Add an optional "tls='yes|no'" attribute for a TCP chardev.
For QEMU, this will allow for disabling the host config setting of the
'chardev_tls' for a domain chardev channel by setting the value to "no" or
to attempt to use a host TLS environment when setting the value to "yes"
when the host config 'chardev_tls' setting is disabled, but a TLS environment
is configured via either the host config 'chardev_tls_x509_cert_dir' or
'default_tls_x509_cert_dir'
Alter qemuDomainSupportTLSChardevTCP to augment the decision points for
choosing whether to try to use TLS.
Signed-off-by: John Ferlan
Signed-off-by: Pavel Hrdina
---
docs/formatdomain.html.in | 28 +
docs/schemas/domaincommon.rng | 5 ++
src/conf/domain_conf.c | 22 +++-
src/conf/domain_conf.h | 1 +
src/qemu/qemu_command.c| 2 +-
src/qemu/qemu_domain.c | 66 ++
src/qemu/qemu_domain.h | 8 +++
src/qemu/qemu_hotplug.c| 12 +++-
src/qemu/qemu_process.c| 2 +
...uxml2argv-serial-tcp-tlsx509-chardev-notls.args | 30 ++
...muxml2argv-serial-tcp-tlsx509-chardev-notls.xml | 50
tests/qemuxml2argvtest.c | 3 +
...xml2xmlout-serial-tcp-tlsx509-chardev-notls.xml | 1 +
tests/qemuxml2xmltest.c| 1 +
14 files changed, 227 insertions(+), 4 deletions(-)
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.args
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.xml
create mode 12
tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev-notls.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 9051178..0cd68a0 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6204,6 +6204,34 @@ qemu-kvm -net nic,model=? /dev/null
...
+
+ Since 2.4.0, the optional attribute
+ tls can be used to control whether a chardev
+ TCP communication channel would utilize a hypervisor configured
+ TLS X.509 certificate environment in order to encrypt the data
+ channel. For the QEMU hypervisor, usage of a TLS environment can
+ be controlled on the host by the chardev_tls and
+ chardev_tls_x509_cert_dir or
+ default_tls_x509_cert_dir settings in the file
+ /etc/libvirt/qemu.conf. If chardev_tls is enabled,
+ then unless the tls attribute is set to "no", libvirt
+ will use the host configured TLS environment.
+ If chardev_tls is disabled, but the tls
+ attribute is set to "yes", then libvirt will attempt to use the
+ host TLS environment if either the chardev_tls_x509_cert_dir
+ or default_tls_x509_cert_dir TLS directory structure exists.
+
+
+ ...
+
+
+
+
+
+
+
+ ...
+
UDP network console
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 3106510..e6741bb 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3453,6 +3453,11 @@
+
+
+
+
+
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 35cdbc3..6e814b3 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1997,6 +1997,8 @@ virDomainChrSourceDefCopy(virDomainChrSourceDefPtr dest,
if (VIR_STRDUP(dest->data.tcp.service, src->data.tcp.service) < 0)
return -1;
+
+dest->data.tcp.haveTLS = src->data.tcp.haveTLS;
break;
case VIR_DOMAIN_CHR_TYPE_UNIX:
@@ -10039,6 +10041,7 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr
def,
char *master = NULL;
char *slave = NULL;
char *append = NULL;
+char *haveTLS = NULL;
int remaining = 0;
while (cur != NULL) {
@@ -10046,6 +10049,8 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr
def,
if (xmlStrEqual(cur->name, BAD_CAST "source")) {
if (!mode)
mode = virXMLPropString(cur, "mode");
+if (!haveTLS)
+haveTLS = virXMLPropString(cur, "tls");
switch ((virDomainChrType) def->type) {
case VIR_DOMAIN_CHR_TYPE_FILE:
@@ -10222,6 +10227,15 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr
def,
def->data.tcp.listen = true;
}
+if (haveTLS &&
+(def->data.tcp.haveTLS =
+ virTristateBoolTypeFromString(haveTLS)) <= 0) {
+virReportError(VIR_ERR_XML_ERRO
