[PATCH 22/24] qemu: conf: Add configuration of TLS environment for NBD transport of pull-backups

Peter Krempa pkrempa at redhat.com
Thu Jul 2 14:40:08 UTC 2020 

TLS is required to transport backed-up data securely when using
pull-mode backups.

Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
 docs/formatbackup.rst              |  4 ++++
 src/qemu/libvirtd_qemu.aug         |  5 ++++
 src/qemu/qemu.conf                 | 37 ++++++++++++++++++++++++++++++
 src/qemu/qemu_conf.c               | 17 ++++++++++++++
 src/qemu/qemu_conf.h               |  5 ++++
 src/qemu/test_libvirtd_qemu.aug.in |  3 +++
 6 files changed, 71 insertions(+)

diff --git a/docs/formatbackup.rst b/docs/formatbackup.rst
index e5b6fc6eb0..142b8250d2 100644
--- a/docs/formatbackup.rst
+++ b/docs/formatbackup.rst
@@ -42,6 +42,10 @@ were supplied). The following child elements and attributes are supported:
    necessary to set up an NBD server that exposes the content of each disk at
    the time the backup is started.

+   Note that for the QEMU hypervisor the TLS environment in controlled using
+   ``backup_tls_x509_cert_dir``, ``backup_tls_x509_verify``, and
+   ``backup_tls_x509_secret_uuid`` properties in ``/etc/libvirt/qemu.conf``.
+
 ``disks``
    An optional listing of instructions for disks participating in the backup (if
    omitted, all disks participate and libvirt attempts to generate filenames by
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index c19a086c38..abbac549f2 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -59,6 +59,10 @@ module Libvirtd_qemu =
                  | bool_entry "migrate_tls_x509_verify"
                  | str_entry "migrate_tls_x509_secret_uuid"

+   let backup_entry = str_entry "backup_tls_x509_cert_dir"
+                 | bool_entry "backup_tls_x509_verify"
+                 | str_entry "backup_tls_x509_secret_uuid"
+
    let vxhs_entry = bool_entry "vxhs_tls"
                  | str_entry "vxhs_tls_x509_cert_dir"
                  | str_entry "vxhs_tls_x509_secret_uuid"
@@ -146,6 +150,7 @@ module Libvirtd_qemu =
              | spice_entry
              | chardev_entry
              | migrate_entry
+             | backup_entry
              | nogfx_entry
              | remote_display_entry
              | security_entry
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index ab403c21ac..a96bedb114 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -395,6 +395,43 @@
 #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"


+# In order to override the default TLS certificate location for backup NBD
+# server certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but TLS-encrypted backup is requested, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the backup_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#backup_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 6e673e8f62..30d7c61cf9 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -347,6 +347,9 @@ static void virQEMUDriverConfigDispose(void *obj)
     VIR_FREE(cfg->migrateTLSx509certdir);
     VIR_FREE(cfg->migrateTLSx509secretUUID);

+    VIR_FREE(cfg->backupTLSx509certdir);
+    VIR_FREE(cfg->backupTLSx509secretUUID);
+
     while (cfg->nhugetlbfs) {
         cfg->nhugetlbfs--;
         VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir);
@@ -511,6 +514,9 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
     GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
     GET_CONFIG_TLS_CERTINFO_SERVER(migrate);

+    GET_CONFIG_TLS_CERTINFO_COMMON(backup);
+    GET_CONFIG_TLS_CERTINFO_SERVER(backup);
+
     GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);

     GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
@@ -1154,6 +1160,14 @@ virQEMUDriverConfigValidate(virQEMUDriverConfigPtr cfg)
         return -1;
     }

+    if (cfg->backupTLSx509certdir &&
+        !virFileExists(cfg->backupTLSx509certdir)) {
+        virReportError(VIR_ERR_CONF_SYNTAX,
+                       _("backup_tls_x509_cert_dir directory '%s' does not exist"),
+                       cfg->backupTLSx509certdir);
+        return -1;
+    }
+
     if (cfg->vxhsTLSx509certdir &&
         !virFileExists(cfg->vxhsTLSx509certdir)) {
         virReportError(VIR_ERR_CONF_SYNTAX,
@@ -1189,6 +1203,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
     SET_TLS_SECRET_UUID_DEFAULT(vnc);
     SET_TLS_SECRET_UUID_DEFAULT(chardev);
     SET_TLS_SECRET_UUID_DEFAULT(migrate);
+    SET_TLS_SECRET_UUID_DEFAULT(backup);
     SET_TLS_SECRET_UUID_DEFAULT(vxhs);
     SET_TLS_SECRET_UUID_DEFAULT(nbd);

@@ -1216,6 +1231,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
     SET_TLS_X509_CERT_DEFAULT(spice);
     SET_TLS_X509_CERT_DEFAULT(chardev);
     SET_TLS_X509_CERT_DEFAULT(migrate);
+    SET_TLS_X509_CERT_DEFAULT(backup);
     SET_TLS_X509_CERT_DEFAULT(vxhs);
     SET_TLS_X509_CERT_DEFAULT(nbd);

@@ -1230,6 +1246,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
     SET_TLS_VERIFY_DEFAULT(vnc);
     SET_TLS_VERIFY_DEFAULT(chardev);
     SET_TLS_VERIFY_DEFAULT(migrate);
+    SET_TLS_VERIFY_DEFAULT(backup);

 #undef SET_TLS_VERIFY_DEFAULT

diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 6193a7111c..687829123c 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -144,6 +144,11 @@ struct _virQEMUDriverConfig {
     bool migrateTLSx509verifyPresent;
     char *migrateTLSx509secretUUID;

+    char *backupTLSx509certdir;
+    bool backupTLSx509verify;
+    bool backupTLSx509verifyPresent;
+    char *backupTLSx509secretUUID;
+
     bool vxhsTLS;
     char *vxhsTLSx509certdir;
     char *vxhsTLSx509secretUUID;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index db125bf352..6a54e2322a 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -35,6 +35,9 @@ module Test_libvirtd_qemu =
 { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
 { "migrate_tls_x509_verify" = "1" }
 { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" }
+{ "backup_tls_x509_verify" = "1" }
+{ "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "nographics_allow_host_audio" = "1" }
 { "remote_display_port_min" = "5900" }
 { "remote_display_port_max" = "65535" }
-- 
2.26.2

More information about the libvir-list mailing list