Re: [libvirt] [PATCH v9 2/5] conf: Introduce {default|chardev}_tls_x509_secret_uuid

2016-10-17 Thread John Ferlan


On 10/17/2016 06:52 AM, Pavel Hrdina wrote:
> On Fri, Oct 14, 2016 at 04:23:05PM -0400, John Ferlan wrote:
>> Add new qemu.conf variables to store the UUID of the secret that could
>> be used to present credentials to access the TLS chardev.  Since this will
>> be at the server level and it's possible to use some sort of default, introduce
>> both the default and chardev logic at the same time, making the chardev
>> setting check for its own value first, then, if not present, checking whether
>> the default value has been set.
>>
>> Signed-off-by: John Ferlan 
>> ---
>>  src/qemu/libvirtd_qemu.aug |  2 ++
>>  src/qemu/qemu.conf | 24 
>>  src/qemu/qemu_conf.c   | 14 ++
>>  src/qemu/qemu_conf.h   |  2 ++
>>  src/qemu/test_libvirtd_qemu.aug.in |  2 ++
>>  5 files changed, 44 insertions(+)
>>
>> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
>> index 988201e..73ebeda 100644
>> --- a/src/qemu/libvirtd_qemu.aug
>> +++ b/src/qemu/libvirtd_qemu.aug
>> @@ -29,6 +29,7 @@ module Libvirtd_qemu =
>> (* Config entry grouped by function - same order as example config *)
>> let default_tls_entry = str_entry "default_tls_x509_cert_dir"
>>   | bool_entry "default_tls_x509_verify"
>> + | str_entry "default_tls_x509_secret_uuid"
>>  
>> let vnc_entry = str_entry "vnc_listen"
>>   | bool_entry "vnc_auto_unix_socket"
>> @@ -51,6 +52,7 @@ module Libvirtd_qemu =
>> let chardev_entry = bool_entry "chardev_tls"
>>   | str_entry "chardev_tls_x509_cert_dir"
>>   | bool_entry "chardev_tls_x509_verify"
>> + | str_entry "chardev_tls_x509_secret_uuid"
>>  
>> let nogfx_entry = bool_entry "nographics_allow_host_audio"
>>  
>> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>> index e4c2aae..493c171 100644
>> --- a/src/qemu/qemu.conf
>> +++ b/src/qemu/qemu.conf
>> @@ -28,6 +28,20 @@
>>  #
>>  #default_tls_x509_verify = 1
>>  
>> +#
>> +# Libvirt assumes the server-key.pem file is unencrypted by default.
>> +# To use an encrypted server-key.pem file, the password to decrypt the
> 
> You forgot to remove the extra "the".
> 

Weird - I know I made the change... where'd it go...


>> +# the PEM file is required. This can be provided by creating a secret
>> +# object in libvirt and then to uncomment this setting to set the UUID
>> +# of the secret.
>> +#
>> +# NB This default all-zeros UUID will not work. Replace it with the
>> +# output from the UUID for the TLS secret from a 'virsh secret-list'
>> +# command and then uncomment the entry
>> +#
>> +#default_tls_x509_secret_uuid = "----"
>> +
>> +
>>  # VNC is configured to listen on 127.0.0.1 by default.
>>  # To make it listen on all public interfaces, uncomment
>>  # this next option.
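Review bot: The new comment block tells the administrator to create "a secret object in libvirt" but says nothing about how that secret should be defined, even though its value is the passphrase that unlocks server-key.pem; the same text is repeated for the chardev setting in the next hunk and in the quoted copy of this patch further down the thread. Since libvirt secrets can be defined as private so that their value cannot be read back through the secret API, the comment should recommend that for this use, e.g. `# Define the secret as private (private='yes') so its value cannot be` / `# retrieved through the secret API; libvirtd only needs it to unlock the key.` If the series introduces a dedicated secret usage type for TLS, it would also help to name it here so the `virsh secret-list` output can be matched to the right entry.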
>> @@ -214,6 +228,16 @@
>>  #chardev_tls_x509_verify = 1
>>  
>>  
>> +# Uncomment and use the following option to override the default secret
>> +# uuid provided in the default_tls_x509_secret_uuid parameter.
> 
> s/uuid/UUID/
> 
> ACK
> 

change - thanks

John

[...]



Re: [libvirt] [PATCH v9 2/5] conf: Introduce {default|chardev}_tls_x509_secret_uuid

2016-10-17 Thread Pavel Hrdina
On Fri, Oct 14, 2016 at 04:23:05PM -0400, John Ferlan wrote:
> Add new qemu.conf variables to store the UUID of the secret that could
> be used to present credentials to access the TLS chardev.  Since this will
> be at the server level and it's possible to use some sort of default, introduce
> both the default and chardev logic at the same time, making the chardev
> setting check for its own value first, then, if not present, checking whether
> the default value has been set.
> 
> Signed-off-by: John Ferlan 
> ---
>  src/qemu/libvirtd_qemu.aug |  2 ++
>  src/qemu/qemu.conf | 24 
>  src/qemu/qemu_conf.c   | 14 ++
>  src/qemu/qemu_conf.h   |  2 ++
>  src/qemu/test_libvirtd_qemu.aug.in |  2 ++
>  5 files changed, 44 insertions(+)
> 
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 988201e..73ebeda 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -29,6 +29,7 @@ module Libvirtd_qemu =
> (* Config entry grouped by function - same order as example config *)
> let default_tls_entry = str_entry "default_tls_x509_cert_dir"
>   | bool_entry "default_tls_x509_verify"
> + | str_entry "default_tls_x509_secret_uuid"
>  
> let vnc_entry = str_entry "vnc_listen"
>   | bool_entry "vnc_auto_unix_socket"
> @@ -51,6 +52,7 @@ module Libvirtd_qemu =
> let chardev_entry = bool_entry "chardev_tls"
>   | str_entry "chardev_tls_x509_cert_dir"
>   | bool_entry "chardev_tls_x509_verify"
> + | str_entry "chardev_tls_x509_secret_uuid"
>  
> let nogfx_entry = bool_entry "nographics_allow_host_audio"
>  
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index e4c2aae..493c171 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -28,6 +28,20 @@
>  #
>  #default_tls_x509_verify = 1
>  
> +#
> +# Libvirt assumes the server-key.pem file is unencrypted by default.
> +# To use an encrypted server-key.pem file, the password to decrypt the

You forgot to remove the extra "the".

> +# the PEM file is required. This can be provided by creating a secret
> +# object in libvirt and then to uncomment this setting to set the UUID
> +# of the secret.
> +#
> +# NB This default all-zeros UUID will not work. Replace it with the
> +# output from the UUID for the TLS secret from a 'virsh secret-list'
> +# command and then uncomment the entry
> +#
> +#default_tls_x509_secret_uuid = "----"
> +
> +
>  # VNC is configured to listen on 127.0.0.1 by default.
>  # To make it listen on all public interfaces, uncomment
>  # this next option.
> @@ -214,6 +228,16 @@
>  #chardev_tls_x509_verify = 1
>  
>  
> +# Uncomment and use the following option to override the default secret
> +# uuid provided in the default_tls_x509_secret_uuid parameter.

s/uuid/UUID/

ACK

> +#
> +# NB This default all-zeros UUID will not work. Replace it with the
> +# output from the UUID for the TLS secret from a 'virsh secret-list'
> +# command and then uncomment the entry
> +#
> +#chardev_tls_x509_secret_uuid = "----"
> +
> +
>  # By default, if no graphical front end is configured, libvirt will disable
>  # QEMU audio output since directly talking to alsa/pulseaudio may not work
>  # with various security settings. If you know what you're doing, enable
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 635fa27..109668b 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -365,6 +365,7 @@ static void virQEMUDriverConfigDispose(void *obj)
>  VIR_FREE(cfg->nvramDir);
>  
>  VIR_FREE(cfg->defaultTLSx509certdir);
> +VIR_FREE(cfg->defaultTLSx509secretUUID);
>  
>  VIR_FREE(cfg->vncTLSx509certdir);
>  VIR_FREE(cfg->vncListen);
> @@ -377,6 +378,7 @@ static void virQEMUDriverConfigDispose(void *obj)
>  VIR_FREE(cfg->spiceSASLdir);
>  
>  VIR_FREE(cfg->chardevTLSx509certdir);
> +VIR_FREE(cfg->chardevTLSx509secretUUID);
>  
>  while (cfg->nhugetlbfs) {
>  cfg->nhugetlbfs--;
> @@ -446,6 +448,10 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr 
> cfg,
>  goto cleanup;
>  if (virConfGetValueBool(conf, "default_tls_x509_verify", 
> >defaultTLSx509verify) < 0)
>  goto cleanup;
> +if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
> +  >defaultTLSx509secretUUID) < 0)
> +goto cleanup;
> +
>  if (virConfGetValueBool(conf, "vnc_auto_unix_socket", 
> >vncAutoUnixSocket) < 0)
>  goto cleanup;
>  if (virConfGetValueBool(conf, "vnc_tls", >vncTLS) < 0)
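Review bot: The string read by `virConfGetValueString` into `cfg->defaultTLSx509secretUUID` is stored without any check that it is a well-formed UUID, so a typo in qemu.conf is presumably not noticed until a domain with a TLS chardev is started rather than when the daemon loads its configuration. Since the value is only ever meaningful as a UUID, parsing it at load time and failing with an error that names the setting would surface the misconfiguration immediately, e.g. `unsigned char uuid[VIR_UUID_BUFLEN];` followed by `if (cfg->defaultTLSx509secretUUID && virUUIDParse(cfg->defaultTLSx509secretUUID, uuid) < 0) goto cleanup;` after reporting an error. The same applies to the chardev lookup that begins in the following hunk, which is cut off in this message. virQEMUDriverConfigLoadFile starts and ends outside the hunk.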
> @@ -513,6 +519,14 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr 
> cfg,
>  goto cleanup;
>  if (rv == 0)
>  cfg->chardevTLSx509verify = cfg->defaultTLSx509verify;
> +if (virConfGetValueString(conf,