From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Max Reitz <mreitz@redhat.com>
Subject: [Qemu-devel] [PATCH v5 16/16] nbd: enable use of TLS with nbd-server-start command
Date: Thu, 4 Feb 2016 13:50:22 +0000 [thread overview]
Message-ID: <1454593822-7321-17-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1454593822-7321-1-git-send-email-berrange@redhat.com>
This modifies the nbd-server-start QMP command so that it
is possible to request use of TLS. This is done by adding
a new optional parameter "tls-creds" which provides the ID
of a previously created QCryptoTLSCreds object instance.
TLS is only supported when using an IPv4/IPv6 socket listener.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
blockdev-nbd.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++----------
hmp.c | 2 +-
qapi/block.json | 4 +-
qmp-commands.hx | 2 +-
4 files changed, 105 insertions(+), 25 deletions(-)
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index cdfbe35..f467bdb 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -19,42 +19,126 @@
#include "block/nbd.h"
#include "io/channel-socket.h"
-static QIOChannelSocket *server_ioc;
-static int server_watch = -1;
+typedef struct NBDServerData {
+ QIOChannelSocket *listen_ioc;
+ int watch;
+ QCryptoTLSCreds *tlscreds;
+} NBDServerData;
+
+static NBDServerData *nbd_server;
+
static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
gpointer opaque)
{
QIOChannelSocket *cioc;
+ if (!nbd_server) {
+ return FALSE;
+ }
+
cioc = qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc),
NULL);
if (!cioc) {
return TRUE;
}
- nbd_client_new(NULL, cioc, NULL, NULL, nbd_client_put);
+ nbd_client_new(NULL, cioc,
+ nbd_server->tlscreds, NULL,
+ nbd_client_put);
object_unref(OBJECT(cioc));
return TRUE;
}
-void qmp_nbd_server_start(SocketAddress *addr, Error **errp)
+
+static void nbd_server_free(NBDServerData *server)
{
- if (server_ioc) {
- error_setg(errp, "NBD server already running");
+ if (!server) {
return;
}
- server_ioc = qio_channel_socket_new();
- if (qio_channel_socket_listen_sync(server_ioc, addr, errp) < 0) {
+ if (server->watch != -1) {
+ g_source_remove(server->watch);
+ }
+ object_unref(OBJECT(server->listen_ioc));
+ if (server->tlscreds) {
+ object_unref(OBJECT(server->tlscreds));
+ }
+
+ g_free(server);
+}
+
+static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
+{
+ Object *obj;
+ QCryptoTLSCreds *creds;
+
+ obj = object_resolve_path_component(
+ object_get_objects_root(), id);
+ if (!obj) {
+ error_setg(errp, "No TLS credentials with id '%s'",
+ id);
+ return NULL;
+ }
+ creds = (QCryptoTLSCreds *)
+ object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS);
+ if (!creds) {
+ error_setg(errp, "Object with id '%s' is not TLS credentials",
+ id);
+ return NULL;
+ }
+
+ if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ error_setg(errp,
+ "Expecting TLS credentials with a server endpoint");
+ return NULL;
+ }
+ object_ref(obj);
+ return creds;
+}
+
+
+void qmp_nbd_server_start(SocketAddress *addr,
+ bool has_tls_creds, const char *tls_creds,
+ Error **errp)
+{
+ if (nbd_server) {
+ error_setg(errp, "NBD server already running");
return;
}
- server_watch = qio_channel_add_watch(QIO_CHANNEL(server_ioc),
- G_IO_IN,
- nbd_accept,
- NULL,
- NULL);
+ nbd_server = g_new0(NBDServerData, 1);
+ nbd_server->watch = -1;
+ nbd_server->listen_ioc = qio_channel_socket_new();
+ if (qio_channel_socket_listen_sync(
+ nbd_server->listen_ioc, addr, errp) < 0) {
+ goto error;
+ }
+
+ if (has_tls_creds) {
+ nbd_server->tlscreds = nbd_get_tls_creds(tls_creds, errp);
+ if (!nbd_server->tlscreds) {
+ goto error;
+ }
+
+ if (addr->type != SOCKET_ADDRESS_KIND_INET) {
+ error_setg(errp, "TLS is only supported with IPv4/IPv6");
+ goto error;
+ }
+ }
+
+ nbd_server->watch = qio_channel_add_watch(
+ QIO_CHANNEL(nbd_server->listen_ioc),
+ G_IO_IN,
+ nbd_accept,
+ NULL,
+ NULL);
+
+ return;
+
+ error:
+ nbd_server_free(nbd_server);
+ nbd_server = NULL;
}
