NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

qemu: Check for existence of provided *_tls_x509_cert_dir

Browse Source 
https://bugzilla.redhat.com/show_bug.cgi?id=1458630

Introduce virQEMUDriverConfigTLSDirResetDefaults in order to check
if the defaultTLSx509certdir was changed, then change the default
for any other *TLSx509certdir that was not set to the default default.

Introduce virQEMUDriverConfigValidate to validate the existence of
any of the *_tls_x509_cert_dir values that were uncommented/set,
incuding the default.

Update the qemu.conf description for default to describe the consequences
if the default directory path does not exist.

Signed-off-by: John Ferlan <jferlan@redhat.com>
This commit is contained in:
John Ferlan 2017-06-29 08:27:55 -04:00
parent 8947504683
commit dc4c2f75ab
4 changed files with 119 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/qemu/qemu.conf
View File

@ -13,6 +13,14 @@
# #
# dh-params.pem - the DH params configuration file # dh-params.pem - the DH params configuration file
# #
# If the directory does not exist or contain the necessary files, QEMU
# domains will fail to start if they are configured to use TLS.
#
# In order to overwrite the default path alter the following. This path
# definition will be used as the default path for other *_tls_x509_cert_dir
# configuration settings if their default path does not exist or is not
# specifically set.
#
#default_tls_x509_cert_dir = "/etc/pki/qemu" #default_tls_x509_cert_dir = "/etc/pki/qemu"

105
src/qemu/qemu_conf.c
View File

@ -425,6 +425,43 @@ virQEMUDriverConfigHugeTLBFSInit(virHugeTLBFSPtr hugetlbfs,
} }
/**
* @cfg: Just read config TLS values
*
* If the default_tls_x509_cert_dir was uncommented or changed from
* the default value assigned to the *_tls_x509_cert_dir values when
* virQEMUDriverConfigNew was executed, we need to check if we need
* to update the other defaults.
*
* Returns 0 on success, -1 on failure
*/
static int
virQEMUDriverConfigTLSDirResetDefaults(virQEMUDriverConfigPtr cfg)
{
/* Not changed or set to the default default, nothing to do */
if (!cfg->checkdefaultTLSx509certdir ||
STREQ(cfg->defaultTLSx509certdir, SYSCONFDIR "/pki/qemu"))
return 0;
#define CHECK_RESET_CERT_DIR_DEFAULT(val) \
do { \
if (STREQ(cfg->val ## TLSx509certdir, SYSCONFDIR "/pki/qemu")) { \
VIR_FREE(cfg->val ## TLSx509certdir); \
if (VIR_STRDUP(cfg->val ## TLSx509certdir, \
cfg->defaultTLSx509certdir) < 0) \
return -1; \
} \
} while (0)
CHECK_RESET_CERT_DIR_DEFAULT(vnc);
CHECK_RESET_CERT_DIR_DEFAULT(spice);
CHECK_RESET_CERT_DIR_DEFAULT(chardev);
CHECK_RESET_CERT_DIR_DEFAULT(migrate);
return 0;
}
int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
const char *filename, const char *filename,
bool privileged) bool privileged)
@ -452,8 +489,9 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
if (!(conf = virConfReadFile(filename, 0))) if (!(conf = virConfReadFile(filename, 0)))
goto cleanup; goto cleanup;
if (virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir) < 0) if ((rv = virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir)) < 0)
goto cleanup; goto cleanup;
cfg->checkdefaultTLSx509certdir = (rv == 1);
if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0) if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
goto cleanup; goto cleanup;
if (virConfGetValueString(conf, "default_tls_x509_secret_uuid", if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
@ -549,6 +587,9 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
#undef GET_CONFIG_TLS_CERTINFO #undef GET_CONFIG_TLS_CERTINFO
if (virQEMUDriverConfigTLSDirResetDefaults(cfg) < 0)
goto cleanup;
if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSocketPortMin) < 0) if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSocketPortMin) < 0)
goto cleanup; goto cleanup;
if (cfg->webSocketPortMin < QEMU_WEBSOCKET_PORT_MIN) { if (cfg->webSocketPortMin < QEMU_WEBSOCKET_PORT_MIN) {
@ -873,6 +914,68 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
return ret; return ret;
} }
/**
* @cfg: Recently read config values
*
* Validate the recently read configuration values.
*
* Returns 0 on success, -1 on failure
*/
int
virQEMUDriverConfigValidate(virQEMUDriverConfigPtr cfg)
{
/* If the default entry was uncommented, then validate existence */
if (cfg->checkdefaultTLSx509certdir) {
if (!virFileExists(cfg->defaultTLSx509certdir)) {
virReportError(VIR_ERR_CONF_SYNTAX,
_("default_tls_x509_cert_dir directory '%s' "
"does not exist"),
cfg->defaultTLSx509certdir);
return -1;
}
}
/* For each of the others - if the value is not to the default default
* then check if the directory exists (this may duplicate the check done
* during virQEMUDriverConfigNew).
*/
if (STRNEQ(cfg->vncTLSx509certdir, SYSCONFDIR "/pki/qemu") &&
!virFileExists(cfg->vncTLSx509certdir)) {
virReportError(VIR_ERR_CONF_SYNTAX,
_("vnc_tls_x509_cert_dir directory '%s' does not exist"),
cfg->vncTLSx509certdir);
return -1;
}
if (STRNEQ(cfg->spiceTLSx509certdir, SYSCONFDIR "/pki/qemu") &&
!virFileExists(cfg->spiceTLSx509certdir)) {
virReportError(VIR_ERR_CONF_SYNTAX,
_("spice_tls_x509_cert_dir directory '%s' does not exist"),
cfg->spiceTLSx509certdir);
return -1;
}
if (STRNEQ(cfg->chardevTLSx509certdir, SYSCONFDIR "/pki/qemu") &&
!virFileExists(cfg->chardevTLSx509certdir)) {
virReportError(VIR_ERR_CONF_SYNTAX,
_("chardev_tls_x509_cert_dir directory '%s' does not exist"),
cfg->chardevTLSx509certdir);
return -1;
}
if (STRNEQ(cfg->migrateTLSx509certdir, SYSCONFDIR "/pki/qemu") &&
!virFileExists(cfg->migrateTLSx509certdir)) {
virReportError(VIR_ERR_CONF_SYNTAX,
_("migrate_tls_x509_cert_dir directory '%s' does not exist"),
cfg->migrateTLSx509certdir);
return -1;
}
return 0;
}
virQEMUDriverConfigPtr virQEMUDriverGetConfig(virQEMUDriverPtr driver) virQEMUDriverConfigPtr virQEMUDriverGetConfig(virQEMUDriverPtr driver)
{ {
virQEMUDriverConfigPtr conf; virQEMUDriverConfigPtr conf;

