libvirt/tests/qemuxml2argvmock.c

302 lines
6.7 KiB
C
Raw Normal View History

/*
* Copyright (C) 2014-2016 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#define LIBVIRT_VIRIDENTITYPRIV_H_ALLOW
#include "internal.h"
qemu: Utilize qemu secret objects for RBD auth/secret https://bugzilla.redhat.com/show_bug.cgi?id=1182074 If they're available and we need to pass secrets to qemu, then use the qemu domain secret object in order to pass the secrets for RBD volumes instead of passing the base64 encoded secret on the command line. The goal is to make AES secrets the default and have no user interaction required in order to allow using the AES mechanism. If the mechanism is not available, then fall back to the current plain mechanism using a base64 encoded secret. New APIs: qemu_domain.c: qemuDomainGetSecretAESAlias: Generate/return the secret object alias for an AES Secret Info type. This will be called from qemuDomainSecretAESSetup. qemuDomainSecretAESSetup: (private) This API handles the details of the generation of the AES secret and saves the pieces that need to be passed to qemu in order for the secret to be decrypted. The encrypted secret based upon the domain master key, an initialization vector (16 byte random value), and the stored secret. Finally, the requirement from qemu is the IV and encrypted secret are to be base64 encoded. qemu_command.c: qemuBuildSecretInfoProps: (private) Generate/return a JSON properties object for the AES secret to be used by both the command building and eventually the hotplug code in order to add the secret object. Code was designed so that in the future perhaps hotplug could use it if it made sense. qemuBuildObjectSecretCommandLine (private) Generate and add to the command line the -object secret for the secret. This will be required for the subsequent RBD reference to the object. qemuBuildDiskSecinfoCommandLine (private) Handle adding the AES secret object. Adjustments: qemu_domain.c: The qemuDomainSecretSetup was altered to call either the AES or Plain Setup functions based upon whether AES secrets are possible (we have the encryption API) or not, we have secrets, and of course if the protocol source is RBD. qemu_command.c: Adjust the qemuBuildRBDSecinfoURI API's in order to generate the specific command options for an AES secret, such as: -object secret,id=$alias,keyid=$masterKey,data=$base64encodedencrypted, format=base64 -drive file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\ mon_host=mon1.example.org\:6321,password-secret=$alias,... where the 'id=' value is the secret object alias generated by concatenating the disk alias and "-aesKey0". The 'keyid= $masterKey' is the master key shared with qemu, and the -drive syntax will reference that alias as the 'password-secret'. For the -drive syntax, the 'id=myname' is kept to define the username, while the 'key=$base64 encoded secret' is removed. While according to the syntax described for qemu commit '60390a21' or as seen in the email archive: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg04083.html it is possible to pass a plaintext password via a file, the qemu commit 'ac1d8878' describes the more feature rich 'keyid=' option based upon the shared masterKey. Add tests for checking/comparing output. NB: For hotplug, since the hotplug code doesn't add command line arguments, passing the encoded secret directly to the monitor will suffice.
2016-04-11 15:26:14 +00:00
#include "viralloc.h"
#include "vircommand.h"
#include "viridentitypriv.h"
#include "virmock.h"
#include "virnetdev.h"
#include "virnetdevbandwidth.h"
#include "virnetdevip.h"
#include "virnetdevtap.h"
#include "virnetdevopenvswitch.h"
#include "virnuma.h"
#include "virscsivhost.h"
#include "virtpm.h"
#include "virutil.h"
#include "qemu/qemu_interface.h"
#include "qemu/qemu_command.h"
#include <unistd.h>
#include <fcntl.h>
#define VIR_FROM_THIS VIR_FROM_NONE
long virGetSystemPageSize(void)
{
return 4096;
}
GDateTime *g_date_time_new_now_utc(void)
{
return g_date_time_new_from_unix_utc(1234567890);
}
GDateTime *g_date_time_new_now_local(void)
{
return g_date_time_new_from_unix_local(1234567890);
}
bool
virNumaIsAvailable(void)
{
return true;
}
int
virNumaGetMaxNode(void)
{
return 7;
}
/* We shouldn't need to mock virNumaNodeIsAvailable() and *definitely* not
* virNumaNodesetIsAvailable(), but it seems to be the only way to get
* mocking to work with Clang on FreeBSD, so keep these duplicates around
* until we figure out a cleaner solution */
bool
virNumaNodeIsAvailable(int node)
{
return node >= 0 && node <= virNumaGetMaxNode();
}
bool
virNumaNodesetIsAvailable(virBitmap *nodeset)
{
ssize_t bit = -1;
if (!nodeset)
return true;
while ((bit = virBitmapNextSetBit(nodeset, bit)) >= 0) {
if (virNumaNodeIsAvailable(bit))
continue;
virReportError(VIR_ERR_INTERNAL_ERROR,
"Mock: no numa node set is available at bit %zd", bit);
return false;
}
return true;
}
char *
virTPMCreateCancelPath(const char *devpath)
{
(void)devpath;
return g_strdup("/sys/class/misc/tpm0/device/cancel");
}
/**
* Large values for memory would fail on 32 bit systems, despite having
* variables that support it.
