From: "Daniel P. Berrange" <berrange@redhat.com>
To: ashish mittal <ashmit602@gmail.com>
Cc: Jeff Cody <jcody@redhat.com>,
Stefan Hajnoczi <stefanha@gmail.com>,
Ketan Nilangekar <Ketan.Nilangekar@veritas.com>,
qemu-devel <qemu-devel@nongnu.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Kevin Wolf <kwolf@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Fam Zheng <famz@redhat.com>,
Ashish Mittal <Ashish.Mittal@veritas.com>,
John Ferlan <jferlan@redhat.com>,
Buddhi Madhav <Buddhi.Madhav@veritas.com>,
Suraj Singh <Suraj.Singh@veritas.com>,
Nitin Jerath <Nitin.Jerath@veritas.com>,
Peter Maydell <peter.maydell@linaro.org>,
Abhijit Dey <Abhijit.Dey@veritas.com>,
"Venkatesha M.G." <Venkatesha.Mg@veritas.com>,
Rakesh Ranjan <Rakesh.Ranjan@veritas.com>
Subject: Re: [Qemu-devel] [PATCH v8 1/2] block/vxhs.c: Add support for a new block device type called "vxhs"
Date: Mon, 6 Mar 2017 09:23:05 +0000 [thread overview]
Message-ID: <20170306092305.GA9866@redhat.com> (raw)
In-Reply-To: <CAAo6VWNRhK6zvc+CferSd9wYQZNNoXDqCEW_G62crqsamyEC9Q@mail.gmail.com>
On Sun, Mar 05, 2017 at 04:26:05PM -0800, ashish mittal wrote:
> On Wed, Mar 1, 2017 at 1:18 AM, Daniel P. Berrange <berrange@redhat.com> wrote:
> >
> > Yes, that's how other parts of QEMU deal with SSL
> >
> > NB, QEMU needs to pass 3 paths to libqnoio - the client cert, the
> > client key, and the certificate authority certlist
> >
>
> I see that the QEMU TLS code internally does expect to find cacert,
> and errors out if this is missing. I did have to create one and place
> it in the dir path where we are keeping the client key,cert files. The
> code diff below requires all the three files.
Yes, the client cert/key have to be paired with the correct CA cert. We cannot
assume that the default CA cert bundle contains the right CA, for use with the
cert/key. The default CA bundle contains all the public commercial CAs, and in
general a QEMU deployment will never use any of those - the site will use a
private internal only CA. While you could add the private CA to the global CA
bundle, that is not desirable from a security POV, as it opens the deployment
to risk from a rogue CA.
> > The include/crypto/tlscredsx509.h file has constants defined for the
> > standard filenames - eg you would concatenate the directory with
> > the constants QCRYPTO_TLS_CREDS_X509_CLIENT_KEY.
> >
> > This gives the filenames you can then pass to libqnio
> >
>
> I am using function qcrypto_tls_creds_get_path() to achieve the same.
> Hope this is OK.
Yep, that's fine.
> Example CLI accepting the new TLS credentials:
>
> [amittal2@camshaft qemu] 2017-03-05 15:54:55$ ./qemu-io --trace
> enable=vxhs* --object
> tls-creds-x509,id=tls0,dir=/etc/pki/qemu/vxhs,endpoint=client -c 'read
> 66000 128k' 'json:{"server.host": "127.0.0.1", "server.port": "9999",
> "vdisk-id": "/test.raw", "driver": "vxhs", "tls-creds":"tls0"}'
> 15116@1488758101.084355:vxhs_open_vdiskid Opening vdisk-id /test.raw
> 15116@1488758101.084396:vxhs_get_creds cacert
> /etc/pki/qemu/vxhs/ca-cert.pem, client_key
> /etc/pki/qemu/vxhs/client-key.pem, client_cert
> /etc/pki/qemu/vxhs/client-cert.pem <===== !!!! NOTE !!!!
> 15116@1488758101.084402:vxhs_open_hostinfo Adding host 127.0.0.1:9999
> to BDRVVXHSState
> 15116@1488758101.092060:vxhs_get_vdisk_stat vDisk /test.raw stat ioctl
> returned size 1048576
> read 131072/131072 bytes at offset 66000
> 128 KiB, 1 ops; 0.0006 sec (188.537 MiB/sec and 1508.2956 ops/sec)
> 15116@1488758101.094643:vxhs_close Closing vdisk /test.raw
> [amittal2@camshaft qemu] 2017-03-05 15:55:01$
That looks ok.
