conf: Add new default TLS X.509 certificate default directory

Rather than specify perhaps multiple TLS X.509 certificate directories, let's create a "default" directory which can then be used if the service (e.g. for now vnc and spice) does not supply a default directory. Since the default for vnc and spice may have existed before without being supplied, the default check will first check if the service specific path exists and if so, set the cfg entry to that; otherwise, the default will be set to the (now) new defaultTLSx509certdir. Additionally add a "default_tls_x509_verify" entry which can also be used to force the peer verification option (for vnc it's a x509verify option). Add/alter the macro for the option being found in the config file to accept the default value. Signed-off-by: N John Ferlan <jferlan@redhat.com>

conf: Add new default TLS X.509 certificate default directory
Rather than specify perhaps multiple TLS X.509 certificate directories, let's create a "default" directory which can then be used if the service (e.g. for now vnc and spice) does not supply a default directory. Since the default for vnc and spice may have existed before without being supplied, the default check will first check if the service specific path exists and if so, set the cfg entry to that; otherwise, the default will be set to the (now) new defaultTLSx509certdir. Additionally add a "default_tls_x509_verify" entry which can also be used to force the peer verification option (for vnc it's a x509verify option). Add/alter the macro for the option being found in the config file to accept the default value. Signed-off-by: N John Ferlan <jferlan@redhat.com>
c12cb5ed · John Ferlan · 66278d4b · c12cb5ed · c12cb5ed · c12cb5ed
5 changed file
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -27,6 +27,9 @@ module Libvirtd_qemu =


   (* Config entry grouped by function - same order as example config *)
+   let default_tls_entry = str_entry "default_tls_x509_cert_dir"
+                 | bool_entry "default_tls_x509_verify"
+
   let vnc_entry = str_entry "vnc_listen"
                 | bool_entry "vnc_auto_unix_socket"
                 | bool_entry "vnc_tls"
@@ -98,7 +101,8 @@ module Libvirtd_qemu =
   let nvram_entry = str_array_entry "nvram"

   (* Each entry in the config is one of the following ... *)
-   let entry = vnc_entry
+   let entry = default_tls_entry
+             | vnc_entry
             | spice_entry
             | nogfx_entry
             | remote_display_entry

--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -2,6 +2,32 @@
 # All settings described here are optional - if omitted, sensible
 # defaults are used.

+# Use of TLS requires that x509 certificates be issued. The default is
+# to keep them in /etc/pki/qemu. This directory must contain
+#
+#  ca-cert.pem - the CA master certificate
+#  server-cert.pem - the server certificate signed with ca-cert.pem
+#  server-key.pem  - the server private key
+#
+# and optionally may contain
+#
+#  dh-params.pem - the DH params configuration file
+#
+#default_tls_x509_cert_dir = "/etc/pki/qemu"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
+#
+#default_tls_x509_verify = 1
+
 # VNC is configured to listen on 127.0.0.1 by default.
 # To make it listen on all public interfaces, uncomment
 # this next option.
@@ -32,15 +58,10 @@
 #vnc_tls = 1


-# Use of TLS requires that x509 certificates be issued. The
-# default it to keep them in /etc/pki/libvirt-vnc. This directory
-# must contain
-#
-#  ca-cert.pem - the CA master certificate
-#  server-cert.pem - the server certificate signed with ca-cert.pem
-#  server-key.pem  - the server private key
-#
-# This option allows the certificate directory to be changed
+# In order to override the default TLS certificate location for
+# vnc certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist then the default_tls_x509_cert_dir
+# path will be used.
 #
 #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"

@@ -55,6 +76,9 @@
 # Enabling this option will reject any client who does not have a
 # certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
 #
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
 #vnc_tls_x509_verify = 1


@@ -117,15 +141,10 @@
 #spice_tls = 1


-# Use of TLS requires that x509 certificates be issued. The
-# default it to keep them in /etc/pki/libvirt-spice. This directory
-# must contain
-#
-#  ca-cert.pem - the CA master certificate
-#  server-cert.pem - the server certificate signed with ca-cert.pem
-#  server-key.pem  - the server private key
-#
-# This option allows the certificate directory to be changed.
+# In order to override the default TLS certificate location for
+# spice certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist then the default_tls_x509_cert_dir
+# path will be used.
 #
 #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"


--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -238,19 +238,44 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
    if (virAsprintf(&cfg->autostartDir, "%s/qemu/autostart", cfg->configBaseDir) < 0)
        goto error;