*/
unsigned long long
virMemoryMaxValue(bool capped G_GNUC_UNUSED)
{
return LLONG_MAX;
}
int
virSCSIVHostOpenVhostSCSI(int *vhostfd)
{
*vhostfd = STDERR_FILENO + 1;
return 0;
}
int
virNetDevTapCreate(char **ifname,
const char *tunpath G_GNUC_UNUSED,
int *tapfd,
size_t tapfdSize,
unsigned int flags G_GNUC_UNUSED)
{
size_t i;
for (i = 0; i < tapfdSize; i++)
tapfd[i] = STDERR_FILENO + 1 + i;
qemu: support unmanaged target tap dev for <interface type='ethernet'> If managed='no', then the tap device must already exist, and setting of MAC address and online status (IFF_UP) is skipped. NB: we still set IFF_VNET_HDR and IFF_MULTI_QUEUE as appropriate, because those bits must be properly set in the TUNSETIFF we use to set the tap device name of the handle we've opened - if IFF_VNET_HDR has not been set and we set it the request will be honored even when running libvirtd unprivileged; if IFF_MULTI_QUEUE is requested to be different than how it was created, that will result in an error from the kernel. This means that you don't need to pay attention to IFF_VNET_HDR when creating the tap devices, but you *do* need to set IFF_MULTI_QUEUE if you're going to use multiple queues for your tap device. NB2: /dev/vhost-net normally has permissions 600, so it can't be opened by an unprivileged process. This would normally cause a warning message when using a virtio net device from an unprivileged libvirtd. I've found that setting the permissions for /dev/vhost-net permits unprivileged libvirtd to use vhost-net for virtio devices, but have no idea what sort of security implications that has. I haven't changed libvrit's code to avoid *attempting* to open /dev/vhost-net - if you are concerned about the security of opening up permissions of /dev/vhost-net (probably a good idea at least until we ask someone who knows about the code) then add <driver name='qemu'/> to the interface definition and you'll avoid the warning message. Note that virNetDevTapCreate() is the correct function to call in the case of an existing device, because the same ioctl() that creates a new tap device will also open an existing tap device. Resolves: https://bugzilla.redhat.com/1723367 (partially) Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-08-26 04:24:34 +00:00
if (STREQ_NULLABLE(*ifname, "mytap0")) {
return 0;
} else {
VIR_FREE(*ifname);
*ifname = g_strdup("vnet0");
return 0;
qemu: support unmanaged target tap dev for <interface type='ethernet'> If managed='no', then the tap device must already exist, and setting of MAC address and online status (IFF_UP) is skipped. NB: we still set IFF_VNET_HDR and IFF_MULTI_QUEUE as appropriate, because those bits must be properly set in the TUNSETIFF we use to set the tap device name of the handle we've opened - if IFF_VNET_HDR has not been set and we set it the request will be honored even when running libvirtd unprivileged; if IFF_MULTI_QUEUE is requested to be different than how it was created, that will result in an error from the kernel. This means that you don't need to pay attention to IFF_VNET_HDR when creating the tap devices, but you *do* need to set IFF_MULTI_QUEUE if you're going to use multiple queues for your tap device. NB2: /dev/vhost-net normally has permissions 600, so it can't be opened by an unprivileged process. This would normally cause a warning message when using a virtio net device from an unprivileged libvirtd. I've found that setting the permissions for /dev/vhost-net permits unprivileged libvirtd to use vhost-net for virtio devices, but have no idea what sort of security implications that has. I haven't changed libvrit's code to avoid *attempting* to open /dev/vhost-net - if you are concerned about the security of opening up permissions of /dev/vhost-net (probably a good idea at least until we ask someone who knows about the code) then add <driver name='qemu'/> to the interface definition and you'll avoid the warning message. Note that virNetDevTapCreate() is the correct function to call in the case of an existing device, because the same ioctl() that creates a new tap device will also open an existing tap device. Resolves: https://bugzilla.redhat.com/1723367 (partially) Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-08-26 04:24:34 +00:00
}
}
int
virNetDevSetMAC(const char *ifname G_GNUC_UNUSED,
const virMacAddr *macaddr G_GNUC_UNUSED)
{
return 0;
}