> @@ -315,33 +374,39 @@ static int vxhs_open(BlockDriverState *bs, QDict *options,
> if (strlen(server_host_opt) > MAXHOSTNAMELEN) {
> error_setg(&local_err, "server.host cannot be more than %d characters",
> MAXHOSTNAMELEN);
> - qdict_del(backing_options, str);
> ret = -EINVAL;
> goto out;
> }
>
> - s->vdisk_hostinfo.host = g_strdup(server_host_opt);
> + /* check if we got tls-creds via the --object argument */
> + s->tlscredsid = g_strdup(qemu_opt_get(opts, "tls-creds"));
> + if (s->tlscredsid) {
> + vxhs_get_tls_creds(s->tlscredsid, &cacert, &client_key,
> + &client_cert, &local_err);
> + if (local_err != NULL) {
> + ret = -EINVAL;
> + goto out;
> + }
> + trace_vxhs_get_creds(cacert, client_key, client_cert);
> + }
>
> + s->vdisk_hostinfo.host = g_strdup(server_host_opt);
> s->vdisk_hostinfo.port = g_ascii_strtoll(qemu_opt_get(tcp_opts,
> VXHS_OPT_PORT),
> NULL, 0);
>
> trace_vxhs_open_hostinfo(s->vdisk_hostinfo.host,
> - s->vdisk_hostinfo.port);
> -
> - /* free the 'server.' entries allocated by previous call to
> - * qdict_extract_subqdict()
> - */
> - qdict_del(backing_options, str);
> + s->vdisk_hostinfo.port);
>
> of_vsa_addr = g_strdup_printf("of://%s:%d",
> - s->vdisk_hostinfo.host,
> - s->vdisk_hostinfo.port);
> + s->vdisk_hostinfo.host,
> + s->vdisk_hostinfo.port);
>
> /*
> * Open qnio channel to storage agent if not opened before.
> */
> - dev_handlep = iio_open(of_vsa_addr, s->vdisk_guid, 0);
> + dev_handlep = iio_open(of_vsa_addr, s->vdisk_guid, 0,
> + client_key, client_cert);
You need to pass ca_cert into this method too.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
next prev parent reply other threads:[~2017-03-06 9:23 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-16 22:24 [Qemu-devel] [PATCH v8 1/2] block/vxhs.c: Add support for a new block device type called "vxhs" ashish mittal
2017-02-17 21:42 ` Jeff Cody
2017-02-18 0:30 ` Ketan Nilangekar
2017-02-20 9:50 ` Daniel P. Berrange
2017-02-20 11:02 ` Stefan Hajnoczi
2017-02-20 11:34 ` ashish mittal
2017-02-21 10:59 ` Stefan Hajnoczi
2017-02-21 11:33 ` Daniel P. Berrange
2017-02-22 14:09 ` Stefan Hajnoczi
2017-02-22 14:22 ` Daniel P. Berrange
2017-02-22 14:44 ` Jeff Cody
2017-02-24 4:19 ` ashish mittal
2017-02-24 9:19 ` Daniel P. Berrange
2017-02-24 23:30 ` ashish mittal
2017-02-27 9:22 ` Daniel P. Berrange
2017-02-28 22:51 ` ashish mittal
2017-03-01 9:18 ` Daniel P. Berrange
2017-03-06 0:26 ` ashish mittal
2017-03-06 9:23 ` Daniel P. Berrange [this message]
2017-03-08 1:27 ` ashish mittal
2017-03-08 9:13 ` Daniel P. Berrange
2017-03-08 13:04 ` Ketan Nilangekar
2017-03-08 17:59 ` ashish mittal
2017-03-08 18:11 ` Daniel P. Berrange
2017-03-11 3:04 ` ashish mittal
2017-03-13 9:56 ` Daniel P. Berrange
2017-03-13 9:57 ` Daniel P. Berrange
2017-03-17 0:29 ` ashish mittal
2017-03-18 1:44 ` ashish mittal
2017-03-20 12:55 ` Daniel P. Berrange
2017-03-23 0:03 ` ashish mittal
2017-03-27 3:07 ` ashish mittal
2017-02-21 17:21 ` Ketan Nilangekar
2017-02-21 17:39 ` Daniel P. Berrange
2017-02-21 18:06 ` Jeff Cody
2017-02-21 18:56 ` Daniel P. Berrange
2017-02-21 19:25 ` Jeff Cody
2017-02-22 10:12 ` Daniel P. Berrange
2017-02-22 14:25 ` Stefan Hajnoczi
2017-02-20 9:44 ` Daniel P. Berrange
-- strict thread matches above, loose matches on Subject: below --
2017-02-09 5:23 Ashish Mittal
2017-02-09 6:29 ` Jeff Cody
2017-02-09 9:24 ` ashish mittal
2017-02-09 14:32 ` Jeff Cody
2017-02-09 16:14 ` ashish mittal
2017-02-09 16:50 ` Jeff Cody
2017-02-09 18:08 ` ashish mittal
2017-02-09 18:45 ` ashish mittal
2017-02-10 0:27 ` ashish mittal
2017-02-10 2:18 ` Jeff Cody
2017-02-14 20:51 ` Jeff Cody
2017-02-14 22:34 ` ashish mittal
2017-02-15 3:02 ` ashish mittal
2017-02-15 3:54 ` Jeff Cody
2017-02-15 20:34 ` ashish mittal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170306092305.GA9866@redhat.com \
--to=berrange@redhat.com \
--cc=Abhijit.Dey@veritas.com \
--cc=Ashish.Mittal@veritas.com \
--cc=Buddhi.Madhav@veritas.com \
--cc=Ketan.Nilangekar@veritas.com \
--cc=Nitin.Jerath@veritas.com \
--cc=Rakesh.Ranjan@veritas.com \
--cc=Suraj.Singh@veritas.com \
--cc=Venkatesha.Mg@veritas.com \
--cc=armbru@redhat.com \
--cc=ashmit602@gmail.com \
--cc=famz@redhat.com \
--cc=jcody@redhat.com \
--cc=jferlan@redhat.com \
--cc=kwolf@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).