qemu: conf: Add configuration of TLS key encryption for 'vxhs' and 'nbd' disks

Until now, libvirt did not allow using an encrypted TLS key for disk clients.

Add fields for configuring the secret and propagate defaults.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Peter Krempa 2020-06-29 17:12:03 +02:00
parent 7fa772bfd7
commit 470d322e0c
5 changed files with 34 additions and 4 deletions


@ -61,9 +61,11 @@ module Libvirtd_qemu =
let vxhs_entry = bool_entry "vxhs_tls" let vxhs_entry = bool_entry "vxhs_tls"
| str_entry "vxhs_tls_x509_cert_dir" | str_entry "vxhs_tls_x509_cert_dir"
| str_entry "vxhs_tls_x509_secret_uuid"
let nbd_entry = bool_entry "nbd_tls" let nbd_entry = bool_entry "nbd_tls"
| str_entry "nbd_tls_x509_cert_dir" | str_entry "nbd_tls_x509_cert_dir"
| str_entry "nbd_tls_x509_secret_uuid"
let nogfx_entry = bool_entry "nographics_allow_host_audio" let nogfx_entry = bool_entry "nographics_allow_host_audio"


@ -303,6 +303,15 @@
#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs" #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
# Uncomment and use the following option to override the default secret
# UUID provided in the default_tls_x509_secret_uuid parameter.
#
# NB This default all-zeros UUID will not work. Replace it with the
# output from the UUID for the TLS secret from a 'virsh secret-list'
# command and then uncomment the entry
#
#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
# Enable use of TLS encryption for all NBD disk devices that don't # Enable use of TLS encryption for all NBD disk devices that don't
# specifically disable it. # specifically disable it.
@ -337,6 +346,16 @@
#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd" #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
# Uncomment and use the following option to override the default secret
# UUID provided in the default_tls_x509_secret_uuid parameter.
#
# NB This default all-zeros UUID will not work. Replace it with the
# output from the UUID for the TLS secret from a 'virsh secret-list'
# command and then uncomment the entry
#
#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
# In order to override the default TLS certificate location for migration # In order to override the default TLS certificate location for migration
# certificates, supply a valid path to the certificate directory. If the # certificates, supply a valid path to the certificate directory. If the
# provided path does not exist, libvirtd will fail to start. If the path is # provided path does not exist, libvirtd will fail to start. If the path is
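Review bot: The new `vxhs_tls_x509_secret_uuid` and `nbd_tls_x509_secret_uuid` comment blocks explain how to override the default UUID but never say what the secret is for; a reader of qemu.conf has to infer from the commit message that it presumably holds the passphrase of an encrypted TLS private key. Suggest one leading line in each block, e.g. `# UUID of the libvirt secret holding the passphrase of the encrypted TLS private key found in vxhs_tls_x509_cert_dir.` (and the nbd equivalent in the second hunk). The all-zeros placeholder is a syntactically valid UUID, so a copy-pasted entry is only rejected at runtime; the existing "NB" sentence carries that warning and should stay.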


@ -339,7 +339,10 @@ static void virQEMUDriverConfigDispose(void *obj)
VIR_FREE(cfg->chardevTLSx509secretUUID); VIR_FREE(cfg->chardevTLSx509secretUUID);
VIR_FREE(cfg->vxhsTLSx509certdir); VIR_FREE(cfg->vxhsTLSx509certdir);
VIR_FREE(cfg->vxhsTLSx509secretUUID);
VIR_FREE(cfg->nbdTLSx509certdir); VIR_FREE(cfg->nbdTLSx509certdir);
VIR_FREE(cfg->nbdTLSx509secretUUID);
VIR_FREE(cfg->migrateTLSx509certdir); VIR_FREE(cfg->migrateTLSx509certdir);
VIR_FREE(cfg->migrateTLSx509secretUUID); VIR_FREE(cfg->migrateTLSx509secretUUID);
@ -477,12 +480,8 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0) if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0)
return -1; return -1;
if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTLSx509certdir) < 0)
return -1;
if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0) if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0)
return -1; return -1;
if (virConfGetValueString(conf, "nbd_tls_x509_cert_dir", &cfg->nbdTLSx509certdir) < 0)
return -1;
if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0) if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0)
return -1; return -1;
@ -512,6 +511,10 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
GET_CONFIG_TLS_CERTINFO_COMMON(migrate); GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
GET_CONFIG_TLS_CERTINFO_SERVER(migrate); GET_CONFIG_TLS_CERTINFO_SERVER(migrate);
GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);
GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
#undef GET_CONFIG_TLS_CERTINFO_COMMON #undef GET_CONFIG_TLS_CERTINFO_COMMON
#undef GET_CONFIG_TLS_CERTINFO_SERVER #undef GET_CONFIG_TLS_CERTINFO_SERVER
return 0; return 0;
@ -1186,6 +1189,8 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
SET_TLS_SECRET_UUID_DEFAULT(vnc); SET_TLS_SECRET_UUID_DEFAULT(vnc);
SET_TLS_SECRET_UUID_DEFAULT(chardev); SET_TLS_SECRET_UUID_DEFAULT(chardev);
SET_TLS_SECRET_UUID_DEFAULT(migrate); SET_TLS_SECRET_UUID_DEFAULT(migrate);
SET_TLS_SECRET_UUID_DEFAULT(vxhs);
SET_TLS_SECRET_UUID_DEFAULT(nbd);
#undef SET_TLS_SECRET_UUID_DEFAULT #undef SET_TLS_SECRET_UUID_DEFAULT
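Review bot: The virQEMUDriverConfigLoadSpecificTLSEntry hunk removes the explicit `vxhs_tls_x509_cert_dir` and `nbd_tls_x509_cert_dir` reads and relies on the later `GET_CONFIG_TLS_CERTINFO_COMMON(vxhs)` / `(nbd)` calls to read them; the macro body is outside the hunk, so confirm it reads `<name>_tls_x509_cert_dir` as well as `<name>_tls_x509_secret_uuid`, otherwise the cert-dir key silently stops being parsed (the lens test in this commit exercises only the augeas lens, not this parser). Only the `_COMMON` variant is used for vxhs and nbd while migrate also gets `_SERVER`, which matches the "disk clients" scope of the commit but deserves a one-line comment, e.g. `/* vxhs/nbd are client-side only: no _SERVER (verify) entries */`. If the macro stores the secret UUID as an unvalidated string, a typo in qemu.conf is presumably only caught when the domain starts; an early format check at load time would surface it at daemon start instead. virQEMUDriverConfigLoadSpecificTLSEntry and virQEMUDriverConfigSetDefaults both begin and end outside these hunks.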


@ -146,9 +146,11 @@ struct _virQEMUDriverConfig {
bool vxhsTLS; bool vxhsTLS;
char *vxhsTLSx509certdir; char *vxhsTLSx509certdir;
char *vxhsTLSx509secretUUID;
bool nbdTLS; bool nbdTLS;
char *nbdTLSx509certdir; char *nbdTLSx509certdir;
char *nbdTLSx509secretUUID;
unsigned int remotePortMin; unsigned int remotePortMin;
unsigned int remotePortMax; unsigned int remotePortMax;
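Review bot: The two new `char *` fields `vxhsTLSx509secretUUID` and `nbdTLSx509secretUUID` are undocumented like their neighbours, but a secret UUID is the one value here whose purpose is not obvious from the name. Suggest a comment on each, e.g. `/* UUID of the libvirt secret holding the TLS private-key passphrase; presumably filled from default_tls_x509_secret_uuid when unset */`, with the default-propagation part confirmed against SET_TLS_SECRET_UUID_DEFAULT. The `struct _virQEMUDriverConfig` definition begins and ends outside the hunk.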


@ -28,8 +28,10 @@ module Test_libvirtd_qemu =
{ "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } { "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "vxhs_tls" = "1" } { "vxhs_tls" = "1" }
{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" } { "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
{ "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "nbd_tls" = "1" } { "nbd_tls" = "1" }
{ "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" } { "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" } { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" } { "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }