From: "Daniel P. Berrange" <berrange@redhat.com>
To: Ashish Mittal <ashmit602@gmail.com>
Cc: qemu-devel@nongnu.org, pbonzini@redhat.com, kwolf@redhat.com,
	armbru@redhat.com, jcody@redhat.com, famz@redhat.com,
	ashish.mittal@veritas.com, stefanha@gmail.com,
	jferlan@redhat.com, Buddhi.Madhav@veritas.com,
	Suraj.Singh@veritas.com, Nitin.Jerath@veritas.com,
	peter.maydell@linaro.org, Ketan.Nilangekar@veritas.com,
	Abhijit.Dey@veritas.com
Subject: Re: [Qemu-devel] [PATCH v7 1/2] block/vxhs.c: Add support for a new block device type called "vxhs"
Date: Mon, 13 Feb 2017 15:22:34 +0000	[thread overview]
Message-ID: <20170213152234.GF12387@redhat.com> (raw)
In-Reply-To: <1486527494-3387-1-git-send-email-Ashish.Mittal@veritas.com>

On Tue, Feb 07, 2017 at 08:18:13PM -0800, Ashish Mittal wrote:
> From: Ashish Mittal <ashish.mittal@veritas.com>
> 
> Source code for the qnio library that this code loads can be downloaded from:
> https://github.com/VeritasHyperScale/libqnio.git
> 
> Sample command line using JSON syntax:
> ./x86_64-softmmu/qemu-system-x86_64 -name instance-00000008 -S -vnc 0.0.0.0:0
> -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> -msg timestamp=on
> 'json:{"driver":"vxhs","vdisk-id":"c3e9095a-a5ee-4dce-afeb-2a59fb387410",
> "server":{"host":"172.172.17.4","port":"9999"}}'
> 
> Sample command line using URI syntax:
> qemu-img convert -f raw -O raw -n
> /var/lib/nova/instances/_base/0c5eacd5ebea5ed914b6a3e7b18f1ce734c386ad
> vxhs://192.168.0.1:9999/c6718f6b-0401-441d-a8c3-1f0064d75ee0
> 
> Signed-off-by: Ashish Mittal <ashish.mittal@veritas.com>
> ---
> TODO:
> (1) valgrind report to follow soon.
> (2) Security implementation for libqnio present in branch "securify".
>     QEMU patch will use this once it gets merged to libqnio master.
>     Please use master for building libqnio and testing with this patch.
> (3) Rename libqnio to libvxhs. Changes ready in branch "securify".

The securify branch is still lacking in some significant ways that
prevent effective use of TLS with QEMU. In particular the way it
is written to use certs from a hardcoded set of paths is not very
desirable. In addition the way it turns TLS on/off based on the
existence of a file on disk is really bad. For something as
critical as TLS, we don't want it silently enabled/disabled as
a side-effect of external host OS state.

We need to be able to explicitly mandate TLS or plain text mode
from QEMU by calling a suitable API to do so. QEMU also needs to
be able to specify where the certificates are located, at the
time the connection is established, so that it can integrate with
the QEMU TLS credentials object system.

e.g. I'd expect configuration to look like (to be comparable with
use of NBD):

 $qemu-system-x86_64 \
   -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=client \
  'json:{"driver":"vxhs","vdisk-id":"c3e9095a-a5ee-4dce-afeb-2a59fb387410",
         "tls-creds": "tls0",
         "server":{"host":"172.172.17.4","port":"9999"}}'

The -object arg registers some TLS credentials with QEMU, at a given path.
QEMU validates existence of ca-cert.pem, ca-crl.pem, client-cert.pem &
client-key.pem files in the directory /etc/pki/qemu.

When QEMU talks to libqnio it will tell it to enable use of TLS and to use
the files

  /etc/pki/qemu/ca-cert.pem
  /etc/pki/qemu/ca-crl.pem
  /etc/pki/qemu/client-cert.pem
  /etc/pki/qemu/client-key.pem

for negotiating the session.

> diff --git a/qapi/block-core.json b/qapi/block-core.json
> index 932f5bb..f37df56 100644
> --- a/qapi/block-core.json
> +++ b/qapi/block-core.json

> @@ -2744,6 +2745,20 @@
>    'data': { '*offset': 'int', '*size': 'int' } }
>  
>  ##
> +# @BlockdevOptionsVxHS:
> +#
> +# Driver specific block device options for VxHS
> +#
> +# @vdisk-id:    UUID of VxHS volume
> +# @server:      vxhs server IP, port
> +#
> +# Since: 2.9
> +##
> +{ 'struct': 'BlockdevOptionsVxHS',
> +  'data': { 'vdisk-id': 'str',
> +            'server': 'InetSocketAddress' } }
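Review bot: when the 'tls-creds' field is added to BlockdevOptionsVxHS it should be optional, i.e. `'*tls-creds': 'str'` following the `'*offset'` convention visible at the top of this hunk, otherwise every vxhs blockdev would be forced to name a TLS credentials object and an explicit plain-text mode could not be expressed. While touching the doc block, the `@server: vxhs server IP, port` line understates the 'InetSocketAddress' type, which also accepts a hostname; "host address and port" would describe it accurately.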

This will need to gain a field

    'tls-creds': 'str'

NB, naming picked to be consistent with naming used for NBD.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
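The configuration model sketched in the reply above (an explicit `tls-creds` id pointing at a `-object tls-creds-x509` directory, TLS never inferred from whether a file happens to exist) is illustrated here in a small Python example. It is added for this archive page and is not QEMU or libqnio code. The client-side file names are the ones listed in the reply; the `endpoint=server` names (server-cert.pem, server-key.pem) are assumed by analogy, and the `exists` predicate is injectable only so the check can be exercised without a real /etc/pki/qemu.

```python
import json
import os
from typing import Callable, Dict, Optional, Tuple

# Files a tls-creds-x509 directory must hold. The "client" list is taken
# from the reply above; the "server" list is an assumed counterpart.
_CREDS_FILES = {
    "client": ("ca-cert.pem", "ca-crl.pem", "client-cert.pem", "client-key.pem"),
    "server": ("ca-cert.pem", "ca-crl.pem", "server-cert.pem", "server-key.pem"),
}


def resolve_tls_creds(creds_dir: str, endpoint: str = "client",
                      exists: Callable[[str], bool] = os.path.isfile) -> Dict[str, str]:
    """Return the full path of every credential file the endpoint needs.

    A missing file is a hard error: the caller asked for TLS, so the only
    acceptable outcomes are "TLS with these exact files" or failure, never
    a silent fallback to plain text.
    """
    if endpoint not in _CREDS_FILES:
        raise ValueError(f"unknown endpoint {endpoint!r}")
    resolved, missing = {}, []
    for name in _CREDS_FILES[endpoint]:
        path = os.path.join(creds_dir, name)
        (resolved.__setitem__(name, path) if exists(path) else missing.append(path))
    if missing:
        raise FileNotFoundError("tls-creds dir incomplete, missing: " + ", ".join(missing))
    return resolved


def build_vxhs_options(vdisk_id: str, host: str, port: str,
                       tls_creds: Optional[str] = None) -> dict:
    """Build BlockdevOptionsVxHS as proposed in the reply.

    'tls-creds' names a registered tls-creds-x509 object and is optional:
    leaving it out is the caller's explicit choice of plain text.
    """
    opts = {"driver": "vxhs", "vdisk-id": vdisk_id,
            "server": {"host": host, "port": port}}
    if tls_creds is not None:
        opts["tls-creds"] = tls_creds
    return opts


def json_filename(opts: dict) -> str:
    """Render the json: pseudo-filename form used on the QEMU command line."""
    return "json:" + json.dumps(opts, separators=(",", ":"))


def connection_mode(opts: dict, registered: Dict[str, Dict[str, str]]) -> Tuple[str, Optional[Dict[str, str]]]:
    """Decide, from the options alone, what the transport library must do.

    `registered` maps -object ids to the file sets from resolve_tls_creds().
    Returns ("tls", files) or ("plain", None); an unknown id is an error,
    not a downgrade.
    """
    creds_id = opts.get("tls-creds")
    if creds_id is None:
        return "plain", None
    if creds_id not in registered:
        raise KeyError(f"tls-creds object {creds_id!r} is not registered")
    return "tls", registered[creds_id]


if __name__ == "__main__":
    # Constructed stand-in for the host filesystem: only the client files exist.
    present = {os.path.join("/etc/pki/qemu", n) for n in _CREDS_FILES["client"]}
    tls0 = resolve_tls_creds("/etc/pki/qemu", "client", exists=lambda p: p in present)
    opts = build_vxhs_options("c3e9095a-a5ee-4dce-afeb-2a59fb387410",
                              "172.172.17.4", "9999", tls_creds="tls0")
    print(json_filename(opts))
    print(connection_mode(opts, {"tls0": tls0}))
```

The point of `connection_mode` is that the decision comes from the options the user wrote, and an id that does not resolve is rejected rather than quietly treated as "no TLS".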
