qemu: conf: Add configuration of TLS environment for NBD transport of pull-backups

TLS is required to transport backed-up data securely when using pull-mode backups. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2025-01-21 22:03:49 +03:00 · 2020-06-26 16:37:16 +02:00 · 2020-06-26 16:37:16 +02:00 · d37a2cd5ed
commit d37a2cd5ed
parent fffc147ba2
6 changed files with 71 additions and 0 deletions
--- a/docs/formatbackup.rst
+++ b/docs/formatbackup.rst
@ -42,6 +42,10 @@ were supplied). The following child elements and attributes are supported:
   necessary to set up an NBD server that exposes the content of each disk at
   the time the backup is started.

+   Note that for the QEMU hypervisor the TLS environment in controlled using
+   ``backup_tls_x509_cert_dir``, ``backup_tls_x509_verify``, and
+   ``backup_tls_x509_secret_uuid`` properties in ``/etc/libvirt/qemu.conf``.
+
 ``disks``
   An optional listing of instructions for disks participating in the backup (if
   omitted, all disks participate and libvirt attempts to generate filenames by
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@ -59,6 +59,10 @@ module Libvirtd_qemu =
                 | bool_entry "migrate_tls_x509_verify"
                 | str_entry "migrate_tls_x509_secret_uuid"

+   let backup_entry = str_entry "backup_tls_x509_cert_dir"
+                 | bool_entry "backup_tls_x509_verify"
+                 | str_entry "backup_tls_x509_secret_uuid"
+
   let vxhs_entry = bool_entry "vxhs_tls"
                 | str_entry "vxhs_tls_x509_cert_dir"
                 | str_entry "vxhs_tls_x509_secret_uuid"
@ -146,6 +150,7 @@ module Libvirtd_qemu =
             | spice_entry
             | chardev_entry
             | migrate_entry
+             | backup_entry
             | nogfx_entry
             | remote_display_entry
             | security_entry
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@ -395,6 +395,43 @@
 #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"


+# In order to override the default TLS certificate location for backup NBD
+# server certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but TLS-encrypted backup is requested, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the backup_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#backup_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@ -347,6 +347,9 @@ static void virQEMUDriverConfigDispose(void *obj)
    VIR_FREE(cfg->migrateTLSx509certdir);
    VIR_FREE(cfg->migrateTLSx509secretUUID);

+    VIR_FREE(cfg->backupTLSx509certdir);
+    VIR_FREE(cfg->backupTLSx509secretUUID);
+
    while (cfg->nhugetlbfs) {
        cfg->nhugetlbfs--;
        VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir);
@ -511,6 +514,9 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
    GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
    GET_CONFIG_TLS_CERTINFO_SERVER(migrate);

+    GET_CONFIG_TLS_CERTINFO_COMMON(backup);
+    GET_CONFIG_TLS_CERTINFO_SERVER(backup);
+
    GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);

    GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
@ -1154,6 +1160,14 @@ virQEMUDriverConfigValidate(virQEMUDriverConfigPtr cfg)
        return -1;
    }

+    if (cfg->backupTLSx509certdir &&
+        !virFileExists(cfg->backupTLSx509certdir)) {
+        virReportError(VIR_ERR_CONF_SYNTAX,
+                       _("backup_tls_x509_cert_dir directory '%s' does not exist"),
+                       cfg->backupTLSx509certdir);
+        return -1;
+    }
+
    if (cfg->vxhsTLSx509certdir &&
        !virFileExists(cfg->vxhsTLSx509certdir)) {
        virReportError(VIR_ERR_CONF_SYNTAX,
@ -1189,6 +1203,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
    SET_TLS_SECRET_UUID_DEFAULT(vnc);
    SET_TLS_SECRET_UUID_DEFAULT(chardev);
    SET_TLS_SECRET_UUID_DEFAULT(migrate);
+    SET_TLS_SECRET_UUID_DEFAULT(backup);
    SET_TLS_SECRET_UUID_DEFAULT(vxhs);
    SET_TLS_SECRET_UUID_DEFAULT(nbd);

@ -1216,6 +1231,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
    SET_TLS_X509_CERT_DEFAULT(spice);
    SET_TLS_X509_CERT_DEFAULT(chardev);
    SET_TLS_X509_CERT_DEFAULT(migrate);
+    SET_TLS_X509_CERT_DEFAULT(backup);
    SET_TLS_X509_CERT_DEFAULT(vxhs);
    SET_TLS_X509_CERT_DEFAULT(nbd);

@ -1230,6 +1246,7 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
    SET_TLS_VERIFY_DEFAULT(vnc);
    SET_TLS_VERIFY_DEFAULT(chardev);
    SET_TLS_VERIFY_DEFAULT(migrate);
+    SET_TLS_VERIFY_DEFAULT(backup);

 #undef SET_TLS_VERIFY_DEFAULT

--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@ -144,6 +144,11 @@ struct _virQEMUDriverConfig {
    bool migrateTLSx509verifyPresent;
    char *migrateTLSx509secretUUID;

+    char *backupTLSx509certdir;
+    bool backupTLSx509verify;
+    bool backupTLSx509verifyPresent;
+    char *backupTLSx509secretUUID;
+
    bool vxhsTLS;
    char *vxhsTLSx509certdir;
    char *vxhsTLSx509secretUUID;
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@ -35,6 +35,9 @@ module Test_libvirtd_qemu =
 { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
 { "migrate_tls_x509_verify" = "1" }
 { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" }
+{ "backup_tls_x509_verify" = "1" }
+{ "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "nographics_allow_host_audio" = "1" }
 { "remote_display_port_min" = "5900" }
 { "remote_display_port_max" = "65535" }