subject:"\[libvirt\] \[PATCH v3 2\/7\] conf\: Introduce migrate_tls_x509_cert

Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

2017-03-23 Thread Jiri Denemark

On Wed, Mar 22, 2017 at 14:52:28 -0400, John Ferlan wrote:
> 
> 
> On 03/22/2017 12:26 PM, Jiri Denemark wrote:
> > On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote:
> >> Add a new TLS X.509 certificate type - "migrate". This will handle the
> >> creation of a TLS certificate capability (and possibly repository) to
> >> be used for migrations. Similar to chardev's, credentials will be handled
> >> via a libvirt secrets; however, unlike chardev's enablement and usage
> >> will be via a CLI flag instead of a conf flag and a domain XML attribute.
> >> The migrations will also require the client-cert.pem and client-key.pem
> >> files to be present in the clients TLS directory.
> >>
> >> Signed-off-by: John Ferlan 
> >> ---
> >>  src/qemu/libvirtd_qemu.aug |  5 +
> >>  src/qemu/qemu.conf | 37 
> >> +
> >>  src/qemu/qemu_conf.c   |  6 ++
> >>  src/qemu/qemu_conf.h   |  4 
> >>  src/qemu/test_libvirtd_qemu.aug.in |  3 +++
> >>  5 files changed, 55 insertions(+)
> >>
> >> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> >> index 9925ac9..40bcec3 100644
> >> --- a/src/qemu/qemu.conf
> >> +++ b/src/qemu/qemu.conf
> > ...
> >> +# In order to override the default TLS certificate location for migration
> >> +# certificates, supply a valid path to the certificate directory. If the
> >> +# provided path does not exist then the default_tls_x509_cert_dir path
> >> +# will be used. Once/if a default certificate is enabled/defined, 
> >> migration
> >> +# will then be able to use the certificate via migration API flags.
> >> +#
> >> +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
> >> +
> >> +
> >> +# The default TLS configuration only uses certificates for the server
> >> +# allowing the client to verify the server's identity and establish
> >> +# an encrypted channel.
> >> +#
> >> +# It is possible to use x509 certificates for authentication too, by
> >> +# issuing a x509 certificate to every client who needs to connect.
> > 
> > s/a x509/an x509/
> > 
> >> +#
> >> +# Enabling this option will reject any client who does not have a
> >> +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem
> > 
> > "ca-cert.pem in migrate_tls_x509_cert_dir" or something like that.
> > Mentioning /etc/pki/libvirt-migrate might be quite confusing.
> 
> The is a cut-n-paste of the libvirt-vnc and libvirt-chardev - would you
> like to see those changed as well (in a separate patch).

Yeah, I think it would make sense to fix them too.

Jirka

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

2017-03-22 Thread John Ferlan



On 03/22/2017 12:26 PM, Jiri Denemark wrote:
> On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote:
>> Add a new TLS X.509 certificate type - "migrate". This will handle the
>> creation of a TLS certificate capability (and possibly repository) to
>> be used for migrations. Similar to chardev's, credentials will be handled
>> via a libvirt secrets; however, unlike chardev's enablement and usage
>> will be via a CLI flag instead of a conf flag and a domain XML attribute.
>> The migrations will also require the client-cert.pem and client-key.pem
>> files to be present in the clients TLS directory.
>>
>> Signed-off-by: John Ferlan 
>> ---
>>  src/qemu/libvirtd_qemu.aug |  5 +
>>  src/qemu/qemu.conf | 37 
>> +
>>  src/qemu/qemu_conf.c   |  6 ++
>>  src/qemu/qemu_conf.h   |  4 
>>  src/qemu/test_libvirtd_qemu.aug.in |  3 +++
>>  5 files changed, 55 insertions(+)
>>
>> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>> index 9925ac9..40bcec3 100644
>> --- a/src/qemu/qemu.conf
>> +++ b/src/qemu/qemu.conf
> ...
>> +# In order to override the default TLS certificate location for migration
>> +# certificates, supply a valid path to the certificate directory. If the
>> +# provided path does not exist then the default_tls_x509_cert_dir path
>> +# will be used. Once/if a default certificate is enabled/defined, migration
>> +# will then be able to use the certificate via migration API flags.
>> +#
>> +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
>> +
>> +
>> +# The default TLS configuration only uses certificates for the server
>> +# allowing the client to verify the server's identity and establish
>> +# an encrypted channel.
>> +#
>> +# It is possible to use x509 certificates for authentication too, by
>> +# issuing a x509 certificate to every client who needs to connect.
> 
> s/a x509/an x509/
> 
>> +#
>> +# Enabling this option will reject any client who does not have a
>> +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem
> 
> "ca-cert.pem in migrate_tls_x509_cert_dir" or something like that.
> Mentioning /etc/pki/libvirt-migrate might be quite confusing.
> 

