search for: tls0

Now that we have implemented systemd socket activation, we can use this to run qemu-nbd in tests. The first patch leaves some dead code around (the -DSERVE_OVER_TCP=1 path). It's possible we might want to use this to test against a putative future NBD server that only supports TCP, but on the other hand maybe we should just remove it. Tests & valgrind still pass for me. Rich.

...24 insertions(+), 6 deletions(-) diff --git a/interop/Makefile.am b/interop/Makefile.am index 9cb8071..8a5b787 100644 --- a/interop/Makefile.am +++ b/interop/Makefile.am @@ -100,6 +100,7 @@ interop_qemu_nbd_tls_certs_CPPFLAGS = \ -DSERVER_PARAMS='"--object", "tls-creds-x509,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests/pki", "--tls-creds", "tls0", "-f", "raw", "-x", "/", "-p", port_str, tmpfile' \ -DEXPORT_NAME='"/"' \ -DCERTS=1 \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ $(...

.../test-tls-psk.sh +++ b/tests/test-tls-psk.sh @@ -72,12 +72,11 @@ start_nbdkit -P tls-psk.pid -p $port -n \ --tls=require --tls-psk=keys.psk example1 # Run qemu-img against the server. -LANG=C \ -qemu-img info \ +qemu-img info --output=json \ --object "tls-creds-psk,id=tls0,endpoint=client,dir=$PWD" \ --image-opts "file.driver=nbd,file.host=localhost,file.port=$port,file.tls-creds=tls0" > tls-psk.out cat tls-psk.out -grep -sq "^file format: raw" tls-psk.out -grep -sq "^virtual size: 100M" tls-psk.out +grep -sq '&q...

...() on that pointer as char* has catastrophic effects). With this patch, I was able to set up a qemu-nbd encrypted server over a Unix socket (using a pending patch on the qemu list), coupled with a python connection to that socket: $ ~/qemu/qemu-nbd -r -k /tmp/nbdsock --object \ tls-creds-psk,id=tls0,endpoint=server,dir=/home/eblake/libnbd/tests \ --tls-creds tls0 -f raw -x / tmpfile $ ./run nbdsh nbd> h.set_tls_psk_file('tests/keys.psk') nbd> h.set_tls(2) nbd> h.set_export_name('/') nbd> h.connect_unix('/tmp/nbdsock') instead of getting a segfault. --- g...

..."/"' \ + $(NULL) interop_qemu_nbd_CFLAGS = $(WARNINGS_CFLAGS) interop_qemu_nbd_LDADD = $(top_builddir)/lib/libnbd.la @@ -89,7 +95,8 @@ interop_qemu_nbd_tls_certs_CPPFLAGS = \ -DSERVER=\"$(QEMU_NBD)\" \ -DSERVER_PARAMS='"--object", "tls-creds-x509,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests/pki", "--tls-creds", "tls0", "-f", "raw", "-x", "/", "-p", port_str, tmpfile' \ -DEXPORT_NAME='"/"' \ - -DCERTS=1 + -DCERTS=1 \ + $(NULL) interop_qemu_nb...

I was a little surprised to find that LIBNBD_TLS_ALLOW worked out of the box, so I had to examine the logs whereupon I saw the magic message ... libnbd: debug: nbd1: nbd_connect_command: server refused TLS (policy), continuing with unencrypted connection I don't believe this path has ever been tested before. It's possible the tests could be improved if they actually checked for this

v2: * Improved documentation. * Added a test (interop with qemu client).