On Tue, May 14, 2024 at 04:28:28PM +0100, Richard W.M. Jones wrote:
> If TLS is required (--tls=require), when either --run or --print-uri
> is used, include extra query parameters ?tls-certificates=... or
> ?tls-psk-key=... in the URI.
>
> These are simply copied from the corresponding --tls-certificates or
> --tls-psk parameter on the nbdkit command line without any other
> modification (we don't make it an absolute path as it's not needed).
>
> This will probably only work for libnbd-based clients.
>
> This commit as it stands doesn't actually work well for PSK, unless
> the username in the PSK file happens to coincide with the local login
> name.
>
> Example:
>
> $ nbdkit null \
>     --tls=require --tls-certificates=tests/pki --tls-verify-peer \
>     --print-uri \
>     --run 'echo uri="$uri" ; nbdinfo "$uri"'
> nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki
> Shell-quoted URI:
> "nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki"
> Command to query the NBD endpoint:
> nbdinfo
> "nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki"
> uri=nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki
> protocol: newstyle-fixed with TLS, using structured packets
> export="":
>     export-size: 0
>     content: empty
>     uri:
> nbds+unix:///?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki
>     contexts:
>         base:allocation
>     is_rotational: false
>     is_read_only: false
>     can_block_status_payload: false
>     can_cache: true
>     can_df: true
>     can_fast_zero: true
>     can_flush: true
>     can_fua: true
>     can_multi_conn: true
>     can_trim: true
>     can_zero: true
> ---
> server/uri.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
> diff --git a/server/uri.c b/server/uri.c
> index 0810ee4c06..441034261a 100644
> --- a/server/uri.c
> +++ b/server/uri.c
> @@ -52,6 +52,7 @@ make_uri (void) > char *r = NULL; > const bool tls_required = tls == 2; > const char *scheme; > + bool query_appended; > > switch (service_mode) { > case SERVICE_MODE_SOCKET_ACTIVATION: > @@ -97,6 +98,7 @@ make_uri (void) > } > fprintf (fp, "?socket="); > uri_quote (unixsocket, fp); > + query_appended = true; > break; > case SERVICE_MODE_VSOCK: > /* 1 = VMADDR_CID_LOCAL */ > @@ -109,6 +111,7 @@ make_uri (void) > putc ('/', fp); > uri_quote (export_name, fp); > } > + query_appended = false; > break; > case SERVICE_MODE_TCPIP: > fputs ("localhost", fp); > @@ -120,6 +123,7 @@ make_uri (void) > putc ('/', fp); > uri_quote (export_name, fp); > } > + query_appended = false; > break; > > case SERVICE_MODE_SOCKET_ACTIVATION: > @@ -130,6 +134,24 @@ make_uri (void) > abort (); > } > > + /* For TLS, append tls-certificates or tls-psk-file. Note that > + * tls-certificates requires libnbd >= 1.10 (Sep 2021) and it fails > + * strangely with older versions (RHEL 8 is too old). Hopefully > + * this will resolve itself over time as people upgrade libnbd. > + * qemu probably ignores these parameters. > + */
Yes, you can't pass TLS certs via an NBD URI to QEMU. They need to be loaded with QEMU's '-object id=$ID,....' argument and then referenced from the nbd blockdev with 'tls-creds=$ID'

I don't believe QEMU complains about unknown URI query parameters, though I might make the argument that it should complain about anything unknown as an aid to diagnose user errors. I'm not planning any such change myself though.

> + if (tls_required && (tls_certificates_dir || tls_psk)) { > + putc (query_appended ? '&' : '?', fp); > + if (tls_certificates_dir) { > + fputs ("tls-certificates=", fp); > + uri_quote (tls_certificates_dir, fp); > + } > + else if (tls_psk) { > + fputs ("tls-psk-file=", fp); > + uri_quote (tls_psk, fp); > + } > + } > + > if (close_memstream (fp) == EOF) { > perror ("uri: close_memstream"); > exit (EXIT_FAILURE);
> --
> 2.44.0
> _______________________________________________
> Libguestfs mailing list -- guestfs@lists.libguestfs.org
> To unsubscribe send an email to guestfs-le...@lists.libguestfs.org

With regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
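Review bot: in the `@@ -52,6 +52,7 @@ make_uri (void)` hunk, `bool query_appended;` is declared without an initializer, and the later `putc (query_appended ? '&' : '?', fp);` depends on every reachable arm of `switch (service_mode)` having assigned it; an arm added later without an assignment would read an indeterminate value and could print a URI with a stray `&` in place of `?`. Suggest `bool query_appended = false;` at the declaration, which also makes the two explicit `query_appended = false;` assignments in the vsock and TCP/IP arms unnecessary.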
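Review bot: the query parameter emitted in the `@@ -130,6 +134,24 @@ make_uri (void)` hunk, `fputs ("tls-psk-file=", fp);`, does not match the `?tls-psk-key=...` advertised in the commit message; the message should say `tls-psk-file`, as the hunk's own comment already does. Separately, both `tls_certificates_dir` and `tls_psk` are copied into the URI verbatim, so a relative path such as `tests/pki` in the example only resolves for a consumer whose working directory is nbdkit's: that holds for `--run`, but a `--print-uri` value pasted into a shell elsewhere will fail to find the certificates or PSK file, which the "not needed" remark in the commit message could state explicitly so users know the printed URI is not location independent.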