[libvirt PATCH v4 27/31] qemu: implement password auth for ssh disks with nbdkit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



For ssh disks that are served by nbdkit, lookup the password from the
configured secret and securely pass it to the nbdkit process using fd
passing.

Signed-off-by: Jonathon Jongsma <jjongsma@xxxxxxxxxx>
---
 src/qemu/qemu_nbdkit.c                        | 87 ++++++++++---------
 .../disk-network-ssh-password.args.disk0      |  8 ++
 ...k-network-ssh-password.args.disk0.pipe.778 |  1 +
 .../disk-network-ssh.args.disk1               |  8 ++
 .../disk-network-ssh.args.disk1.pipe.778      |  1 +
 tests/qemunbdkittest.c                        |  1 +
 ...sk-network-ssh-password.x86_64-latest.args | 36 ++++++++
 .../disk-network-ssh-password.xml             | 34 ++++++++
 tests/qemuxml2argvtest.c                      |  1 +
 9 files changed, 138 insertions(+), 39 deletions(-)
 create mode 100644 tests/qemunbdkitdata/disk-network-ssh-password.args.disk0
 create mode 100644 tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe.778
 create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk1
 create mode 100644 tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778
 create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/disk-network-ssh-password.xml

diff --git a/src/qemu/qemu_nbdkit.c b/src/qemu/qemu_nbdkit.c
index 98f8b70391..39afad106a 100644
--- a/src/qemu/qemu_nbdkit.c
+++ b/src/qemu/qemu_nbdkit.c
@@ -999,6 +999,46 @@ qemuNbdkitCommandPassDataByPipe(virCommand *cmd,
 }
 
 
+static int
+qemuNbdkitProcessBuildCommandAuth(virStorageAuthDef *authdef,
+                                  virCommand *cmd)
+{
+    g_autoptr(virConnect) conn = NULL;
+    g_autofree uint8_t *secret = NULL;
+    size_t secretlen = 0;
+    int secrettype;
+
+    if (!authdef)
+        return 0;
+
+    if ((secrettype = virSecretUsageTypeFromString(authdef->secrettype)) < 0) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("invalid secret type %s"),
+                       authdef->secrettype);
+        return -1;
+    }
+
+    conn = virGetConnectSecret();
+    if (virSecretGetSecretString(conn,
+                                 &authdef->seclookupdef,
+                                 secrettype,
+                                 &secret,
+                                 &secretlen) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("failed to get auth secret for storage"));
+        return -1;
+    }
+
+    virCommandAddArgPair(cmd, "user", authdef->username);
+
+    if (qemuNbdkitCommandPassDataByPipe(cmd, "password",
+                                        &secret, secretlen) < 0)
+        return -1;
+
+    return 0;
+}
+
+
 static int
 qemuNbdkitProcessBuildCommandCurl(qemuNbdkitProcess *proc,
                                   virCommand *cmd)
@@ -1020,37 +1060,8 @@ qemuNbdkitProcessBuildCommandCurl(qemuNbdkitProcess *proc,
     }
     virCommandAddArgPair(cmd, "url", uristring);
 
-    if (proc->source->auth) {
-        g_autoptr(virConnect) conn = virGetConnectSecret();
-        g_autofree uint8_t *secret = NULL;
-        size_t secretlen = 0;
-        int secrettype;
-        virStorageAuthDef *authdef = proc->source->auth;
-
-        virCommandAddArgPair(cmd, "user",
-                             proc->source->auth->username);
-
-        if ((secrettype = virSecretUsageTypeFromString(proc->source->auth->secrettype)) < 0) {
-            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
-                           _("invalid secret type %s"),
-                           proc->source->auth->secrettype);
-            return -1;
-        }
-
-        if (virSecretGetSecretString(conn,
-                                     &authdef->seclookupdef,
-                                     secrettype,
-                                     &secret,
-                                     &secretlen) < 0) {
-            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                           _("failed to get auth secret for storage"));
-            return -1;
-        }
-
-        if (qemuNbdkitCommandPassDataByPipe(cmd, "password",
-                                            &secret, secretlen) < 0)
-            return -1;
-    }
+    if (proc->source->auth && qemuNbdkitProcessBuildCommandAuth(proc->source->auth, cmd) < 0)
+        return -1;
 
     /* Create a pipe to send the cookies to the nbdkit process. */
     if (proc->source->ncookies) {
@@ -1079,7 +1090,6 @@ static int
 qemuNbdkitProcessBuildCommandSSH(qemuNbdkitProcess *proc,
                                  virCommand *cmd)
 {
-    const char *user = NULL;
     virStorageNetHostDef *host = &proc->source->hosts[0];
     g_autofree char *portstr = g_strdup_printf("%u", host->port);
 
@@ -1090,13 +1100,12 @@ qemuNbdkitProcessBuildCommandSSH(qemuNbdkitProcess *proc,
     virCommandAddArgPair(cmd, "port", portstr);
     virCommandAddArgPair(cmd, "path", proc->source->path);
 
