v1: https://www.redhat.com/archives/libvir-list/2017-September/msg00100.html

Other than patch 1 from v1, everything changed... Don't bother comparing.

Highlights -

 * Two patches of essentially movement of virSecretUsageType because I
   found (as seen in patch 2) that a previous patch altered the API being
   used to format the <secret type='%s'.../> field.

 * The next 8 patches add XML parsing for "auth/secret" and
   "encryption/secret" processing as a child of the _virStorageSource and
   then move the private data from qemuDomainDiskPrivatePtr to a new
   private data for qemuDomainDiskSrcPrivatePtr.

 * Patch11 is "somewhat" of an add on and not necessary for this series,
   but while I was thinking about it and because I believe it'll be useful
   for some other work - I added a hash lookaside table to be able to map
   the domain disk source secret objects to the usageType and secret by
   usage or UUID that was used to generate them. The output in the running
   XML on my host looks like:

     <diskSecretObjectAlias>
       <diskObject alias='hostdev0-secret0'>
         <secret type='iscsi' usage='libvirtiscsi'/>
       </diskObject>
       <diskObject alias='virtio-disk2-secret0'>
         <secret type='iscsi' usage='libvirtiscsi'/>
       </diskObject>
     </diskSecretObjectAlias>

   My thought was that since the username is included in the object
   already that it wouldn't have to be saved, but it could be as well.

 * Patch12 is the capabilities change from patch 1 of v1 with the one
   minor addition to add the capability to the qemu2.10 replies/xml.

 * Patch13 is the adjust in virstoragefile and virstoragetest to fetch
   and format the user/password-secret objects similar to how RBD did
   this. Guess where I tripped across the virSecretUsageTypeToString
   issue...

 * Patch14 handles all the magic in order to use AES secrets for both
   SCSI disk and hostdev including command line and hotplug.

Of "possible concern":

 * I found no "easy way" to manage whether the secret information was a
   child of disk or disk->src, so I moved everything on output to
   disk->src even if it was read as a child of disk. The concern here for
   me is migration and save files... If the domain xml changes - an older
   libvirt could "lose" the secret information since it wouldn't be a
   child of disk. It is possible to keep the "top-level" as a child of
   disk and then any backingStore would be able to have their own. But I
   figured I'd give the move or else a shot first.

John Ferlan (14):
  util: Move virSecretUsageType to virsecret.h
  util: Fix secret generation in virStorageSourceParseRBDColonString
  conf: Add/Allow parsing the auth in the disk source
  conf: Move auth formatting to disk source
  docs: Add news article regarding auth placement
  qemu: Introduce privateData for _virStorageSource
  conf: Add/Allow parsing the encryption in the disk source
  conf: Move LUKS encryption formatting to disk source
  docs: Add news article for encryption in disk source
  qemu: Move encinfo from private disk to private disk src
  qemu: Add disk secret object hash table to _qemuDomainObjPrivate
  qemu: Get capabilities to use iscsi password-secret argument
  util: Add iSCSI auth/password-secret processing
  qemu: Use secret objects to pass iSCSI passwords

 docs/formatdomain.html.in                          |  81 +++--
 docs/news.xml                                      |  24 ++
 docs/schemas/domaincommon.rng                      |  50 ++-
 src/conf/domain_conf.c                             | 142 ++++++++-
 src/conf/domain_conf.h                             |   1 +
 src/conf/secret_conf.c                             |   4 +-
 src/conf/secret_conf.h                             |   2 -
 src/qemu/qemu_block.c                              |  64 +++-
 src/qemu/qemu_capabilities.c                       |   4 +
 src/qemu/qemu_capabilities.h                       |   3 +
 src/qemu/qemu_command.c                            |  85 ++++-
 src/qemu/qemu_command.h                            |   3 +-
 src/qemu/qemu_domain.c                             | 351 ++++++++++++++++++++-
 src/qemu/qemu_domain.h                             |  25 +-
 src/qemu/qemu_hotplug.c                            |  97 +++++-
 src/qemu/qemu_parse_command.c                      |   2 +-
 src/storage/storage_driver.c                       |   1 +
 src/util/virsecret.c                               |   2 +
 src/util/virsecret.h                               |   3 +
 src/util/virstoragefile.c                          |  34 +-
 src/util/virstoragefile.h                          |   3 +
 .../qemuargv2xml-disk-drive-network-iscsi-auth.xml |   6 +-
 .../qemuargv2xml-disk-drive-network-rbd-auth.xml   |   6 +-
 tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml  |   1 +
 tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml  |   1 +
 tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml    |   1 +
 tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml   |   1 +
 ...xml2argv-disk-drive-network-iscsi-auth-AES.args |  41 +++
 ...uxml2argv-disk-drive-network-iscsi-auth-AES.xml |  43 +++
 ...v-disk-drive-network-iscsi-source-auth-both.xml |  36 +++
 ...2argv-disk-drive-network-iscsi-source-auth.args |  31 ++
 ...l2argv-disk-drive-network-iscsi-source-auth.xml |  43 +++
 ...rgv-disk-drive-network-rbd-source-auth-both.xml |  45 +++
 ...ml2argv-disk-drive-network-rbd-source-auth.args |  29 ++
 ...xml2argv-disk-drive-network-rbd-source-auth.xml |  42 +++
 ...ml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args |  45 +++
 ...xml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml |  48 +++
 .../qemuxml2argv-luks-disks-source-both.xml        |  40 +++
 .../qemuxml2argv-luks-disks-source.args            |  62 ++++
 .../qemuxml2argv-luks-disks-source.xml             |  81 +++++
 tests/qemuxml2argvtest.c                           |  16 +
 .../qemuxml2xmlout-disk-backing-chains-active.xml  |   6 +-
 ...qemuxml2xmlout-disk-backing-chains-inactive.xml |   6 +-
 ...emuxml2xmlout-disk-drive-network-iscsi-auth.xml |  12 +-
 ...xmlout-disk-drive-network-iscsi-source-auth.xml |  47 +++
 .../qemuxml2xmlout-disk-drive-network-rbd-auth.xml |   6 +-
 ...l2xmlout-disk-drive-network-rbd-source-auth.xml |  47 +++
 .../qemuxml2xmlout-disk-source-pool-mode.xml       |   3 -
 .../qemuxml2xmlout-luks-disks-source.xml           |  84 +++++
 .../qemuxml2xmlout-luks-disks.xml                  |  48 ++-
 tests/qemuxml2xmltest.c                            |   3 +
 tests/virstoragetest.c                             |  21 ++
 tools/virsh-secret.c                               |   2 +-
 53 files changed, 1756 insertions(+), 128 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.args
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.xml
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-source-auth-both.xml
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-source-auth.args
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-source-auth.xml
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-source-auth-both.xml
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-source-auth.args
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-source-auth.xml
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source-both.xml
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.args
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.xml
 create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-iscsi-source-auth.xml
 create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-rbd-source-auth.xml
 create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks-source.xml
 mode change 120000 => 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml

-- 
2.13.5

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
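The "possible concern" above (auth/encryption formatted under <source> rather than directly under <disk>, which an older libvirt reading only the disk-level placement would drop on migration or save) as an added example that is not part of the patch series or of libvirt: a small Python check over a constructed domain XML that reports where each disk's secret reference sits, plus a helper that copies the top-level <source> element back up to <disk> for domains that must still be consumed by such a libvirt. The sample XML and both functions are assumptions for illustration; only the element and attribute names follow the libvirt domain XML format.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the patch series): vda carries <auth>
# under <source> as v2 formats it, vdb keeps it under <disk>, vdc has LUKS.
SAMPLE_XML = """<domain type='qemu'><name>demo</name><devices>
<disk type='network' device='disk'><target dev='vda' bus='virtio'/>
 <source protocol='iscsi' name='iqn.2013-07.com.example:iscsi/2'><host name='h' port='3260'/>
  <auth username='myname'><secret type='iscsi' usage='libvirtiscsi'/></auth></source></disk>
<disk type='network' device='disk'><target dev='vdb' bus='virtio'/>
 <source protocol='rbd' name='pool/image'><host name='mon1'/></source>
 <auth username='myname'><secret type='ceph' usage='mycluster_myname'/></auth></disk>
<disk type='file' device='disk'><target dev='vdc' bus='virtio'/>
 <source file='/var/lib/libvirt/images/luks.img'>
  <encryption format='luks'><secret type='passphrase' usage='/storage/luks'/></encryption></source></disk>
</devices></domain>"""

SECRET_ELEMS = ("auth", "encryption")

def secret_placement(domain_xml):
    """Map target dev -> {tag: (parent element, secret type, usage or uuid)}."""
    result = {}
    for disk in ET.fromstring(domain_xml).iter("disk"):
        dev = disk.find("target").get("dev")
        result[dev] = {}
        for tag in SECRET_ELEMS:
            for where, parent in (("disk", disk), ("source", disk.find("source"))):
                el = parent.find(tag) if parent is not None else None
                if el is not None:
                    sec = el.find("secret")
                    ref = sec.get("usage") or sec.get("uuid")
                    result[dev][tag] = (where, sec.get("type"), ref)
    return result

def compat_rewrite(domain_xml):
    """Move auth/encryption from the top-level <source> up to <disk> when the disk
    has none there (older placement). Returns (rewritten XML, [(dev, tag) moved])."""
    root = ET.fromstring(domain_xml)
    moved = []
    for disk in list(root.iter("disk")):  # snapshot: children are modified below
        src = disk.find("source")
        for tag in SECRET_ELEMS:
            el = src.find(tag) if src is not None else None
            if el is not None and disk.find(tag) is None:
                disk.insert(list(disk).index(src) + 1, copy.deepcopy(el))
                src.remove(el)
                moved.append((disk.find("target").get("dev"), tag))
    return ET.tostring(root, encoding="unicode"), moved
```

Only the top-level <source> is rewritten; a backingStore's own <source> keeps its secret where it is, since the older placement never had a per-backing-store form.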