mirror of
https://github.com/qemu/qemu.git
synced 2024-11-28 06:13:46 +08:00
nbd patches for 2019-03-08
- support TLS client authorization in NBD servers - iotest 223 race fix -----BEGIN PGP SIGNATURE----- iQEcBAABCAAGBQJcgqh3AAoJEKeha0olJ0Nq/bgH/1TXo49gC9SMNcBBHd5vqc6/ J+eXYQihmGLy7pNkfCBTB0QZz9d7V4tN/N1PAuIfzsHxcQJeyUBwcY7jin2SiTTM lfR9NWDY43OE+8tcPSXODyo3mge8g3d1X3vw8/QMX95TDrKQ8SMwAllegCFBKPZs T0+Jyfd8oA0NcQz4EPPUL5f2ptLo2slye2ZjbMBn/1WFrYkL+joUYJgyakYcZnY/ mcvmXF2JLG2fPzFoU1yvF+oZn6J2fx5pw92P+SZ7lA+qRzlWfvrVyK9sNqCS+K5m qdfMeeL/SyUPsUvlcbDH7iSjxWkR/h7MtXRq83FHzupasMeXiQ9ieb3MFAtHnGM= =5pyZ -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2019-03-08' into staging nbd patches for 2019-03-08 - support TLS client authorization in NBD servers - iotest 223 race fix # gpg: Signature made Fri 08 Mar 2019 17:37:59 GMT # gpg: using RSA key A7A16B4A2527436A # gpg: Good signature from "Eric Blake <eblake@redhat.com>" [full] # gpg: aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" [full] # gpg: aka "[jpeg image of size 6874]" [full] # Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A * remotes/ericb/tags/pull-nbd-2019-03-08: iotests: Wait for qemu to end in 223 nbd: fix outdated qapi docs syntax for tls-creds nbd: allow authorization with nbd-server-start QMP command qemu-nbd: add support for authorization of TLS clients Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
commit
e2a18635a4
@ -23,6 +23,7 @@
|
||||
typedef struct NBDServerData {
|
||||
QIONetListener *listener;
|
||||
QCryptoTLSCreds *tlscreds;
|
||||
char *tlsauthz;
|
||||
} NBDServerData;
|
||||
|
||||
static NBDServerData *nbd_server;
|
||||
@ -36,7 +37,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
|
||||
gpointer opaque)
|
||||
{
|
||||
qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
|
||||
nbd_client_new(cioc, nbd_server->tlscreds, NULL,
|
||||
nbd_client_new(cioc, nbd_server->tlscreds, nbd_server->tlsauthz,
|
||||
nbd_blockdev_client_closed);
|
||||
}
|
||||
|
||||
@ -52,6 +53,7 @@ static void nbd_server_free(NBDServerData *server)
|
||||
if (server->tlscreds) {
|
||||
object_unref(OBJECT(server->tlscreds));
|
||||
}
|
||||
g_free(server->tlsauthz);
|
||||
|
||||
g_free(server);
|
||||
}
|
||||
@ -87,7 +89,7 @@ static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
|
||||
|
||||
|
||||
void nbd_server_start(SocketAddress *addr, const char *tls_creds,
|
||||
Error **errp)
|
||||
const char *tls_authz, Error **errp)
|
||||
{
|
||||
if (nbd_server) {
|
||||
error_setg(errp, "NBD server already running");
|
||||
@ -117,6 +119,8 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
|
||||
}
|
||||
}
|
||||
|
||||
nbd_server->tlsauthz = g_strdup(tls_authz);
|
||||
|
||||
qio_net_listener_set_client_func(nbd_server->listener,
|
||||
nbd_accept,
|
||||
NULL,
|
||||
@ -131,11 +135,12 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
|
||||
|
||||
void qmp_nbd_server_start(SocketAddressLegacy *addr,
|
||||
bool has_tls_creds, const char *tls_creds,
|
||||
bool has_tls_authz, const char *tls_authz,
|
||||
Error **errp)
|
||||
{
|
||||
SocketAddress *addr_flat = socket_address_flatten(addr);
|
||||
|
||||
nbd_server_start(addr_flat, tls_creds, errp);
|
||||
nbd_server_start(addr_flat, tls_creds, tls_authz, errp);
|
||||
qapi_free_SocketAddress(addr_flat);
|
||||
}
|
||||
|
||||
|
2
hmp.c
2
hmp.c
@ -2373,7 +2373,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
|
||||
goto exit;
|
||||
}
|
||||
|
||||
nbd_server_start(addr, NULL, &local_err);
|
||||
nbd_server_start(addr, NULL, NULL, &local_err);
|
||||
qapi_free_SocketAddress(addr);
|
||||
if (local_err != NULL) {
|
||||
goto exit;
|
||||
|
@ -326,13 +326,13 @@ void nbd_export_close_all(void);
|
||||
|
||||
void nbd_client_new(QIOChannelSocket *sioc,
|
||||
QCryptoTLSCreds *tlscreds,
|
||||
const char *tlsaclname,
|
||||
const char *tlsauthz,
|
||||
void (*close_fn)(NBDClient *, bool));
|
||||
void nbd_client_get(NBDClient *client);
|
||||
void nbd_client_put(NBDClient *client);
|
||||
|
||||
void nbd_server_start(SocketAddress *addr, const char *tls_creds,
|
||||
Error **errp);
|
||||
const char *tls_authz, Error **errp);
|
||||
|
||||
/* nbd_read
|
||||
* Reads @size bytes from @ioc. Returns 0 on success.