-    if (proc->source->auth)
-        user = proc->source->auth->username;
-    else if (proc->source->ssh_user)
-        user = proc->source->ssh_user;
-
-    if (user)
-        virCommandAddArgPair(cmd, "user", user);
+    if (proc->source->auth) {
+        if (qemuNbdkitProcessBuildCommandAuth(proc->source->auth, cmd) < 0)
+            return -1;
+    } else if (proc->source->ssh_user) {
+        virCommandAddArgPair(cmd, "user", proc->source->ssh_user);
+    }
 
     if (proc->source->ssh_host_key_check_disabled)
         virCommandAddArgPair(cmd, "verify-remote-host", "false");
diff --git a/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0 b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0
new file mode 100644
index 0000000000..30711f7f07
--- /dev/null
+++ b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0
@@ -0,0 +1,8 @@
+nbdkit \
+--unix /tmp/statedir-0/nbdkit-test-disk-0.socket \
+--foreground ssh \
+host=example.org \
+port=2222 \
+path=test2.img \
+user=testuser \
+password=-777
diff --git a/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe.778 b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe.778
new file mode 100644
index 0000000000..ccdd4033fc
--- /dev/null
+++ b/tests/qemunbdkitdata/disk-network-ssh-password.args.disk0.pipe.778
@@ -0,0 +1 @@
+iscsi-mycluster_myname-secret
\ No newline at end of file
diff --git a/tests/qemunbdkitdata/disk-network-ssh.args.disk1 b/tests/qemunbdkitdata/disk-network-ssh.args.disk1
new file mode 100644
index 0000000000..9a8a16c8d5
--- /dev/null
+++ b/tests/qemunbdkitdata/disk-network-ssh.args.disk1
@@ -0,0 +1,8 @@
+nbdkit \
+--unix /tmp/statedir-1/nbdkit-test-disk-1.socket \
+--foreground ssh \
+host=example.org \
+port=2222 \
+path=test2.img \
+user=testuser \
+password=-777
diff --git a/tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778 b/tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778
new file mode 100644
index 0000000000..ccdd4033fc
--- /dev/null
+++ b/tests/qemunbdkitdata/disk-network-ssh.args.disk1.pipe.778
@@ -0,0 +1 @@
+iscsi-mycluster_myname-secret
\ No newline at end of file
diff --git a/tests/qemunbdkittest.c b/tests/qemunbdkittest.c
index 5606e155eb..492077e56e 100644
--- a/tests/qemunbdkittest.c
+++ b/tests/qemunbdkittest.c
@@ -291,6 +291,7 @@ mymain(void)
     DO_TEST("disk-network-source-curl-nbdkit-backing", QEMU_NBDKIT_CAPS_PLUGIN_CURL);
     DO_TEST("disk-network-source-curl", QEMU_NBDKIT_CAPS_PLUGIN_CURL);
     DO_TEST("disk-network-ssh", QEMU_NBDKIT_CAPS_PLUGIN_SSH);
+    DO_TEST("disk-network-ssh-password", QEMU_NBDKIT_CAPS_PLUGIN_SSH);
 
     qemuTestDriverFree(&driver);
 
diff --git a/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest.args b/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest.args
new file mode 100644
index 0000000000..e22ba095b1
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-ssh-password.x86_64-latest.args
@@ -0,0 +1,36 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \
+-machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram \
+-accel kvm \
+-cpu qemu64 \
+-m 214 \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
+-blockdev '{"driver":"nbd","server":{"type":"unix","path":"/tmp/lib/domain--1-QEMUGuest1/nbdkit-libvirt-1-storage.socket"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
+-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"libvirt-1-format","id":"virtio-disk0","bootindex":1}' \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/disk-network-ssh-password.xml b/tests/qemuxml2argvdata/disk-network-ssh-password.xml
new file mode 100644
index 0000000000..266acb761f
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-ssh-password.xml
@@ -0,0 +1,34 @@
+<domain type='kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='ssh' name='test2.img'>
+        <host name='example.org' port='2222'/>
+        <timeout seconds='1234'/>
+        <readahead size='1024'/>
+        <auth username='testuser'>
+          <secret type='iscsi' usage='mycluster_myname'/>
+        </auth>
+      </source>
+      <target dev='vda' bus='virtio'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <memballoon model='none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 59f416ef72..6e610185b5 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1319,6 +1319,7 @@ mymain(void)
     DO_TEST_CAPS_LATEST_NBDKIT("disk-network-http-nbdkit", QEMU_NBDKIT_CAPS_PLUGIN_CURL);
     DO_TEST_CAPS_LATEST("disk-network-ssh");
     DO_TEST_CAPS_LATEST_NBDKIT("disk-network-ssh-nbdkit", QEMU_NBDKIT_CAPS_PLUGIN_SSH);
+    DO_TEST_CAPS_LATEST_NBDKIT("disk-network-ssh-password", QEMU_NBDKIT_CAPS_PLUGIN_SSH);
     driver.config->vxhsTLS = 0;
     VIR_FREE(driver.config->vxhsTLSx509certdir);
     DO_TEST_CAPS_LATEST("disk-no-boot");
-- 
2.39.0




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux