conf: Add new default TLS X.509 certificate default directory

Rather than specify perhaps multiple TLS X.509 certificate directories,
let's create a "default" directory which can then be used if the service
(e.g. for now vnc and spice) does not supply a default directory.

Since the default for vnc and spice may have existed before without being
supplied, the default check will first check if the service specific path
exists and if so, set the cfg entry to that; otherwise, the default will
be set to the (now) new defaultTLSx509certdir.

Additionally add a "default_tls_x509_verify" entry which can also be used
to force the peer verification option (for vnc it's a x509verify option).
Add/alter the macro for the option being found in the config file to accept
the default value.

Signed-off-by: John Ferlan <jferlan@redhat.com>
This commit is contained in:
John Ferlan 2016-06-14 14:14:31 -04:00
parent 66278d4bc3
commit c12cb5ed73
5 changed files with 88 additions and 26 deletions

View File

@ -27,6 +27,9 @@ module Libvirtd_qemu =
(* Config entry grouped by function - same order as example config *)
let default_tls_entry = str_entry "default_tls_x509_cert_dir"
| bool_entry "default_tls_x509_verify"
let vnc_entry = str_entry "vnc_listen"
| bool_entry "vnc_auto_unix_socket"
| bool_entry "vnc_tls"
@ -98,7 +101,8 @@ module Libvirtd_qemu =
let nvram_entry = str_array_entry "nvram"
(* Each entry in the config is one of the following ... *)
let entry = vnc_entry
let entry = default_tls_entry
| vnc_entry
| spice_entry
| nogfx_entry
| remote_display_entry

View File

@ -2,6 +2,32 @@
# All settings described here are optional - if omitted, sensible
# defaults are used.
# Use of TLS requires that x509 certificates be issued. The default is
# to keep them in /etc/pki/qemu. This directory must contain
#
# ca-cert.pem - the CA master certificate
# server-cert.pem - the server certificate signed with ca-cert.pem
# server-key.pem - the server private key
#
# and optionally may contain
#
# dh-params.pem - the DH params configuration file
#
#default_tls_x509_cert_dir = "/etc/pki/qemu"
# The default TLS configuration only uses certificates for the server
# allowing the client to verify the server's identity and establish
# an encrypted channel.
#
# It is possible to use x509 certificates for authentication too, by
# issuing a x509 certificate to every client who needs to connect.
#
# Enabling this option will reject any client who does not have a
# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
#
#default_tls_x509_verify = 1
# VNC is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
@ -32,15 +58,10 @@
#vnc_tls = 1
# Use of TLS requires that x509 certificates be issued. The
# default it to keep them in /etc/pki/libvirt-vnc. This directory
# must contain
#
# ca-cert.pem - the CA master certificate
# server-cert.pem - the server certificate signed with ca-cert.pem
# server-key.pem - the server private key
#
# This option allows the certificate directory to be changed
# In order to override the default TLS certificate location for
# vnc certificates, supply a valid path to the certificate directory.
# If the provided path does not exist then the default_tls_x509_cert_dir
# path will be used.
#
#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
@ -55,6 +76,9 @@
# Enabling this option will reject any client who does not have a
# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
#
# If this option is not supplied, it will be set to the value of
# "default_tls_x509_verify".
#
#vnc_tls_x509_verify = 1
@ -117,15 +141,10 @@
#spice_tls = 1
# Use of TLS requires that x509 certificates be issued. The
# default it to keep them in /etc/pki/libvirt-spice. This directory
# must contain
#
# ca-cert.pem - the CA master certificate
# server-cert.pem - the server certificate signed with ca-cert.pem
# server-key.pem - the server private key
#
# This option allows the certificate directory to be changed.
# In order to override the default TLS certificate location for
# spice certificates, supply a valid path to the certificate directory.
# If the provided path does not exist then the default_tls_x509_cert_dir
# path will be used.
#
#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