qemu: support unmanaged target tap dev for <interface type='ethernet'> If managed='no', then the tap device must already exist, and setting of MAC address and online status (IFF_UP) is skipped. NB: we still set IFF_VNET_HDR and IFF_MULTI_QUEUE as appropriate, because those bits must be properly set in the TUNSETIFF we use to set the tap device name of the handle we've opened - if IFF_VNET_HDR has not been set and we set it the request will be honored even when running libvirtd unprivileged; if IFF_MULTI_QUEUE is requested to be different than how it was created, that will result in an error from the kernel. This means that you don't need to pay attention to IFF_VNET_HDR when creating the tap devices, but you *do* need to set IFF_MULTI_QUEUE if you're going to use multiple queues for your tap device. NB2: /dev/vhost-net normally has permissions 600, so it can't be opened by an unprivileged process. This would normally cause a warning message when using a virtio net device from an unprivileged libvirtd. I've found that setting the permissions for /dev/vhost-net permits unprivileged libvirtd to use vhost-net for virtio devices, but have no idea what sort of security implications that has. I haven't changed libvrit's code to avoid *attempting* to open /dev/vhost-net - if you are concerned about the security of opening up permissions of /dev/vhost-net (probably a good idea at least until we ask someone who knows about the code) then add <driver name='qemu'/> to the interface definition and you'll avoid the warning message. Note that virNetDevTapCreate() is the correct function to call in the case of an existing device, because the same ioctl() that creates a new tap device will also open an existing tap device. Resolves: https://bugzilla.redhat.com/1723367 (partially) Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-08-26 04:24:34 +00:00
int
virNetDevExists(const char *ifname)
{
return STREQ(ifname, "mytap0");
qemu: support unmanaged target tap dev for <interface type='ethernet'> If managed='no', then the tap device must already exist, and setting of MAC address and online status (IFF_UP) is skipped. NB: we still set IFF_VNET_HDR and IFF_MULTI_QUEUE as appropriate, because those bits must be properly set in the TUNSETIFF we use to set the tap device name of the handle we've opened - if IFF_VNET_HDR has not been set and we set it the request will be honored even when running libvirtd unprivileged; if IFF_MULTI_QUEUE is requested to be different than how it was created, that will result in an error from the kernel. This means that you don't need to pay attention to IFF_VNET_HDR when creating the tap devices, but you *do* need to set IFF_MULTI_QUEUE if you're going to use multiple queues for your tap device. NB2: /dev/vhost-net normally has permissions 600, so it can't be opened by an unprivileged process. This would normally cause a warning message when using a virtio net device from an unprivileged libvirtd. I've found that setting the permissions for /dev/vhost-net permits unprivileged libvirtd to use vhost-net for virtio devices, but have no idea what sort of security implications that has. I haven't changed libvrit's code to avoid *attempting* to open /dev/vhost-net - if you are concerned about the security of opening up permissions of /dev/vhost-net (probably a good idea at least until we ask someone who knows about the code) then add <driver name='qemu'/> to the interface definition and you'll avoid the warning message. Note that virNetDevTapCreate() is the correct function to call in the case of an existing device, because the same ioctl() that creates a new tap device will also open an existing tap device. Resolves: https://bugzilla.redhat.com/1723367 (partially) Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-08-26 04:24:34 +00:00
}
int virNetDevIPAddrAdd(const char *ifname G_GNUC_UNUSED,
virSocketAddr *addr G_GNUC_UNUSED,
virSocketAddr *peer G_GNUC_UNUSED,
unsigned int prefix G_GNUC_UNUSED)
{
return 0;
}
int
virNetDevSetOnline(const char *ifname G_GNUC_UNUSED,
bool online G_GNUC_UNUSED)
{
return 0;
}
int
virNetDevRunEthernetScript(const char *ifname G_GNUC_UNUSED,
const char *script G_GNUC_UNUSED)
{
return 0;
}
char *
virHostGetDRMRenderNode(void)
{
return g_strdup("/dev/dri/foo");
}
static void (*real_virCommandPassFD)(virCommand *cmd, int fd, unsigned int flags);
static const int testCommandPassSafeFDs[] = { 1730, 1731, 1732 };
void
virCommandPassFD(virCommand *cmd,
int fd,
unsigned int flags)
{
size_t i;
for (i = 0; i < G_N_ELEMENTS(testCommandPassSafeFDs); i++) {
if (testCommandPassSafeFDs[i] == fd) {
if (!real_virCommandPassFD)
VIR_MOCK_REAL_INIT(virCommandPassFD);
real_virCommandPassFD(cmd, fd, flags);
return;
}
}
}
