External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-11 07:17:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.
22,750 Commits 67 Branches 630 Tags 885 MiB
C 94.8%
Python 2%
Meson 0.9%
Shell 0.8%
Dockerfile 0.6%
Other 0.8%
a1344f70a1
Go to file
John Ferlan a1344f70a1 qemu: Utilize qemu secret objects for RBD auth/secret 
https://bugzilla.redhat.com/show_bug.cgi?id=1182074

If they're available and we need to pass secrets to qemu, then use the
qemu domain secret object in order to pass the secrets for RBD volumes
instead of passing the base64 encoded secret on the command line.

The goal is to make AES secrets the default and have no user interaction
required in order to allow using the AES mechanism. If the mechanism
is not available, then fall back to the current plain mechanism using
a base64 encoded secret.

New APIs:

qemu_domain.c:
  qemuDomainGetSecretAESAlias:
    Generate/return the secret object alias for an AES Secret Info type.
    This will be called from qemuDomainSecretAESSetup.

  qemuDomainSecretAESSetup: (private)
    This API handles the details of the generation of the AES secret
    and saves the pieces that need to be passed to qemu in order for
    the secret to be decrypted. The encrypted secret based upon the
    domain master key, an initialization vector (16 byte random value),
    and the stored secret. Finally, the requirement from qemu is the IV
    and encrypted secret are to be base64 encoded.

qemu_command.c:
  qemuBuildSecretInfoProps: (private)
    Generate/return a JSON properties object for the AES secret to
    be used by both the command building and eventually the hotplug
    code in order to add the secret object. Code was designed so that
    in the future perhaps hotplug could use it if it made sense.

  qemuBuildObjectSecretCommandLine (private)
    Generate and add to the command line the -object secret for the
    secret. This will be required for the subsequent RBD reference
    to the object.

  qemuBuildDiskSecinfoCommandLine (private)
    Handle adding the AES secret object.

Adjustments:

qemu_domain.c:
  The qemuDomainSecretSetup was altered to call either the AES or Plain
  Setup functions based upon whether AES secrets are possible (we have
  the encryption API) or not, we have secrets, and of course if the
  protocol source is RBD.

qemu_command.c:
  Adjust the qemuBuildRBDSecinfoURI API's in order to generate the
  specific command options for an AES secret, such as:

    -object secret,id=$alias,keyid=$masterKey,data=$base64encodedencrypted,
            format=base64
    -drive file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
           mon_host=mon1.example.org\:6321,password-secret=$alias,...

  where the 'id=' value is the secret object alias generated by
  concatenating the disk alias and "-aesKey0". The 'keyid= $masterKey'
  is the master key shared with qemu, and the -drive syntax will
  reference that alias as the 'password-secret'. For the -drive
  syntax, the 'id=myname' is kept to define the username, while the
  'key=$base64 encoded secret' is removed.

  While according to the syntax described for qemu commit '60390a21'
  or as seen in the email archive:

    https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg04083.html

  it is possible to pass a plaintext password via a file, the qemu
  commit 'ac1d8878' describes the more feature rich 'keyid=' option
  based upon the shared masterKey.

Add tests for checking/comparing output.

NB: For hotplug, since the hotplug code doesn't add command line
    arguments, passing the encoded secret directly to the monitor
    will suffice.
2016-05-20 11:09:05 -04:00
.gnulib@6cc32c63e8 maint: update to latest gnulib 2016-01-04 13:56:35 -07:00
build-aux bracket-spacing: Add syntax-check for unnecessary curly brackets 2014-11-14 17:13:36 +01:00
daemon More usage of virGetLastErrorMessage 2016-05-19 15:17:03 -04:00
docs docs: fix <spice><gl enable> since version 2016-05-20 09:14:02 +02:00
examples More usage of virGetLastErrorMessage 2016-05-19 15:17:03 -04:00
gnulib maint: update to latest gnulib 2016-01-04 13:56:35 -07:00
include/libvirt perf: add support to perf event for MBM 2016-05-19 15:57:57 +02:00
m4 uml: only build on Linux 2016-05-10 07:42:35 +03:00
po secret: util: Refactor virSecretGetSecretString 2016-05-16 12:58:48 +02:00
src qemu: Utilize qemu secret objects for RBD auth/secret 2016-05-20 11:09:05 -04:00
tests qemu: Utilize qemu secret objects for RBD auth/secret 2016-05-20 11:09:05 -04:00
tools virt-admin: Introduce commands srv-clients-info and srv-clients-set 2016-05-19 12:31:53 +02:00
.ctags
.dir-locals.el
.gitignore virtestmock: Print invalid file accesses into a file 2016-05-14 09:46:23 +02:00
.gitmodules
.mailmap maint: update .mailmap for recent contributions 2015-03-20 06:17:55 -06:00
AUTHORS.in Change maintainers list 2016-02-12 13:10:05 +03:00
autobuild.sh Disable libvirtd by default when building on Win32 2014-04-29 11:30:32 +01:00
autogen.sh maint: improve usage of autogen's --no-git 2015-02-06 11:35:29 -07:00
bootstrap maint: update to latest gnulib 2016-01-04 13:56:35 -07:00
bootstrap.conf bootstrap: Don't require python-config 2015-08-06 14:35:14 +02:00
cfg.mk tests: Introduce global mock library 2016-05-14 09:30:25 +02:00
ChangeLog-old Fix typos in src/* 2014-04-21 16:49:08 -06:00
config-post.h nss: Implement _nss_libvirt_gethostbyname3_r 2016-03-18 17:29:53 +01:00
configure.ac util: Introduce encryption APIs 2016-05-20 11:09:01 -04:00
COPYING
COPYING.LESSER maint: Remove control characters from LGPL license file 2015-09-25 09:16:24 +02:00
HACKING virtestmock: Print invalid file accesses into a file 2016-05-14 09:46:23 +02:00
libvirt-admin.pc.in Add libvirt-admin library 2015-06-16 13:46:20 +02:00
libvirt-lxc.pc.in Add pkg-config files for libvirt-qemu & libvirt-lxc 2014-06-23 16:17:27 +01:00
libvirt-qemu.pc.in Add pkg-config files for libvirt-qemu & libvirt-lxc 2014-06-23 16:17:27 +01:00
libvirt.pc.in Add pkg-config files for libvirt-qemu & libvirt-lxc 2014-06-23 16:17:27 +01:00
libvirt.spec.in spec: Remove %defattr usage 2016-05-17 11:34:47 -04:00
Makefile.am tests: Introduce check-file-access.pl 2016-05-14 09:46:44 +02:00
Makefile.nonreentrant
mingw-libvirt.spec.in parallels: substitute parallels with vz spec file and Makefile 2015-06-17 15:07:55 +03:00
README
README-hacking docs: update README-hacking 2014-05-06 16:20:24 -06:00
run.in Add PKG_CONFIG_PATH to run.in script. 2014-06-26 14:32:35 +01:00
TODO

README 

         LibVirt : simple API for virtualization

  Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aim at providing
long term stable C API initially for the Xen paravirtualization but
should be able to integrate other virtualization mechanisms if needed.

Daniel Veillard <veillard@redhat.com>