Allow disabling of SSL certificate validation for HTTPS and FTPS drives in qemu. --- src/qemu/qemu_command.c | 22 +++++++-- .../qemuxml2argv-disk-drive-network-http.args | 37 +++++++++++++++ .../qemuxml2argv-disk-drive-network-http.xml | 52 ++++++++++++++++++++++ 3 files changed, 107 insertions(+), 4 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.xml diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 196716a6f..2c4704aa6 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -1528,10 +1528,24 @@ qemuBuildDriveSourceStr(virDomainDiskDefPtr disk, } virBufferAddLit(buf, ","); - if (disk->src->type == VIR_STORAGE_TYPE_NETWORK && - disk->src->protocol == VIR_STORAGE_NET_PROTOCOL_GLUSTER) { - if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_GLUSTER_DEBUG_LEVEL)) - virBufferAsprintf(buf, "file.debug=%d,", cfg->glusterDebugLevel); + if (disk->src->type == VIR_STORAGE_TYPE_NETWORK) { + if ((disk->src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS || + disk->src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS) && + disk->src->sslverify != VIR_TRISTATE_BOOL_ABSENT) { + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_BLOCK_CURL_SSLVERIFY)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("can't set SSL verification for https/ftps disks")); + goto cleanup; + } + + virBufferAsprintf(buf, "file.sslverify=%s,", + virTristateSwitchTypeToString(disk->src->sslverify)); + } + + if (disk->src->protocol == VIR_STORAGE_NET_PROTOCOL_GLUSTER) { + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_GLUSTER_DEBUG_LEVEL)) + virBufferAsprintf(buf, "file.debug=%d,", cfg->glusterDebugLevel); + } } if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) { diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args new file mode 100644 index 000000000..e1bfd42a8 --- /dev/null 
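Review bot: `disk->src->sslverify` is tested against `VIR_TRISTATE_BOOL_ABSENT` but formatted with `virTristateSwitchTypeToString()`, so the emitted `on`/`off` is correct only because the bool and switch tristates presumably share numeric values. An explicit mapping such as `disk->src->sslverify == VIR_TRISTATE_BOOL_YES ? "on" : "off"` would keep a security setting from depending on that layout. Because `file.sslverify=off` removes server authentication for the image transport, a log line when the value is `VIR_TRISTATE_BOOL_NO` would help anyone auditing which guests run without it. The error text could also name the cause, e.g. `_("this QEMU binary does not support setting SSL verification for https/ftps disks")`. The body of qemuBuildDriveSourceStr starts and ends outside the hunk.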
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args
@@ -0,0 +1,37 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-i686 \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-m 214 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nographic \
+-nodefaults \
+-monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
+-no-acpi \
+-boot c \
+-usb \
+-drive file=http://example.org:80/test.img,format=raw,if=none,\
+id=drive-virtio-disk0 \
+-device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
+id=virtio-disk0 \
+-drive file=https://example.org:443/test2.img,format=raw,if=none,\
+id=drive-virtio-disk1 \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk1,\
+id=virtio-disk1 \
+-drive 'file=http://example.org:1234/test3.img,\
+file.cookie=test=testcookievalue; test2=blurb,format=raw,if=none,\
+id=drive-virtio-disk2' \
+-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk2,\
+id=virtio-disk2 \
+-drive 'file=https://example.org:1234/test4.img,file.sslverify=off,\
+file.cookie=test=testcookievalue; test2=blurb,format=raw,if=none,\
+id=drive-virtio-disk3' \
+-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk3,\
+id=virtio-disk3
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.xml
new file mode 100644
index 000000000..50bd6a0e0
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.xml
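Review bot: The expected arguments for drive-virtio-disk2 and drive-virtio-disk3 contain `file.cookie=test=testcookievalue; test2=blurb`, yet the XML fixture added in this patch declares no cookie for any disk and the qemu_command.c hunk emits only `file.sslverify`. As posted, the generated command line would not match this file unless another patch in the series supplies cookie support. Either drop the `file.cookie` fragments here or move the fixture to the patch that adds them. The diffstat also lists no change to the test driver, so it is worth confirming the case is registered with `QEMU_CAPS_BLOCK_CURL_SSLVERIFY` set.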
@@ -0,0 +1,52 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-i686</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='http' name='test.img'>
+ <host name='example.org'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='https' name='test2.img'>
+ <host name='example.org'/>
+ </source>
+ <target dev='vdb' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='http' name='test3.img'>
+ <host name='example.org' port='1234'/>
+ </source>
+ <target dev='vdc' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='https' name='test4.img'>
+ <host name='example.org' port='1234'/>
+ <ssl verify='no'/>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
--
2.12.2
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
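Review bot: The only `<ssl>` case in this fixture is `verify='no'` on an https disk, so the verifying path is untested. No disk checks that `verify='yes'` yields `file.sslverify=on`, and no ftps disk exercises the second protocol the code accepts. Since this option controls whether the image server is authenticated, I would add one `<ssl verify='yes'/>` disk and one `protocol='ftps'` disk, plus a negative case where the capability is absent and the command build is expected to fail.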