On 03/02/2016 01:54 PM, John Ferlan wrote:
> This series replaces the usage of linked list in secret driver with a
> hashed object list as was suggested in the review in the last patch of
> the previous secret driver changes series:
>
> http://www.redhat.com/archives/libvir-list/2016-February/ms
Modeled after the qemuDomainDiskPrivatePtr logic, create a privateData
pointer in the _virDomainHostdevDef to allow storage of private data
for a hypervisor in order to at least temporarily store auth/secrets
data for usage during qemuBuildCommandLine.
NB: Since the qemu_parse_command (qemuParseCo
Add the data structure and infrastructure to support an initialization
vector (IV) secret. The IV secret generation will need to have access
to the domain private master key, so let's make sure the prepare disk
and hostdev functions can accept that now.
Anywhere that needs to make a decision over
Since support for QEMU_CAPS_DEVICE is not assumed, let's drop the legacy
code to make life easier going forward.
Signed-off-by: John Ferlan
---
src/qemu/qemu_hotplug.c | 79 +
1 file changed, 33 insertions(+), 46 deletions(-)
diff --git a/src/qemu
Adjust error path logic to make it clearer how to undo the failed add.
Signed-off-by: John Ferlan
---
src/qemu/qemu_hotplug.c | 55 -
1 file changed, 32 insertions(+), 23 deletions(-)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
https://bugzilla.redhat.com/show_bug.cgi?id=1182074
If they're available and we need to pass secrets to qemu, then use the
qemu domain secret object in order to pass the secrets for iSCSI and
RBD volumes instead of passing plaintext or base64 encoded secrets on
the command line.
New APIs:
qemu
Similar to the qemuDomainSecretDiskPrepare, generate the secret
for the Hostdev's prior to call qemuProcessLaunch which calls
qemuBuildCommandLine. Additionally, since the secret is not longer
added as part of building the command, the hotplug code will need
to make the call to add the secret in th
Rather than take username and password as parameters, now take
a qemuDomainSecretInfoPtr and decode within the function.
NB: Having secinfo implies having the username for a plain type
from a successful virSecretGetSecretString
Signed-off-by: John Ferlan
---
src/qemu/qemu_command.c | 40 +++
Adjust error path logic to make it clearer how to undo the failed add.
Signed-off-by: John Ferlan
---
src/qemu/qemu_hotplug.c | 52 ++---
1 file changed, 32 insertions(+), 20 deletions(-)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
Adjust error path logic to make it clearer how to undo the failed add.
Signed-off-by: John Ferlan
---
src/qemu/qemu_hotplug.c | 35 +++
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 11efd7b.
Rather than needing to pass the conn parameter to various command
line building API's, add qemuDomainSecretPrepare just prior to the
qemuProcessLaunch which calls qemuBuilCommandLine. The function
must be called after qemuProcessPrepareHost since it's expected
to eventually need the domain masterKe
If we failed to build the aliases or attach the chardev, then the props
would be leaked - fix that.
Signed-off-by: John Ferlan
---
src/qemu/qemu_hotplug.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index c206369..c05f88c 100644
--- a/
Introduce a new private structure to hold qemu domain auth/secret data.
This will be stored in the qemuDomainDiskPrivate as a means to store the
auth and fetched secret data rather than generating during building of
the command line.
The initial changes will handle the current username and secret
v1: http://www.redhat.com/archives/libvir-list/2016-April/msg00596.html
Differences since v1:
- Add qemuBuildiSCSICommandLine (and BuildDiskiSCSI && BuildHostdeviSCSI)
These will do the magic necessary in order to support IV secret objects
for the impending iSCSI -drive argument. This API
On Fri, Apr 15, 2016 at 05:37:17PM -0400, Cole Robinson wrote:
min_guarantee isn't implemented for qemu, and an explicit check was
added in june 2014 to reject the VM at qemu startup time. It's a weird
place to do XML validation, so move it to the post parse area where
we have similar checks.
While working on the tests for the secret initialization vector, I found
that the existing iSCSI tests were lacking in how they defined the IQN.
Many had IQN's of just 'iqn.1992-01.com.example' for one disk while using
'iqn.1992-01.com.example/1' for the second disk (same for hostdevs - guess
how t
> Also, I do not believe /dev/urandom is FIPS compliant. Finally, the refill
> policy is different, so it is not really true the algorithm is the same.
>
> All in all, other than a seed value it really doesn't make any sense. Of
> course, none of this matters on newer Intel hardware ;)
Right, b
17 matches
Mail list logo