Re: [libvirt] [PATCH v9 5/5] qemu: Add the ability to hotplug a secret object for TCP chardev TLS
On Fri, Oct 14, 2016 at 04:23:08PM -0400, John Ferlan wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1300776 > > Complete the implementation of support for TLS encryption on > chardev TCP transports by adding the hotplug ability of a secret > to generate the passwordid for the TLS object > > Likewise, add the ability to hot unplug that secret object as well > > Signed-off-by: John Ferlan> --- > src/qemu/qemu_driver.c | 2 +- > src/qemu/qemu_hotplug.c | 62 > + > src/qemu/qemu_hotplug.h | 3 ++- > tests/qemuhotplugtest.c | 2 +- > 4 files changed, 61 insertions(+), 8 deletions(-) > > diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c > index 8789c9d..5a1cf7b 100644 > --- a/src/qemu/qemu_driver.c > +++ b/src/qemu/qemu_driver.c > @@ -7567,7 +7567,7 @@ qemuDomainAttachDeviceLive(virDomainObjPtr vm, > break; > > case VIR_DOMAIN_DEVICE_CHR: > -ret = qemuDomainAttachChrDevice(driver, vm, > +ret = qemuDomainAttachChrDevice(conn, driver, vm, > dev->data.chr); > if (!ret) { > alias = dev->data.chr->info.alias; > diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c > index aad7fa1..69d562f 100644 > --- a/src/qemu/qemu_hotplug.c > +++ b/src/qemu/qemu_hotplug.c > @@ -1690,7 +1690,8 @@ qemuDomainAttachChrDeviceAssignAddr(virDomainDefPtr def, > return ret; > } > > -int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, > +int qemuDomainAttachChrDevice(virConnectPtr conn, > + virQEMUDriverPtr driver, >virDomainObjPtr vm, >virDomainChrDefPtr chr) > { > @@ -1704,8 +1705,11 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, > char *charAlias = NULL; > bool chardevAttached = false; > bool tlsobjAdded = false; > +bool secobjAdded = false; > virJSONValuePtr tlsProps = NULL; > char *tlsAlias = NULL; > +virJSONValuePtr secProps = NULL; > +char *secAlias = NULL; > bool need_release = false; > > if (chr->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CHANNEL && 
> @@ -1729,12 +1733,30 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, > if (qemuDomainChrPreInsert(vmdef, chr) < 0) > goto cleanup; > > +if (qemuDomainSecretChardevPrepare(conn, driver, priv, chr) < 0) > +goto cleanup; > + > if (cfg->chardevTLS && > dev->data.tcp.haveTLS != VIR_TRISTATE_BOOL_NO) { > +qemuDomainChardevPrivatePtr chardevPriv = > +QEMU_DOMAIN_CHARDEV_PRIVATE(chr); > +qemuDomainSecretInfoPtr secinfo = chardevPriv->secinfo; > + > +/* Add a secret object in order to access the TLS environment. > + * The secinfo will only be created for serial TCP device. */ > +if (secinfo) { > +if (qemuBuildSecretInfoProps(secinfo, ) < 0) > +goto cleanup; > + > +if (!(secAlias = qemuDomainGetSecretAESAlias(chr->info.alias, > + false))) > +goto cleanup; > +} > + > if (qemuBuildTLSx509BackendProps(cfg->chardevTLSx509certdir, > dev->data.tcp.listen, > cfg->chardevTLSx509verify, > - NULL, > + secAlias, > priv->qemuCaps, > ) < 0) > goto cleanup; > @@ -1745,6 +1767,15 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, > } > > qemuDomainObjEnterMonitor(driver, vm); > +if (secAlias) { > +rc = qemuMonitorAddObject(priv->mon, "secret", > + secAlias, secProps); > +secProps = NULL; > +if (rc < 0) > +goto exit_monitor; > +secobjAdded = true; > +} > + > if (tlsAlias) { > rc = qemuMonitorAddObject(priv->mon, "tls-creds-x509", >tlsAlias, tlsProps); > @@ -1775,6 +1806,8 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, > qemuDomainReleaseDeviceAddress(vm, >info, NULL); > VIR_FREE(tlsAlias); > virJSONValueFree(tlsProps); > +VIR_FREE(secAlias); > +virJSONValueFree(secProps); > VIR_FREE(charAlias); > VIR_FREE(devstr); > virObjectUnref(cfg); > @@ -1782,6 +1815,8 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, > > exit_monitor: > orig_err = virSaveLastError(); > +if (secobjAdded) > +ignore_value(qemuMonitorDelObject(priv->mon, secAlias)); > if (tlsobjAdded) > ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); > /* detach associated chardev on error */ 
> @@ -4387,6 +4422,7 @@ int
[libvirt] [PATCH v9 5/5] qemu: Add the ability to hotplug a secret object for TCP chardev TLS
https://bugzilla.redhat.com/show_bug.cgi?id=1300776 Complete the implementation of support for TLS encryption on chardev TCP transports by adding the hotplug ability of a secret to generate the passwordid for the TLS object Likewise, add the ability to hot unplug that secret object as well Signed-off-by: John Ferlan--- src/qemu/qemu_driver.c | 2 +- src/qemu/qemu_hotplug.c | 62 + src/qemu/qemu_hotplug.h | 3 ++- tests/qemuhotplugtest.c | 2 +- 4 files changed, 61 insertions(+), 8 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 8789c9d..5a1cf7b 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -7567,7 +7567,7 @@ qemuDomainAttachDeviceLive(virDomainObjPtr vm, break; case VIR_DOMAIN_DEVICE_CHR: -ret = qemuDomainAttachChrDevice(driver, vm, +ret = qemuDomainAttachChrDevice(conn, driver, vm, dev->data.chr); if (!ret) { alias = dev->data.chr->info.alias; diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index aad7fa1..69d562f 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1690,7 +1690,8 @@ qemuDomainAttachChrDeviceAssignAddr(virDomainDefPtr def, return ret; } -int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, +int qemuDomainAttachChrDevice(virConnectPtr conn, + virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainChrDefPtr chr) { @@ -1704,8 +1705,11 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, char *charAlias = NULL; bool chardevAttached = false; bool tlsobjAdded = false; +bool secobjAdded = false; virJSONValuePtr tlsProps = NULL; char *tlsAlias = NULL; +virJSONValuePtr secProps = NULL; +char *secAlias = NULL; bool need_release = false; if (chr->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CHANNEL && 
@@ -1729,12 +1733,30 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, if (qemuDomainChrPreInsert(vmdef, chr) < 0) goto cleanup; +if (qemuDomainSecretChardevPrepare(conn, driver, priv, chr) < 0) +goto cleanup; + if (cfg->chardevTLS && dev->data.tcp.haveTLS != VIR_TRISTATE_BOOL_NO) { +qemuDomainChardevPrivatePtr chardevPriv = +QEMU_DOMAIN_CHARDEV_PRIVATE(chr); +qemuDomainSecretInfoPtr secinfo = chardevPriv->secinfo; + +/* Add a secret object in order to access the TLS environment. + * The secinfo will only be created for serial TCP device. */ +if (secinfo) { +if (qemuBuildSecretInfoProps(secinfo, ) < 0) +goto cleanup; + +if (!(secAlias = qemuDomainGetSecretAESAlias(chr->info.alias, + false))) +goto cleanup; +} + if (qemuBuildTLSx509BackendProps(cfg->chardevTLSx509certdir, dev->data.tcp.listen, cfg->chardevTLSx509verify, - NULL, + secAlias, priv->qemuCaps, ) < 0) goto cleanup; @@ -1745,6 +1767,15 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, } qemuDomainObjEnterMonitor(driver, vm); +if (secAlias) { +rc = qemuMonitorAddObject(priv->mon, "secret", + secAlias, secProps); +secProps = NULL; +if (rc < 0) +goto exit_monitor; +secobjAdded = true; +} + if (tlsAlias) { rc = qemuMonitorAddObject(priv->mon, "tls-creds-x509", tlsAlias, tlsProps); @@ -1775,6 +1806,8 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, qemuDomainReleaseDeviceAddress(vm, >info, NULL); VIR_FREE(tlsAlias); virJSONValueFree(tlsProps); +VIR_FREE(secAlias); +virJSONValueFree(secProps); VIR_FREE(charAlias); VIR_FREE(devstr); virObjectUnref(cfg); @@ -1782,6 +1815,8 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, exit_monitor: orig_err = virSaveLastError(); +if (secobjAdded) +ignore_value(qemuMonitorDelObject(priv->mon, secAlias)); if (tlsobjAdded) ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias)); /* detach associated chardev on error */ 
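Review bot: `qemuDomainSecretChardevPrepare(conn, driver, priv, chr)` runs before the `cfg->chardevTLS && dev->data.tcp.haveTLS != VIR_TRISTATE_BOOL_NO` test, so the secret is fetched and presumably prepared into `chardevPriv->secinfo` even for a chardev that will never get a TLS object. Unless the prepare helper checks the TLS configuration itself, moving that call inside the TLS branch, directly above the `if (secinfo)` block that consumes it, keeps secret handling confined to the one case that uses it. Nothing visible in this hunk tears `chardevPriv->secinfo` down on the `goto cleanup` paths taken after prepare succeeded; if the cleanup label does not destroy it, a failed hotplug leaves prepared secret material attached to the chr definition, which is worth confirming. qemuDomainAttachChrDevice starts and ends outside this hunk.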
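Review bot: The rollback under `exit_monitor` deletes the objects in creation order rather than reverse order: `secAlias` is removed before `tlsAlias`, yet the `tls-creds-x509` object was added after the secret and names it through its passwordid. Deleting the secret while the tls-creds object still refers to it may be refused by QEMU or leave a dangling reference until the second delete runs, so the `if (secobjAdded)` block should come after the existing `if (tlsobjAdded)` block, mirroring the add order in the `@@ -1745,6 +1767,15` hunk. The enclosing function continues outside this hunk.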
@@ -4387,6 +4422,7 @@ int qemuDomainDetachChrDevice(virQEMUDriverPtr driver, virDomainDefPtr vmdef = vm->def; virDomainChrDefPtr tmpChr; char *objAlias = NULL; +char *secAlias = NULL; char *devstr = NULL; if (!(tmpChr = virDomainChrFind(vmdef, chr))) { @@ -4400,9 +4436,21 @@ int qemuDomainDetachChrDevice(virQEMUDriverPtr driver,