Re: [libvirt] [PATCH 11/12] qemu: domain: Prepare TLS data for the whole backing chain

2017-10-26 Thread John Ferlan


On 10/20/2017 09:47 AM, Peter Krempa wrote:
> Iterate through the backing chain when setting up TLS for disks.
> ---
>  src/qemu/qemu_domain.c | 41 ++---
>  1 file changed, 22 insertions(+), 19 deletions(-)
> 

So (for now) a VxHS device could be at some depth within the backing
chain and we'd need to make sure we can use TLS for it, but not
necessarily use TLS for all levels - is that the basic premise? I don't
even want to think about having different target TLS types within the
chain - pffttt, splat goes the brain.


Reviewed-by: John Ferlan 

John

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list


[libvirt] [PATCH 11/12] qemu: domain: Prepare TLS data for the whole backing chain

2017-10-20 Thread Peter Krempa
Iterate through the backing chain when setting up TLS for disks.
---
 src/qemu/qemu_domain.c | 41 ++---
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index aebe24e7b..3560cdd29 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7845,28 +7845,31 @@ int
 qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src,
virQEMUDriverConfigPtr cfg)
 {
+virStorageSourcePtr next;

-/* VxHS uses only client certificates and thus has no need for
- * the server-key.pem nor a secret that could be used to decrypt
- * the it, so no need to add a secinfo for a secret UUID. */
-if (src->type == VIR_STORAGE_TYPE_NETWORK &&
-src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS) {
-
-if (src->haveTLS == VIR_TRISTATE_BOOL_ABSENT) {
-if (cfg->vxhsTLS)
-src->haveTLS = VIR_TRISTATE_BOOL_YES;
-else
-src->haveTLS = VIR_TRISTATE_BOOL_NO;
-src->tlsFromConfig = true;
-}
+for (next = src; virStorageSourceIsBacking(next); next = 
next->backingStore) {
+/* VxHS uses only client certificates and thus has no need for
+ * the server-key.pem nor a secret that could be used to decrypt
+ * the it, so no need to add a secinfo for a secret UUID. */
+if (next->type == VIR_STORAGE_TYPE_NETWORK &&
+next->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS) {
+
+if (next->haveTLS == VIR_TRISTATE_BOOL_ABSENT) {
+if (cfg->vxhsTLS)
+next->haveTLS = VIR_TRISTATE_BOOL_YES;
+else
+next->haveTLS = VIR_TRISTATE_BOOL_NO;
+next->tlsFromConfig = true;
+}

-if (src->haveTLS == VIR_TRISTATE_BOOL_YES) {
-/* Grab the vxhsTLSx509certdir and set the verify/listen values.
- * NB: tlsAlias filled in during qemuDomainGetTLSObjects. */
-if (VIR_STRDUP(src->tlsCertdir, cfg->vxhsTLSx509certdir) < 0)
-return -1;
+if (next->haveTLS == VIR_TRISTATE_BOOL_YES) {
+/* Grab the vxhsTLSx509certdir and set the verify/listen 
values.
+ * NB: tlsAlias filled in during qemuDomainGetTLSObjects. */
+if (VIR_STRDUP(next->tlsCertdir, cfg->vxhsTLSx509certdir) < 0)
+return -1;

-src->tlsVerify = true;
+next->tlsVerify = true;
+}
 }
 }
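
Review bot: In the new for loop, each layer's haveTLS is defaulted from cfg->vxhsTLS only when it is VIR_TRISTATE_BOOL_ABSENT, so a chain in which one image sets haveTLS explicitly can end up with some VxHS layers using TLS and others not. If that per-layer behaviour is intended, state it in the comment at the top of the loop body so readers do not assume the top image's setting applies to the whole chain. The `return -1` on VIR_STRDUP failure now exits mid-chain with earlier layers already updated (haveTLS, tlsFromConfig, tlsCertdir, tlsVerify), which is worth noting for callers. Since the VxHS comment is being re-indented anyway, also fix "decrypt the it" to "decrypt it".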

-- 
2.14.1
