aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--block/Makefile.objs1
-rw-r--r--block/ssh.c995
-rwxr-xr-xconfigure48
-rw-r--r--qemu-doc.texi49
-rw-r--r--qemu-options.hx12
5 files changed, 1105 insertions, 0 deletions
diff --git a/block/Makefile.objs b/block/Makefile.objs
index c067f38e1d..6c4b5bc6b0 100644
--- a/block/Makefile.objs
+++ b/block/Makefile.objs
@@ -13,6 +13,7 @@ block-obj-$(CONFIG_LIBISCSI) += iscsi.o
block-obj-$(CONFIG_CURL) += curl.o
block-obj-$(CONFIG_RBD) += rbd.o
block-obj-$(CONFIG_GLUSTERFS) += gluster.o
+block-obj-$(CONFIG_LIBSSH2) += ssh.o
endif
common-obj-y += stream.o
diff --git a/block/ssh.c b/block/ssh.c
new file mode 100644
index 0000000000..89a9017b63
--- /dev/null
+++ b/block/ssh.c
@@ -0,0 +1,995 @@
+/*
+ * Secure Shell (ssh) backend for QEMU.
+ *
+ * Copyright (C) 2013 Red Hat Inc., Richard W.M. Jones <rjones@redhat.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <libssh2.h>
+#include <libssh2_sftp.h>
+
+#include "block/block_int.h"
+#include "qemu/sockets.h"
+#include "qemu/uri.h"
+#include "qapi/qmp/qint.h"
+
+/* DEBUG_SSH=1 enables the DPRINTF (debugging printf) statements in
+ * this block driver code.
+ *
+ * TRACE_LIBSSH2=<bitmask> enables tracing in libssh2 itself. Note
+ * that this requires that libssh2 was specially compiled with the
+ * `./configure --enable-debug' option, so most likely you will have
+ * to compile it yourself. The meaning of <bitmask> is described
+ * here: http://www.libssh2.org/libssh2_trace.html
+ */
+#define DEBUG_SSH 0
+#define TRACE_LIBSSH2 0 /* or try: LIBSSH2_TRACE_SFTP */
+
+#define DPRINTF(fmt, ...) \
+ do { \
+ if (DEBUG_SSH) { \
+ fprintf(stderr, "ssh: %-15s " fmt "\n", \
+ __func__, ##__VA_ARGS__); \
+ } \
+ } while (0)
+
+typedef struct BDRVSSHState {
+ /* Coroutine. */
+ CoMutex lock;
+
+ /* SSH connection. */
+ int sock; /* socket */
+ LIBSSH2_SESSION *session; /* ssh session */
+ LIBSSH2_SFTP *sftp; /* sftp session */
+ LIBSSH2_SFTP_HANDLE *sftp_handle; /* sftp remote file handle */
+
+ /* See ssh_seek() function below. */
+ int64_t offset;
+ bool offset_op_read;
+
+ /* File attributes at open. We try to keep the .filesize field
+ * updated if it changes (eg by writing at the end of the file).
+ */
+ LIBSSH2_SFTP_ATTRIBUTES attrs;
+} BDRVSSHState;
+
+static void ssh_state_init(BDRVSSHState *s)
+{
+ memset(s, 0, sizeof *s);
+ s->sock = -1;
+ s->offset = -1;
+ qemu_co_mutex_init(&s->lock);
+}
+
+static void ssh_state_free(BDRVSSHState *s)
+{
+ if (s->sftp_handle) {
+ libssh2_sftp_close(s->sftp_handle);
+ }
+ if (s->sftp) {
+ libssh2_sftp_shutdown(s->sftp);
+ }
+ if (s->session) {
+ libssh2_session_disconnect(s->session,
+ "from qemu ssh client: "
+ "user closed the connection");
+ libssh2_session_free(s->session);
+ }
+ if (s->sock >= 0) {
+ close(s->sock);
+ }
+}
+
+/* Wrappers around error_report which make sure to dump as much
+ * information from libssh2 as possible.
+ */
+static void
+session_error_report(BDRVSSHState *s, const char *fs, ...)
+{
+ va_list args;
+
+ va_start(args, fs);
+ error_vprintf(fs, args);
+
+ if ((s)->session) {
+ char *ssh_err;
+ int ssh_err_code;
+
+ libssh2_session_last_error((s)->session, &ssh_err, NULL, 0);
+ /* This is not an errno. See <libssh2.h>. */
+ ssh_err_code = libssh2_session_last_errno((s)->session);
+
+ error_printf(": %s (libssh2 error code: %d)", ssh_err, ssh_err_code);
+ }
+
+ va_end(args);
+ error_printf("\n");
+}
+
+static void
+sftp_error_report(BDRVSSHState *s, const char *fs, ...)
