Merge branch 'ZSTAC-81343@@2' into '5.5.12'

<feature>[kvm]: add libvirt TLS config

See merge request zstackio/zstack!9317

Author: PandaWuu

plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java

@@ -3805,6 +3805,26 @@ public static class MigrateVmCmd extends AgentCommand implements HasThreadContex
         private boolean reload;
         @GrayVersion(value = "5.0.0")
         private long bandwidth;
+        @GrayVersion(value = "5.5.12")
+        private boolean useTls;
+        @GrayVersion(value = "5.5.12")
+        private String srcHostManagementIp;
+
+        public String getSrcHostManagementIp() {
+            return srcHostManagementIp;
+        }
+
+        public void setSrcHostManagementIp(String srcHostManagementIp) {
+            this.srcHostManagementIp = srcHostManagementIp;
+        }
+
+        public boolean isUseTls() {
+            return useTls;
+        }
+
+        public void setUseTls(boolean useTls) {
+            this.useTls = useTls;
+        }
 
         public Integer getDownTime() {
             return downTime;

plugin/kvm/src/main/java/org/zstack/kvm/KVMGlobalConfig.java

@@ -139,6 +139,10 @@ public class KVMGlobalConfig {
     @BindResourceConfig({HostVO.class, ClusterVO.class})
     public static GlobalConfig RECONNECT_HOST_RESTART_LIBVIRTD_SERVICE = new GlobalConfig(CATEGORY, "reconnect.host.restart.libvirtd.service");
 
+    @GlobalConfigValidation(validValues = {"true", "false"})
+    @GlobalConfigDef(defaultValue = "true", type = Boolean.class, description = "enable TLS encryption for libvirt remote connections (migration)")
+    public static GlobalConfig LIBVIRT_TLS_ENABLED = new GlobalConfig(CATEGORY, "libvirt.tls.enabled");
+
     @GlobalConfigValidation
     public static GlobalConfig KVMAGENT_PHYSICAL_MEMORY_USAGE_ALARM_THRESHOLD = new GlobalConfig(CATEGORY, "kvmagent.physicalmemory.usage.alarm.threshold");
 

plugin/kvm/src/main/java/org/zstack/kvm/KVMHost.java

@@ -3163,6 +3163,7 @@ public void run(final FlowTrigger trigger, Map data) {
                         cmd.setDestHostIp(dstHostMigrateIp);
                         cmd.setSrcHostIp(srcHostMigrateIp);
                         cmd.setDestHostManagementIp(dstHostMnIp);
+                        cmd.setSrcHostManagementIp(srcHostMnIp);
                         cmd.setMigrateFromDestination(migrateFromDestination);
                         cmd.setStorageMigrationPolicy(storageMigrationPolicy == null ? null : storageMigrationPolicy.toString());
                         cmd.setVmUuid(vmUuid);
@@ -3174,6 +3175,8 @@ public void run(final FlowTrigger trigger, Map data) {
                         cmd.setDownTime(s.downTime);
                         cmd.setBandwidth(s.bandwidth);
                         cmd.setNics(nicTos);
+                        cmd.setUseTls(KVMGlobalConfig.LIBVIRT_TLS_ENABLED.value(Boolean.class)
+                                && rcf.getResourceConfigValue(KVMGlobalConfig.RECONNECT_HOST_RESTART_LIBVIRTD_SERVICE, self.getUuid(), Boolean.class));
 
                         if (s.diskMigrationMap != null) {
                             Map<String, VolumeTO> diskMigrationMap = new HashMap<>();
@@ -5815,6 +5818,16 @@ public void run(final FlowTrigger trigger, Map data) {
                         deployArguments.setSkipPackages(info.getSkipPackages());
                         deployArguments.setUpdatePackages(String.valueOf(CoreGlobalProperty.UPDATE_PKG_WHEN_CONNECT));
 
+                        // Build TLS cert IP list: management IP + extra IPs (migration network etc.)
+                        String managementIp = getSelf().getManagementIp();
+                        String extraIps = HostSystemTags.EXTRA_IPS.getTokenByResourceUuid(
+                                self.getUuid(), HostSystemTags.EXTRA_IPS_TOKEN);
+                        if (extraIps != null && !extraIps.isEmpty()) {
+                            deployArguments.setTlsCertIps(managementIp + "," + extraIps);
+                        } else {
+                            deployArguments.setTlsCertIps(managementIp);
+                        }
+
                         if (deployArguments.isForceRun()) {
                             runner.setForceRun(true);
                         }

plugin/kvm/src/main/java/org/zstack/kvm/KVMHostDeployArguments.java

@@ -39,6 +39,8 @@ public class KVMHostDeployArguments extends SyncTimeRequestedDeployArguments {
     private String restartLibvirtd;
     @SerializedName("extra_packages")
     private String extraPackages;
+    @SerializedName("tls_cert_ips")
+    private String tlsCertIps;
 
     private transient boolean forceRun = false;
 
@@ -135,6 +137,14 @@ public void setExtraPackages(String extraPackages) {
         this.extraPackages = extraPackages;
     }
 
+    public String getTlsCertIps() {
+        return tlsCertIps;
+    }
+
+    public void setTlsCertIps(String tlsCertIps) {
+        this.tlsCertIps = tlsCertIps;
+    }
+
     public String getEnableSpiceTls() {
         return enableSpiceTls;
     }

plugin/kvm/src/main/java/org/zstack/kvm/KVMHostFactory.java

@@ -1,5 +1,6 @@
 package org.zstack.kvm;
 
