Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir
On Wed, Mar 22, 2017 at 14:52:28 -0400, John Ferlan wrote: > > > On 03/22/2017 12:26 PM, Jiri Denemark wrote: > > On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote: > >> Add a new TLS X.509 certificate type - "migrate". This will handle the > >> creation of a TLS certificate capability (and possibly repository) to > >> be used for migrations. Similar to chardev's, credentials will be handled > >> via a libvirt secrets; however, unlike chardev's enablement and usage > >> will be via a CLI flag instead of a conf flag and a domain XML attribute. > >> The migrations will also require the client-cert.pem and client-key.pem > >> files to be present in the clients TLS directory. > >> > >> Signed-off-by: John Ferlan> >> --- > >> src/qemu/libvirtd_qemu.aug | 5 + > >> src/qemu/qemu.conf | 37 > >> + > >> src/qemu/qemu_conf.c | 6 ++ > >> src/qemu/qemu_conf.h | 4 > >> src/qemu/test_libvirtd_qemu.aug.in | 3 +++ > >> 5 files changed, 55 insertions(+) > >> > >> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > >> index 9925ac9..40bcec3 100644 > >> --- a/src/qemu/qemu.conf > >> +++ b/src/qemu/qemu.conf > > ... > >> +# In order to override the default TLS certificate location for migration > >> +# certificates, supply a valid path to the certificate directory. If the > >> +# provided path does not exist then the default_tls_x509_cert_dir path > >> +# will be used. Once/if a default certificate is enabled/defined, > >> migration > >> +# will then be able to use the certificate via migration API flags. > >> +# > >> +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" > >> + > >> + > >> +# The default TLS configuration only uses certificates for the server > >> +# allowing the client to verify the server's identity and establish > >> +# an encrypted channel. > >> +# > >> +# It is possible to use x509 certificates for authentication too, by > >> +# issuing a x509 certificate to every client who needs to connect. > > > > s/a x509/an x509/ > > > >> +# > >> +# Enabling this option will reject any client who does not have a > >> +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem > > > > "ca-cert.pem in migrate_tls_x509_cert_dir" or something like that. > > Mentioning /etc/pki/libvirt-migrate might be quite confusing. > > The is a cut-n-paste of the libvirt-vnc and libvirt-chardev - would you > like to see those changed as well (in a separate patch). Yeah, I think it would make sense to fix them too. Jirka -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir
On 03/22/2017 12:26 PM, Jiri Denemark wrote: > On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote: >> Add a new TLS X.509 certificate type - "migrate". This will handle the >> creation of a TLS certificate capability (and possibly repository) to >> be used for migrations. Similar to chardev's, credentials will be handled >> via a libvirt secrets; however, unlike chardev's enablement and usage >> will be via a CLI flag instead of a conf flag and a domain XML attribute. >> The migrations will also require the client-cert.pem and client-key.pem >> files to be present in the clients TLS directory. >> >> Signed-off-by: John Ferlan>> --- >> src/qemu/libvirtd_qemu.aug | 5 + >> src/qemu/qemu.conf | 37 >> + >> src/qemu/qemu_conf.c | 6 ++ >> src/qemu/qemu_conf.h | 4 >> src/qemu/test_libvirtd_qemu.aug.in | 3 +++ >> 5 files changed, 55 insertions(+) >> >> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf >> index 9925ac9..40bcec3 100644 >> --- a/src/qemu/qemu.conf >> +++ b/src/qemu/qemu.conf > ... >> +# In order to override the default TLS certificate location for migration >> +# certificates, supply a valid path to the certificate directory. If the >> +# provided path does not exist then the default_tls_x509_cert_dir path >> +# will be used. Once/if a default certificate is enabled/defined, migration >> +# will then be able to use the certificate via migration API flags. >> +# >> +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" >> + >> + >> +# The default TLS configuration only uses certificates for the server >> +# allowing the client to verify the server's identity and establish >> +# an encrypted channel. >> +# >> +# It is possible to use x509 certificates for authentication too, by >> +# issuing a x509 certificate to every client who needs to connect. > > s/a x509/an x509/ > >> +# >> +# Enabling this option will reject any client who does not have a >> +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem > > "ca-cert.pem in migrate_tls_x509_cert_dir" or something like that. > Mentioning /etc/pki/libvirt-migrate might be quite confusing. > The is a cut-n-paste of the libvirt-vnc and libvirt-chardev - would you like to see those changed as well (in a separate patch). It now reads: # Enabling this option will reject any client who does not have a # ca-cert.pem certificate signed by the CA in migrate_tls_x509_cert_dir # (or default_tls_x509_cert_dir). John if certificates were any less confusing they may actually be more widely used. It's really confusing that libvirtd expects one set of names, while a different set of names is expected by qemu - so while one could conceivably share "copied" .pem files one could not share the libvirtd and qemu TLS directories unless both files were present... qemu expects in say /etc/pki/qemu: ca-cert.pem client-cert.pem client-key.pem server-cert.pem server-key.pem libvirtd expects: /etc/pki/CA/cacert.pem /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/clientkey.pem /etc/pki/libvirt/private/serverkey.pem >> +# >> +#migrate_tls_x509_verify = 1 > ... > > ACK with the comments fixed. > > Jirka > -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir
