External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-03 04:45:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

conf: Introduce chartcp_tls_x509_cert_dir

Browse Source 
Add a new TLS X.509 certificate type - "chardev". This will handle the
creation of a TLS certificate capability (and possibly repository) for
properly configured character device TCP backends.

Unlike the vnc and spice there is no "listen" or "passwd" associated. The
credentials eventually will be handled via a libvirt secret provided to
a specific backend.

Make use of the default verify option as well.

Signed-off-by: John Ferlan <jferlan@redhat.com>
This commit is contained in:
John Ferlan 2016-06-14 15:52:37 -04:00
parent c12cb5ed73
commit 3f60a9c32f
8 changed files with 143 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/qemu/libvirtd_qemu.aug
View File

@ -48,6 +48,10 @@ module Libvirtd_qemu =
| bool_entry "spice_sasl"
| str_entry "spice_sasl_dir"
let chardev_entry = bool_entry "chardev_tls"
| str_entry "chardev_tls_x509_cert_dir"
| bool_entry "chardev_tls_x509_verify"
let nogfx_entry = bool_entry "nographics_allow_host_audio"
let remote_display_entry = int_entry "remote_display_port_min"
@ -104,6 +108,7 @@ module Libvirtd_qemu =
let entry = default_tls_entry
| vnc_entry
| spice_entry
| chardev_entry
| nogfx_entry
| remote_display_entry
| security_entry

28
src/qemu/qemu.conf
View File

@ -185,6 +185,34 @@
#
#spice_sasl_dir = "/some/directory/sasl2"
# Enable use of TLS encryption on the chardev TCP transports.
#
# It is necessary to setup CA and issue a server certificate
# before enabling this.
#
#chardev_tls = 1
# In order to override the default TLS certificate location for character
# device TCP certificates, supply a valid path to the certificate directory.
# If the provided path does not exist then the default_tls_x509_cert_dir
# path will be used.
#
#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
# The default TLS configuration only uses certificates for the server
# allowing the client to verify the server's identity and establish
# an encrypted channel.
#
# It is possible to use x509 certificates for authentication too, by
# issuing a x509 certificate to every client who needs to connect.
#
# Enabling this option will reject any client who does not have a
# certificate signed by the CA in /etc/pki/libvirt-chardev/ca-cert.pem
#
#chardev_tls_x509_verify = 1
# By default, if no graphical front end is configured, libvirt will disable
# QEMU audio output since directly talking to alsa/pulseaudio may not work

11
src/qemu/qemu_conf.c
View File

@ -274,6 +274,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
SET_TLS_X509_CERT_DEFAULT(vnc);
SET_TLS_X509_CERT_DEFAULT(spice);
SET_TLS_X509_CERT_DEFAULT(chardev);
#undef SET_TLS_X509_CERT_DEFAULT
@ -375,6 +376,8 @@ static void virQEMUDriverConfigDispose(void *obj)
VIR_FREE(cfg->spicePassword);
VIR_FREE(cfg->spiceSASLdir);
VIR_FREE(cfg->chardevTLSx509certdir);
while (cfg->nhugetlbfs) {
cfg->nhugetlbfs--;
VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir);
@ -502,6 +505,14 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
if (virConfGetValueBool(conf, "spice_auto_unix_socket", &cfg->spiceAutoUnixSocket) < 0)
goto cleanup;
if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0)
goto cleanup;
if (virConfGetValueString(conf, "chardev_tls_x509_cert_dir", &cfg->chardevTLSx509certdir) < 0)
goto cleanup;
if ((rv = virConfGetValueBool(conf, "chardev_tls_x509_verify", &cfg->chardevTLSx509verify)) < 0)
goto cleanup;
if (rv == 0)
cfg->chardevTLSx509verify = cfg->defaultTLSx509verify;
if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSocketPortMin) < 0)
goto cleanup;

4
src/qemu/qemu_conf.h
View File

@ -129,6 +129,10 @@ struct _virQEMUDriverConfig {
char *spicePassword;
bool spiceAutoUnixSocket;
bool chardevTLS;
char *chardevTLSx509certdir;
bool chardevTLSx509verify;
unsigned int remotePortMin;
unsigned int remotePortMax;

3
src/qemu/test_libvirtd_qemu.aug.in
View File

@ -20,6 +20,9 @@ module Test_libvirtd_qemu =
{ "spice_password" = "XYZ12345" }
{ "spice_sasl" = "1" }
{ "spice_sasl_dir" = "/some/directory/sasl2" }
{ "chardev_tls" = "1" }
{ "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" }
{ "chardev_tls_x509_verify" = "1" }
{ "nographics_allow_host_audio" = "1" }
{ "remote_display_port_min" = "5900" }
{ "remote_display_port_max" = "65535" }

41
tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.xml Normal file
View File

@ -0,0 +1,41 @@
<domain type='qemu'>
<name>QEMUGuest1</name>
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='i686' machine='pc'>hvm</type>
<boot dev='hd'/>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu</emulator>
<disk type='block' device='disk'>
<source dev='/dev/HostVG/QEMUGuest1'/>
<target dev='hda' bus='ide'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0'/>
<controller type='ide' index='0'/>
<serial type='udp'>
<source mode='bind' host='127.0.0.1' service='1111'/>
<source mode='connect' host='127.0.0.1' service='2222'/>
<target port='0'/>
</serial>
<serial type='tcp'>
<source mode='connect' host='127.0.0.1' service='5555'/>
<protocol type='raw'/>
<target port='0'/>
</serial>
<console type='udp'>
<source mode='bind' host='127.0.0.1' service='1111'/>
<source mode='connect' host='127.0.0.1' service='2222'/>
<target type='serial' port='0'/>
</console>
<memballoon model='virtio'/>
</devices>
</domain>

50
tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev.xml Normal file
View File

@ -0,0 +1,50 @@
<domain type='qemu'>
<name>QEMUGuest1</name>
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='i686' machine='pc'>hvm</type>
<boot dev='hd'/>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu</emulator>
<disk type='block' device='disk'>
<source dev='/dev/HostVG/QEMUGuest1'/>
<target dev='hda' bus='ide'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>
<controller type='ide' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<serial type='udp'>
<source mode='bind' host='127.0.0.1' service='1111'/>
<source mode='connect' host='127.0.0.1' service='2222'/>
<target port='0'/>
</serial>
<serial type='tcp'>
<source mode='connect' host='127.0.0.1' service='5555'/>
<protocol type='raw'/>
<target port='0'/>
</serial>
<console type='udp'>
<source mode='bind' host='127.0.0.1' service='1111'/>
<source mode='connect' host='127.0.0.1' service='2222'/>
<target type='serial' port='0'/>
</console>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</memballoon>
</devices>
</domain>

1
tests/qemuxml2xmltest.c
View File

@ -532,6 +532,7 @@ mymain(void)
DO_TEST("serial-tcp", NONE);
DO_TEST("serial-udp", NONE);
DO_TEST("serial-tcp-telnet", NONE);
DO_TEST("serial-tcp-tlsx509-chardev", NONE);
DO_TEST("serial-many", NONE);
DO_TEST("serial-spiceport", NONE);
DO_TEST("serial-spiceport-nospice", NONE);