+{
+ va_list args;
+
+ va_start(args, fs);
+ error_vprintf(fs, args);
+
+ if ((s)->sftp) {
+ char *ssh_err;
+ int ssh_err_code;
+ unsigned long sftp_err_code;
+
+ libssh2_session_last_error((s)->session, &ssh_err, NULL, 0);
+ /* This is not an errno. See <libssh2.h>. */
+ ssh_err_code = libssh2_session_last_errno((s)->session);
+ /* See <libssh2_sftp.h>. */
+ sftp_err_code = libssh2_sftp_last_error((s)->sftp);
+
+ error_printf(": %s (libssh2 error code: %d, sftp error code: %lu)",
+ ssh_err, ssh_err_code, sftp_err_code);
+ }
+
+ va_end(args);
+ error_printf("\n");
+}
+
+static int parse_uri(const char *filename, QDict *options, Error **errp)
+{
+ URI *uri = NULL;
+ QueryParams *qp = NULL;
+ int i;
+
+ uri = uri_parse(filename);
+ if (!uri) {
+ return -EINVAL;
+ }
+
+ if (strcmp(uri->scheme, "ssh") != 0) {
+ error_setg(errp, "URI scheme must be 'ssh'");
+ goto err;
+ }
+
+ if (!uri->server || strcmp(uri->server, "") == 0) {
+ error_setg(errp, "missing hostname in URI");
+ goto err;
+ }
+
+ if (!uri->path || strcmp(uri->path, "") == 0) {
+ error_setg(errp, "missing remote path in URI");
+ goto err;
+ }
+
+ qp = query_params_parse(uri->query);
+ if (!qp) {
+ error_setg(errp, "could not parse query parameters");
+ goto err;
+ }
+
+ if(uri->user && strcmp(uri->user, "") != 0) {
+ qdict_put(options, "user", qstring_from_str(uri->user));
+ }
+
+ qdict_put(options, "host", qstring_from_str(uri->server));
+
+ if (uri->port) {
+ qdict_put(options, "port", qint_from_int(uri->port));
+ }
+
+ qdict_put(options, "path", qstring_from_str(uri->path));
+
+ /* Pick out any query parameters that we understand, and ignore
+ * the rest.
+ */
+ for (i = 0; i < qp->n; ++i) {
+ if (strcmp(qp->p[i].name, "host_key_check") == 0) {
+ qdict_put(options, "host_key_check",
+ qstring_from_str(qp->p[i].value));
+ }
+ }
+
+ query_params_free(qp);
+ uri_free(uri);
+ return 0;
+
+ err:
+ if (qp) {
+ query_params_free(qp);
+ }
+ if (uri) {
+ uri_free(uri);
+ }
+ return -EINVAL;
+}
+
+static void ssh_parse_filename(const char *filename, QDict *options,
+ Error **errp)
+{
+ if (qdict_haskey(options, "user") ||
+ qdict_haskey(options, "host") ||
+ qdict_haskey(options, "port") ||
+ qdict_haskey(options, "path") ||
+ qdict_haskey(options, "host_key_check")) {
+ error_setg(errp, "user, host, port, path, host_key_check cannot be used at the same time as a file option");
+ return;
+ }
+
+ parse_uri(filename, options, errp);
+}
+
+static int check_host_key_knownhosts(BDRVSSHState *s,
+ const char *host, int port)
+{
+ const char *home;
+ char *knh_file = NULL;
+ LIBSSH2_KNOWNHOSTS *knh = NULL;
+ struct libssh2_knownhost *found;
+ int ret, r;
+ const char *hostkey;
+ size_t len;
+ int type;
+
+ hostkey = libssh2_session_hostkey(s->session, &len, &type);
+ if (!hostkey) {
+ ret = -EINVAL;
+ session_error_report(s, "failed to read remote host key");
+ goto out;
+ }
+
+ knh = libssh2_knownhost_init(s->session);
+ if (!knh) {
+ ret = -EINVAL;
+ session_error_report(s, "failed to initialize known hosts support");
+ goto out;
+ }
+
+ home = getenv("HOME");
+ if (home) {
+ knh_file = g_strdup_printf("%s/.ssh/known_hosts", home);
+ } else {
+ knh_file = g_strdup_printf("/root/.ssh/known_hosts");
+ }
+
+ /* Read all known hosts from OpenSSH-style known_hosts file. */
+ libssh2_knownhost_readfile(knh, knh_file, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
+
+ r = libssh2_knownhost_checkp(knh, host, port, hostkey, len,
+ LIBSSH2_KNOWNHOST_TYPE_PLAIN|
+ LIBSSH2_KNOWNHOST_KEYENC_RAW,
+ &found);
+ switch (r) {
+ case LIBSSH2_KNOWNHOST_CHECK_MATCH:
+ /* OK */
+ DPRINTF("host key OK: %s", found->key);
+ break;
+ case LIBSSH2_KNOWNHOST_CHECK_MISMATCH:
+ ret = -EINVAL;
+ session_error_report(s, "host key does not match the one in known_hosts (found key %s)",
+ found->key);
+ goto out;
+ case LIBSSH2_KNOWNHOST_CHECK_NOTFOUND:
+ ret = -EINVAL;
+ session_error_report(s, "no host key was found in known_hosts");
+ goto out;
+ case LIBSSH2_KNOWNHOST_CHECK_FAILURE:
+ ret = -EINVAL;
+ session_error_report(s, "failure matching the host key with known_hosts");
+ goto out;
+ default:
+ ret = -EINVAL;
+ session_error_report(s, "unknown error matching the host key with known_hosts (%d)",
+ r);
+ goto out;
+ }
+
+ /* known_hosts checking successful. */
+ ret = 0;
+
+ out:
+ if (knh != NULL) {
+ libssh2_knownhost_free(knh);
+ }
+ g_free(knh_file);
+ return ret;
+}
+
+static unsigned hex2decimal(char ch)
+{
+ if (ch >= '0' && ch <= '9') {
+ return (ch - '0');
+ } else if (ch >= 'a' && ch <= 'f') {
+ return 10 + (ch - 'a');
+ } else if (ch >= 'A' && ch <= 'F') {
+ return 10 + (ch - 'A');
+ }
+
+ return -1;
+}
+
+/* Compare the binary fingerprint (hash of host key) with the
+ * host_key_check parameter.