qemu: Utilize qemu secret objects for RBD auth/secret https://bugzilla.redhat.com/show_bug.cgi?id=1182074 If they're available and we need to pass secrets to qemu, then use the qemu domain secret object in order to pass the secrets for RBD volumes instead of passing the base64 encoded secret on the command line. The goal is to make AES secrets the default and have no user interaction required in order to allow using the AES mechanism. If the mechanism is not available, then fall back to the current plain mechanism using a base64 encoded secret. New APIs: qemu_domain.c: qemuDomainGetSecretAESAlias: Generate/return the secret object alias for an AES Secret Info type. This will be called from qemuDomainSecretAESSetup. qemuDomainSecretAESSetup: (private) This API handles the details of the generation of the AES secret and saves the pieces that need to be passed to qemu in order for the secret to be decrypted. The encrypted secret based upon the domain master key, an initialization vector (16 byte random value), and the stored secret. Finally, the requirement from qemu is the IV and encrypted secret are to be base64 encoded. qemu_command.c: qemuBuildSecretInfoProps: (private) Generate/return a JSON properties object for the AES secret to be used by both the command building and eventually the hotplug code in order to add the secret object. Code was designed so that in the future perhaps hotplug could use it if it made sense. qemuBuildObjectSecretCommandLine (private) Generate and add to the command line the -object secret for the secret. This will be required for the subsequent RBD reference to the object. qemuBuildDiskSecinfoCommandLine (private) Handle adding the AES secret object. Adjustments: qemu_domain.c: The qemuDomainSecretSetup was altered to call either the AES or Plain Setup functions based upon whether AES secrets are possible (we have the encryption API) or not, we have secrets, and of course if the protocol source is RBD. qemu_command.c: Adjust the qemuBuildRBDSecinfoURI API's in order to generate the specific command options for an AES secret, such as: -object secret,id=$alias,keyid=$masterKey,data=$base64encodedencrypted, format=base64 -drive file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\ mon_host=mon1.example.org\:6321,password-secret=$alias,... where the 'id=' value is the secret object alias generated by concatenating the disk alias and "-aesKey0". The 'keyid= $masterKey' is the master key shared with qemu, and the -drive syntax will reference that alias as the 'password-secret'. For the -drive syntax, the 'id=myname' is kept to define the username, while the 'key=$base64 encoded secret' is removed. While according to the syntax described for qemu commit '60390a21' or as seen in the email archive: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg04083.html it is possible to pass a plaintext password via a file, the qemu commit 'ac1d8878' describes the more feature rich 'keyid=' option based upon the shared masterKey. Add tests for checking/comparing output. NB: For hotplug, since the hotplug code doesn't add command line arguments, passing the encoded secret directly to the monitor will suffice.
2016-04-11 15:26:14 +00:00
int
virNetDevOpenvswitchGetVhostuserIfname(const char *path G_GNUC_UNUSED,
bool server G_GNUC_UNUSED,
char **ifname)
{
*ifname = g_strdup("vhost-user0");
return 1;
}
int
qemuInterfaceOpenVhostNet(virDomainObj *vm G_GNUC_UNUSED,
virDomainNetDef *net)
{
qemuDomainNetworkPrivate *netpriv = QEMU_DOMAIN_NETWORK_PRIVATE(net);
size_t vhostfdSize = net->driver.virtio.queues;
size_t i;
if (!vhostfdSize)
vhostfdSize = 1;
if (!virDomainNetIsVirtioModel(net))
return 0;
for (i = 0; i < vhostfdSize; i++) {
g_autofree char *name = g_strdup_printf("vhostfd-%s%zu", net->info.alias, i);
int fd = STDERR_FILENO + 42 + i;
netpriv->vhostfds = g_slist_prepend(netpriv->vhostfds, qemuFDPassDirectNew(name, &fd));
}
netpriv->vhostfds = g_slist_reverse(netpriv->vhostfds);
return 0;
}
int
qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev G_GNUC_UNUSED)
{
/* We need to return an FD number for a UNIX listener socket,
* which will be given to QEMU via a CLI arg. We need a fixed
* number to get stable tests. This is obviously not a real
* FD number, so when virCommand closes the FD in the parent
* it will get EINVAL, but that's (hopefully) not going to
* be a problem....
*/
if (fcntl(1729, F_GETFD) != -1)
abort();
return 1729;
}
int
qemuBuildTPMOpenBackendFDs(const char *tpmdev G_GNUC_UNUSED,
int *tpmfd,
int *cancelfd)
{
if (fcntl(1730, F_GETFD) != -1 ||
fcntl(1731, F_GETFD) != -1)
abort();
*tpmfd = 1730;
*cancelfd = 1731;
return 0;
}
int
virNetDevBandwidthSetRootQDisc(const char *ifname G_GNUC_UNUSED,
const char *qdisc G_GNUC_UNUSED)
{
return 0;
}
int
qemuInterfaceVDPAConnect(virDomainNetDef *net G_GNUC_UNUSED)
{
if (fcntl(1732, F_GETFD) != -1)
abort();
return 1732;
}
char *
virIdentityEnsureSystemToken(void)
{
return g_strdup("3de80bcbf22d4833897f1638e01be9b2");
}