From ffe8028ca07eb049b12d5c152b3d66489378d731 Mon Sep 17 00:00:00 2001
Message-Id: <ffe8028ca07eb049b12d5c152b3d66489378d731@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Mon, 16 Mar 2020 22:11:56 +0100
Subject: [PATCH] conf: Add support for modifying ssl validation for https/ftps
disks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To allow turning off verification of SSL certificates add a new element
<ssl> to the disk source XML which will allow configuring the validation
process using the 'verify' attribute.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 25481e25b14108373bf2e5e95c04fe30bff96bb4)
https://bugzilla.redhat.com/show_bug.cgi?id=1804750
Message-Id: <ede13179128fc9ef05036a5408f4115132a2c12d.1584391727.git.pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
docs/formatdomain.html.in | 9 ++++
docs/schemas/domaincommon.rng | 51 ++++++++++++++++++-
src/conf/domain_conf.c | 19 +++++++
src/util/virstoragefile.c | 1 +
src/util/virstoragefile.h | 1 +
.../disk-network-http.xml | 9 ++++
6 files changed, 88 insertions(+), 2 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
|
|
|
d76c62 |
index e9830ab231..2cce247958 100644
|
|
|
d76c62 |
--- a/docs/formatdomain.html.in
|
|
|
d76c62 |
+++ b/docs/formatdomain.html.in
|
|
|
d76c62 |
@@ -2847,6 +2847,7 @@
|
|
|
d76c62 |
<driver name='qemu' type='raw'/>
|
|
|
d76c62 |
<source protocol="https" name="url_path">
|
|
|
d76c62 |
<host name="hostname" port="443"/>
|
|
|
d76c62 |
+ <ssl verify="no"/>
|
|
|
d76c62 |
</source>
|
|
|
d76c62 |
<target dev='hdf' bus='ide' tray='open'/>
|
|
|
d76c62 |
<readonly/>
|
|
|
d76c62 |
@@ -3373,6 +3374,14 @@
|
|
|
d76c62 |
The offset and size values are in bytes.
|
|
|
d76c62 |
Since 6.1.0
|
|
|
d76c62 |
|
|
|
d76c62 |
+ ssl
|
|
|
d76c62 |
+
|
|
|
d76c62 |
+ For https and ftps accessed storage it's
|
|
|
d76c62 |
+ possible to tweak the SSL transport parameters with this element.
|
|
|
d76c62 |
+ The verify attribute allows to turn on or off SSL
|
|
|
d76c62 |
+ certificate validation. Supported values are yes and
|
|
|
d76c62 |
+ no . Since 6.2.0
|
|
|
d76c62 |
+
|
|
|
d76c62 |
|
|
|
d76c62 |
|
|
|
d76c62 |
|
|
|
d76c62 |
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
|
|
|
d76c62 |
index aa70e340b9..548601b61c 100644
|
|
|
d76c62 |
--- a/docs/schemas/domaincommon.rng
|
|
|
d76c62 |
+++ b/docs/schemas/domaincommon.rng
|
|
|
d76c62 |
@@ -1808,12 +1808,39 @@
|
|
|
d76c62 |
</element>
|
|
|
d76c62 |
</define>
|
|
|
d76c62 |
|
|
|
d76c62 |
+ <define name="diskSourceNetworkProtocolSSLVerify">
|
|
|
d76c62 |
+ <element name="ssl">
|
|
|
d76c62 |
+ <attribute name="verify">
|
|
|
d76c62 |
+ <ref name="virYesNo"/>
|
|
|
d76c62 |
+ </attribute>
|
|
|
d76c62 |
+ <empty/>
|
|
|
d76c62 |
+ </element>
|
|
|
d76c62 |
+ </define>
|
|
|
d76c62 |
+
|
|
|
d76c62 |
+ <define name="diskSourceNetworkProtocolHTTPS">
|
|
|
d76c62 |
+ <element name="source">
|
|
|
d76c62 |
+ <attribute name="protocol">
|
|
|
d76c62 |
+ <choice>
|
|
|
d76c62 |
+ <value>https</value>
|
|
|
d76c62 |
+ </choice>
|
|
|
d76c62 |
+ </attribute>
|
|
|
d76c62 |
+ <attribute name="name"/>
|
|
|
d76c62 |
+ <ref name="diskSourceCommon"/>
|
|
|
d76c62 |
+ <ref name="diskSourceNetworkHost"/>
|
|
|
d76c62 |
+ <optional>
|
|
|
d76c62 |
+ <ref name="encryption"/>
|
|
|
d76c62 |
+ </optional>
|
|
|
d76c62 |
+ <optional>
|
|
|
d76c62 |
+ <ref name="diskSourceNetworkProtocolSSLVerify"/>
|
|
|
d76c62 |
+ </optional>
|
|
|
d76c62 |
+ </element>
|
|
|
d76c62 |
+ </define>
|
|
|
d76c62 |
+
|
|
|
d76c62 |
<define name="diskSourceNetworkProtocolHTTP">
|
|
|
d76c62 |
<element name="source">
|
|
|
d76c62 |
<attribute name="protocol">
|
|
|
d76c62 |
<choice>
|
|
|
d76c62 |
<value>http</value>
|
|
|
d76c62 |
- <value>https</value>
|
|
|
d76c62 |
</choice>
|
|
|
d76c62 |
</attribute>
|
|
|
d76c62 |
<attribute name="name"/>
|
|
|
d76c62 |
@@ -1825,13 +1852,31 @@
|
|
|
d76c62 |
</element>
|
|
|
d76c62 |
</define>
|
|
|
d76c62 |
|
|
|
d76c62 |
+ <define name="diskSourceNetworkProtocolFTPS">
|
|
|
d76c62 |
+ <element name="source">
|
|
|
d76c62 |
+ <attribute name="protocol">
|
|
|
d76c62 |
+ <choice>
|
|
|
d76c62 |
+ <value>ftps</value>
|
|
|
d76c62 |
+ </choice>
|
|
|
d76c62 |
+ </attribute>
|
|
|
d76c62 |
+ <attribute name="name"/>
|
|
|
d76c62 |
+ <ref name="diskSourceCommon"/>
|
|
|
d76c62 |
+ <ref name="diskSourceNetworkHost"/>
|
|
|
d76c62 |
+ <optional>
|
|
|
d76c62 |
+ <ref name="encryption"/>
|
|
|
d76c62 |
+ </optional>
|
|
|
d76c62 |
+ <optional>
|
|
|
d76c62 |
+ <ref name="diskSourceNetworkProtocolSSLVerify"/>
|
|
|
d76c62 |
+ </optional>
|
|
|
d76c62 |
+ </element>
|
|
|
d76c62 |
+ </define>
|
|
|
d76c62 |
+
|
|
|
d76c62 |
<define name="diskSourceNetworkProtocolSimple">
|
|
|
d76c62 |
<element name="source">
|
|
|
d76c62 |
<attribute name="protocol">
|
|
|
d76c62 |
<choice>
|
|
|
d76c62 |
<value>sheepdog</value>
|
|
|
d76c62 |
<value>ftp</value>
|
|
|
d76c62 |
- <value>ftps</value>
|
|
|
d76c62 |
<value>tftp</value>
|
|
|
d76c62 |
</choice>
|
|
|
d76c62 |
</attribute>
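Review bot: `diskSourceNetworkProtocolFTPS` is a line-for-line copy of `diskSourceNetworkProtocolHTTPS` from the previous hunk with only the protocol value changed, so the `<ssl>` grammar now lives in two places that must be kept in sync whenever the element gains attributes. The two could be one define (say `diskSourceNetworkProtocolHTTPSFTPS`) whose `<attribute name="protocol">` holds a `<choice>` of `https` and `ftps`, the same way `diskSourceNetworkProtocolSimple` directly below lists several protocols, with the `<choice>` in the last hunk then referencing a single name. Style only; the accepted documents are the same either way.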
|
|
|
d76c62 |
@@ -1909,6 +1954,8 @@
|
|
|
d76c62 |
<ref name="diskSourceNetworkProtocolRBD"/>
|
|
|
d76c62 |
<ref name="diskSourceNetworkProtocolISCSI"/>
|
|
|
d76c62 |
<ref name="diskSourceNetworkProtocolHTTP"/>
|
|
|
d76c62 |
+ <ref name="diskSourceNetworkProtocolHTTPS"/>
|
|
|
d76c62 |
+ <ref name="diskSourceNetworkProtocolFTPS"/>
|
|
|
d76c62 |
<ref name="diskSourceNetworkProtocolSimple"/>
|
|
|
d76c62 |
<ref name="diskSourceNetworkProtocolVxHS"/>
|
|
|
d76c62 |
</choice>
|
|
|
d76c62 |
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
|
|
|
d76c62 |
index b3c4084c38..70bbc35bb3 100644
|
|
|
d76c62 |
--- a/src/conf/domain_conf.c
|
|
|
d76c62 |
+++ b/src/conf/domain_conf.c
|
|
|
d76c62 |
@@ -9259,6 +9259,7 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
|
|
|
d76c62 |
g_autofree char *protocol = NULL;
|
|
|
d76c62 |
g_autofree char *haveTLS = NULL;
|
|
|
d76c62 |
g_autofree char *tlsCfg = NULL;
|
|
|
d76c62 |
+ g_autofree char *sslverifystr = NULL;
|
|
|
d76c62 |
|
|
|
d76c62 |
if (!(protocol = virXMLPropString(node, "protocol"))) {
|
|
|
d76c62 |
virReportError(VIR_ERR_XML_ERROR, "%s",
|
|
|
d76c62 |
@@ -9331,6 +9332,19 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
|
|
|
d76c62 |
|
|
|
d76c62 |
virStorageSourceInitiatorParseXML(ctxt, &src->initiator);
|
|
|
d76c62 |
|
|
|
d76c62 |
+ if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
|
|
|
d76c62 |
+ src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) &&
|
|
|
d76c62 |
+ (sslverifystr = virXPathString("string(./ssl/@verify)", ctxt))) {
|
|
|
d76c62 |
+ int verify;
|
|
|
d76c62 |
+ if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0) {
|
|
|
d76c62 |
+ virReportError(VIR_ERR_XML_ERROR,
|
|
|
d76c62 |
+ _("invalid ssl verify mode '%s'"), sslverifystr);
|
|
|
d76c62 |
+ return -1;
|
|
|
d76c62 |
+ }
|
|
|
d76c62 |
+
|
|
|
d76c62 |
+ src->sslverify = verify;
|
|
|
d76c62 |
+ }
|
|
|
d76c62 |
+
|
|
|
d76c62 |
return 0;
|
|
|
d76c62 |
}
|
|
|
d76c62 |
|
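Review bot: The check `if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0)` rejects only unknown strings, so `verify='default'` (the tristate's zero value, if virTristateBool's string table is as I recall) is accepted, stored as VIR_TRISTATE_BOOL_ABSENT and then silently dropped by the formatter, although the RNG and the documentation admit only yes/no. Using `if ((verify = virTristateBoolTypeFromString(sslverifystr)) <= 0) {` makes the C parser agree with the schema; as far as I remember, the `tls` attribute read into `haveTLS` earlier in this function is handled the same way. A short comment on the block would also tell a reader what is being opted into, e.g. `/* verify='no' turns off TLS certificate checking for the disk's https/ftps transport; only honoured for those protocols */`. virDomainDiskSourceNetworkParse begins before this hunk.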
|
|
d76c62 |
@@ -24312,6 +24326,11 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
|
|
|
d76c62 |
|
|
|
d76c62 |
virStorageSourceInitiatorFormatXML(&src->initiator, childBuf);
|
|
|
d76c62 |
|
|
|
d76c62 |
+ if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT) {
|
|
|
d76c62 |
+ virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
|
|
|
d76c62 |
+ virTristateBoolTypeToString(src->sslverify));
|
|
|
d76c62 |
+ }
|
|
|
d76c62 |
+
|
|
|
d76c62 |
return 0;
|
|
|
d76c62 |
}
|
|
|
d76c62 |
|
|
|
d76c62 |
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
|
|
|
d76c62 |
index b88763b267..cfa77fccf8 100644
|
|
|
d76c62 |
--- a/src/util/virstoragefile.c
|
|
|
d76c62 |
+++ b/src/util/virstoragefile.c
|
|
|
d76c62 |
@@ -2270,6 +2270,7 @@ virStorageSourceCopy(const virStorageSource *src,
|
|
|
d76c62 |
def->cachemode = src->cachemode;
|
|
|
d76c62 |
def->discard = src->discard;
|
|
|
d76c62 |
def->detect_zeroes = src->detect_zeroes;
|
|
|
d76c62 |
+ def->sslverify = src->sslverify;
|
|
|
d76c62 |
|
|
|
d76c62 |
/* storage driver metadata are not copied */
|
|
|
d76c62 |
def->drv = NULL;
|
|
|
d76c62 |
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
|
|
|
d76c62 |
index 5b995d54ab..fab4248c3d 100644
|
|
|
d76c62 |
--- a/src/util/virstoragefile.h
|
|
|
d76c62 |
+++ b/src/util/virstoragefile.h
|
|
|
d76c62 |
@@ -282,6 +282,7 @@ struct _virStorageSource {
|
|
|
d76c62 |
virStorageEncryptionPtr encryption;
|
|
|
d76c62 |
bool encryptionInherited;
|
|
|
d76c62 |
virStoragePRDefPtr pr;
|
|
|
d76c62 |
+ virTristateBool sslverify;
|
|
|
d76c62 |
|
|
|
d76c62 |
virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */
|
|
|
d76c62 |
|
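Review bot: The new `sslverify` member is added without a comment saying which element fills it or what its zero value means, while the neighbouring `nvme` field does carry a `/* type == ... */` note. Suggest `virTristateBool sslverify; /* <ssl verify=''/> of https/ftps sources; ABSENT when the element is omitted */`, which is exactly how the parser and formatter in this series treat it. The struct begins and ends outside the hunk.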
|
|
d76c62 |
diff --git a/tests/genericxml2xmlindata/disk-network-http.xml b/tests/genericxml2xmlindata/disk-network-http.xml
|
|
|
d76c62 |
index fde1222fd0..bdcc1977f2 100644
|
|
|
d76c62 |
--- a/tests/genericxml2xmlindata/disk-network-http.xml
|
|
|
d76c62 |
+++ b/tests/genericxml2xmlindata/disk-network-http.xml
|
|
|
d76c62 |
@@ -25,6 +25,7 @@
|
|
|
d76c62 |
<driver name='qemu' type='raw'/>
|
|
|
d76c62 |
<source protocol='https' name='test2.img'>
|
|
|
d76c62 |
<host name='example.org' port='443'/>
|
|
|
d76c62 |
+ <ssl verify='no'/>
|
|
|
d76c62 |
</source>
|
|
|
d76c62 |
<target dev='vdb' bus='virtio'/>
|
|
|
d76c62 |
</disk>
|
|
|
d76c62 |
@@ -35,6 +36,14 @@
|
|
|
d76c62 |
</source>
|
|
|
d76c62 |
<target dev='vdc' bus='virtio'/>
|
|
|
d76c62 |
</disk>
|
|
|
d76c62 |
+ <disk type='network' device='disk'>
|
|
|
d76c62 |
+ <driver name='qemu' type='raw'/>
|
|
|
d76c62 |
+ <source protocol='https' name='test4.img'>
|
|
|
d76c62 |
+ <host name='example.org' port='1234'/>
|
|
|
d76c62 |
+ <ssl verify='yes'/>
|
|
|
d76c62 |
+ </source>
|
|
|
d76c62 |
+ <target dev='vdd' bus='virtio'/>
|
|
|
d76c62 |
+ </disk>
|
|
|
d76c62 |
<controller type='usb' index='0'/>
|
|
|
d76c62 |
<controller type='pci' index='0' model='pci-root'/>
|
|
|
d76c62 |
<input type='mouse' bus='ps2'/>
|
|
|
d76c62 |
--
|
|
|
d76c62 |
2.25.1
|
|
|
d76c62 |
|