e..18679c1 100644 > --- a/src/qemu/libvirtd_qemu.aug > +++ b/src/qemu/libvirtd_qemu.aug > @@ -54,6 +54,11 @@ module Libvirtd_qemu = > | bool_entry "chardev_tls_x509_verify" > | str_entry "chardev_tls_x509_secret_uuid" > > + let migrate_entry = bool_entry "migrate_tls" > + | str_entry "migrate_tls_x509_cert_dir" > + | bool_entry "migrate_tls_x509_verify" > + | str_entry "migrate_tls_x509_secret_uuid" > + > let nogfx_entry = bool_entry "nographics_allow_host_audio" > > let remote_display_entry = int_entry "remote_display_port_min" > @@ -116,6 +121,7 @@ module Libvirtd_qemu = > | vnc_entry > | spice_entry > | chardev_entry > + | migrate_entry > | nogfx_entry > | remote_display_entry > | security_entry > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > index 9f990c2..c4e228b 100644 > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf 
> @@ -238,6 +238,45 @@ > #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" > > > +# Enable use of TLS encryption for migration > +# > +# It is necessary to setup CA and issue a server certificate > +# before enabling this. > +# > +#migrate_tls = 1 > + > + > +# In order to override the default TLS certificate location for migration > +# certificates, supply a valid path to the certificate directory. If the > +# provided path does not exist then the default_tls_x509_cert_dir path > +# will be used. > +# > +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" > + > + > +# The default TLS configuration only uses certificates for the server > +# allowing the client to verify the server's identity and establish > +# an encrypted channel. > +# > +# It is possible to use x509 certificates for authentication too, by > +# issuing a x509 certificate to every client who needs to connect. > +# > +# Enabling this option will reject any client who does not have a > +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem > +# > +#migrate_tls_x509_verify = 1 > + > + > +# Uncomment and use the following option to override the default secret > +# UUID provided in the default_tls_x509_secret_uuid parameter. > +# > +# NB This default all-zeros UUID will not work. Replace it with the > +# output from the UUID for the TLS secret from a 'virsh secret-list' > +# command and then uncomment the entry > +# > +#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" > + > + > # By default, if no graphical front end is configured, libvirt will disable > # QEMU audio output since directly talking to alsa/pulseaudio may not work > # with various security settings. If you know what you're doing, enable > diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c > index b75cd54..f63d9c2 100644 > --- a/src/qemu/qemu_conf.c > +++ b/src/qemu/qemu_conf.c 
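Review bot: The `migrate_tls_x509_verify` comment names `/etc/pki/libvirt-migrate/ca-cert.pem` as the CA that clients must chain to, but the option just above says the directory falls back to `default_tls_x509_cert_dir` when `/etc/pki/libvirt-migrate` does not exist, so the CA actually consulted may live elsewhere; the text should say `# certificate signed by the CA in the migrate_tls_x509_cert_dir (or, if that is absent, default_tls_x509_cert_dir) directory` rather than a fixed path. The same block says the default configuration only lets the client verify the server, which for a migration listener means any peer that can reach the destination's port can complete the TLS handshake and begin pushing a guest state stream unless verify is enabled; that consequence is worth stating outright, e.g. `# Without this option the destination accepts any TLS client; enable it so that only hosts holding a CA-signed client certificate can initiate a migration.` Whether an unset `migrate_tls_x509_verify` inherits `default_tls_x509_verify` is not visible in this hunk and the comment should say so either way, since operators will assume the global setting applies.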
> @@ -555,6 +555,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, > > GET_CONFIG_TLS_CERT(chardev); > > + GET_CONFIG_TLS_CERT(migrate); > + > #undef GET_CONFIG_TLS_CERT > > if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSocketPortMin) < 0) > diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h > index e585f81..ac7badb 100644 > --- a/src/qemu/qemu_conf.h > +++ b/src/qemu/qemu_conf.h > @@ -137,6 +137,11 @@ struct _virQEMUDriverConfig { > bool chardevTLSx509verify; > char *chardevTLSx509secretUUID; > > + bool migrateTLS; > + char *migrateTLSx509certdir; > + bool migrateTLSx509verify; > + char *migrateTLSx509secretUUID; > + > unsigned int remotePortMin; > unsigned int remotePortMax; > > diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in > index 6f03898..71ddf7d 100644 > --- a/src/qemu/test_libvirtd_qemu.aug.in > +++ b/src/qemu/test_libvirtd_qemu.aug.in > @@ -25,6 +25,10 @@ module Test_libvirtd_qemu = > { "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" } > { "chardev_tls_x509_verify" = "1" } > { "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } > +{ "migrate_tls" = "1" } > +{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" } > +{ "migrate_tls_x509_verify" = "1" } > +{ "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } > { "nographics_allow_host_audio" = "1" } > { "remote_display_port_min" = "5900" } > { "remote_display_port_max" = "65535" } > Consider the following diff to be merged into this one (reminded while looking at the code going through how the default config is set up...) John diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index f63d9c2..f1ee4ee 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
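Review bot: `GET_CONFIG_TLS_CERT(migrate)` loads `migrate_tls_x509_secret_uuid` into `cfg->migrateTLSx509secretUUID` as a plain string, and nothing in this hunk checks that the value is a well-formed UUID — if the macro (defined above the hunk, not visible here) does not do so either, the all-zeros placeholder that the qemu.conf text warns "will not work" is only detected when a migration is attempted, not when libvirtd reads its configuration. A load-time parse of the string (libvirt's UUID parsing helper, if the macro does not already call it) that fails with an error naming the option would surface the misconfiguration at daemon start, which is where a TLS credential problem should be caught. The same applies to `migrate_tls_x509_cert_dir`: the conf text promises a silent fallback when the path does not exist, and a fallback that is not at least logged makes it hard to tell which CA a live migration listener is trusting. The enclosing virQEMUDriverConfigLoadFile begins and ends outside the hunk.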
@@ -279,6 +279,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) SET_TLS_X509_CERT_DEFAULT(vnc); SET_TLS_X509_CERT_DEFAULT(spice); SET_TLS_X509_CERT_DEFAULT(chardev); + SET_TLS_X509_CERT_DEFAULT(migrate); #undef SET_TLS_X509_CERT_DEFAULT @@ -394,6 +395,9 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->chardevTLSx509certdir); VIR_FREE(cfg->chardevTLSx509secretUUID); + VIR_FREE(cfg->migrateTLSx509certdir); + VIR_FREE(cfg->migrateTLSx509secretUUID); + while (cfg->nhugetlbfs) { cfg->nhugetlbfs--; VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir); -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
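Review bot: `SET_TLS_X509_CERT_DEFAULT(migrate)` seeds the certificate directory (the macro body is above the hunk and not visible), but nothing here initialises `cfg->migrateTLSx509verify`, so unless that macro also copies `default_tls_x509_verify` into the per-type flag the migration channel defaults to TLS with no client authentication — an unauthenticated peer that can reach the destination's migration port could complete the handshake. If that is intended, a one-line comment at the call site, `/* migrateTLSx509verify stays false unless set in qemu.conf: encryption only, no client authentication */`, makes the default auditable; if not, it should inherit the global verify setting the way the cert dir inherits the global directory. This follow-up also supplies the `VIR_FREE` calls for `migrateTLSx509certdir` and `migrateTLSx509secretUUID` that the first patch lacks, so it needs to be squashed into that patch rather than applied afterwards — as the first patch stands, the two strings loaded by `GET_CONFIG_TLS_CERT(migrate)` are never released in virQEMUDriverConfigDispose. The `while (cfg->nhugetlbfs)` loop at the end of the second hunk continues outside the hunk.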