ping? Tks - John On 06/29/2017 10:32 AM, John Ferlan wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1458630 > > Introduce virQEMUDriverConfigSetCertDir which will handle reading the > qemu.conf config file specific setting for default, vnc, spice, chardev, > and migrate. If a setting is provided, then validate the existence of the > directory and overwrite the default set by virQEMUDriverConfigNew. > > Update the qemu.conf description for default to describe the consequences > if the default directory path does not exist and as well as the descriptions > for each of the *_tls_x509_cert_dir entries. > > Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> > --- > > v1: https://www.redhat.com/archives/libvir-list/2017-June/msg01278.html > > - Dropped the former 1/2 patch > > - Alter the logic of virQEMUDriverConfigSetCertDir to fail instead of > VIR_INFO if an uncommented entry for one of the *_tls_x509_cert_dir > has a path that does not exist. This will cause a libvirtd startup > failure as opposed to the previous logic which would have failed only > when a domain using TLS was started. > > - Alter the description for each of the values to more accurately describe > what happens. > > src/qemu/qemu.conf | 29 ++++++++++++++++++++--------- > src/qemu/qemu_conf.c | 38 +++++++++++++++++++++++++++++++++----- > 2 files changed, 53 insertions(+), 14 deletions(-) > > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > index e6c0832..b0ccffb 100644 > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf > @@ -3,7 +3,7 @@ > # defaults are used. > > # Use of TLS requires that x509 certificates be issued. The default is > -# to keep them in /etc/pki/qemu. This directory must contain > +# to keep them in /etc/pki/qemu. This directory must exist and contain: > # > # ca-cert.pem - the CA master certificate > # server-cert.pem - the server certificate signed with ca-cert.pem > @@ -13,6 +13,12 @@ > # > # dh-params.pem - the DH params configuration file > # > +# If the directory does not exist or does not contain the necessary files, > +# QEMU domains will fail to start if they are configured to use TLS. > +# > +# In order to overwrite the default path alter the following. If the provided > +# path does not exist, then startup will fail. > +# > #default_tls_x509_cert_dir = "/etc/pki/qemu" > > > @@ -79,8 +85,9 @@ > > # In order to override the default TLS certificate location for > # vnc certificates, supply a valid path to the certificate directory. > -# If the provided path does not exist then the default_tls_x509_cert_dir > -# path will be used. > +# If the default listed here does not exist, then the default /etc/pki/qemu > +# is used. If uncommented and the provided path does not exist, then startup > +# will fail. > # > #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" > > @@ -164,8 +171,9 @@ > > # In order to override the default TLS certificate location for > # spice certificates, supply a valid path to the certificate directory. > -# If the provided path does not exist then the default_tls_x509_cert_dir > -# path will be used. > +# If the default listed here does not exist, then the default /etc/pki/qemu > +# is used. If uncommented and the provided path does not exist, then startup > +# will fail. > # > #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" > > @@ -216,8 +224,9 @@ > > # In order to override the default TLS certificate location for character > # device TCP certificates, supply a valid path to the certificate directory. > -# If the provided path does not exist then the default_tls_x509_cert_dir > -# path will be used. > +# If the default listed here does not exist, then the default /etc/pki/qemu > +# is used. If uncommented and the provided path does not exist, then startup > +# will fail. > # > #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev" > > @@ -252,8 +261,10 @@ > > # In order to override the default TLS certificate location for migration > # certificates, supply a valid path to the certificate directory. If the > -# provided path does not exist then the default_tls_x509_cert_dir path > -# will be used. Once/if a default certificate is enabled/defined, migration > +# default listed here does not exist, then the default /etc/pki/qemu is used. > +# If uncommented and the provided path does not exist, then startup will fail. > +# > +# Once/if a default certificate is enabled/defined, migration > # will then be able to use the certificate via migration API flags. > # > #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" > diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c > index 73c33d6..4eb6f0c 100644 > --- a/src/qemu/qemu_conf.c > +++ b/src/qemu/qemu_conf.c > @@ -440,6 +440,34 @@ virQEMUDriverConfigHugeTLBFSInit(virHugeTLBFSPtr hugetlbfs, > } > > > +static int > +virQEMUDriverConfigSetCertDir(virConfPtr conf, > + const char *setting, > + char **value) > +{ > + char *tlsCertDir = NULL; > + > + if (virConfGetValueString(conf, setting, &tlsCertDir) < 0) > + return -1; > + > + if (!tlsCertDir) > + return 0; > + > + if (!virFileExists(tlsCertDir)) { > + virReportError(VIR_ERR_CONF_SYNTAX, > + _("directory '%s' does not exist for setting '%s'"), > + tlsCertDir, setting); > + VIR_FREE(tlsCertDir); > + return -1; > + } else { > + VIR_FREE(*value); > + VIR_STEAL_PTR(*value, tlsCertDir); > + } > + > + return 0; > +} > + > + > int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, > const char *filename, > bool privileged) > @@ -467,7 +495,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, > if (!(conf = virConfReadFile(filename, 0))) > goto cleanup; > > - if (virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir) < 0) > + if (virQEMUDriverConfigSetCertDir(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir) < 0) > goto cleanup; > if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0) > goto cleanup; > @@ -483,7 +511,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, > goto cleanup; > if (rv == 0) > cfg->vncTLSx509verify = cfg->defaultTLSx509verify; > - if (virConfGetValueString(conf, "vnc_tls_x509_cert_dir", &cfg->vncTLSx509certdir) < 0) > + if (virQEMUDriverConfigSetCertDir(conf, "vnc_tls_x509_cert_dir", &cfg->vncTLSx509certdir) < 0) > goto cleanup; > if (virConfGetValueString(conf, "vnc_listen", &cfg->vncListen) < 0) > goto cleanup; > @@ -521,7 +549,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, > > if (virConfGetValueBool(conf, "spice_tls", &cfg->spiceTLS) < 0) > goto cleanup; > - if (virConfGetValueString(conf, "spice_tls_x509_cert_dir", &cfg->spiceTLSx509certdir) < 0) > + if (virQEMUDriverConfigSetCertDir(conf, "spice_tls_x509_cert_dir", &cfg->spiceTLSx509certdir) < 0) > goto cleanup; > if (virConfGetValueBool(conf, "spice_sasl", &cfg->spiceSASL) < 0) > goto cleanup; > @@ -541,8 +569,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, > goto cleanup; \ > if (rv == 0) \ > cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \ > - if (virConfGetValueString(conf, #val "_tls_x509_cert_dir", \ > - &cfg->val## TLSx509certdir) < 0) \ > + if (virQEMUDriverConfigSetCertDir(conf, #val "_tls_x509_cert_dir", \ > + &cfg->val## TLSx509certdir) < 0) \ > goto cleanup; \ > if (virConfGetValueString(conf, \ > #val "_tls_x509_secret_uuid", \ > -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
