[PATCH 3/6] admin: Introduce virAdmServerUpdateTlsFiles

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The server needs to use CA certificate, CRL, server certificate/key to
complete the TLS handshake. If these files change, we need to restart
libvirtd for them to take effect. This API can update the TLS context
without restarting libvirtd.
---
 include/libvirt/libvirt-admin.h      |  4 ++++
 src/admin/admin_protocol.x           | 13 ++++++++++-
 src/admin/admin_server.c             | 13 +++++++++++
 src/admin/admin_server.h             |  4 ++++
 src/admin/libvirt-admin.c            | 34 ++++++++++++++++++++++++++++
 src/admin/libvirt_admin_private.syms |  1 +
 src/admin/libvirt_admin_public.syms  |  1 +
 7 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/include/libvirt/libvirt-admin.h b/include/libvirt/libvirt-admin.h
index 3edc044490..6e38261129 100644
--- a/include/libvirt/libvirt-admin.h
+++ b/include/libvirt/libvirt-admin.h
@@ -410,6 +410,10 @@ int virAdmServerSetClientLimits(virAdmServerPtr srv,
                                 int nparams,
                                 unsigned int flags);
 
+int virAdmServerUpdateTlsFiles(virAdmServerPtr srv,
+                               unsigned int filetypes,
+                               unsigned int flags);
+
 int virAdmConnectGetLoggingOutputs(virAdmConnectPtr conn,
                                    char **outputs,
                                    unsigned int flags);
diff --git a/src/admin/admin_protocol.x b/src/admin/admin_protocol.x
index 42e215d23a..0fc8c54c80 100644
--- a/src/admin/admin_protocol.x
+++ b/src/admin/admin_protocol.x
@@ -181,6 +181,12 @@ struct admin_server_set_client_limits_args {
     unsigned int flags;
 };
 
+struct admin_server_update_tls_files_args {
+    admin_nonnull_server srv;
+    unsigned int filetypes;
+    unsigned int flags;
+};
+
 struct admin_connect_get_logging_outputs_args {
     unsigned int flags;
 };
@@ -314,5 +320,10 @@ enum admin_procedure {
     /**
      * @generate: both
      */
-    ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS = 17
+    ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS = 17,
+
+    /**
+     * @generate: both
+     */
+    ADMIN_PROC_SERVER_UPDATE_TLS_FILES = 18
 };
diff --git a/src/admin/admin_server.c b/src/admin/admin_server.c
index ba87f701c3..558913367b 100644
--- a/src/admin/admin_server.c
+++ b/src/admin/admin_server.c
@@ -367,3 +367,16 @@ adminServerSetClientLimits(virNetServerPtr srv,
 
     return 0;
 }
+
+int
+adminServerUpdateTlsFiles(virNetServerPtr srv,
+                          unsigned int filetypes,
+                          unsigned int flags)
+{
+    virCheckFlags(0, -1);
+
+    if (virNetServerUpdateTlsFiles(srv, filetypes) < 0)
+        return -1;
+
+    return 0;
+}
diff --git a/src/admin/admin_server.h b/src/admin/admin_server.h
index 1d5cbec55f..bd355017f2 100644
--- a/src/admin/admin_server.h
+++ b/src/admin/admin_server.h
@@ -67,3 +67,7 @@ int adminServerSetClientLimits(virNetServerPtr srv,
                                virTypedParameterPtr params,
                                int nparams,
                                unsigned int flags);
+
+int adminServerUpdateTlsFiles(virNetServerPtr srv,
+                              unsigned int filetypes,
+                              unsigned int flags);
diff --git a/src/admin/libvirt-admin.c b/src/admin/libvirt-admin.c
index 4099a54854..f3f92ed91c 100644
--- a/src/admin/libvirt-admin.c
+++ b/src/admin/libvirt-admin.c
@@ -1082,6 +1082,40 @@ virAdmServerSetClientLimits(virAdmServerPtr srv,
     return ret;
 }
 
+/**
+ * virAdmServerUpdateTlsFiles:
+ * @srv: a valid server object reference
+ * @filetypes: bitwise-OR of virServerTlsFiletype
+ * @flags: extra flags; not used yet, so callers should always pass 0
+ *
+ * Notify server to update tls file, such as cacert, cacrl, server cert / key.
+ * Mark the files that need to be updated by the @filetypes parameter.
+ * See virServerTlsFiletype for detailed description of accepted filetypes.
+ *
+ * Returns 0 if the TLS files have been updated successfully or -1 in case of an
+ * error.
+ */
+int
+virAdmServerUpdateTlsFiles(virAdmServerPtr srv,
+                          unsigned int filetypes,
+                          unsigned int flags)
+{
+    int ret = -1;
+
+    VIR_DEBUG("srv=%p, filetypes=%u, flags=0x%x", srv, filetypes, flags);
+    virResetLastError();
+
+    virCheckAdmServerGoto(srv, error);
+
+    if ((ret = remoteAdminServerUpdateTlsFiles(srv, filetypes, flags)) < 0)
+        goto error;
+
+    return ret;
+ error:
+    virDispatchError(NULL);
+    return ret;
+}
+
 /**
  * virAdmConnectGetLoggingOutputs:
  * @conn: pointer to an active admin connection
diff --git a/src/admin/libvirt_admin_private.syms b/src/admin/libvirt_admin_private.syms
index 9526412de8..157a45341e 100644
--- a/src/admin/libvirt_admin_private.syms
+++ b/src/admin/libvirt_admin_private.syms
@@ -31,6 +31,7 @@ xdr_admin_server_lookup_client_args;
 xdr_admin_server_lookup_client_ret;
 xdr_admin_server_set_client_limits_args;
 xdr_admin_server_set_threadpool_parameters_args;
+xdr_admin_server_update_tls_files_args;
 
 # datatypes.h
 virAdmClientClass;
diff --git a/src/admin/libvirt_admin_public.syms b/src/admin/libvirt_admin_public.syms
index 9a3f843780..8126973e5b 100644
--- a/src/admin/libvirt_admin_public.syms
+++ b/src/admin/libvirt_admin_public.syms
@@ -38,6 +38,7 @@ LIBVIRT_ADMIN_2.0.0 {
         virAdmClientClose;
         virAdmServerGetClientLimits;
         virAdmServerSetClientLimits;
+        virAdmServerUpdateTlsFiles;
 };
 
 LIBVIRT_ADMIN_3.0.0 {
-- 
2.23.0.windows.1







[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux