Re: [libvirt] [PATCH 2/3] domain: Add optional 'tls' attribute for TCP chardev
On 10/24/2016 08:41 AM, Pavel Hrdina wrote:
> Add an optional "tls='yes|no'" attribute for a TCP chardev.
>
> For QEMU, this will allow for disabling the host config setting of the
> 'chardev_tls' for a domain chardev channel by setting the value to "no" or
> to attempt to use a host TLS environment when setting the value to "yes"
> when the host config 'chardev_tls' setting is disabled, but a TLS environment
> is configured via either the host config 'chardev_tls_x509_cert_dir' or
> 'default_tls_x509_cert_dir'
>
> Alter qemuDomainSupportTLSChardevTCP to augment the decision points for
> choosing whether to try to use TLS.
The above sentence will no longer apply
>
> Signed-off-by: John Ferlan
> Signed-off-by: Pavel Hrdina
> ---
> docs/formatdomain.html.in | 28 +
> docs/schemas/domaincommon.rng | 5 ++
> src/conf/domain_conf.c | 22 +++-
> src/conf/domain_conf.h | 1 +
> src/qemu/qemu_command.c| 2 +-
> src/qemu/qemu_domain.c | 66
> ++
> src/qemu/qemu_domain.h | 8 +++
> src/qemu/qemu_hotplug.c| 12 +++-
> src/qemu/qemu_process.c| 2 +
> ...uxml2argv-serial-tcp-tlsx509-chardev-notls.args | 30 ++
> ...muxml2argv-serial-tcp-tlsx509-chardev-notls.xml | 50
> tests/qemuxml2argvtest.c | 3 +
> ...xml2xmlout-serial-tcp-tlsx509-chardev-notls.xml | 1 +
> tests/qemuxml2xmltest.c| 1 +
> 14 files changed, 227 insertions(+), 4 deletions(-)
> create mode 100644
> tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.args
> create mode 100644
> tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.xml
> create mode 12
> tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev-notls.xml
>
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 9051178..0cd68a0 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -6204,6 +6204,34 @@ qemu-kvm -net nic,model=? /dev/null
> >...
>
> +
> + Since 2.4.0, the optional attribute
> + tls can be used to control whether a chardev
> + TCP communication channel would utilize a hypervisor configured
> + TLS X.509 certificate environment in order to encrypt the data
> + channel. For the QEMU hypervisor, usage of a TLS environment can
> + be controlled on the host by the chardev_tls and
> + chardev_tls_x509_cert_dir or
> + default_tls_x509_cert_dir settings in the file
> + /etc/libvirt/qemu.conf. If chardev_tls is enabled,
> + then unless the tls attribute is set to "no", libvirt
> + will use the host configured TLS environment.
> + If chardev_tls is disabled, but the tls
> + attribute is set to "yes", then libvirt will attempt to use the
> + host TLS environment if either the
> chardev_tls_x509_cert_dir
> + or default_tls_x509_cert_dir TLS directory structure
> exists.
> +
> +
> + ...
> +> +
> + ...
> +
> UDP network console
>
>
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 3106510..e6741bb 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -3453,6 +3453,11 @@
>
>
>
> +
> +
> +
> +
> +
>
>
>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 35cdbc3..6e814b3 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -1997,6 +1997,8 @@ virDomainChrSourceDefCopy(virDomainChrSourceDefPtr dest,
>
> if (VIR_STRDUP(dest->data.tcp.service, src->data.tcp.service) < 0)
> return -1;
> +
> +dest->data.tcp.haveTLS = src->data.tcp.haveTLS;
> break;
>
> case VIR_DOMAIN_CHR_TYPE_UNIX:
> @@ -10039,6 +10041,7 @@
> virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def,
> char *master = NULL;
> char *slave = NULL;
> char *append = NULL;
> +char *haveTLS = NULL;
> int remaining = 0;
>
> while (cur != NULL) {
> @@ -10046,6 +10049,8 @@ > virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, > if (xmlStrEqual(cur->name, BAD_CAST "source")) { > if (!mode) > mode = virXMLPropString(cur, "mode"); > +if (!haveTLS) > +haveTLS = virXMLPropString(cur, "tls"); > > switch ((virDomainChrType) def->type) { >> + > +
[libvirt] [PATCH 2/3] domain: Add optional 'tls' attribute for TCP chardev
Add an optional "tls='yes|no'" attribute for a TCP chardev.
For QEMU, this will allow for disabling the host config setting of the
'chardev_tls' for a domain chardev channel by setting the value to "no" or
to attempt to use a host TLS environment when setting the value to "yes"
when the host config 'chardev_tls' setting is disabled, but a TLS environment
is configured via either the host config 'chardev_tls_x509_cert_dir' or
'default_tls_x509_cert_dir'
Alter qemuDomainSupportTLSChardevTCP to augment the decision points for
choosing whether to try to use TLS.
Signed-off-by: John Ferlan
Signed-off-by: Pavel Hrdina
---
docs/formatdomain.html.in | 28 +
docs/schemas/domaincommon.rng | 5 ++
src/conf/domain_conf.c | 22 +++-
src/conf/domain_conf.h | 1 +
src/qemu/qemu_command.c| 2 +-
src/qemu/qemu_domain.c | 66 ++
src/qemu/qemu_domain.h | 8 +++
src/qemu/qemu_hotplug.c| 12 +++-
src/qemu/qemu_process.c| 2 +
...uxml2argv-serial-tcp-tlsx509-chardev-notls.args | 30 ++
...muxml2argv-serial-tcp-tlsx509-chardev-notls.xml | 50
tests/qemuxml2argvtest.c | 3 +
...xml2xmlout-serial-tcp-tlsx509-chardev-notls.xml | 1 +
tests/qemuxml2xmltest.c| 1 +
14 files changed, 227 insertions(+), 4 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.xml
create mode 12 tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev-notls.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 9051178..0cd68a0 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6204,6 +6204,34 @@ qemu-kvm -net nic,model=? /dev/null
...
+
+ Since 2.4.0, the optional attribute
+ tls can be used to control whether a chardev
+ TCP communication channel would utilize a hypervisor configured
+ TLS X.509 certificate environment in order to encrypt the data
+ channel. For the QEMU hypervisor, usage of a TLS environment can
+ be controlled on the host by the chardev_tls and
+ chardev_tls_x509_cert_dir or
+ default_tls_x509_cert_dir settings in the file
+ /etc/libvirt/qemu.conf. If chardev_tls is enabled,
+ then unless the tls attribute is set to "no", libvirt
+ will use the host configured TLS environment.
+ If chardev_tls is disabled, but the tls
+ attribute is set to "yes", then libvirt will attempt to use the
+ host TLS environment if either the chardev_tls_x509_cert_dir
+ or default_tls_x509_cert_dir TLS directory structure exists.
+
+
+ ...
+
+
+ ...
+
UDP network console
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 3106510..e6741bb 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3453,6 +3453,11 @@
+
+
+
+
+
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 35cdbc3..6e814b3 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1997,6 +1997,8 @@ virDomainChrSourceDefCopy(virDomainChrSourceDefPtr dest,
if (VIR_STRDUP(dest->data.tcp.service, src->data.tcp.service) < 0)
return -1;
+
+dest->data.tcp.haveTLS = src->data.tcp.haveTLS;
break;
case VIR_DOMAIN_CHR_TYPE_UNIX:
@@ -10039,6 +10041,7 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def,
char *master = NULL;
char *slave = NULL;
char *append = NULL;
+char *haveTLS = NULL;
int remaining = 0;
while (cur != NULL) {
@@ -10046,6 +10049,8 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def,
if (xmlStrEqual(cur->name, BAD_CAST "source")) {
if (!mode)
mode = virXMLPropString(cur, "mode");
+if (!haveTLS)
+haveTLS = virXMLPropString(cur, "tls");
switch ((virDomainChrType) def->type) {
case VIR_DOMAIN_CHR_TYPE_FILE:
@@ -10222,6 +10227,15 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def,
def->data.tcp.listen = true;
}
+if (haveTLS &&
+(def->data.tcp.haveTLS =
+ virTristateBoolTypeFromString(haveTLS)) <= 0) {
+virReportError(VIR_ERR_XML_ERRO+ + ++ +
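Review bot: `haveTLS` is read from every `<source>` element before the `switch` on `def->type`, so a `tls` attribute on a non-TCP chardev is accepted by the parser and, as far as the visible hunks show, only ever consumed by the TCP-side validation that begins in the (truncated) @@ -10222 hunk; a `tls='yes'` on a unix or pty source would then be silently ignored rather than rejected, which is easy to mistake for an encrypted channel, so consider reporting an error when `haveTLS` is set and `def->type != VIR_DOMAIN_CHR_TYPE_TCP`. The string returned by `virXMLPropString()` also has to be released on the function's cleanup path, which lies outside this hunk; the declaration in the @@ -10039 hunk needs a matching `VIR_FREE(haveTLS);` next to the existing frees of `mode`/`append`, otherwise every parse leaks it. Since this attribute lets a domain definition override the host's `chardev_tls` setting, a one-line comment at the parse site, such as `/* per-chardev override of the host chardev_tls policy; resolved in qemuDomainSupportTLSChardevTCP */`, would make the trust boundary obvious to the next reader. virDomainChrSourceDefParseXML starts and ends outside these hunks.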