|
||||
|
10
nbd/server.c
10
nbd/server.c
@ -111,7 +111,7 @@ struct NBDClient {
|
||||
|
||||
NBDExport *exp;
|
||||
QCryptoTLSCreds *tlscreds;
|
||||
char *tlsaclname;
|
||||
char *tlsauthz;
|
||||
QIOChannelSocket *sioc; /* The underlying data channel */
|
||||
QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
|
||||
|
||||
@ -686,7 +686,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client,
|
||||
|
||||
tioc = qio_channel_tls_new_server(ioc,
|
||||
client->tlscreds,
|
||||
client->tlsaclname,
|
||||
client->tlsauthz,
|
||||
errp);
|
||||
if (!tioc) {
|
||||
return NULL;
|
||||
@ -1348,7 +1348,7 @@ void nbd_client_put(NBDClient *client)
|
||||
if (client->tlscreds) {
|
||||
object_unref(OBJECT(client->tlscreds));
|
||||
}
|
||||
g_free(client->tlsaclname);
|
||||
g_free(client->tlsauthz);
|
||||
if (client->exp) {
|
||||
QTAILQ_REMOVE(&client->exp->clients, client, next);
|
||||
nbd_export_put(client->exp);
|
||||
@ -2425,7 +2425,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
|
||||
*/
|
||||
void nbd_client_new(QIOChannelSocket *sioc,
|
||||
QCryptoTLSCreds *tlscreds,
|
||||
const char *tlsaclname,
|
||||
const char *tlsauthz,
|
||||
void (*close_fn)(NBDClient *, bool))
|
||||
{
|
||||
NBDClient *client;
|
||||
@ -2437,7 +2437,7 @@ void nbd_client_new(QIOChannelSocket *sioc,
|
||||
if (tlscreds) {
|
||||
object_ref(OBJECT(client->tlscreds));
|
||||
}
|
||||
client->tlsaclname = g_strdup(tlsaclname);
|
||||
client->tlsauthz = g_strdup(tlsauthz);
|
||||
client->sioc = sioc;
|
||||
object_ref(OBJECT(client->sioc));
|
||||
client->ioc = QIO_CHANNEL(sioc);