+ */
+static int compare_fingerprint(const unsigned char *fingerprint, size_t len,
+ const char *host_key_check)
+{
+ unsigned c;
+
+ while (len > 0) {
+ while (*host_key_check == ':')
+ host_key_check++;
+ if (!qemu_isxdigit(host_key_check[0]) ||
+ !qemu_isxdigit(host_key_check[1]))
+ return 1;
+ c = hex2decimal(host_key_check[0]) * 16 +
+ hex2decimal(host_key_check[1]);
+ if (c - *fingerprint != 0)
+ return c - *fingerprint;
+ fingerprint++;
+ len--;
+ host_key_check += 2;
+ }
+ return *host_key_check - '\0';
+}
+
+static int
+check_host_key_hash(BDRVSSHState *s, const char *hash,
+ int hash_type, size_t fingerprint_len)
+{
+ const char *fingerprint;
+
+ fingerprint = libssh2_hostkey_hash(s->session, hash_type);
+ if (!fingerprint) {
+ session_error_report(s, "failed to read remote host key");
+ return -EINVAL;
+ }
+
+ if(compare_fingerprint((unsigned char *) fingerprint, fingerprint_len,
+ hash) != 0) {
+ error_report("remote host key does not match host_key_check '%s'",
+ hash);
+ return -EPERM;
+ }
+
+ return 0;
+}
+
+static int check_host_key(BDRVSSHState *s, const char *host, int port,
+ const char *host_key_check)
+{
+ /* host_key_check=no */
+ if (strcmp(host_key_check, "no") == 0) {
+ return 0;
+ }
+
+ /* host_key_check=md5:xx:yy:zz:... */
+ if (strlen(host_key_check) >= 4 &&
+ strncmp(host_key_check, "md5:", 4) == 0) {
+ return check_host_key_hash(s, &host_key_check[4],
+ LIBSSH2_HOSTKEY_HASH_MD5, 16);
+ }
+
+ /* host_key_check=sha1:xx:yy:zz:... */
+ if (strlen(host_key_check) >= 5 &&
+ strncmp(host_key_check, "sha1:", 5) == 0) {
+ return check_host_key_hash(s, &host_key_check[5],
+ LIBSSH2_HOSTKEY_HASH_SHA1, 20);
+ }
+
+ /* host_key_check=yes */
+ if (strcmp(host_key_check, "yes") == 0) {
+ return check_host_key_knownhosts(s, host, port);
+ }
+
+ error_report("unknown host_key_check setting (%s)", host_key_check);
+ return -EINVAL;
+}
+
+static int authenticate(BDRVSSHState *s, const char *user)
+{
+ int r, ret;
+ const char *userauthlist;
+ LIBSSH2_AGENT *agent = NULL;
+ struct libssh2_agent_publickey *identity;
+ struct libssh2_agent_publickey *prev_identity = NULL;
+
+ userauthlist = libssh2_userauth_list(s->session, user, strlen(user));
+ if (strstr(userauthlist, "publickey") == NULL) {
+ ret = -EPERM;
+ error_report("remote server does not support \"publickey\" authentication");
+ goto out;
+ }
+
+ /* Connect to ssh-agent and try each identity in turn. */
+ agent = libssh2_agent_init(s->session);
+ if (!agent) {
+ ret = -EINVAL;
+ session_error_report(s, "failed to initialize ssh-agent support");
+ goto out;
+ }
+ if (libssh2_agent_connect(agent)) {
+ ret = -ECONNREFUSED;
+ session_error_report(s, "failed to connect to ssh-agent");
+ goto out;
+ }
+ if (libssh2_agent_list_identities(agent)) {
+ ret = -EINVAL;
+ session_error_report(s, "failed requesting identities from ssh-agent");
+ goto out;
+ }
+
+ for(;;) {
+ r = libssh2_agent_get_identity(agent, &identity, prev_identity);
+ if (r == 1) { /* end of list */
+ break;
+ }
+ if (r < 0) {
+ ret = -EINVAL;
+ session_error_report(s, "failed to obtain identity from ssh-agent");
+ goto out;
+ }
+ r = libssh2_agent_userauth(agent, user, identity);
+ if (r == 0) {
+ /* Authenticated! */
+ ret = 0;
+ goto out;
+ }
+ /* Failed to authenticate with this identity, try the next one. */
+ prev_identity = identity;
+ }
+
+ ret = -EPERM;
+ error_report("failed to authenticate using publickey authentication "
+ "and the identities held by your ssh-agent");
+
+ out:
+ if (agent != NULL) {
+ /* Note: libssh2 implementation implicitly calls
+ * libssh2_agent_disconnect if necessary.
