1. 22 Feb, 2016 1 commit
  2. 16 Feb, 2016 3 commits
    • nbd: enable use of TLS with qemu-nbd server · 145614a1
      Daniel P. Berrange authored
      This modifies the qemu-nbd program so that it is possible to
      request the use of TLS with the server. It simply adds a new
      command line option --tls-creds which is used to provide the
      ID of a QCryptoTLSCreds object previously created via the
      --object command line option.
      For example:
        qemu-nbd --object tls-creds-x509,id=tls0,endpoint=server,\
                          dir=/home/berrange/security/qemutls \
                 --tls-creds tls0 \
                 --exportname default
      TLS requires the new style NBD protocol, so if no export name
      is set (via --export-name), then we use the default NBD protocol
      export name "".
      TLS is only supported when using an IPv4/IPv6 socket listener.
      It is not possible to use with UNIX sockets, which includes
      when connecting the NBD server to a host device.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      Message-Id: <1455129674-17255-16-git-send-email-berrange@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • nbd: allow setting of an export name for qemu-nbd server · 3d4b2f9c
      Daniel P. Berrange authored
      The qemu-nbd server currently always uses the old style protocol
      since it never sets any export name. This is a problem because
      future TLS support will require use of the new style protocol.
      This adds "--exportname NAME" / "-x NAME" arguments to qemu-nbd
      which allow the user to set an explicit export name. When an
      export name is set the server will always use the new style
      NBD protocol.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      Message-Id: <1455129674-17255-11-git-send-email-berrange@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • qemu-nbd: add support for --object command line arg · 0ab3b337
      Daniel P. Berrange authored
      Allow creation of user creatable object types with qemu-nbd
      via a new --object command line arg. This will be used to supply
      passwords and/or encryption keys to the various block driver
      backends via the recently added 'secret' object type.
       # printf letmein > mypasswd.txt
       # qemu-nbd --object secret,id=sec0,file=mypasswd.txt \
            ...other nbd args...
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      Message-Id: <1455129674-17255-3-git-send-email-berrange@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  3. 09 Feb, 2016 3 commits
  4. 23 May, 2014 1 commit
  5. 04 Dec, 2013 2 commits
  6. 15 Apr, 2013 1 commit
    • Add -f FMT / --format FMT arg to qemu-nbd · e6b63677
      Daniel P. Berrange authored
      Currently the qemu-nbd program will auto-detect the format of
      any disk it is given. This behaviour is known to be insecure.
      For example, if qemu-nbd initially exposes a 'raw' file to an
      unprivileged app, and that app runs
         'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
      then the next time the app is started, the qemu-nbd will now
      detect it as a 'qcow2' file and expose /etc/shadow to the
      unprivileged app.
      The only way to avoid this is to explicitly tell qemu-nbd what
      disk format to use on the command line, completely disabling
      auto-detection. This patch adds a '-f' / '--format' arg for
      this purpose, mirroring what is already available via qemu-img
      and qemu commands.
        qemu-nbd --format raw -p 9000 evil.img
      will now always use raw, regardless of what format 'evil.img'
      looks like it contains.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      [Use errx, not err. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
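
The probing risk described in the commit message above can be checked for on the host before an image is served. The following is an added example, not part of the QEMU commit: it reads the leading qcow2 header fields (magic, version, backing file offset and size) from an image that is meant to be raw and reports whether a format prober would follow a backing file. The function names and the sample header are constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"          # first four bytes of every qcow2 image
HEADER = struct.Struct(">4sIQI")  # magic, version, backing_file_offset, backing_file_size


def probe_backing_file(image: bytes):
    """Return the backing file path a format prober would follow, or None.

    None means the bytes do not parse as qcow2 with a readable backing file
    name, so probing them would not pull in another host file.
    """
    if len(image) < HEADER.size:
        return None
    magic, _version, offset, size = HEADER.unpack_from(image)
    if magic != QCOW2_MAGIC or offset == 0 or size == 0:
        return None
    name = image[offset:offset + size]
    if len(name) != size:          # header points past the end of the data
        return None
    return name.decode("utf-8", errors="replace")


def audit_raw_export(image: bytes) -> str:
    """Classify the contents of an image that is supposed to be served as raw."""
    backing = probe_backing_file(image)
    if backing is not None:
        return f"UNSAFE to probe: looks like qcow2 with backing file {backing!r}"
    if image[:4] == QCOW2_MAGIC:
        return "qcow2 magic present, no readable backing file; still pass --format raw"
    return "no qcow2 header; still pass --format raw"


def make_constructed_header(backing: bytes) -> bytes:
    """Constructed sample: only the header fields the check above reads."""
    offset = 104                   # assumed placement of the name after the header
    head = HEADER.pack(QCOW2_MAGIC, 3, offset, len(backing))
    return head.ljust(offset, b"\0") + backing


if __name__ == "__main__":
    samples = {
        "plain raw data": bytes(512),
        "guest-written header": make_constructed_header(b"/etc/shadow"),
    }
    for label, data in samples.items():
        print(f"{label}: {audit_raw_export(data)}")
```

A clean result only describes the image at the moment it was read; whoever can write to the export can change it afterwards, which is why the explicit --format argument is still required.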
  7. 22 Feb, 2013 1 commit
  8. 08 Feb, 2013 1 commit
  9. 07 Apr, 2012 1 commit
  10. 06 Mar, 2010 1 commit
  11. 22 Sep, 2008 1 commit
  12. 03 Jul, 2008 4 commits
  13. 27 May, 2008 1 commit