|
||||
|
@ -224,7 +224,12 @@
|
||||
# QEMU instance could refer to them as "nbd:HOST:PORT:exportname=NAME".
|
||||
#
|
||||
# @addr: Address on which to listen.
|
||||
# @tls-creds: (optional) ID of the TLS credentials object. Since 2.6
|
||||
# @tls-creds: ID of the TLS credentials object (since 2.6).
|
||||
# @tls-authz: ID of the QAuthZ authorization object used to validate
|
||||
# the client's x509 distinguished name. This object is
|
||||
# is only resolved at time of use, so can be deleted and
|
||||
# recreated on the fly while the NBD server is active.
|
||||
# If missing, it will default to denying access (since 4.0).
|
||||
#
|
||||
# Returns: error if the server is already running.
|
||||
#
|
||||
@ -232,7 +237,8 @@
|
||||
##
|
||||
{ 'command': 'nbd-server-start',
|
||||
'data': { 'addr': 'SocketAddressLegacy',
|
||||
'*tls-creds': 'str'} }
|
||||
'*tls-creds': 'str',
|
||||
'*tls-authz': 'str'} }
|
||||
|
||||
##
|
||||
# @nbd-server-add:
|
||||
|
19
qemu-nbd.c
19
qemu-nbd.c
@ -58,6 +58,7 @@
|
||||
#define QEMU_NBD_OPT_TLSCREDS 261
|
||||
#define QEMU_NBD_OPT_IMAGE_OPTS 262
|
||||
#define QEMU_NBD_OPT_FORK 263
|
||||
#define QEMU_NBD_OPT_TLSAUTHZ 264
|
||||
|
||||
#define MBR_SIZE 512
|
||||
|
||||
@ -71,6 +72,7 @@ static int shared = 1;
|
||||
static int nb_fds;
|
||||
static QIONetListener *server;
|
||||
static QCryptoTLSCreds *tlscreds;
|
||||
static const char *tlsauthz;
|
||||
|
||||
static void usage(const char *name)
|
||||
{
|
||||
@ -103,6 +105,8 @@ static void usage(const char *name)
|
||||
" --object type,id=ID,... define an object such as 'secret' for providing\n"
|
||||
" passwords and/or encryption keys\n"
|
||||
" --tls-creds=ID use id of an earlier --object to provide TLS\n"
|
||||
" --tls-authz=ID use id of an earlier --object to provide\n"
|
||||
" authorization\n"
|
||||
" -T, --trace [[enable=]<pattern>][,events=<file>][,file=<file>]\n"
|
||||
" specify tracing options\n"
|
||||
" --fork fork off the server process and exit the parent\n"
|
||||
@ -452,7 +456,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
|
||||
|
||||
nb_fds++;
|
||||
nbd_update_server_watch();
|
||||
nbd_client_new(cioc, tlscreds, NULL, nbd_client_closed);
|
||||
nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed);
|
||||
}
|
||||
|
||||
static void nbd_update_server_watch(void)
|
||||
@ -643,6 +647,7 @@ int main(int argc, char **argv)
|
||||
{ "export-name", required_argument, NULL, 'x' },
|
||||
{ "description", required_argument, NULL, 'D' },
|
||||
{ "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
|
||||
{ "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
|
||||
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
|
||||
{ "trace", required_argument, NULL, 'T' },
|
||||
{ "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
|
||||
@ -862,6 +867,9 @@ int main(int argc, char **argv)
|
||||
g_free(trace_file);
|
||||
trace_file = trace_opt_parse(optarg);
|
||||
break;
|
||||
case QEMU_NBD_OPT_TLSAUTHZ:
|
||||
tlsauthz = optarg;
|
||||
break;
|
||||
case QEMU_NBD_OPT_FORK:
|
||||
fork_process = true;
|
||||
break;
|
||||
@ -934,12 +942,21 @@ int main(int argc, char **argv)
|
||||
error_report("TLS is not supported with a host device");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
if (tlsauthz && list) {
|
||||
error_report("TLS authorization is incompatible with export list");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
|
||||
if (local_err) {
|
||||
error_report("Failed to get TLS creds %s",
|
||||
error_get_pretty(local_err));
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
} else {
|
||||
if (tlsauthz) {
|
||||
error_report("--tls-authz is not permitted without --tls-creds");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
if (list) {
|
||||
|
@ -117,6 +117,10 @@ option; or provide the credentials needed for connecting as a client
|
||||
in list mode.
|
||||
@item --fork
|
||||
Fork off the server process and exit the parent once the server is running.
|
||||
@item --tls-authz=ID
|
||||
Specify the ID of a qauthz object previously created with the
|
||||
--object option. This will be used to authorize connecting users
|
||||
against their x509 distinguished name.
|
||||
@item -v, --verbose
|
||||
Display extra debugging information.