+ */
+ libssh2_agent_free(agent);
+ }
+
+ return ret;
+}
+
+static int connect_to_ssh(BDRVSSHState *s, QDict *options,
+ int ssh_flags, int creat_mode)
+{
+ int r, ret;
+ Error *err = NULL;
+ const char *host, *user, *path, *host_key_check;
+ int port;
+ char *hostport = NULL;
+
+ host = qdict_get_str(options, "host");
+
+ if (qdict_haskey(options, "port")) {
+ port = qdict_get_int(options, "port");
+ } else {
+ port = 22;
+ }
+
+ path = qdict_get_str(options, "path");
+
+ if (qdict_haskey(options, "user")) {
+ user = qdict_get_str(options, "user");
+ } else {
+ user = g_get_user_name();
+ if (!user) {
+ ret = -errno;
+ goto err;
+ }
+ }
+
+ if (qdict_haskey(options, "host_key_check")) {
+ host_key_check = qdict_get_str(options, "host_key_check");
+ } else {
+ host_key_check = "yes";
+ }
+
+ /* Open the socket and connect. */
+ hostport = g_strdup_printf("%s:%d", host, port);
+ s->sock = inet_connect(hostport, &err);
+ if (err != NULL) {
+ ret = -errno;
+ qerror_report_err(err);
+ error_free(err);
+ goto err;
+ }
+
+ /* Create SSH session. */
+ s->session = libssh2_session_init();
+ if (!s->session) {
+ ret = -EINVAL;
+ session_error_report(s, "failed to initialize libssh2 session");
+ goto err;
+ }
+
+#if TRACE_LIBSSH2 != 0
+ libssh2_trace(s->session, TRACE_LIBSSH2);
+#endif
+
+ r = libssh2_session_handshake(s->session, s->sock);
+ if (r != 0) {
+ ret = -EINVAL;
+ session_error_report(s, "failed to establish SSH session");
+ goto err;
+ }
+
+ /* Check the remote host's key against known_hosts. */
+ ret = check_host_key(s, host, port, host_key_check);
+ if (ret < 0) {
+ goto err;
+ }
+
+ /* Authenticate. */
+ ret = authenticate(s, user);
+ if (ret < 0) {
+ goto err;
+ }
+
+ /* Start SFTP. */
+ s->sftp = libssh2_sftp_init(s->session);
+ if (!s->sftp) {
+ session_error_report(s, "failed to initialize sftp handle");
+ ret = -EINVAL;
+ goto err;
+ }
+
+ /* Open the remote file. */
+ DPRINTF("opening file %s flags=0x%x creat_mode=0%o",
+ path, ssh_flags, creat_mode);
+ s->sftp_handle = libssh2_sftp_open(s->sftp, path, ssh_flags, creat_mode);
+ if (!s->sftp_handle) {
+ session_error_report(s, "failed to open remote file '%s'", path);
+ ret = -EINVAL;
+ goto err;
+ }
+
+ r = libssh2_sftp_fstat(s->sftp_handle, &s->attrs);
+ if (r < 0) {
+ sftp_error_report(s, "failed to read file attributes");
+ return -EINVAL;
+ }
+
+ /* Delete the options we've used; any not deleted will cause the
+ * block layer to give an error about unused options.