View File

@ -238,19 +238,44 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
if (virAsprintf(&cfg->autostartDir, "%s/qemu/autostart", cfg->configBaseDir) < 0)
goto error;
if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
/* Set the default directory to find TLS X.509 certificates.
* This will then be used as a fallback if the service specific
* directory doesn't exist (although we don't check if this exists).
*/
if (VIR_STRDUP(cfg->defaultTLSx509certdir,
SYSCONFDIR "/pki/qemu") < 0)
goto error;
if (VIR_STRDUP(cfg->vncTLSx509certdir, SYSCONFDIR "/pki/libvirt-vnc") < 0)
if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
goto error;
if (VIR_STRDUP(cfg->spiceListen, "127.0.0.1") < 0)
goto error;
if (VIR_STRDUP(cfg->spiceTLSx509certdir,
SYSCONFDIR "/pki/libvirt-spice") < 0)
goto error;
/*
* If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then assume someone
* has created a val specific area to place service specific certificates.
*
* If the service specific directory doesn't exist, 'assume' that the
* user has created and populated the "SYSCONFDIR" + "pki/libvirt-default".
*/
#define SET_TLS_X509_CERT_DEFAULT(val) \
do { \
if (virFileExists(SYSCONFDIR "/pki/libvirt-"#val)) { \
if (VIR_STRDUP(cfg->val ## TLSx509certdir, \
SYSCONFDIR "/pki/libvirt-"#val) < 0) \
goto error; \
} else { \
if (VIR_STRDUP(cfg->val ## TLSx509certdir, \
cfg->defaultTLSx509certdir) < 0) \
goto error; \
} \
} while (false);
SET_TLS_X509_CERT_DEFAULT(vnc);
SET_TLS_X509_CERT_DEFAULT(spice);
#undef SET_TLS_X509_CERT_DEFAULT
cfg->remotePortMin = QEMU_REMOTE_PORT_MIN;
cfg->remotePortMax = QEMU_REMOTE_PORT_MAX;
@ -338,6 +363,8 @@ static void virQEMUDriverConfigDispose(void *obj)
VIR_FREE(cfg->channelTargetDir);
VIR_FREE(cfg->nvramDir);
VIR_FREE(cfg->defaultTLSx509certdir);
VIR_FREE(cfg->vncTLSx509certdir);
VIR_FREE(cfg->vncListen);
VIR_FREE(cfg->vncPassword);
@ -392,6 +419,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
{
virConfPtr conf = NULL;
int ret = -1;
int rv;
size_t i, j;
char *stdioHandler = NULL;
char *user = NULL, *group = NULL;
@ -411,12 +439,18 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
if (!(conf = virConfReadFile(filename, 0)))
goto cleanup;
if (virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir) < 0)
goto cleanup;
if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
goto cleanup;
if (virConfGetValueBool(conf, "vnc_auto_unix_socket", &cfg->vncAutoUnixSocket) < 0)
goto cleanup;
if (virConfGetValueBool(conf, "vnc_tls", &cfg->vncTLS) < 0)
goto cleanup;
if (virConfGetValueBool(conf, "vnc_tls_x509_verify", &cfg->vncTLSx509verify) < 0)
if ((rv = virConfGetValueBool(conf, "vnc_tls_x509_verify", &cfg->vncTLSx509verify)) < 0)
goto cleanup;
if (rv == 0)
cfg->vncTLSx509verify = cfg->defaultTLSx509verify;
if (virConfGetValueString(conf, "vnc_tls_x509_cert_dir", &cfg->vncTLSx509certdir) < 0)
goto cleanup;
if (virConfGetValueString(conf, "vnc_listen", &cfg->vncListen) < 0)

View File

@ -109,6 +109,9 @@ struct _virQEMUDriverConfig {
char *channelTargetDir;
char *nvramDir;
char *defaultTLSx509certdir;
bool defaultTLSx509verify;
bool vncAutoUnixSocket;
bool vncTLS;
bool vncTLSx509verify;

View File

@ -2,6 +2,8 @@ module Test_libvirtd_qemu =
::CONFIG::
test Libvirtd_qemu.lns get conf =
{ "default_tls_x509_cert_dir" = "/etc/pki/qemu" }
{ "default_tls_x509_verify" = "1" }
{ "vnc_listen" = "0.0.0.0" }
{ "vnc_auto_unix_socket" = "1" }
{ "vnc_tls" = "1" }