void qmp_nbd_server_add(const char *device, bool has_writable, bool writable,
@@ -63,7 +147,7 @@ void qmp_nbd_server_add(const char *device, bool has_writable, bool writable,
BlockBackend *blk;
NBDExport *exp;
- if (!server_ioc) {
+ if (!nbd_server) {
error_setg(errp, "NBD server not running");
return;
}
@@ -109,12 +193,6 @@ void qmp_nbd_server_stop(Error **errp)
{
nbd_export_close_all();
- if (server_watch != -1) {
- g_source_remove(server_watch);
- server_watch = -1;
- }
- if (server_ioc) {
- object_unref(OBJECT(server_ioc));
- server_ioc = NULL;
- }
+ nbd_server_free(nbd_server);
+ nbd_server = NULL;
}
diff --git a/hmp.c b/hmp.c
index 3b4d6a2..64791f0 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1790,7 +1790,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
goto exit;
}
- qmp_nbd_server_start(addr, &local_err);
+ qmp_nbd_server_start(addr, false, NULL, &local_err);
qapi_free_SocketAddress(addr);
if (local_err != NULL) {
goto exit;
diff --git a/qapi/block.json b/qapi/block.json
index ed61f82..58e6b30 100644
--- a/qapi/block.json
+++ b/qapi/block.json
@@ -146,13 +146,15 @@
# QEMU instance could refer to them as "nbd:HOST:PORT:exportname=NAME".
#
# @addr: Address on which to listen.
+# @tls-creds: (optional) ID of the TLS credentials object. Since 2.6
#
# Returns: error if the server is already running.
#
# Since: 1.3.0
##
{ 'command': 'nbd-server-start',
- 'data': { 'addr': 'SocketAddress' } }
+ 'data': { 'addr': 'SocketAddress',
+ '*tls-creds': 'str'} }
##
# @nbd-server-add:
diff --git a/qmp-commands.hx b/qmp-commands.hx
index db072a6..c54893c 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -3802,7 +3802,7 @@ EQMP
{
.name = "nbd-server-start",
- .args_type = "addr:q",
+ .args_type = "addr:q,tls-creds:s?",
.mhandler.cmd_new = qmp_marshal_nbd_server_start,
},
{
--
2.5.0
next prev parent reply other threads:[~2016-02-04 13:51 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-04 13:50 [Qemu-devel] [PATCH v5 00/16] Implement TLS support to QEMU NBD server & client Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 01/16] qom: add helpers for UserCreatable object types Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 02/16] qemu-nbd: add support for --object command line arg Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 03/16] nbd: convert block client to use I/O channels for connection setup Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 04/16] nbd: convert qemu-nbd server " Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 05/16] nbd: convert blockdev NBD " Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 06/16] nbd: convert to using I/O channels for actual socket I/O Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 07/16] nbd: invert client logic for negotiating protocol version Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 08/16] nbd: make server compliant with fixed newstyle spec Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 09/16] nbd: make client request fixed new style if advertized Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 10/16] nbd: allow setting of an export name for qemu-nbd server Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 11/16] nbd: always query export list in fixed new style protocol Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 12/16] nbd: use "" as a default export name if none provided Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 13/16] nbd: implement TLS support in the protocol negotiation Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 14/16] nbd: enable use of TLS with NBD block driver Daniel P. Berrange
2016-02-04 13:50 ` [Qemu-devel] [PATCH v5 15/16] nbd: enable use of TLS with qemu-nbd server Daniel P. Berrange
2016-02-04 13:50 ` Daniel P. Berrange [this message]
2016-02-04 16:25 ` [Qemu-devel] [PATCH v5 16/16] nbd: enable use of TLS with nbd-server-start command Eric Blake
2016-02-04 16:30 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1454593822-7321-17-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.