|
||||
@item -h, --help
|
||||
@ -142,13 +146,16 @@ qemu-nbd -f qcow2 file.qcow2
|
||||
@end example
|
||||
|
||||
Start a long-running server listening with encryption on port 10810,
|
||||
and require clients to have a correct X.509 certificate to connect to
|
||||
and whitelist clients with a specific X.509 certificate to connect to
|
||||
a 1 megabyte subset of a raw file, using the export name 'subset':
|
||||
|
||||
@example
|
||||
qemu-nbd \
|
||||
--object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
|
||||
--tls-creds tls0 -t -x subset -p 10810 \
|
||||
--object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\
|
||||
O=Example Org,,L=London,,ST=London,,C=GB' \
|
||||
--tls-creds tls0 --tls-authz auth0 \
|
||||
-t -x subset -p 10810 \
|
||||
--image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw
|
||||
@end example
|
||||
|
||||
|
@ -179,6 +179,7 @@ _send_qemu_cmd $QEMU_HANDLE '{"execute":"nbd-server-remove",
|
||||
_send_qemu_cmd $QEMU_HANDLE '{"execute":"nbd-server-stop"}' "return"
|
||||
_send_qemu_cmd $QEMU_HANDLE '{"execute":"nbd-server-stop"}' "error" # Again
|
||||
_send_qemu_cmd $QEMU_HANDLE '{"execute":"quit"}' "return"
|
||||
wait=yes _cleanup_qemu
|
||||
|
||||
echo
|
||||
echo "=== Use qemu-nbd as server ==="
|
||||
|
@ -89,6 +89,7 @@ read 2097152/2097152 bytes at offset 2097152
|
||||
{"return": {}}
|
||||
{"error": {"class": "GenericError", "desc": "NBD server not running"}}
|
||||
{"return": {}}
|
||||
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
|
||||
|
||||
=== Use qemu-nbd as server ===
|
||||
|
||||
|
@ -61,6 +61,7 @@ tls_x509_create_root_ca "ca2"
|
||||
tls_x509_create_server "ca1" "server1"
|
||||
tls_x509_create_client "ca1" "client1"
|
||||
tls_x509_create_client "ca2" "client2"
|
||||
tls_x509_create_client "ca1" "client3"
|
||||
|
||||
echo
|
||||
echo "== preparing image =="
|
||||
@ -93,11 +94,15 @@ $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port
|
||||
|
||||
echo
|
||||
echo "== check TLS works =="
|
||||
obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
|
||||
$QEMU_IMG info --image-opts --object $obj \
|
||||
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
|
||||
obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0
|
||||
$QEMU_IMG info --image-opts --object $obj1 \
|
||||
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
|
||||
2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
||||
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
|
||||
$QEMU_IMG info --image-opts --object $obj2 \
|
||||
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
|
||||
2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
||||
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
|
||||
--tls-creds=tls0
|
||||
|
||||
echo
|
||||
@ -119,6 +124,27 @@ $QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \
|
||||
|
||||
$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" | _filter_qemu_io
|
||||
|
||||
echo
|
||||
echo "== check TLS with authorization =="
|
||||
|
||||
nbd_server_stop
|
||||
|
||||
nbd_server_start_tcp_socket \
|
||||
--object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
|
||||
--object "authz-simple,id=authz0,identity=CN=localhost,, \
|
||||
O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
|
||||
--tls-authz authz0 \
|
||||
--tls-creds tls0 \
|
||||
-f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
|
||||
|
||||
$QEMU_IMG info --image-opts \
|
||||
--object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
|
||||
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
|
||||
|
||||
$QEMU_IMG info --image-opts \
|
||||
--object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \
|
||||
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
|
||||
|
||||
echo
|
||||
echo "== final server log =="
|
||||
cat "$TEST_DIR/server.log"
|
||||
|
@ -6,6 +6,7 @@ Generating a self signed certificate...
|
||||
Generating a signed certificate...
|
||||
Generating a signed certificate...
|
||||
Generating a signed certificate...
|
||||
Generating a signed certificate...
|
||||
|
||||
== preparing image ==
|
||||
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
|
||||
@ -29,6 +30,10 @@ image: nbd://127.0.0.1:PORT
|
||||
file format: nbd
|
||||
virtual size: 64M (67108864 bytes)
|
||||
disk size: unavailable
|
||||
image: nbd://127.0.0.1:PORT
|
||||
file format: nbd
|
||||
virtual size: 64M (67108864 bytes)
|
||||
disk size: unavailable
|
||||
exports available: 1
|
||||
export: ''
|
||||
size: 67108864
|
||||
@ -51,7 +56,13 @@ wrote 1048576/1048576 bytes at offset 1048576
|
||||
read 1048576/1048576 bytes at offset 1048576
|
||||
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
||||
|
||||
== check TLS with authorization ==
|
||||
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=10809,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
|
||||
qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=10809,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
|
||||
|
||||
== final server log ==
|
||||
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
||||
qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
|
||||
qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied
|
||||
qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied
|
||||
*** done
|
||||
|
Loading…
Reference in New Issue
Block a user