diff --git a/src/ch/ch_conf.c b/src/ch/ch_conf.c
index ae8e4af337..b9e4463aba 100644
--- a/src/ch/ch_conf.c
+++ b/src/ch/ch_conf.c
@@ -168,6 +168,9 @@ virCHDriverConfigNew(bool privileged)
         cfg->saveDir = g_strdup_printf("%s/ch/save", configbasedir);
     }
+    // TODO: we should read this from a config file.
+    cfg->migrateTLSx509certdir = g_strdup_printf("%s/pki", cfg->configDir);
+
     return cfg;
 }
@@ -185,6 +188,8 @@ virCHDriverConfigDispose(void *obj)
     g_free(cfg->saveDir);
     g_free(cfg->stateDir);
     g_free(cfg->logDir);
+
+    g_free(cfg->migrateTLSx509certdir);
 }
 #define MIN_VERSION ((15 * 1000000) + (0 * 1000) + (0))
diff --git a/src/ch/ch_conf.h b/src/ch/ch_conf.h
index 2ec89cc630..1c330b971c 100644
--- a/src/ch/ch_conf.h
+++ b/src/ch/ch_conf.h
@@ -53,6 +53,8 @@ struct _virCHDriverConfig {
     gid_t group;
     bool stdioLogD;
+
+    char *migrateTLSx509certdir;
 };
 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virCHDriverConfig, virObjectUnref);
diff --git a/src/ch/ch_domain.h b/src/ch/ch_domain.h
index 771543bfe8..aba75aa2cd 100644
--- a/src/ch/ch_domain.h
+++ b/src/ch/ch_domain.h
@@ -58,6 +58,7 @@ struct _chMigrationDstArgs {
     virCond cond;
     volatile bool success;
     char *tcp_serial_url;
+    bool use_tls;
 };
 #define CH_DOMAIN_PRIVATE(vm) \
diff --git a/src/ch/ch_driver.c b/src/ch/ch_driver.c
index f58d8e6e4c..95f01de0a6 100644
--- a/src/ch/ch_driver.c
+++ b/src/ch/ch_driver.c
@@ -2756,7 +2756,8 @@ chDoMigrateDstReceive(void *opaque)
                                     args->def,
                                     args->driver,
                                     &args->cond,
-                                    args->tcp_serial_url) < 0) {
+                                    args->tcp_serial_url,
+                                    args->use_tls) < 0) {
         DBG("Migration receive failed.");
         args->success = false;
         return;
@@ -2926,6 +2927,7 @@ chDomainMigratePrepare3(virConnectPtr dconn,
     args->driver = driver;
     args->success = false;
     args->tcp_serial_url = NULL;
+    args->use_tls = flags & VIR_MIGRATE_TLS;
     if (vm->def->nserials > 0 &&
         vm->def->serials[0]->source->type == VIR_DOMAIN_CHR_TYPE_TCP) {
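Review bot: The certificate directory is pinned to `<configDir>/pki` with no way for an administrator to point it elsewhere, yet the error strings added in ch_monitor.c name `migrate_tls_x509_cert_dir` as though it were a tunable (the qemu driver does expose a key of that name), so an operator who hits that message will go looking for a setting the ch driver does not have. Until the TODO is resolved, the comment on this line should say where the path really comes from and what must be inside it, e.g. `/* TODO: load from driver config like qemu's migrate_tls_x509_cert_dir; until then cloud-hypervisor's TLS material is expected under <configDir>/pki */`. The assignment also depends on `cfg->configDir` already being populated earlier in virCHDriverConfigNew, which begins outside this hunk — worth confirming it is set on both the privileged and session branches before this point.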
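Review bot: The new `migrateTLSx509certdir` field is the only member in this struct tied to a security mechanism and it carries no comment, so a reader cannot tell from the header who owns the string or what lives at the path. A one-line note would do: `/* Directory handed to cloud-hypervisor as "tls_dir" for TLS migrations; owned by this config, freed in virCHDriverConfigDispose */`. The struct's opening brace is outside the hunk, so I have not checked whether other fields here follow a commenting convention.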
@@ -3089,7 +3091,8 @@ chDomainMigratePerform3Impl(virDomainObj *vm,
                             int *cookieoutlen,
                             unsigned long flags,
                             const char *dname,
-                            unsigned parallel_connections)
+                            unsigned parallel_connections,
+                            bool use_tls)
 {
     virCHDomainObjPrivate *priv = vm->privateData;
     g_autofree char *id = NULL;
@@ -3100,8 +3103,8 @@ chDomainMigratePerform3Impl(virDomainObj *vm,
     int rc = -1;
     g_autoptr(virCHDriverConfig) cfg = virCHDriverGetConfig(driver);
-    DBG("chDomainMigratePerform3Impl %s %s %s %lu %s %u",
-        xmlin, dconnuri, uri, flags, dname, parallel_connections);
+    DBG("chDomainMigratePerform3Impl %s %s %s %lu %s %u %s",
+        xmlin, dconnuri, uri, flags, dname, parallel_connections, use_tls ? "true" : "false");
     if (!priv->monitor) {
         VIR_ERROR(_("VMs monitor not initialized"));
@@ -3154,7 +3157,7 @@ chDomainMigratePerform3Impl(virDomainObj *vm,
         uri = uri_out;
     }
-    if (virCHMonitorMigrationSend(priv->monitor, uri, parallel_connections) < 0) {
+    if (virCHMonitorMigrationSend(priv->monitor, uri, parallel_connections, use_tls, driver->config->migrateTLSx509certdir) < 0) {
         DBG("Migration send failed.");
         dconn->driver->domainMigrateFinish3(dconn, vm->def->name, NULL, 0, NULL, NULL, NULL, uri, flags, 1);
         rc = -1;
@@ -3245,7 +3248,8 @@ chDomainMigratePerform3(virDomainPtr dom,
                                      cookieoutlen,
                                      flags,
                                      dname,
-                                     1);
+                                     1,
+                                     false);
 cleanup:
     virDomainObjEndAPI(&vm);
@@ -3270,6 +3274,7 @@ chDomainMigratePerform3Params(virDomainPtr dom,
     virDomainObj *vm;
     virCHDriver *driver = dom->conn->privateData;
     int rc = -1;
+    bool use_tls = false;
     if (virTypedParamsGetString(params, nparams,
                                 VIR_MIGRATE_PARAM_URI,
@@ -3302,6 +3307,8 @@ chDomainMigratePerform3Params(virDomainPtr dom,
         parallel_connections = 1;
     }
+    use_tls = flags & VIR_MIGRATE_TLS;
+
     DBG("chDomainMigratePerform3Params dconnuri: %s dname: %s parallel connection: %d", dconnuri, dname, parallel_connections);
     if (!(vm = virCHDomainObjFromDomain(dom)))
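Review bot: The call to virCHMonitorMigrationSend reads `driver->config->migrateTLSx509certdir` directly even though this function already holds a reference-counted snapshot of the configuration in `cfg` (`g_autoptr(virCHDriverConfig) cfg = virCHDriverGetConfig(driver);` in the previous hunk); use `cfg->migrateTLSx509certdir` so the certificate directory comes from the same config object as everything else in the function, and the line drops back under the file's usual width. Whether `driver->config` can be replaced while a migration is in flight is not visible here; if it can, the direct read is an unlocked access to a shared pointer, if it cannot, this is a consistency nit only. chDomainMigratePerform3Impl continues outside the hunk.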
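Review bot: chDomainMigratePerform3 passes a literal `false` for `use_tls`, so a client that sets VIR_MIGRATE_TLS through the non-params migration API is silently given a plaintext migration stream, while chDomainMigratePerform3Params in the same file derives the value from `flags`. A security flag should fail closed rather than downgrade: either pass `flags & VIR_MIGRATE_TLS` here as well, or reject the flag for this entry point so the caller learns TLS was not honoured. The two-line fix is `1,` followed by `flags & VIR_MIGRATE_TLS);` in place of `false);`. chDomainMigratePerform3 begins before the hunk, so I could not check which flags its virCheckFlags mask admits.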
@@ -3321,7 +3328,8 @@ chDomainMigratePerform3Params(virDomainPtr dom,
                                      cookieoutlen,
                                      flags,
                                      dname,
-                                     parallel_connections);
+                                     parallel_connections,
+                                     use_tls);
 error:
     virDomainObjEndAPI(&vm);
     return rc;
diff --git a/src/ch/ch_monitor.c b/src/ch/ch_monitor.c
index 236ad8a4f0..63cfd8c6e4 100644
--- a/src/ch/ch_monitor.c
+++ b/src/ch/ch_monitor.c
@@ -1667,7 +1667,9 @@ int virCHMonitorRemoveDevice(virCHMonitor *mon,
 int virCHMonitorMigrationSend(virCHMonitor *mon,
                               const char *dst_uri,
-                              unsigned parallel_connections)
+                              unsigned parallel_connections,
+                              bool use_tls,
+                              char *tls_dir)
 {
     g_autofree char *url = NULL;
     int responseCode = 0;
@@ -1692,6 +1694,19 @@ int virCHMonitorMigrationSend(virCHMonitor *mon,
         return -1;
     }
+    if (use_tls) {
+        if (!virFileExists(tls_dir)) {
+            virReportError(
+                VIR_ERR_CONF_SYNTAX,
+                _("migrate_tls_x509_cert_dir directory '%1$s' does not exist"),
+                tls_dir);
+            return -1;
+        }
+
+        if (virJSONValueObjectAppendString(content, "tls_dir", tls_dir) != 0)
+            return -1;
+    }
+
     if (!(payload = virJSONValueToString(content, false)))
         return -1;
@@ -1814,7 +1829,8 @@ int virCHMonitorMigrationReceive(virCHMonitor *mon,
                                  virDomainDef *vmdef,
                                  virCHDriver *driver,
                                  virCond *cond,
-                                 char *tcp_serial_url)
+                                 char *tcp_serial_url,
+                                 bool use_tls)
 {
     size_t i = 0;
     VIR_AUTOCLOSE mon_sockfd = -1;
@@ -1891,6 +1907,20 @@ int virCHMonitorMigrationReceive(virCHMonitor *mon,
             goto out;
         }
     }
+
+    if (use_tls) {
+        if (!virFileExists(driver->config->migrateTLSx509certdir)) {
+            virReportError(
+                VIR_ERR_CONF_SYNTAX,
+                _("migrate_tls_x509_cert_dir directory '%1$s' does not exist"),
+                driver->config->migrateTLSx509certdir);
+            return -1;
+        }
+
+        if (virJSONValueObjectAppendString(content, "tls_dir", driver->config->migrateTLSx509certdir) != 0)
+            return -1;
+    }
+
     if (!(payload = virJSONValueToString(content, false))) {
         rc = -1;
         goto out;
diff --git a/src/ch/ch_monitor.h b/src/ch/ch_monitor.h
index 5d73381aca..0001634870 100644
--- a/src/ch/ch_monitor.h
+++ b/src/ch/ch_monitor.h
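Review bot: `virFileExists(tls_dir)` only proves that something is at the path — a stray regular file or an empty directory passes, and the real failure then surfaces later from cloud-hypervisor with a less useful error — so `virFileIsDir(tls_dir)` is the check that matches the message. VIR_ERR_CONF_SYNTAX is also the wrong class at migration time, nothing is being parsed here, and the text names `migrate_tls_x509_cert_dir` although this series makes it a fixed path rather than a configurable key; `VIR_ERR_INTERNAL_ERROR, _("TLS certificate directory '%1$s' does not exist")` would be honest about where the value comes from. Note that this check says nothing about the certificate, key or CA inside the directory or their permissions, and whether cloud-hypervisor verifies the peer against that CA is not visible from this patch, so the driver should not document `tls_dir` as providing peer authentication until that is confirmed. `tls_dir` is only read and forwarded, so the parameter should be `const char *tls_dir`.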
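Review bot: Both new error paths in virCHMonitorMigrationReceive `return -1;` directly, while every other failure in this function — including the `virJSONValueToString` failure immediately below — sets `rc = -1` and jumps to `out:`, so whatever cleanup `out:` performs is skipped when the certificate directory is missing or the JSON append fails; the label and the function's tail are outside the hunk, so I cannot say what is leaked beyond the fact that `mon_sockfd` is VIR_AUTOCLOSE and will survive, anything else will not. Change both to `rc = -1; goto out;`. This block is also a verbatim copy of the one added to virCHMonitorMigrationSend, with the same `virFileExists`/VIR_ERR_CONF_SYNTAX issues; a small static helper keeps the two from drifting and lets each caller keep its own error-flow convention.
```c
/* Append cloud-hypervisor's "tls_dir" to a migration request after
 * verifying the configured certificate directory really is a directory. */
static int
virCHMonitorAppendTLSDir(virJSONValue *content, const char *tls_dir)
{
    if (!virFileIsDir(tls_dir)) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("TLS certificate directory '%1$s' does not exist"),
                       tls_dir);
        return -1;
    }
    return virJSONValueObjectAppendString(content, "tls_dir", tls_dir);
}

/* … unchanged: virCHMonitorMigrationReceive up to the serial-port loop … */
    if (use_tls &&
        virCHMonitorAppendTLSDir(content, driver->config->migrateTLSx509certdir) < 0) {
        rc = -1;
        goto out;
    }
```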
@@ -139,10 +139,12 @@ int virCHMonitorSaveVM(virCHMonitor *mon, const char *to);
 int virCHMonitorMigrationSend(virCHMonitor *mon,
                               const char *dst_uri,
-                              unsigned parallel_connections);
+                              unsigned parallel_connections,
+                              bool use_tls,
+                              char *tls_dir);
 int virCHMonitorMigrationReceive(virCHMonitor *mon, const char *rcv_uri,
-                                 virDomainDef *vmdef, virCHDriver *driver, virCond *cond, char* tcp_serial_url);
+                                 virDomainDef *vmdef, virCHDriver *driver, virCond *cond, char* tcp_serial_url, bool use_tls);
 int virCHMonitorRemoveDevice(virCHMonitor *mon, const char* device_id);
 int virCHMonitorGetInfo(virCHMonitor *mon, virJSONValue **info);
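Review bot: `char *tls_dir` should be declared `const char *tls_dir`: the monitor only forwards the path into the JSON body, and the string the driver passes is owned by virCHDriverConfig, so the prototype should not suggest the callee may modify or retain it. A brief comment on the declaration would also help callers, since the argument is ignored unless `use_tls` is set: `/* tls_dir: certificate directory passed to cloud-hypervisor; consulted only when use_tls is true */`. The `char* tcp_serial_url` spacing on the Receive prototype predates this change and is only a style nit.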