4
src/qemu/qemu_conf.h
View File

@ -113,6 +113,7 @@ struct _virQEMUDriverConfig {
char *nvramDir; char *nvramDir;
char *defaultTLSx509certdir; char *defaultTLSx509certdir;
bool checkdefaultTLSx509certdir;
bool defaultTLSx509verify; bool defaultTLSx509verify;
char *defaultTLSx509secretUUID; char *defaultTLSx509secretUUID;
@ -302,6 +303,9 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
const char *filename, const char *filename,
bool privileged); bool privileged);
int
virQEMUDriverConfigValidate(virQEMUDriverConfigPtr cfg);
virQEMUDriverConfigPtr virQEMUDriverGetConfig(virQEMUDriverPtr driver); virQEMUDriverConfigPtr virQEMUDriverGetConfig(virQEMUDriverPtr driver);
bool virQEMUDriverIsPrivileged(virQEMUDriverPtr driver); bool virQEMUDriverIsPrivileged(virQEMUDriverPtr driver);

3
src/qemu/qemu_driver.c
View File

@ -667,6 +667,9 @@ qemuStateInitialize(bool privileged,
goto error; goto error;
VIR_FREE(driverConf); VIR_FREE(driverConf);
if (virQEMUDriverConfigValidate(cfg) < 0)
goto error;
if (virFileMakePath(cfg->stateDir) < 0) { if (virFileMakePath(cfg->stateDir) < 0) {
virReportSystemError(errno, _("Failed to create state dir %s"), virReportSystemError(errno, _("Failed to create state dir %s"),
cfg->stateDir); cfg->stateDir);