From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>, qemu-block@nongnu.org
Subject: [Qemu-devel] [PATCH v6 16/16] nbd: enable use of TLS with nbd-server-start command
Date: Wed, 10 Feb 2016 18:41:14 +0000 [thread overview]
Message-ID: <1455129674-17255-17-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1455129674-17255-1-git-send-email-berrange@redhat.com>
This modifies the nbd-server-start QMP command so that it
is possible to request use of TLS. This is done by adding
a new optional parameter "tls-creds" which provides the ID
of a previously created QCryptoTLSCreds object instance.
TLS is only supported when using an IPv4/IPv6 socket listener.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
blockdev-nbd.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++----------
hmp.c | 2 +-
qapi/block.json | 4 +-
qmp-commands.hx | 2 +-
4 files changed, 105 insertions(+), 25 deletions(-)
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index f181840..12cae0e 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -20,42 +20,126 @@
#include "block/nbd.h"
#include "io/channel-socket.h"
-static QIOChannelSocket *server_ioc;
-static int server_watch = -1;
+typedef struct NBDServerData {
+ QIOChannelSocket *listen_ioc;
+ int watch;
+ QCryptoTLSCreds *tlscreds;
+} NBDServerData;
+
+static NBDServerData *nbd_server;
+
static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
gpointer opaque)
{
QIOChannelSocket *cioc;
+ if (!nbd_server) {
+ return FALSE;
+ }
+
cioc = qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc),
NULL);
if (!cioc) {
return TRUE;
}
- nbd_client_new(NULL, cioc, NULL, NULL, nbd_client_put);
+ nbd_client_new(NULL, cioc,
+ nbd_server->tlscreds, NULL,
+ nbd_client_put);
object_unref(OBJECT(cioc));
return TRUE;
}
-void qmp_nbd_server_start(SocketAddress *addr, Error **errp)
+
+static void nbd_server_free(NBDServerData *server)
{
- if (server_ioc) {
- error_setg(errp, "NBD server already running");
+ if (!server) {
return;
}
- server_ioc = qio_channel_socket_new();
- if (qio_channel_socket_listen_sync(server_ioc, addr, errp) < 0) {
+ if (server->watch != -1) {
+ g_source_remove(server->watch);
+ }
+ object_unref(OBJECT(server->listen_ioc));
+ if (server->tlscreds) {
+ object_unref(OBJECT(server->tlscreds));
+ }
+
+ g_free(server);
+}
+
+static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
+{
+ Object *obj;
+ QCryptoTLSCreds *creds;
+
+ obj = object_resolve_path_component(
+ object_get_objects_root(), id);
+ if (!obj) {
+ error_setg(errp, "No TLS credentials with id '%s'",
+ id);
+ return NULL;
+ }
+ creds = (QCryptoTLSCreds *)
+ object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS);
+ if (!creds) {
+ error_setg(errp, "Object with id '%s' is not TLS credentials",
+ id);
+ return NULL;
+ }
+
+ if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ error_setg(errp,
+ "Expecting TLS credentials with a server endpoint");
+ return NULL;
+ }
+ object_ref(obj);
+ return creds;
+}
+
+
+void qmp_nbd_server_start(SocketAddress *addr,
+ bool has_tls_creds, const char *tls_creds,
+ Error **errp)
+{
+ if (nbd_server) {
+ error_setg(errp, "NBD server already running");
return;
}
- server_watch = qio_channel_add_watch(QIO_CHANNEL(server_ioc),
- G_IO_IN,
- nbd_accept,
- NULL,
- NULL);
+ nbd_server = g_new0(NBDServerData, 1);
+ nbd_server->watch = -1;
+ nbd_server->listen_ioc = qio_channel_socket_new();
+ if (qio_channel_socket_listen_sync(
+ nbd_server->listen_ioc, addr, errp) < 0) {
+ goto error;
+ }
+
+ if (has_tls_creds) {
+ nbd_server->tlscreds = nbd_get_tls_creds(tls_creds, errp);
+ if (!nbd_server->tlscreds) {
+ goto error;
+ }
+
+ if (addr->type != SOCKET_ADDRESS_KIND_INET) {
+ error_setg(errp, "TLS is only supported with IPv4/IPv6");
+ goto error;
+ }
+ }
+
+ nbd_server->watch = qio_channel_add_watch(
+ QIO_CHANNEL(nbd_server->listen_ioc),
+ G_IO_IN,
+ nbd_accept,
+ NULL,
+ NULL);
+
+ return;
+
+ error:
+ nbd_server_free(nbd_server);
+ nbd_server = NULL;
}
void qmp_nbd_server_add(const char *device, bool has_writable, bool writable,
