admin: Introduce virAdmServerUpdateTlsFiles
authorZhang Bo <oscar.zhangbo@huawei.com>
Sat, 7 Mar 2020 11:31:02 +0000 (19:31 +0800)
committerDaniel P. Berrangé <berrange@redhat.com>
Fri, 13 Mar 2020 17:07:32 +0000 (17:07 +0000)
The server needs the CA certificate, CRL and server certificate/key to
complete the TLS handshake. If these files changed, libvirtd had to be
restarted for them to take effect. This API updates the TLS context
*ONLINE*, without restarting libvirtd.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhang Bo <oscar.zhangbo@huawei.com>
Signed-off-by: Wu Qingliang <wuqingliang4@huawei.com>
include/libvirt/libvirt-admin.h
src/admin/admin_protocol.x
src/admin/admin_server.c
src/admin/admin_server.h
src/admin/libvirt-admin.c
src/admin/libvirt_admin_private.syms
src/admin/libvirt_admin_public.syms
src/admin_protocol-structs

index abf279292617fd2834e63823e716b7802f68e2b1..e414f776e4c0b8b5b8bf5be2fde3838e59cf6e50 100644 (file)
@@ -402,6 +402,9 @@ int virAdmServerSetClientLimits(virAdmServerPtr srv,
                                 int nparams,
                                 unsigned int flags);
 
+int virAdmServerUpdateTlsFiles(virAdmServerPtr srv,
+                               unsigned int flags);
+
 int virAdmConnectGetLoggingOutputs(virAdmConnectPtr conn,
                                    char **outputs,
                                    unsigned int flags);
index 42e215d23a2b143c2375a1134e32dcb7800308e8..7dc672403201be72b2659967246642b59ad7a4a3 100644 (file)
@@ -181,6 +181,11 @@ struct admin_server_set_client_limits_args {
     unsigned int flags;
 };
 
+struct admin_server_update_tls_files_args {
+    admin_nonnull_server srv;
+    unsigned int flags;
+};
+
 struct admin_connect_get_logging_outputs_args {
     unsigned int flags;
 };
@@ -314,5 +319,10 @@ enum admin_procedure {
     /**
      * @generate: both
      */
-    ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS = 17
+    ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS = 17,
+
+    /**
+     * @generate: both
+     */
+    ADMIN_PROC_SERVER_UPDATE_TLS_FILES = 18
 };
index ba87f701c3111599a335bda886a0520b2babefbc..ebc0cfb0451ca155b5f454693e24df88476f990c 100644 (file)
@@ -367,3 +367,12 @@ adminServerSetClientLimits(virNetServerPtr srv,
 
     return 0;
 }
+
+int
+adminServerUpdateTlsFiles(virNetServerPtr srv,
+                          unsigned int flags)
+{
+    virCheckFlags(0, -1);
+
+    return virNetServerUpdateTlsFiles(srv);
+}
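Review bot: adminServerUpdateTlsFiles replaces the daemon's trust material (CA, CRL, server certificate/key per the commit message) but leaves no record at this layer of when a reload was requested or whether it failed. Unless virNetServerUpdateTlsFiles, which is not visible in this hunk, already logs, add a line before the call such as `VIR_INFO("TLS file reload requested via admin interface");` and log the failure path as well, so a change of trust anchors can be found afterwards. The function also has no comment; `/* Re-reads the server's TLS files; @flags must be 0. */` would match what its two statements do.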
index 1d5cbec55f9d89ecdcd2a801757eb2c746f51675..08877a8edcf8c66eadea47bd6b3f63bebd6bfcd5 100644 (file)
@@ -67,3 +67,6 @@ int adminServerSetClientLimits(virNetServerPtr srv,
                                virTypedParameterPtr params,
                                int nparams,
                                unsigned int flags);
+
+int adminServerUpdateTlsFiles(virNetServerPtr srv,
+                              unsigned int flags);
index a8592ebfd375f5efb9da0e17f55781d5e09d580e..835b5560d2fe644dd4ed183be331bb2cde26b4a7 100644 (file)
@@ -1078,6 +1078,36 @@ virAdmServerSetClientLimits(virAdmServerPtr srv,
     return ret;
 }
 
+/**
+ * virAdmServerUpdateTlsFiles:
+ * @srv: a valid server object reference
+ * @flags: extra flags; not used yet, so callers should always pass 0
+ *
+ * Notify server to update tls file, such as cacert, cacrl, server cert / key.
+ *
+ * Returns 0 if the TLS files have been updated successfully or -1 in case of an
+ * error.
+ */
+int
+virAdmServerUpdateTlsFiles(virAdmServerPtr srv,
+                           unsigned int flags)
+{
+    int ret = -1;
+
+    VIR_DEBUG("srv=%p, flags=0x%x", srv, flags);
+    virResetLastError();
+
+    virCheckAdmServerGoto(srv, error);
+
+    if ((ret = remoteAdminServerUpdateTlsFiles(srv, flags)) < 0)
+        goto error;
+
+    return ret;
+ error:
+    virDispatchError(NULL);
+    return ret;
+}
+
 /**
  * virAdmConnectGetLoggingOutputs:
  * @conn: pointer to an active admin connection
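Review bot: The doc comment on virAdmServerUpdateTlsFiles does not tell a caller what the reload covers or guarantees. The call takes no path argument, so the files are presumably re-read from the locations the daemon is already configured with; the description could say so, e.g. `* Ask the server to re-read its CA certificate, CRL and server certificate/key from their configured locations.` It should also state, after confirming against virNetServerUpdateTlsFiles (not in this hunk), whether sessions established before the call keep running under the old CA/CRL, which matters when the reload is meant to revoke a client, and whether a failed reload leaves the previous TLS context in use. "tls file" in the current text should read "TLS files".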
index 9526412de8b27cc715578c6bca3763eb97244c31..157a45341e31a894e6f9b36c303eda256b822464 100644 (file)
@@ -31,6 +31,7 @@ xdr_admin_server_lookup_client_args;
 xdr_admin_server_lookup_client_ret;
 xdr_admin_server_set_client_limits_args;
 xdr_admin_server_set_threadpool_parameters_args;
+xdr_admin_server_update_tls_files_args;
 
 # datatypes.h
 virAdmClientClass;
index 9a3f843780b7b78c6dd247920a70b966fdc99fcb..8126973e5bb980b97fd31b5da236381362f86eaa 100644 (file)
@@ -38,6 +38,7 @@ LIBVIRT_ADMIN_2.0.0 {
         virAdmClientClose;
         virAdmServerGetClientLimits;
         virAdmServerSetClientLimits;
+        virAdmServerUpdateTlsFiles;
 };
 
 LIBVIRT_ADMIN_3.0.0 {
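Review bot: virAdmServerUpdateTlsFiles is added to the LIBVIRT_ADMIN_2.0.0 node, which appears to be already released given that a LIBVIRT_ADMIN_3.0.0 node follows it. A program linked against this build would bind the symbol to version 2.0.0 and then fail at symbol lookup, rather than at the version check, on an older library that has the 2.0.0 node without this function. New public symbols normally go in a node for the release that introduces them, chained to the previous one, along the lines of `LIBVIRT_ADMIN_<release> { global: virAdmServerUpdateTlsFiles; } LIBVIRT_ADMIN_3.0.0;`, where `<release>` is a placeholder because the target version is not shown on this page.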
index 983e6e5292dbda8dcb80edb41fbf5bb0c172b1e0..76c511babfc82d7d3422d96fd8e6054a7c390a1b 100644 (file)
@@ -118,6 +118,10 @@ struct admin_server_set_client_limits_args {
         } params;
         u_int                      flags;
 };
+struct admin_server_update_tls_files_args {
+        admin_nonnull_server       srv;
+        u_int                      flags;
+};
 struct admin_connect_get_logging_outputs_args {
         u_int                      flags;
 };
@@ -158,4 +162,5 @@ enum admin_procedure {
         ADMIN_PROC_CONNECT_GET_LOGGING_FILTERS = 15,
         ADMIN_PROC_CONNECT_SET_LOGGING_OUTPUTS = 16,
         ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS = 17,
+        ADMIN_PROC_SERVER_UPDATE_TLS_FILES = 18,
 };