+ */
+ qdict_del(options, "host");
+ qdict_del(options, "port");
+ qdict_del(options, "user");
+ qdict_del(options, "path");
+ qdict_del(options, "host_key_check");
+
+ g_free(hostport);
+ return 0;
+
+ err:
+ if (s->sftp_handle) {
+ libssh2_sftp_close(s->sftp_handle);
+ }
+ s->sftp_handle = NULL;
+ if (s->sftp) {
+ libssh2_sftp_shutdown(s->sftp);
+ }
+ s->sftp = NULL;
+ if (s->session) {
+ libssh2_session_disconnect(s->session,
+ "from qemu ssh client: "
+ "error opening connection");
+ libssh2_session_free(s->session);
+ }
+ s->session = NULL;
+ g_free(hostport);
+
+ return ret;
+}
+
+static int ssh_file_open(BlockDriverState *bs, const char *filename,
+ QDict *options, int bdrv_flags)
+{
+ BDRVSSHState *s = bs->opaque;
+ int ret;
+ int ssh_flags;
+
+ ssh_state_init(s);
+
+ ssh_flags = LIBSSH2_FXF_READ;
+ if (bdrv_flags & BDRV_O_RDWR) {
+ ssh_flags |= LIBSSH2_FXF_WRITE;
+ }
+
+ /* Start up SSH. */
+ ret = connect_to_ssh(s, options, ssh_flags, 0);
+ if (ret < 0) {
+ goto err;
+ }
+
+ /* Go non-blocking. */
+ libssh2_session_set_blocking(s->session, 0);
+
+ return 0;
+
+ err:
+ if (s->sock >= 0) {
+ close(s->sock);
+ }
+ s->sock = -1;
+
+ return ret;
+}
+
+static QEMUOptionParameter ssh_create_options[] = {
+ {
+ .name = BLOCK_OPT_SIZE,
+ .type = OPT_SIZE,
+ .help = "Virtual disk size"
+ },
+ { NULL }
+};
+
+static int ssh_create(const char *filename, QEMUOptionParameter *options)
+{
+ int r, ret;
+ Error *local_err = NULL;
+ int64_t total_size = 0;
+ QDict *uri_options = NULL;
+ BDRVSSHState s;
+ ssize_t r2;
+ char c[1] = { '\0' };
+
+ ssh_state_init(&s);
+
+ /* Get desired file size. */
+ while (options && options->name) {
+ if (!strcmp(options->name, BLOCK_OPT_SIZE)) {
+ total_size = options->value.n;
+ }
+ options++;
+ }
+ DPRINTF("total_size=%" PRIi64, total_size);
+
+ uri_options = qdict_new();
+ r = parse_uri(filename, uri_options, &local_err);
+ if (r < 0) {
+ qerror_report_err(local_err);
+ error_free(local_err);
+ ret = r;
+ goto out;
+ }
+
+ r = connect_to_ssh(&s, uri_options,
+ LIBSSH2_FXF_READ|LIBSSH2_FXF_WRITE|
+ LIBSSH2_FXF_CREAT|LIBSSH2_FXF_TRUNC, 0644);
+ if (r < 0) {
+ ret = r;
+ goto out;
+ }
+
+ if (total_size > 0) {
+ libssh2_sftp_seek64(s.sftp_handle, total_size-1);
+ r2 = libssh2_sftp_write(s.sftp_handle, c, 1);
+ if (r2 < 0) {
+ sftp_error_report(&s, "truncate failed");
+ ret = -EINVAL;
+ goto out;
+ }
+ s.attrs.filesize = total_size;
+ }
+
+ ret = 0;
+
+ out:
+ ssh_state_free(&s);
+ if (uri_options != NULL) {
+ QDECREF(uri_options);
+ }
+ return ret;
+}
+
+static void ssh_close(BlockDriverState *bs)
+{
+ BDRVSSHState *s = bs->opaque;
+
+ ssh_state_free(s);
+}
+
+static void restart_coroutine(void *opaque)
+{
+ Coroutine *co = opaque;
+
+ DPRINTF("co=%p", co);
+
+ qemu_coroutine_enter(co, NULL);
+}
+
+/* Always true because when we have called set_fd_handler there is
+ * always a request being processed.
+ */
+static int return_true(void *opaque)
+{
+ return 1;
+}
+
+static coroutine_fn void set_fd_handler(BDRVSSHState *s)
+{
+ int r;
+ IOHandler *rd_handler = NULL, *wr_handler = NULL;
+ Coroutine *co = qemu_coroutine_self();
+
+ r = libssh2_session_block_directions(s->session);
+
+ if (r & LIBSSH2_SESSION_BLOCK_INBOUND) {
+ rd_handler = restart_coroutine;
+ }
+ if (r & LIBSSH2_SESSION_BLOCK_OUTBOUND) {
+ wr_handler = restart_coroutine;
+ }
+
+ DPRINTF("s->sock=%d rd_handler=%p wr_handler=%p", s->sock,
+ rd_handler, wr_handler);
+
+ qemu_aio_set_fd_handler(s->sock, rd_handler, wr_handler, return_true, co);
+}
+
+static coroutine_fn void clear_fd_handler(BDRVSSHState *s)
+{
+ DPRINTF("s->sock=%d", s->sock);
+ qemu_aio_set_fd_handler(s->sock, NULL, NULL, NULL, NULL);
+}
+
+/* A non-blocking call returned EAGAIN, so yield, ensuring the
+ * handlers are set up so that we'll be rescheduled when there is an
+ * interesting event on the socket.
