Use the configured TLS env to setup encryption of the TLS transport. https://bugzilla.redhat.com/show_bug.cgi?id=1822631 Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx> --- src/qemu/qemu_backup.c | 80 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c index 8dc9d2504d..b711f8f623 100644 --- a/src/qemu/qemu_backup.c +++ b/src/qemu/qemu_backup.c @@ -18,6 +18,7 @@ #include <config.h> +#include "qemu_alias.h" #include "qemu_block.h" #include "qemu_conf.h" #include "qemu_capabilities.h" @@ -642,6 +643,50 @@ qemuBackupJobCancelBlockjobs(virDomainObjPtr vm, } +#define QEMU_BACKUP_TLS_ALIAS_BASE "libvirt_backup" + +static int +qemuBackupBeginPrepareTLS(virDomainObjPtr vm, + virQEMUDriverConfigPtr cfg, + virDomainBackupDefPtr def, + virJSONValuePtr *tlsProps, + virJSONValuePtr *tlsSecretProps) +{ + qemuDomainObjPrivatePtr priv = vm->privateData; + g_autofree char *tlsObjAlias = qemuAliasTLSObjFromSrcAlias(QEMU_BACKUP_TLS_ALIAS_BASE); + g_autoptr(qemuDomainSecretInfo) secinfo = NULL; + const char *tlsKeySecretAlias = NULL; + + if (def->tls != VIR_TRISTATE_BOOL_YES) + return 0; + + if (!cfg->backupTLSx509certdir) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("backup TLS directory not configured")); + return -1; + } + + if (cfg->backupTLSx509secretUUID) { + if (!(secinfo = qemuDomainSecretInfoTLSNew(priv, tlsObjAlias, + cfg->backupTLSx509secretUUID))) + return -1; + + if (qemuBuildSecretInfoProps(secinfo, tlsSecretProps) < 0) + return -1; + + tlsKeySecretAlias = secinfo->s.aes.alias; + } + + if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true, + cfg->backupTLSx509verify, tlsObjAlias, + tlsKeySecretAlias, priv->qemuCaps, + tlsProps) < 0) + return -1; + + return 0; +} + + int qemuBackupBegin(virDomainObjPtr vm, const char *backupXML, @@ -656,6 +701,10 @@ qemuBackupBegin(virDomainObjPtr vm, virDomainMomentObjPtr chk = NULL; g_autoptr(virDomainCheckpointDef) chkdef = NULL; g_autoptr(virJSONValue) actions = NULL; + g_autoptr(virJSONValue) tlsProps = NULL; + g_autofree char *tlsAlias = NULL; + g_autoptr(virJSONValue) tlsSecretProps = NULL; + g_autofree char *tlsSecretAlias = NULL; struct qemuBackupDiskData *dd = NULL; ssize_t ndd = 0; g_autoptr(virHashTable) blockNamedNodeData = NULL; @@ -719,6 +768,9 @@ qemuBackupBegin(virDomainObjPtr vm, if (qemuBackupPrepare(def) < 0) goto endjob; + if (qemuBackupBeginPrepareTLS(vm, cfg, def, &tlsProps, &tlsSecretProps) < 0) + goto endjob; + if (virDomainBackupAlignDisks(def, vm->def, suffix) < 0) goto endjob; @@ -755,8 +807,16 @@ qemuBackupBegin(virDomainObjPtr vm, /* TODO: TLS is a must-have for the modern age */ if (pull) { - if ((rc = qemuMonitorNBDServerStart(priv->mon, priv->backup->server, NULL)) == 0) - nbd_running = true; + if (tlsSecretProps) + rc = qemuMonitorAddObject(priv->mon, &tlsSecretProps, &tlsSecretAlias); + + if (rc == 0 && tlsProps) + rc = qemuMonitorAddObject(priv->mon, &tlsProps, &tlsAlias); + + if (rc == 0) { + if ((rc = qemuMonitorNBDServerStart(priv->mon, priv->backup->server, tlsAlias)) == 0) + nbd_running = true; + } } if (rc == 0) @@ -789,6 +849,9 @@ qemuBackupBegin(virDomainObjPtr vm, } } + priv->backup->tlsAlias = g_steal_pointer(&tlsAlias); + priv->backup->tlsSecretAlias = g_steal_pointer(&tlsSecretAlias); + ret = 0; endjob: @@ -797,9 +860,14 @@ qemuBackupBegin(virDomainObjPtr vm, /* if 'chk' is non-NULL here it's a failure and it must be rolled back */ qemuCheckpointRollbackMetadata(vm, chk); - if (!job_started && nbd_running && + if (!job_started && (nbd_running || tlsAlias || tlsSecretAlias) && qemuDomainObjEnterMonitorAsync(priv->driver, vm, QEMU_ASYNC_JOB_BACKUP) == 0) { - ignore_value(qemuMonitorNBDServerStop(priv->mon)); + if (nbd_running) + ignore_value(qemuMonitorNBDServerStop(priv->mon)); + if (tlsAlias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + if (tlsSecretAlias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsSecretAlias, false)); ignore_value(qemuDomainObjExitMonitor(priv->driver, vm)); } @@ -862,6 +930,10 @@ qemuBackupNotifyBlockjobEnd(virDomainObjPtr vm, if (qemuDomainObjEnterMonitorAsync(priv->driver, vm, asyncJob) < 0) return; ignore_value(qemuMonitorNBDServerStop(priv->mon)); + if (backup->tlsAlias) + ignore_value(qemuMonitorDelObject(priv->mon, backup->tlsAlias, false)); + if (backup->tlsSecretAlias) + ignore_value(qemuMonitorDelObject(priv->mon, backup->tlsSecretAlias, false)); if (qemuDomainObjExitMonitor(priv->driver, vm) < 0) return; -- 2.26.2