@@ -64,7 +148,7 @@ void qmp_nbd_server_add(const char *device, bool has_writable, bool writable,
BlockBackend *blk;
NBDExport *exp;
- if (!server_ioc) {
+ if (!nbd_server) {
error_setg(errp, "NBD server not running");
return;
}
@@ -110,12 +194,6 @@ void qmp_nbd_server_stop(Error **errp)
{
nbd_export_close_all();
- if (server_watch != -1) {
- g_source_remove(server_watch);
- server_watch = -1;
- }
- if (server_ioc) {
- object_unref(OBJECT(server_ioc));
- server_ioc = NULL;
- }
+ nbd_server_free(nbd_server);
+ nbd_server = NULL;
}
diff --git a/hmp.c b/hmp.c
index 41fb9ca..996cb91 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1793,7 +1793,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
goto exit;
}
- qmp_nbd_server_start(addr, &local_err);
+ qmp_nbd_server_start(addr, false, NULL, &local_err);
qapi_free_SocketAddress(addr);
if (local_err != NULL) {
goto exit;
diff --git a/qapi/block.json b/qapi/block.json
index ed61f82..58e6b30 100644
--- a/qapi/block.json
+++ b/qapi/block.json
@@ -146,13 +146,15 @@
# QEMU instance could refer to them as "nbd:HOST:PORT:exportname=NAME".
#
# @addr: Address on which to listen.
+# @tls-creds: (optional) ID of the TLS credentials object. Since 2.6
#
# Returns: error if the server is already running.
#
# Since: 1.3.0
##
{ 'command': 'nbd-server-start',
- 'data': { 'addr': 'SocketAddress' } }
+ 'data': { 'addr': 'SocketAddress',
+ '*tls-creds': 'str'} }
##
# @nbd-server-add:
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 020e5ee..9fb0d78 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -3825,7 +3825,7 @@ EQMP
{
.name = "nbd-server-start",
- .args_type = "addr:q",
+ .args_type = "addr:q,tls-creds:s?",
.mhandler.cmd_new = qmp_marshal_nbd_server_start,
},
{
--
2.5.0
next prev parent reply other threads:[~2016-02-10 18:41 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-10 18:40 [Qemu-devel] [PATCH v6 00/16] Implement TLS support to QEMU NBD server & client Daniel P. Berrange
2016-02-10 18:40 ` [Qemu-devel] [PATCH v6 01/16] qom: add helpers for UserCreatable object types Daniel P. Berrange
2016-02-11 23:13 ` Eric Blake
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 02/16] qemu-nbd: add support for --object command line arg Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 03/16] nbd: convert block client to use I/O channels for connection setup Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 04/16] nbd: convert qemu-nbd server " Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 05/16] nbd: convert blockdev NBD " Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 06/16] nbd: convert to using I/O channels for actual socket I/O Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 07/16] nbd: invert client logic for negotiating protocol version Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 08/16] nbd: make server compliant with fixed newstyle spec Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 09/16] nbd: make client request fixed new style if advertized Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 10/16] nbd: allow setting of an export name for qemu-nbd server Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 11/16] nbd: always query export list in fixed new style protocol Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 12/16] nbd: use "" as a default export name if none provided Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 13/16] nbd: implement TLS support in the protocol negotiation Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 14/16] nbd: enable use of TLS with NBD block driver Daniel P. Berrange
2016-02-10 18:41 ` [Qemu-devel] [PATCH v6 15/16] nbd: enable use of TLS with qemu-nbd server Daniel P. Berrange
2016-02-10 18:41 ` Daniel P. Berrange [this message]
2016-02-12 13:28 ` [Qemu-devel] [PATCH v6 00/16] Implement TLS support to QEMU NBD server & client Kashyap Chamarthy
2016-02-12 15:00 ` Daniel P. Berrange
2016-02-12 16:03 ` Kashyap Chamarthy
2016-02-12 18:14 ` Kashyap Chamarthy
2016-02-16 16:18 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1455129674-17255-17-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).