From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>
Subject: [Qemu-devel] [PATCH v2 14/15] nbd: enable use of TLS with qemu-nbd server
Date: Mon, 11 Jan 2016 15:00:58 +0000 [thread overview]
Message-ID: <1452524459-4132-15-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1452524459-4132-1-git-send-email-berrange@redhat.com>
This modifies the qemu-nbd program so that it is possible to
request the use of TLS with the server. It simply adds a new
command line option --tls-creds which is used to provide the
ID of a QCryptoTLSCreds object previously created via the
--object command line option.
For example
qemu-nbd --object tls-creds-x509,id=tls0,endpoint=server,\
dir=/home/berrange/security/qemutls \
--tls-creds tls0 \
--exportname default
Note that it is mandatory to supply the --exportname argument
when requesting TLS, since it requires use of the new style
NBD protocol where the client requests a volume name explicitly.
TLS is only supported when using an IPv4/IPv6 socket listener.
It is not possible to use with UNIX sockets, which includes
when connecting the NBD server to a host device.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
qemu-nbd.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
qemu-nbd.texi | 4 ++++
2 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 53b22d7..b85a4c8 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -45,6 +45,7 @@
#define QEMU_NBD_OPT_DISCARD 3
#define QEMU_NBD_OPT_DETECT_ZEROES 4
#define QEMU_NBD_OPT_OBJECT 5
+#define QEMU_NBD_OPT_TLSCREDS 6
static NBDExport *exp;
static bool newproto;
@@ -57,6 +58,7 @@ static int shared = 1;
static int nb_fds;
static QIOChannelSocket *server_ioc;
static int server_watch = -1;
+static QCryptoTLSCreds *tlscreds;
static void usage(const char *name)
{
@@ -344,7 +346,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition cond, gpointer opaque)
}
if (nbd_client_new(newproto ? NULL : exp, cioc,
- NULL, NULL, nbd_client_closed)) {
+ tlscreds, NULL, nbd_client_closed)) {
nb_fds++;
nbd_update_server_watch();
}
@@ -426,6 +428,37 @@ static int object_create(void *opaque, QemuOpts *opts, Error **errp)
return 0;
}
+
+static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
+{
+ Object *obj;
+ QCryptoTLSCreds *creds;
+
+ obj = object_resolve_path_component(
+ object_get_objects_root(), id);
+ if (!obj) {
+ error_setg(errp, "No TLS credentials with id '%s'",
+ id);
+ return NULL;
+ }
+ creds = (QCryptoTLSCreds *)
+ object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS);
+ if (!creds) {
+ error_setg(errp, "Object with id '%s' is not TLS credentials",
+ id);
+ return NULL;
+ }
+
+ if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ error_setg(errp,
+ "Expecting TLS credentials with a server endpoint");
+ return NULL;
+ }
+ object_ref(obj);
+ return creds;
+}
+
+
int main(int argc, char **argv)
{
BlockBackend *blk;
@@ -465,6 +498,7 @@ int main(int argc, char **argv)
{ "verbose", 0, NULL, 'v' },
{ "object", 1, NULL, QEMU_NBD_OPT_OBJECT },
{ "exportname", 1, NULL, 'x' },
+ { "tls-creds", 1, NULL, QEMU_NBD_OPT_TLSCREDS },
{ NULL, 0, NULL, 0 }
};
int ch;
@@ -483,6 +517,7 @@ int main(int argc, char **argv)
QDict *options = NULL;
QemuOpts *opts;
const char *exportname = NULL;
+ const char *tlscredsid = NULL;
/* The client thread uses SIGTERM to interrupt the server. A signal
* handler ensures that "qemu-nbd -v -c" exits with a nice status code.
@@ -639,6 +674,9 @@ int main(int argc, char **argv)
exit(1);
}
break;
+ case QEMU_NBD_OPT_TLSCREDS:
+ tlscredsid = optarg;
+ break;
case '?':
errx(EXIT_FAILURE, "Try `%s --help' for more information.",
argv[0]);
@@ -657,6 +695,23 @@ int main(int argc, char **argv)
exit(1);
}
+ if (tlscredsid) {
+ if (!exportname) {
+ errx(EXIT_FAILURE, "Export name is required when using TLS");
+ }
+ if (sockpath) {
+ errx(EXIT_FAILURE, "TLS is only supported with IPv4/IPv6");
+ }
+ if (device) {
+ errx(EXIT_FAILURE, "TLS is not supported with a host device");
+ }
+ tlscreds = nbd_get_tls_creds(tlscredsid, &local_err);
+ if (local_err) {
+ errx(EXIT_FAILURE, "Failed to get TLS creds %s",
+ error_get_pretty(local_err));
+ }
+ }
+
if (disconnect) {
int nbdfd = open(argv[optind], O_RDWR);
if (nbdfd < 0) {
diff --git a/qemu-nbd.texi b/qemu-nbd.texi
index 22d6b5a..34e59a1 100644
--- a/qemu-nbd.texi
+++ b/qemu-nbd.texi
@@ -66,6 +66,10 @@ Export QEMU disk image using NBD protocol.
@item -x NAME, --exportname=NAME
set the NDB volume export name. This switches the server to use
the new style NBD protocol negotiation
+@item --tls-creds=ID
+ enable mandatory TLS encryption for the server by setting the ID
+ of the TLS credentials object previously created with the --object
+ option.
@item -v, --verbose
display extra debugging information
@item -h, --help
--
2.5.0
next prev parent reply other threads:[~2016-01-11 15:01 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-11 15:00 [Qemu-devel] [PATCH v2 00/15] Implement TLS support to QEMU NBD server & client Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 01/15] qom: add helpers for UserCreatable object types Daniel P. Berrange
2016-01-13 10:35 ` Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 02/15] qemu-nbd: add support for --object command line arg Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 03/15] nbd: convert block client to use I/O channels for connection setup Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 04/15] nbd: convert qemu-nbd server " Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 05/15] nbd: convert blockdev NBD " Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 06/15] nbd: convert to using I/O channels for actual socket I/O Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 07/15] nbd: invert client logic for negotiating protocol version Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 08/15] nbd: make server compliant with fixed newstyle spec Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 09/15] nbd: make client request fixed new style if advertized Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 10/15] nbd: allow setting of an export name for qemu-nbd server Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 11/15] nbd: pick first exported volume if no export name is requested Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 12/15] nbd: implement TLS support in the protocol negotiation Daniel P. Berrange
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 13/15] nbd: enable use of TLS with NBD block driver Daniel P. Berrange
2016-01-11 15:00 ` Daniel P. Berrange [this message]
2016-01-11 15:00 ` [Qemu-devel] [PATCH v2 15/15] nbd: enable use of TLS with nbd-server-start command Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1452524459-4132-15-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).