This modifies the nbd-server-start QMP command so that it is possible to request use of TLS. This is done by adding a new optional parameter "tls-creds" which provides the ID of a previously created QCryptoTLSCreds object instance.
TLS is only supported when using an IPv4/IPv6 socket listener. Signed-off-by: Daniel P. Berrange <berra...@redhat.com> --- blockdev-nbd.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++---------- hmp.c | 2 +- qapi/block.json | 4 +- qmp-commands.hx | 2 +- 4 files changed, 105 insertions(+), 25 deletions(-) diff --git a/blockdev-nbd.c b/blockdev-nbd.c index 6af1684..e287f05 100644 --- a/blockdev-nbd.c +++ b/blockdev-nbd.c @@ -19,42 +19,126 @@ #include "block/nbd.h" #include "io/channel-socket.h" -static QIOChannelSocket *server_ioc; -static int server_watch = -1; +typedef struct NBDServerData { + QIOChannelSocket *listen_ioc; + int watch; + QCryptoTLSCreds *tlscreds; +} NBDServerData; + +static NBDServerData *nbd_server; + static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, gpointer opaque) { QIOChannelSocket *cioc; + if (!nbd_server) { + return FALSE; + } + cioc = qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc), NULL); if (!cioc) { return TRUE; } - nbd_client_new(NULL, cioc, NULL, NULL, nbd_client_put); + nbd_client_new(NULL, cioc, + nbd_server->tlscreds, NULL, + nbd_client_put); object_unref(OBJECT(cioc)); return TRUE; } -void qmp_nbd_server_start(SocketAddress *addr, Error **errp) + +static void nbd_server_free(NBDServerData *server) { - if (server_ioc) { - error_setg(errp, "NBD server already running"); + if (!server) { return; } - server_ioc = qio_channel_socket_new(); - if (qio_channel_socket_listen_sync(server_ioc, addr, errp) < 0) { + if (server->watch != -1) { + g_source_remove(server->watch); + } + object_unref(OBJECT(server->listen_ioc)); + if (server->tlscreds) { + object_unref(OBJECT(server->tlscreds)); + } + + g_free(server); +} + +static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp) +{ + Object *obj; + QCryptoTLSCreds *creds; + + obj = object_resolve_path_component( + object_get_objects_root(), id); + if (!obj) { + error_setg(errp, "No TLS credentials with id '%s'", + id); + return NULL; + } + creds = (QCryptoTLSCreds *) + object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS); + if (!creds) { + error_setg(errp, "Object with id '%s' is not TLS credentials", + id); + return NULL; + } + + if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { + error_setg(errp, + "Expecting TLS credentials with a server endpoint"); + return NULL; + } + object_ref(obj); + return creds; +} + + +void qmp_nbd_server_start(SocketAddress *addr, + bool has_tls_creds, const char *tls_creds, + Error **errp) +{ + if (nbd_server) { + error_setg(errp, "NBD server already running"); return; } - server_watch = qio_channel_add_watch(QIO_CHANNEL(server_ioc), - G_IO_IN, - nbd_accept, - NULL, - NULL); + nbd_server = g_new0(NBDServerData, 1); + nbd_server->watch = -1; + nbd_server->listen_ioc = qio_channel_socket_new(); + if (qio_channel_socket_listen_sync( + nbd_server->listen_ioc, addr, errp) < 0) { + goto error; + } + + if (has_tls_creds) { + nbd_server->tlscreds = nbd_get_tls_creds(tls_creds, errp); + if (!nbd_server->tlscreds) { + goto error; + } + + if (addr->type != SOCKET_ADDRESS_KIND_INET) { + error_setg(errp, "TLS is only supported with IPv4/IPv6"); + goto error; + } + } + + nbd_server->watch = qio_channel_add_watch( + QIO_CHANNEL(nbd_server->listen_ioc), + G_IO_IN, + nbd_accept, + NULL, + NULL); + + return; + + error: + nbd_server_free(nbd_server); + nbd_server = NULL; } /* @@ -89,7 +173,7 @@ void qmp_nbd_server_add(const char *device, bool has_writable, bool writable, NBDExport *exp; NBDCloseNotifier *n; - if (!server_ioc) { + if (!nbd_server) { error_setg(errp, "NBD server not running"); return; } @@ -139,12 +223,6 @@ void qmp_nbd_server_stop(Error **errp) nbd_close_notifier(&cn->n, nbd_export_get_blockdev(cn->exp)); } - if (server_watch != -1) { - g_source_remove(server_watch); - server_watch = -1; - } - if (server_ioc) { - object_unref(OBJECT(server_ioc)); - server_ioc = NULL; - } + nbd_server_free(nbd_server); + nbd_server = NULL; } diff --git a/hmp.c b/hmp.c index 95930b0..d43b38f 100644 --- a/hmp.c +++ b/hmp.c @@ -1792,7 +1792,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict) goto exit; } - qmp_nbd_server_start(addr, &local_err); + qmp_nbd_server_start(addr, false, NULL, &local_err); qapi_free_SocketAddress(addr); if (local_err != NULL) { goto exit; diff --git a/qapi/block.json b/qapi/block.json index 84022f1..876bac4 100644 --- a/qapi/block.json +++ b/qapi/block.json @@ -130,13 +130,15 @@ # QEMU instance could refer to them as "nbd:HOST:PORT:exportname=NAME". # # @addr: Address on which to listen. +# @tls-creds: (optional) ID of the TLS credentials object. Since 2.6 # # Returns: error if the server is already running. # # Since: 1.3.0 ## { 'command': 'nbd-server-start', - 'data': { 'addr': 'SocketAddress' } } + 'data': { 'addr': 'SocketAddress', + '*tls-creds': 'str'} } ## # @nbd-server-add: diff --git a/qmp-commands.hx b/qmp-commands.hx index db072a6..c54893c 100644 --- a/qmp-commands.hx +++ b/qmp-commands.hx @@ -3802,7 +3802,7 @@ EQMP { .name = "nbd-server-start", - .args_type = "addr:q", + .args_type = "addr:q,tls-creds:s?", .mhandler.cmd_new = qmp_marshal_nbd_server_start, }, { -- 2.5.0