The is a cut-n-paste of the libvirt-vnc and libvirt-chardev - would you
like to see those changed as well (in a separate patch).

It now reads:

# Enabling this option will reject any client who does not have a
# ca-cert.pem certificate signed by the CA in migrate_tls_x509_cert_dir
# (or default_tls_x509_cert_dir).

John


 if certificates were any less confusing they may
actually be more widely used. It's really confusing that libvirtd
expects one set of names, while a different set of names is expected by
qemu - so while one could conceivably share "copied" .pem files one
could not share the libvirtd and qemu TLS directories unless both files
were present...

qemu expects in say /etc/pki/qemu:

ca-cert.pem
client-cert.pem
client-key.pem
server-cert.pem
server-key.pem

libvirtd expects:
/etc/pki/CA/cacert.pem
/etc/pki/libvirt/clientcert.pem
/etc/pki/libvirt/servercert.pem
/etc/pki/libvirt/private/clientkey.pem
/etc/pki/libvirt/private/serverkey.pem

>> +#
>> +#migrate_tls_x509_verify = 1
> ...
> 
> ACK with the comments fixed.
> 
> Jirka
> 

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

2017-03-22 Thread Jiri Denemark

On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote:
> Add a new TLS X.509 certificate type - "migrate". This will handle the
> creation of a TLS certificate capability (and possibly repository) to
> be used for migrations. Similar to chardev's, credentials will be handled
> via a libvirt secrets; however, unlike chardev's enablement and usage
> will be via a CLI flag instead of a conf flag and a domain XML attribute.
> The migrations will also require the client-cert.pem and client-key.pem
> files to be present in the clients TLS directory.
> 
> Signed-off-by: John Ferlan 
> ---
>  src/qemu/libvirtd_qemu.aug |  5 +
>  src/qemu/qemu.conf | 37 +
>  src/qemu/qemu_conf.c   |  6 ++
>  src/qemu/qemu_conf.h   |  4 
>  src/qemu/test_libvirtd_qemu.aug.in |  3 +++
>  5 files changed, 55 insertions(+)
> 
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 9925ac9..40bcec3 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
...
> +# In order to override the default TLS certificate location for migration
> +# certificates, supply a valid path to the certificate directory. If the
> +# provided path does not exist then the default_tls_x509_cert_dir path
> +# will be used. Once/if a default certificate is enabled/defined, migration
> +# will then be able to use the certificate via migration API flags.
> +#
> +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
> +
> +
> +# The default TLS configuration only uses certificates for the server
> +# allowing the client to verify the server's identity and establish
> +# an encrypted channel.
> +#
> +# It is possible to use x509 certificates for authentication too, by
> +# issuing a x509 certificate to every client who needs to connect.

s/a x509/an x509/

> +#
> +# Enabling this option will reject any client who does not have a
> +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem

"ca-cert.pem in migrate_tls_x509_cert_dir" or something like that.
Mentioning /etc/pki/libvirt-migrate might be quite confusing.

> +#
> +#migrate_tls_x509_verify = 1
...

