On Fri, Oct 14, 2016 at 04:23:05PM -0400, John Ferlan wrote:
> Add a new qemu.conf variables to store the UUID for the secret that could
> be used to present credentials to access the TLS chardev. Since this will
> be a server level and it's possible to use some sort of default, introduce
> both the default and chardev logic at the same time making the setting of
> the chardev check for it's own value, then if not present checking whether
> the default value had been set.
>
> Signed-off-by: John Ferlan
> ---
> src/qemu/libvirtd_qemu.aug | 2 ++
> src/qemu/qemu.conf | 24
> src/qemu/qemu_conf.c | 14 ++
> src/qemu/qemu_conf.h | 2 ++
> src/qemu/test_libvirtd_qemu.aug.in | 2 ++
> 5 files changed, 44 insertions(+)
>
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 988201e..73ebeda 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -29,6 +29,7 @@ module Libvirtd_qemu =
> (* Config entry grouped by function - same order as example config *)
> let default_tls_entry = str_entry "default_tls_x509_cert_dir"
> | bool_entry "default_tls_x509_verify"
> + | str_entry "default_tls_x509_secret_uuid"
>
> let vnc_entry = str_entry "vnc_listen"
> | bool_entry "vnc_auto_unix_socket"
> @@ -51,6 +52,7 @@ module Libvirtd_qemu =
> let chardev_entry = bool_entry "chardev_tls"
> | str_entry "chardev_tls_x509_cert_dir"
> | bool_entry "chardev_tls_x509_verify"
> + | str_entry "chardev_tls_x509_secret_uuid"
>
> let nogfx_entry = bool_entry "nographics_allow_host_audio"
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index e4c2aae..493c171 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -28,6 +28,20 @@
> #
> #default_tls_x509_verify = 1
>
> +#
> +# Libvirt assumes the server-key.pem file is unencrypted by default.
> +# To use an encrypted server-key.pem file, the password to decrypt the
You've forgot to remove the extra "the".
> +# the PEM file is required. This can be provided by creating a secret
> +# object in libvirt and then to uncomment this setting to set the UUID
> +# of the secret.
> +#
> +# NB This default all-zeros UUID will not work. Replace it with the
> +# output from the UUID for the TLS secret from a 'virsh secret-list'
> +# command and then uncomment the entry
> +#
> +#default_tls_x509_secret_uuid = "----"
> +
> +
> # VNC is configured to listen on 127.0.0.1 by default.
> # To make it listen on all public interfaces, uncomment
> # this next option.
> @@ -214,6 +228,16 @@
> #chardev_tls_x509_verify = 1
>
>
> +# Uncomment and use the following option to override the default secret
> +# uuid provided in the default_tls_x509_secret_uuid parameter.
s/uuid/UUID/
ACK
> +#
> +# NB This default all-zeros UUID will not work. Replace it with the
> +# output from the UUID for the TLS secret from a 'virsh secret-list'
> +# command and then uncomment the entry
> +#
> +#chardev_tls_x509_secret_uuid = "----"
> +
> +
> # By default, if no graphical front end is configured, libvirt will disable
> # QEMU audio output since directly talking to alsa/pulseaudio may not work
> # with various security settings. If you know what you're doing, enable
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 635fa27..109668b 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -365,6 +365,7 @@ static void virQEMUDriverConfigDispose(void *obj)
> VIR_FREE(cfg->nvramDir);
>
> VIR_FREE(cfg->defaultTLSx509certdir);
> +VIR_FREE(cfg->defaultTLSx509secretUUID);
>
> VIR_FREE(cfg->vncTLSx509certdir);
> VIR_FREE(cfg->vncListen);
> @@ -377,6 +378,7 @@ static void virQEMUDriverConfigDispose(void *obj)
> VIR_FREE(cfg->spiceSASLdir);
>
> VIR_FREE(cfg->chardevTLSx509certdir);
> +VIR_FREE(cfg->chardevTLSx509secretUUID);
>
> while (cfg->nhugetlbfs) {
> cfg->nhugetlbfs--;
> @@ -446,6 +448,10 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr
> cfg,
> goto cleanup;
> if (virConfGetValueBool(conf, "default_tls_x509_verify",
> >defaultTLSx509verify) < 0)
> goto cleanup;
> +if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
> + >defaultTLSx509secretUUID) < 0)
> +goto cleanup;
> +
> if (virConfGetValueBool(conf, "vnc_auto_unix_socket",
> >vncAutoUnixSocket) < 0)
> goto cleanup;
> if (virConfGetValueBool(conf, "vnc_tls", >vncTLS) < 0)
> @@ -513,6 +519,14 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr
> cfg,
> goto cleanup;
> if (rv == 0)
> cfg->chardevTLSx509verify = cfg->defaultTLSx509verify;
> +if (virConfGetValueString(conf,