+ */
+static coroutine_fn void co_yield(BDRVSSHState *s)
+{
+ set_fd_handler(s);
+ qemu_coroutine_yield();
+ clear_fd_handler(s);
+}
+
+/* SFTP has a function `libssh2_sftp_seek64' which seeks to a position
+ * in the remote file. Notice that it just updates a field in the
+ * sftp_handle structure, so there is no network traffic and it cannot
+ * fail.
+ *
+ * However, `libssh2_sftp_seek64' does have a catastrophic effect on
+ * performance since it causes the handle to throw away all in-flight
+ * reads and buffered readahead data. Therefore this function tries
+ * to be intelligent about when to call the underlying libssh2 function.
+ */
+#define SSH_SEEK_WRITE 0
+#define SSH_SEEK_READ 1
+#define SSH_SEEK_FORCE 2
+
+static void ssh_seek(BDRVSSHState *s, int64_t offset, int flags)
+{
+ bool op_read = (flags & SSH_SEEK_READ) != 0;
+ bool force = (flags & SSH_SEEK_FORCE) != 0;
+
+ if (force || op_read != s->offset_op_read || offset != s->offset) {
+ DPRINTF("seeking to offset=%" PRIi64, offset);
+ libssh2_sftp_seek64(s->sftp_handle, offset);
+ s->offset = offset;
+ s->offset_op_read = op_read;
+ }
+}
+
+static coroutine_fn int ssh_read(BDRVSSHState *s,
+ int64_t offset, size_t size,
+ QEMUIOVector *qiov)
+{
+ ssize_t r;
+ size_t got;
+ char *buf, *end_of_vec;
+ struct iovec *i;
+
+ DPRINTF("offset=%" PRIi64 " size=%zu", offset, size);
+
+ ssh_seek(s, offset, SSH_SEEK_READ);
+
+ /* This keeps track of the current iovec element ('i'), where we
+ * will write to next ('buf'), and the end of the current iovec
+ * ('end_of_vec').
+ */
+ i = &qiov->iov[0];
+ buf = i->iov_base;
+ end_of_vec = i->iov_base + i->iov_len;
+
+ /* libssh2 has a hard-coded limit of 2000 bytes per request,
+ * although it will also do readahead behind our backs. Therefore
+ * we may have to do repeated reads here until we have read 'size'
+ * bytes.
+ */
+ for (got = 0; got < size; ) {
+ again:
+ DPRINTF("sftp_read buf=%p size=%zu", buf, end_of_vec - buf);
+ r = libssh2_sftp_read(s->sftp_handle, buf, end_of_vec - buf);
+ DPRINTF("sftp_read returned %zd", r);
+
+ if (r == LIBSSH2_ERROR_EAGAIN || r == LIBSSH2_ERROR_TIMEOUT) {
+ co_yield(s);
+ goto again;
+ }
+ if (r < 0) {
+ sftp_error_report(s, "read failed");
+ s->offset = -1;
+ return -EIO;
+ }
+ if (r == 0) {
+ /* EOF: Short read so pad the buffer with zeroes and return it. */
+ qemu_iovec_memset(qiov, got, 0, size - got);
+ return 0;
+ }
+
+ got += r;
+ buf += r;
+ s->offset += r;
+ if (buf >= end_of_vec && got < size) {
+ i++;
+ buf = i->iov_base;
+ end_of_vec = i->iov_base + i->iov_len;
+ }
+ }
+
+ return 0;
+}
+
+static coroutine_fn int ssh_co_readv(BlockDriverState *bs,
+ int64_t sector_num,
+ int nb_sectors, QEMUIOVector *qiov)
+{
+ BDRVSSHState *s = bs->opaque;
+ int ret;
+
+ qemu_co_mutex_lock(&s->lock);
+ ret = ssh_read(s, sector_num * BDRV_SECTOR_SIZE,
+ nb_sectors * BDRV_SECTOR_SIZE, qiov);
+ qemu_co_mutex_unlock(&s->lock);
+
+ return ret;
+}
+
+static int ssh_write(BDRVSSHState *s,
+ int64_t offset, size_t size,
+ QEMUIOVector *qiov)
+{
+ ssize_t r;
+ size_t written;
+ char *buf, *end_of_vec;
+ struct iovec *i;
+
+ DPRINTF("offset=%" PRIi64 " size=%zu", offset, size);
+
+ ssh_seek(s, offset, SSH_SEEK_WRITE);
+
+ /* This keeps track of the current iovec element ('i'), where we
+ * will read from next ('buf'), and the end of the current iovec
+ * ('end_of_vec').