-
-    if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
+    /* Set the default directory to find TLS X.509 certificates.
+     * This will then be used as a fallback if the service specific
+     * directory doesn't exist (although we don't check if this exists).
+     */
+    if (VIR_STRDUP(cfg->defaultTLSx509certdir,
+                   SYSCONFDIR "/pki/qemu") < 0)
        goto error;

-    if (VIR_STRDUP(cfg->vncTLSx509certdir, SYSCONFDIR "/pki/libvirt-vnc") < 0)
+    if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
        goto error;

    if (VIR_STRDUP(cfg->spiceListen, "127.0.0.1") < 0)
        goto error;

-    if (VIR_STRDUP(cfg->spiceTLSx509certdir,
-                   SYSCONFDIR "/pki/libvirt-spice") < 0)
-        goto error;
+    /*
+     * If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then assume someone
+     * has created a val specific area to place service specific certificates.
+     *
+     * If the service specific directory doesn't exist, 'assume' that the
+     * user has created and populated the "SYSCONFDIR" + "pki/libvirt-default".
+     */
+#define SET_TLS_X509_CERT_DEFAULT(val)                                 \
+    do {                                                               \
+        if (virFileExists(SYSCONFDIR "/pki/libvirt-"#val)) {           \
+            if (VIR_STRDUP(cfg->val ## TLSx509certdir,                 \
+                           SYSCONFDIR "/pki/libvirt-"#val) < 0)        \
+                goto error;                                            \
+        } else {                                                       \
+            if (VIR_STRDUP(cfg->val ## TLSx509certdir,                 \
+                           cfg->defaultTLSx509certdir) < 0)            \
+                goto error;                                            \
+        }                                                              \
+    } while (false);
+
+    SET_TLS_X509_CERT_DEFAULT(vnc);
+    SET_TLS_X509_CERT_DEFAULT(spice);
+
+#undef SET_TLS_X509_CERT_DEFAULT

    cfg->remotePortMin = QEMU_REMOTE_PORT_MIN;
    cfg->remotePortMax = QEMU_REMOTE_PORT_MAX;
@@ -338,6 +363,8 @@ static void virQEMUDriverConfigDispose(void *obj)
    VIR_FREE(cfg->channelTargetDir);
    VIR_FREE(cfg->nvramDir);

+    VIR_FREE(cfg->defaultTLSx509certdir);
+
    VIR_FREE(cfg->vncTLSx509certdir);
    VIR_FREE(cfg->vncListen);
    VIR_FREE(cfg->vncPassword);
@@ -392,6 +419,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
 {
    virConfPtr conf = NULL;
    int ret = -1;
+    int rv;
    size_t i, j;
    char *stdioHandler = NULL;
    char *user = NULL, *group = NULL;
@@ -411,12 +439,18 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
    if (!(conf = virConfReadFile(filename, 0)))
        goto cleanup;

+    if (virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir) < 0)
+        goto cleanup;
+    if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
+        goto cleanup;
    if (virConfGetValueBool(conf, "vnc_auto_unix_socket", &cfg->vncAutoUnixSocket) < 0)
        goto cleanup;
    if (virConfGetValueBool(conf, "vnc_tls", &cfg->vncTLS) < 0)
        goto cleanup;
-    if (virConfGetValueBool(conf, "vnc_tls_x509_verify", &cfg->vncTLSx509verify) < 0)
+    if ((rv = virConfGetValueBool(conf, "vnc_tls_x509_verify", &cfg->vncTLSx509verify)) < 0)
        goto cleanup;
+    if (rv == 0)
+        cfg->vncTLSx509verify = cfg->defaultTLSx509verify;
    if (virConfGetValueString(conf, "vnc_tls_x509_cert_dir", &cfg->vncTLSx509certdir) < 0)
        goto cleanup;
    if (virConfGetValueString(conf, "vnc_listen", &cfg->vncListen) < 0)

--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -109,6 +109,9 @@ struct _virQEMUDriverConfig {
    char *channelTargetDir;
    char *nvramDir;

+    char *defaultTLSx509certdir;
+    bool defaultTLSx509verify;
+
    bool vncAutoUnixSocket;
    bool vncTLS;
    bool vncTLSx509verify;

--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -2,6 +2,8 @@ module Test_libvirtd_qemu =
  ::CONFIG::

   test Libvirtd_qemu.lns get conf =
+{ "default_tls_x509_cert_dir" = "/etc/pki/qemu" }
+{ "default_tls_x509_verify" = "1" }
 { "vnc_listen" = "0.0.0.0" }
 { "vnc_auto_unix_socket" = "1" }
 { "vnc_tls" = "1" }