ACK with the comments fixed.

Jirka

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

2017-03-17 Thread John Ferlan

Add a new TLS X.509 certificate type - "migrate". This will handle the
creation of a TLS certificate capability (and possibly repository) to
be used for migrations. Similar to chardev's, credentials will be handled
via a libvirt secrets; however, unlike chardev's enablement and usage
will be via a CLI flag instead of a conf flag and a domain XML attribute.
The migrations will also require the client-cert.pem and client-key.pem
files to be present in the clients TLS directory.

Signed-off-by: John Ferlan 
---
 src/qemu/libvirtd_qemu.aug |  5 +
 src/qemu/qemu.conf | 37 +
 src/qemu/qemu_conf.c   |  6 ++
 src/qemu/qemu_conf.h   |  4 
 src/qemu/test_libvirtd_qemu.aug.in |  3 +++
 5 files changed, 55 insertions(+)

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 82bae9e..e1983d1 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -54,6 +54,10 @@ module Libvirtd_qemu =
  | bool_entry "chardev_tls_x509_verify"
  | str_entry "chardev_tls_x509_secret_uuid"
 
+   let migrate_entry = str_entry "migrate_tls_x509_cert_dir"
+ | bool_entry "migrate_tls_x509_verify"
+ | str_entry "migrate_tls_x509_secret_uuid"
+
let nogfx_entry = bool_entry "nographics_allow_host_audio"
 
let remote_display_entry = int_entry "remote_display_port_min"
@@ -116,6 +120,7 @@ module Libvirtd_qemu =
  | vnc_entry
  | spice_entry
  | chardev_entry
+ | migrate_entry
  | nogfx_entry
  | remote_display_entry
  | security_entry
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 9925ac9..40bcec3 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -13,6 +13,11 @@
 #
 #  dh-params.pem - the DH params configuration file
 #
+# When using TLS for migrations, the directory must also contain
+#
+#  client-cert.pem - the client certificate signed with the ca-cert.pem
+#  client-key.pem - the client private key
+#
 #default_tls_x509_cert_dir = "/etc/pki/qemu"
 
 
@@ -238,6 +243,38 @@
 #chardev_tls_x509_secret_uuid = "----"
 
 
+# In order to override the default TLS certificate location for migration
+# certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist then the default_tls_x509_cert_dir path
+# will be used. Once/if a default certificate is enabled/defined, migration
+# will then be able to use the certificate via migration API flags.
+#
+#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem
+#
+#migrate_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#migrate_tls_x509_secret_uuid = "----"
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 9db2bc3..4c271cd 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -280,6 +280,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool 
privileged)
 SET_TLS_X509_CERT_DEFAULT(vnc);
 SET_TLS_X509_CERT_DEFAULT(spice);
 SET_TLS_X509_CERT_DEFAULT(chardev);
+SET_TLS_X509_CERT_DEFAULT(migrate);
 
 #undef SET_TLS_X509_CERT_DEFAULT
 
@@ -395,6 +396,9 @@ static void virQEMUDriverConfigDispose(void *obj)
 VIR_FREE(cfg->chardevTLSx509certdir);
 VIR_FREE(cfg->chardevTLSx509secretUUID);
 
+VIR_FREE(cfg->migrateTLSx509certdir);
+VIR_FREE(cfg->migrateTLSx509secretUUID);
+
 while (cfg->nhugetlbfs) {
 cfg->nhugetlbfs--;
 VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir);
@@ -556,6 +560,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
 goto cleanup;
 GET_CONFIG_TLS_CERTINFO(chardev);
 
+GET_CONFIG_TLS_CERTINFO(migrate);
+
 #undef GET_CONFIG_TLS_CERTINFO
 
 if (virConfGetValueUInt(conf, "remote_websocket_port_min", 
>webSocketPortMin) < 0)
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index e585f81..1407eef

Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

[libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

4 matches

Site Navigation

Mail list logo

Footer information