+ */
+ i = &qiov->iov[0];
+ buf = i->iov_base;
+ end_of_vec = i->iov_base + i->iov_len;
+
+ for (written = 0; written < size; ) {
+ again:
+ DPRINTF("sftp_write buf=%p size=%zu", buf, end_of_vec - buf);
+ r = libssh2_sftp_write(s->sftp_handle, buf, end_of_vec - buf);
+ DPRINTF("sftp_write returned %zd", r);
+
+ if (r == LIBSSH2_ERROR_EAGAIN || r == LIBSSH2_ERROR_TIMEOUT) {
+ co_yield(s);
+ goto again;
+ }
+ if (r < 0) {
+ sftp_error_report(s, "write failed");
+ s->offset = -1;
+ return -EIO;
+ }
+ /* The libssh2 API is very unclear about this. A comment in
+ * the code says "nothing was acked, and no EAGAIN was
+ * received!" which apparently means that no data got sent
+ * out, and the underlying channel didn't return any EAGAIN
+ * indication. I think this is a bug in either libssh2 or
+ * OpenSSH (server-side). In any case, forcing a seek (to
+ * discard libssh2 internal buffers), and then trying again
+ * works for me.
+ */
+ if (r == 0) {
+ ssh_seek(s, offset + written, SSH_SEEK_WRITE|SSH_SEEK_FORCE);
+ co_yield(s);
+ goto again;
+ }
+
+ written += r;
+ buf += r;
+ s->offset += r;
+ if (buf >= end_of_vec && written < size) {
+ i++;
+ buf = i->iov_base;
+ end_of_vec = i->iov_base + i->iov_len;
+ }
+
+ if (offset + written > s->attrs.filesize)
+ s->attrs.filesize = offset + written;
+ }
+
+ return 0;
+}
+
+static coroutine_fn int ssh_co_writev(BlockDriverState *bs,
+ int64_t sector_num,
+ int nb_sectors, QEMUIOVector *qiov)
+{
+ BDRVSSHState *s = bs->opaque;
+ int ret;
+
+ qemu_co_mutex_lock(&s->lock);
+ ret = ssh_write(s, sector_num * BDRV_SECTOR_SIZE,
+ nb_sectors * BDRV_SECTOR_SIZE, qiov);
+ qemu_co_mutex_unlock(&s->lock);
+
+ return ret;
+}
+
+static int64_t ssh_getlength(BlockDriverState *bs)
+{
+ BDRVSSHState *s = bs->opaque;
+ int64_t length;
+
+ /* Note we cannot make a libssh2 call here. */
+ length = (int64_t) s->attrs.filesize;
+ DPRINTF("length=%" PRIi64, length);
+
+ return length;
+}
+
+static BlockDriver bdrv_ssh = {
+ .format_name = "ssh",
+ .protocol_name = "ssh",
+ .instance_size = sizeof(BDRVSSHState),
+ .bdrv_parse_filename = ssh_parse_filename,
+ .bdrv_file_open = ssh_file_open,
+ .bdrv_create = ssh_create,
+ .bdrv_close = ssh_close,
+ .bdrv_co_readv = ssh_co_readv,
+ .bdrv_co_writev = ssh_co_writev,
+ .bdrv_getlength = ssh_getlength,
+ .create_options = ssh_create_options,
+};
+
+static void bdrv_ssh_init(void)
+{
+ int r;
+
+ r = libssh2_init(0);
+ if (r != 0) {
+ fprintf(stderr, "libssh2 initialization failed, %d\n", r);
+ exit(EXIT_FAILURE);
+ }
+
+ bdrv_register(&bdrv_ssh);
+}
+
+block_init(bdrv_ssh_init);
diff --git a/configure b/configure
index 73df181406..e6c5d2c3f6 100755
--- a/configure
+++ b/configure
@@ -239,6 +239,7 @@ virtio_blk_data_plane=""
gtk=""
gtkabi="2.0"
tpm="no"
+libssh2=""
# parse CC options first
for opt do
@@ -922,6 +923,10 @@ for opt do
;;
--enable-tpm) tpm="yes"
;;
+ --disable-libssh2) libssh2="no"
+ ;;
+ --enable-libssh2) libssh2="yes"
+ ;;
*) echo "ERROR: unknown option $opt"; show_help="yes"
;;
esac
@@ -1182,6 +1187,8 @@ echo " --disable-glusterfs disable GlusterFS backend"
echo " --enable-gcov enable test coverage analysis with gcov"
echo " --gcov=GCOV use specified gcov [$gcov_tool]"
echo " --enable-tpm enable TPM support"
+echo " --disable-libssh2 disable ssh block device support"
+echo " --enable-libssh2 enable ssh block device support"
echo ""
echo "NOTE: The object files are built at the place where configure is launched"
exit 1
@@ -2314,6 +2321,42 @@ EOF
fi
##########################################
+# libssh2 probe
+if test "$libssh2" != "no" ; then
+ cat > $TMPC <<EOF
+#include <stdio.h>
+#include <libssh2.h>
+#include <libssh2_sftp.h>
+int main(void) {
+ LIBSSH2_SESSION *session;
+ session = libssh2_session_init ();
+ (void) libssh2_sftp_init (session);
+ return 0;
+}
+EOF
+
+ if $pkg_config libssh2 --modversion >/dev/null 2>&1; then
+ libssh2_cflags=`$pkg_config libssh2 --cflags`
+ libssh2_libs=`$pkg_config libssh2 --libs`
+ else
+ libssh2_cflags=
+ libssh2_libs="-lssh2"
+ fi
+
+ if compile_prog "$libssh2_cflags" "$libssh2_libs" ; then
+ libssh2=yes