On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote: > Add a new TLS X.509 certificate type - "migrate". This will handle the > creation of a TLS certificate capability (and possibly repository) to > be used for migrations. Similar to chardev's, credentials will be handled > via a libvirt secrets; however, unlike chardev's enablement and usage > will be via a CLI flag instead of a conf flag and a domain XML attribute. > The migrations will also require the client-cert.pem and client-key.pem > files to be present in the clients TLS directory. > > Signed-off-by: John Ferlan> --- > src/qemu/libvirtd_qemu.aug | 5 + > src/qemu/qemu.conf | 37 + > src/qemu/qemu_conf.c | 6 ++ > src/qemu/qemu_conf.h | 4 > src/qemu/test_libvirtd_qemu.aug.in | 3 +++ > 5 files changed, 55 insertions(+) > > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > index 9925ac9..40bcec3 100644 > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf ... > +# In order to override the default TLS certificate location for migration > +# certificates, supply a valid path to the certificate directory. If the > +# provided path does not exist then the default_tls_x509_cert_dir path > +# will be used. Once/if a default certificate is enabled/defined, migration > +# will then be able to use the certificate via migration API flags. > +# > +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" > + > + > +# The default TLS configuration only uses certificates for the server > +# allowing the client to verify the server's identity and establish > +# an encrypted channel. > +# > +# It is possible to use x509 certificates for authentication too, by > +# issuing a x509 certificate to every client who needs to connect. s/a x509/an x509/ > +# > +# Enabling this option will reject any client who does not have a > +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem "ca-cert.pem in migrate_tls_x509_cert_dir" or something like that. Mentioning /etc/pki/libvirt-migrate might be quite confusing. > +# > +#migrate_tls_x509_verify = 1 ... ACK with the comments fixed. Jirka -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir
Add a new TLS X.509 certificate type - "migrate". This will handle the creation of a TLS certificate capability (and possibly repository) to be used for migrations. Similar to chardev's, credentials will be handled via a libvirt secrets; however, unlike chardev's enablement and usage will be via a CLI flag instead of a conf flag and a domain XML attribute. The migrations will also require the client-cert.pem and client-key.pem files to be present in the clients TLS directory. Signed-off-by: John Ferlan--- src/qemu/libvirtd_qemu.aug | 5 + src/qemu/qemu.conf | 37 + src/qemu/qemu_conf.c | 6 ++ src/qemu/qemu_conf.h | 4 src/qemu/test_libvirtd_qemu.aug.in | 3 +++ 5 files changed, 55 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 82bae9e..e1983d1 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -54,6 +54,10 @@ module Libvirtd_qemu = | bool_entry "chardev_tls_x509_verify" | str_entry "chardev_tls_x509_secret_uuid" + let migrate_entry = str_entry "migrate_tls_x509_cert_dir" + | bool_entry "migrate_tls_x509_verify" + | str_entry "migrate_tls_x509_secret_uuid" + let nogfx_entry = bool_entry "nographics_allow_host_audio" let remote_display_entry = int_entry "remote_display_port_min" @@ -116,6 +120,7 @@ module Libvirtd_qemu = | vnc_entry | spice_entry | chardev_entry + | migrate_entry | nogfx_entry | remote_display_entry | security_entry diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 9925ac9..40bcec3 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -13,6 +13,11 @@ # # dh-params.pem - the DH params configuration file # +# When using TLS for migrations, the directory must also contain +# +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# #default_tls_x509_cert_dir = "/etc/pki/qemu" @@ -238,6 +243,38 @@ #chardev_tls_x509_secret_uuid = "----" +# In order to override the default TLS certificate location for migration +# certificates, supply a valid path to the certificate directory. If the +# provided path does not exist then the default_tls_x509_cert_dir path +# will be used. Once/if a default certificate is enabled/defined, migration +# will then be able to use the certificate via migration API flags. +# +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing a x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client who does not have a +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem +# +#migrate_tls_x509_verify = 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#migrate_tls_x509_secret_uuid = "----" + + # By default, if no graphical front end is configured, libvirt will disable # QEMU audio output since directly talking to alsa/pulseaudio may not work # with various security settings. If you know what you're doing, enable diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 9db2bc3..4c271cd 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -280,6 +280,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) SET_TLS_X509_CERT_DEFAULT(vnc); SET_TLS_X509_CERT_DEFAULT(spice); SET_TLS_X509_CERT_DEFAULT(chardev); +SET_TLS_X509_CERT_DEFAULT(migrate); #undef SET_TLS_X509_CERT_DEFAULT @@ -395,6 +396,9 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->chardevTLSx509certdir); VIR_FREE(cfg->chardevTLSx509secretUUID); +VIR_FREE(cfg->migrateTLSx509certdir); +VIR_FREE(cfg->migrateTLSx509secretUUID); + while (cfg->nhugetlbfs) { cfg->nhugetlbfs--; VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir); @@ -556,6 +560,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, goto cleanup; GET_CONFIG_TLS_CERTINFO(chardev); +GET_CONFIG_TLS_CERTINFO(migrate); + #undef GET_CONFIG_TLS_CERTINFO if (virConfGetValueUInt(conf, "remote_websocket_port_min", >webSocketPortMin) < 0) diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index e585f81..1407eef