On Tue, May 14, 2024 at 04:28:28PM +0100, Richard W.M. Jones wrote:
If TLS is required (--tls=require), when either --run or --print-uri
is used, include extra query parameters ?tls-certificates=... or
?tls-psk-key=... in the URI.
These are simply copied from the corresponding --tls-certificates or
--tls-psk parameter on the nbdkit command line without any other
modification (we don't make it an absolute path as it's not needed).
This will probably only work for libnbd-based clients.
This commit as it stands doesn't actually work well for PSK, unless
the username in the PSK file happens to coincide with the local login
name.
Example:
$ nbdkit null \
--tls=require --tls-certificates=tests/pki --tls-verify-peer \
--print-uri \
--run 'echo uri="$uri" ; nbdinfo "$uri"'
nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki
Shell-quoted URI:
"nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki"
Command to query the NBD endpoint:
nbdinfo
"nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki"
uri=nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki
protocol: newstyle-fixed with TLS, using structured packets
export="":
export-size: 0
content: empty
uri: nbds+unix:///?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki
contexts:
base:allocation
is_rotational: false
is_read_only: false
can_block_status_payload: false
can_cache: true
can_df: true
can_fast_zero: true
can_flush: true
can_fua: true
can_multi_conn: true
can_trim: true
can_zero: true
---
server/uri.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/server/uri.c b/server/uri.c
index 0810ee4c06..441034261a 100644
--- a/server/uri.c
+++ b/server/uri.c
@@ -52,6 +52,7 @@ make_uri (void)
char *r = NULL;
const bool tls_required = tls == 2;
const char *scheme;
+ bool query_appended;
switch (service_mode) {
case SERVICE_MODE_SOCKET_ACTIVATION:
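Review bot: `query_appended` is declared here without an initializer, so its definedness at the later `putc (query_appended ? '&' : '?', fp)` depends on every `case` of `switch (service_mode)` assigning it before `break`. The later hunks do assign it on the socket, vsock and TCP/IP paths and the remaining path ends in `abort ()`, but an explicit `bool query_appended = false;` would keep the read well-defined if a new service mode is added later and avoids a -Wmaybe-uninitialized warning from compilers that cannot see through the switch.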
@@ -97,6 +98,7 @@ make_uri (void)
}
fprintf (fp, "?socket=");
uri_quote (unixsocket, fp);
+ query_appended = true;
break;
case SERVICE_MODE_VSOCK:
/* 1 = VMADDR_CID_LOCAL */
@@ -109,6 +111,7 @@ make_uri (void)
putc ('/', fp);
uri_quote (export_name, fp);
}
+ query_appended = false;
break;
case SERVICE_MODE_TCPIP:
fputs ("localhost", fp);
@@ -120,6 +123,7 @@ make_uri (void)
putc ('/', fp);
uri_quote (export_name, fp);
}
+ query_appended = false;
break;
case SERVICE_MODE_SOCKET_ACTIVATION:
@@ -130,6 +134,24 @@ make_uri (void)
abort ();
}
+ /* For TLS, append tls-certificates or tls-psk-file. Note that
+ * tls-certificates requires libnbd >= 1.10 (Sep 2021) and it fails
+ * strangely with older versions (RHEL 8 is too old). Hopefully
+ * this will resolve itself over time as people upgrade libnbd.
+ * qemu probably ignores these parameters.
+ */
Yes, you can't pass TLS certs via an NBD URI to QEMU. They
need to be loaded with QEMU's '-object id=$ID,....' argument
and then referenced from the nbd blockdev with 'tls-creds=$ID'
I don't believe QEMU complains about unknown URI query
parameters, though I might make the argument that it should
complain about anything unknown as an aid to diagnose user
errors. I'm not planning any such change myself though.
+ if (tls_required && (tls_certificates_dir || tls_psk)) {
+ putc (query_appended ? '&' : '?', fp);
+ if (tls_certificates_dir) {
+ fputs ("tls-certificates=", fp);
+ uri_quote (tls_certificates_dir, fp);
+ }
+ else if (tls_psk) {
+ fputs ("tls-psk-file=", fp);
+ uri_quote (tls_psk, fp);
+ }
+ }
+
if (close_memstream (fp) == EOF) {
perror ("uri: close_memstream");
exit (EXIT_FAILURE);
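Review bot: the commit message says the URI gains `?tls-psk-key=...`, but the code emits `tls-psk-file=` (`fputs ("tls-psk-file=", fp)`), so one of the two should be corrected to match. Separately, `uri_quote (tls_certificates_dir, fp)` and `uri_quote (tls_psk, fp)` copy the path exactly as given on the command line, so a relative value such as `tests/pki` in the example only resolves for a client started from the same working directory as nbdkit; that holds for `--run`, but a URI obtained via `--print-uri` may be used from elsewhere, so either converting the path to an absolute one here or stating the working-directory assumption in the documentation would avoid confusing connection failures. The PSK limitation already noted in the commit message (the username in the PSK file must match the local login name) is also worth a line in the manual page, since the printed URI gives no hint of it.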
--
2.44.0
With regards,
Daniel