+import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.util.UriComponentsBuilder;
@@ -9,6 +10,8 @@
 import org.zstack.compute.vm.VmNicManager;
 import org.zstack.core.CoreGlobalProperty;
 import org.zstack.core.ansible.AnsibleFacade;
+import org.zstack.core.jsonlabel.JsonLabel;
+import org.zstack.core.jsonlabel.JsonLabelInventory;
 import org.zstack.core.cloudbus.CloudBus;
 import org.zstack.core.cloudbus.CloudBusListCallBack;
 import org.zstack.core.cloudbus.CloudBusSteppingCallback;
@@ -75,6 +78,7 @@
 import org.zstack.resourceconfig.ResourceConfigFacade;
 import org.zstack.utils.CollectionUtils;
 import org.zstack.utils.IpRangeSet;
+import org.zstack.utils.ShellUtils;
 import org.zstack.utils.SizeUtils;
 import org.zstack.utils.Utils;
 import org.zstack.utils.data.SizeUnit;
@@ -85,6 +89,7 @@
 import org.zstack.utils.logging.CLogger;
 
 import javax.persistence.Tuple;
+import java.io.File;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
@@ -122,6 +127,10 @@ public class KVMHostFactory extends AbstractService implements HypervisorFactory
         HypervisorMessageFactory {
     private static final CLogger logger = Utils.getLogger(KVMHostFactory.class);
 
+    private static final String LIBVIRT_TLS_CA_KEY = "libvirtTLSCA";
+    private static final String LIBVIRT_TLS_PRIVATE_KEY = "libvirtTLSPrivateKey";
+    private static final String CA_DIR = "/var/lib/zstack/pki/CA";
+
     public static final HypervisorType hypervisorType = new HypervisorType(KVMConstant.KVM_HYPERVISOR_TYPE);
     public static final VolumeFormat QCOW2_FORMAT = new VolumeFormat(VolumeConstant.VOLUME_FORMAT_QCOW2, hypervisorType);
     public static final VolumeFormat RAW_FORMAT = new VolumeFormat(VolumeConstant.VOLUME_FORMAT_RAW, hypervisorType);
@@ -458,8 +467,56 @@ private void processKvmagentPhysicalMemUsageAbnormal(HostProcessPhysicalMemoryUs
         bus.send(restartKvmAgentMsg);
     }
 
+    private void initLibvirtTlsCA() {
+        if (CoreGlobalProperty.UNIT_TEST_ON) {
+            return;
+        }
+
+        try {
+            ShellUtils.run(String.format("mkdir -p %s", CA_DIR));
+            ShellUtils.run("chown -R zstack:zstack /var/lib/zstack/pki");
+
+            File caFile = new File(CA_DIR + "/cacert.pem");
+            File keyFile = new File(CA_DIR + "/cakey.pem");
+
+            // Local CA missing — generate with openssl
+            // NOTE: ShellUtils.run() prepends sudo only to the first command in &&-chains,
+            // so each command must be a separate call.
+            if (!caFile.exists() || !keyFile.exists()) {
+                ShellUtils.run(String.format(
+                        "openssl genrsa -out %s/cakey.pem 4096", CA_DIR));
+                ShellUtils.run(String.format(
+                        "openssl req -new -x509 -days 3650 -key %s/cakey.pem " +
+                        "-out %s/cacert.pem -subj '/O=ZStack/CN=ZStack Libvirt CA'",
+                        CA_DIR, CA_DIR));
+                ShellUtils.run(String.format("chown zstack:zstack %s/cakey.pem %s/cacert.pem",
+                        CA_DIR, CA_DIR));
+                ShellUtils.run(String.format("chmod 600 %s/cakey.pem", CA_DIR));
+                ShellUtils.run(String.format("chmod 644 %s/cacert.pem", CA_DIR));
+            }
+
+            String ca = FileUtils.readFileToString(caFile).trim();
+            String key = FileUtils.readFileToString(keyFile).trim();
+
+            // createIfAbsent: DB has no record → write; DB has record → return DB value
+            JsonLabelInventory caInv = new JsonLabel().createIfAbsent(LIBVIRT_TLS_CA_KEY, ca);
+            JsonLabelInventory keyInv = new JsonLabel().createIfAbsent(LIBVIRT_TLS_PRIVATE_KEY, key);
+
+            // Use DB as source of truth — overwrite local files (HA: MN2 uses MN1's CA from DB)
+            FileUtils.writeStringToFile(caFile, caInv.getLabelValue());
+            FileUtils.writeStringToFile(keyFile, keyInv.getLabelValue());
+            ShellUtils.run(String.format("chmod 600 %s/cakey.pem", CA_DIR));
+            ShellUtils.run(String.format("chmod 644 %s/cacert.pem", CA_DIR));
+
+            logger.info("Libvirt TLS CA initialized and persisted to database");
+        } catch (Exception e) {
+            logger.warn("Failed to initialize libvirt TLS CA", e);
+        }
+    }
+
     @Override
     public boolean start() {
+        initLibvirtTlsCA();
         deployAnsibleModule();
         populateExtensions();
         configKVMDeviceType();