author | Alon Levy <alevy@redhat.com> | 2011-08-11 11:46:55 +0300 |
committer | Alon Levy <alevy@redhat.com> | 2011-08-11 11:46:55 +0300 |
commit | dae2385229850de9decadde83ac098c8a7d192fd (patch) | |
tree | 9a1cb882515616c1922fedbec821f5f5f1599d1c | |
parent | 9fde4ce4109b5fd3d7442fe592c53a4e10c77eea (diff) |
add --secure, defaults to off
-rwxr-xr-x | migrate.py | 51 | ||||
-rwxr-xr-x | spice_make_certs.sh | 39 |
2 files changed, 79 insertions, 11 deletions
@@ -61,6 +61,7 @@ def get_args():
     parser.add_argument('--client', dest='client', default='spicy', choices=['spicec', 'spicy'])
     parser.add_argument('--vdagent', choices=['on', 'off'], default='on')
     parser.add_argument('--usbtablet', choices=['on', 'off'], default='on')
+    parser.add_argument('--secure', choices=['on', 'off'], default='off')
     args = parser.parse_args(sys.argv[1:])
     if os.path.exists(args.qemu):
         args.qemu_exec = args.qemu
@@ -72,17 +73,23 @@ def get_args():
     print "qemu = %s" % args.qemu_exec
     return args
 
-def start_qemu(qemu_exec, image, spice_port, qmp_filename, incoming_port=None, extra_args=[]):
+def start_qemu(qemu_exec, image, spice_port, qmp_filename, incoming_port=None, extra_args=[], secure=False):
     incoming_args = []
     if incoming_port:
         incoming_args = ("-incoming tcp::%s" % incoming_port).split()
+    spice_params = ["disable-ticketing"]
+    if secure:
+        spice_params.extend(['tls-port=%s' % spice_port, 'x509-dir=%s' % os.getcwd()])
+    else:
+        spice_params.append("port=%s" % spice_port)
     args = ([qemu_exec, "-qmp", "unix:%s,server,nowait" % qmp_filename,
-            "-spice", "disable-ticketing,port=%s" % spice_port]
+            "-spice", ','.join(spice_params)]
             + extra_args + incoming_args)
     if os.path.exists(image):
         args += ["-m", "512", "-drive", "file=%s,index=0,media=disk,cache=unsafe" % image, "-snapshot"]
-    print repr(args)
+    print args
+    print ' '.join(args)
     proc = Popen(args, executable=qemu_exec, stdin=PIPE, stdout=PIPE)
     while not os.path.exists(qmp_filename):
         time.sleep(0.1)
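Review bot: The new `--secure` option has no `help=` text, so `--help` gives no hint that it moves the spice channel to TLS and that the certificate files are expected in the current directory (the server side below points qemu at `x509-dir=os.getcwd()`). A one-line help string is enough: `parser.add_argument('--secure', choices=['on', 'off'], default='off', help='serve spice over TLS; certificates are read from the current directory')`. get_args starts outside the hunk.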
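Review bot: In secure mode `spice_params` still begins with `disable-ticketing`, so TLS here authenticates the server to the client only and any client that can reach `tls-port` is admitted; that is reasonable for a localhost migration harness but should be stated, e.g. `# TLS only protects the channel: with ticketing disabled the server still accepts any client`. The debugging output `print args` followed by `print ' '.join(args)` prints the same list twice, and the joined form is not a shell-safe command line once an argument contains spaces or commas (the `-spice` value always does); one of the two is enough, and the same pair of prints appears in `start_client` in the next hunk. The rewritten `def start_qemu(...)` line also keeps the mutable default `extra_args=[]`; the body only reads it (`+ extra_args`), so this is style, but `extra_args=None` with `extra_args = extra_args or []` is the usual form. start_qemu's body continues outside the hunk.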
@@ -98,9 +105,16 @@ def start_qemu(qemu_exec, image, spice_port, qmp_filename, incoming_port=None, e
     proc.incoming_port = incoming_port
     return proc
 
-def start_client(client, spice_port):
-    return Popen(("%(client)s -h localhost -p %(port)d" % dict(port=spice_port,
-        client=client)).split(), executable=client)
+def start_client(client, spice_port, secure, host_subject):
+    cmdline = [str(client), '-h', 'localhost']
+    if secure:
+        cmdline.extend(['-s', str(spice_port), '--host-subject', host_subject, '--ca-file',
+            os.path.join(os.getcwd(), 'ca-cert.pem')])
+    else:
+        cmdline.extend(['-p', str(spice_port)])
+    print cmdline
+    print ' '.join(cmdline)
+    return Popen(cmdline, executable=client)
 
 def wait_active(q, active):
     events = ["RESUME"] if active else ["STOP"]
@@ -135,7 +149,7 @@ class Migrator(object):
     migration_count = 0
 
     def __init__(self, log, client, qemu_exec, image, monitor_files, client_count,
-                 spice_ports, migration_port, vdagent, usbtablet):
+                 spice_ports, migration_port, vdagent, usbtablet, secure, host_subject):
         self.client = client
         self.log = log
         self.qemu_exec = qemu_exec
@@ -146,6 +160,8 @@ class Migrator(object):
         self.spice_ports = spice_ports
         self.vdagent = vdagent
         self.usbtablet = usbtablet
+        self.secure = secure
+        self.host_subject = host_subject
         extra_args = []
         if self.vdagent:
             extra_args = ['-device', 'virtio-serial', '-chardev', 'spicevmc,name=vdagent,id=vdagent', '-device', 'virtserialport,chardev=vdagent,name=com.redhat.spice.0']
@@ -165,6 +181,7 @@ class Migrator(object):
                           spice_port=self.spice_ports[which],
                           qmp_filename=self.monitor_files[which],
                           extra_args=self.extra_args,
+                          secure=self.secure,
                           **kw)
 
 
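Review bot: `start_client` puts `host_subject` straight into `cmdline` when `secure` is set, and an empty or `None` value passes through silently: `None` makes `Popen` fail with an argument-type error, `''` reaches the client as an empty `--host-subject`, which is what happens when the subject lookup in main() yields nothing. A guard such as `if secure and not host_subject: raise ValueError('secure mode needs a host_subject')` puts the failure where the cause is. The CA path is built from `os.getcwd()`, and the server side in start_qemu uses the same directory as `x509-dir`; a docstring should state that the two must agree, e.g. that the client trusts `ca-cert.pem` from the current directory, the directory qemu serves its certificate from.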
@@ -189,13 +206,19 @@ class Migrator(object):
         if len(self.clients) == 0:
             for i in range(self.client_count):
                 self.clients.append(start_client(client=self.client,
-                    spice_port=self.spice_ports[0]))
+                    spice_port=self.spice_ports[0], secure=self.secure, host_subject=self.host_subject))
         wait_for_event(self.active.qmp, 'SPICE_INITIALIZED')
         if wait_for_user_input:
             print "waiting for Enter to start migrations"
             raw_input()
-        self.active.qmp.cmd('client_migrate_info', {'protocol':'spice',
-            'hostname':'localhost', 'port':self.target.spice_port})
+        migrate_info_arguments = {'protocol':'spice', 'hostname':'localhost'}
+        if self.secure:
+            migrate_info_arguments['port'] = -1
+            migrate_info_arguments['tls-port'] = self.target.spice_port
+            migrate_info_arguments['cert-subject'] = self.host_subject
+        else:
+            migrate_info_arguments['port'] = self.target.spice_port
+        self.active.qmp.cmd('client_migrate_info', migrate_info_arguments)
         self.active.qmp.cmd('migrate', {'uri': 'tcp:localhost:%s' % self.migration_port})
         wait_active(self.active.qmp, False)
         wait_active(self.target.qmp, True)
@@ -217,6 +240,11 @@ class Migrator(object):
 
 def main():
     args = get_args()
+    host_subject = None
+    if args.secure == 'on':
+        if any([not os.path.exists(f) for f in "ca-key.pem ca-cert.pem server-cert.pem server-key.pem".split()]):
+            os.system('./spice_make_certs.sh')
+        host_subject = ','.join(os.popen('openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "').read().strip().split(', '))
     print "log file %s" % args.log_filename
     log = open(args.log_filename, "a+")
     log.write("# "+str(datetime.datetime.now())+"\n")
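Review bot: `migrate_info_arguments['port'] = -1` is a magic value with no explanation; presumably it tells the client that the migration target has no plaintext port and it must reconnect on `tls-port`, but nothing on this page confirms that, so the line wants a comment such as `# -1: no plaintext port, the client must reconnect over tls-port -- confirm against the QMP client_migrate_info documentation`. The `cert-subject` passed here is the subject read from `server-cert.pem` in main(), so migration only works while both qemu instances present that same certificate; a short comment saying so would save the next reader a trip through main(). The enclosing method starts outside the hunk.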
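Review bot: The return value of `os.system('./spice_make_certs.sh')` is ignored and the `os.popen(...)` pipeline is read without checking that it produced anything, so with `--secure on` started from a directory that lacks the script, or when the openssl call fails, `host_subject` silently becomes `''` and both qemu and the client are launched with an empty subject. Checking the exit status and refusing to continue with an empty subject keeps the failure at its cause; `sys` is already in scope for that. The script also appears to prompt for the CA key passphrase on first run (`genrsa -des3` with no passphrase option), so this `os.system` call can block on the terminal, which is worth a comment at the call site. main's body continues in the next hunk.
```python
def main():
    args = get_args()
    host_subject = None
    if args.secure == 'on':
        cert_files = "ca-key.pem ca-cert.pem server-cert.pem server-key.pem".split()
        if not all(os.path.exists(f) for f in cert_files):
            # spice_make_certs.sh lives in the current directory and may prompt for the
            # CA passphrase; stop here rather than start qemu with a half-generated set.
            if os.system('./spice_make_certs.sh') != 0:
                sys.exit("spice_make_certs.sh failed, cannot continue with --secure on")
        subject = os.popen('openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "').read().strip()
        host_subject = ','.join(subject.split(', '))
        if not host_subject:
            sys.exit("could not read the subject of server-cert.pem")
    # … unchanged: log file setup and Migrator construction …
```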
@@ -224,7 +252,8 @@ def main():
                         image=args.image, log=log, monitor_files=[args.qmp1, args.qmp2],
                         migration_port=args.migrate_port, spice_ports=[args.spice_port1, args.spice_port2],
                         client_count=args.client_count, vdagent=(args.vdagent=='on'),
-                        usbtablet=(args.usbtablet=='on'))
+                        usbtablet=(args.usbtablet=='on'),
+                        secure=(args.secure=='on'), host_subject=host_subject)
     atexit.register(cleanup, migrator)
     while True:
         migrator.iterate()
diff --git a/spice_make_certs.sh b/spice_make_certs.sh
new file mode 100755
index 0000000..7765def
--- /dev/null
+++ b/spice_make_certs.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+SERVER_KEY=server-key.pem
+
+# creating a key for our ca
+if [ ! -e ca-key.pem ]; then
+    openssl genrsa -des3 -out ca-key.pem 1024
+fi
+# creating a ca
+if [ ! -e ca-cert.pem ]; then
+    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
+fi
+# create server key
+if [ ! -e $SERVER_KEY ]; then
+    openssl genrsa -out $SERVER_KEY 1024
+fi
+# create a certificate signing request (csr)
+if [ ! -e server-key.csr ]; then
+    openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
+fi
+# signing our server certificate with this ca
+if [ ! -e server-cert.pem ]; then
+    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+fi
+
+# now create a key that doesn't require a passphrase
+openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
+mv $SERVER_KEY $SERVER_KEY.secure
+mv $SERVER_KEY.insecure $SERVER_KEY
+
+# show the results (no other effect)
+openssl rsa -noout -text -in $SERVER_KEY
+openssl rsa -noout -text -in ca-key.pem
+openssl req -noout -text -in server-key.csr
+openssl x509 -noout -text -in server-cert.pem
+openssl x509 -noout -text -in ca-cert.pem
+
+# echo --host-subject
+echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"
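Review bot: The "show the results" block runs `openssl rsa -noout -text -in $SERVER_KEY` and `openssl rsa -noout -text -in ca-key.pem`, which print the private key parameters (modulus, exponents, primes) to stdout, and stdout here is whatever terminal or log the `os.system` call in migrate.py is attached to; dropping those two lines (the csr and certificate dumps that follow are public data) keeps key material out of logs. Both keys are generated with `1024` bits, which is below the usual minimum today; `2048` costs nothing in this harness. `-set_serial 01` hard-codes the certificate serial, so a server-cert.pem regenerated under the same CA reuses it; `-CAcreateserial` lets openssl track the serial instead. Because `ca-key.pem` is created with `-des3` and no `-passout`/`-passin` is given, the genrsa and the `req -new -x509` steps prompt interactively for the passphrase on first run, which matters since migrate.py invokes this script non-interactively; a comment at the top of the script should say so.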