+ libs_tools="$libssh2_libs $libs_tools"
+ libs_softmmu="$libssh2_libs $libs_softmmu"
+ QEMU_CFLAGS="$QEMU_CFLAGS $libssh2_cflags"
+ else
+ if test "$libssh2" = "yes" ; then
+ feature_not_found "libssh2"
+ fi
+ libssh2=no
+ fi
+fi
+
+##########################################
# linux-aio probe
if test "$linux_aio" != "no" ; then
@@ -3435,6 +3478,7 @@ echo "virtio-blk-data-plane $virtio_blk_data_plane"
echo "gcov $gcov_tool"
echo "gcov enabled $gcov"
echo "TPM support $tpm"
+echo "libssh2 support $libssh2"
if test "$sdl_too_old" = "yes"; then
echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -3793,6 +3837,10 @@ if test "$glusterfs" = "yes" ; then
echo "CONFIG_GLUSTERFS=y" >> $config_host_mak
fi
+if test "$libssh2" = "yes" ; then
+ echo "CONFIG_LIBSSH2=y" >> $config_host_mak
+fi
+
if test "$virtio_blk_data_plane" = "yes" ; then
echo 'CONFIG_VIRTIO_BLK_DATA_PLANE=$(CONFIG_VIRTIO)' >> $config_host_mak
fi
diff --git a/qemu-doc.texi b/qemu-doc.texi
index af84bef0e9..5b36004873 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -423,6 +423,7 @@ snapshots.
* disk_images_sheepdog:: Sheepdog disk images
* disk_images_iscsi:: iSCSI LUNs
* disk_images_gluster:: GlusterFS disk images
+* disk_images_ssh:: Secure Shell (ssh) disk images
@end menu
@node disk_images_quickstart
@@ -1038,6 +1039,54 @@ qemu-system-x86_64 -drive file=gluster+unix:///testvol/dir/a.img?socket=/tmp/glu
qemu-system-x86_64 -drive file=gluster+rdma://1.2.3.4:24007/testvol/a.img
@end example
+@node disk_images_ssh
+@subsection Secure Shell (ssh) disk images
+
+You can access disk images located on a remote ssh server
+by using the ssh protocol:
+
+@example
+qemu-system-x86_64 -drive file=ssh://[@var{user}@@]@var{server}[:@var{port}]/@var{path}[?host_key_check=@var{host_key_check}]
+@end example
+
+Alternative syntax using properties:
+
+@example
+qemu-system-x86_64 -drive file.driver=ssh[,file.user=@var{user}],file.host=@var{server}[,file.port=@var{port}],file.path=@var{path}[,file.host_key_check=@var{host_key_check}]
+@end example
+
+@var{ssh} is the protocol.
+
+@var{user} is the remote user. If not specified, then the local
+username is tried.
+
+@var{server} specifies the remote ssh server. Any ssh server can be
+used, but it must implement the sftp-server protocol. Most Unix/Linux
+systems should work without requiring any extra configuration.
+
+@var{port} is the port number on which sshd is listening. By default
+the standard ssh port (22) is used.
+
+@var{path} is the path to the disk image.
+
+The optional @var{host_key_check} parameter controls how the remote
+host's key is checked. The default is @code{yes} which means to use
+the local @file{.ssh/known_hosts} file. Setting this to @code{no}
+turns off known-hosts checking. Or you can check that the host key
+matches a specific fingerprint:
+@code{host_key_check=md5:78:45:8e:14:57:4f:d5:45:83:0a:0e:f3:49:82:c9:c8}
+(@code{sha1:} can also be used as a prefix, but note that OpenSSH
+tools only use MD5 to print fingerprints).
+
+Currently authentication must be done using ssh-agent. Other
+authentication methods may be supported in future.
+
+Note: The ssh driver does not obey disk flush requests (ie. to commit
+data to the backing disk when the guest requests it). This is because
+the underlying protocol (SFTP) does not support this. Thus there is a
+risk of guest disk corruption if the remote server or network goes
+down during writes.
+
@node pcsys_network
@section Network emulation
diff --git a/qemu-options.hx b/qemu-options.hx
index 7cd6002d95..5c115d1cf9 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2107,6 +2107,18 @@ Example for Unix Domain Sockets
qemu-system-i386 --drive file=nbd:unix:/tmp/nbd-socket
@end example
+@item SSH
+QEMU supports SSH (Secure Shell) access to remote disks.
+
+Examples:
+@example
+qemu-system-i386 -drive file=ssh://user@@host/path/to/disk.img
+qemu-system-i386 -drive file.driver=ssh,file.user=user,file.host=host,file.port=22,file.path=/path/to/disk.img
+@end example
+
+Currently authentication must be done using ssh-agent. Other
+authentication methods may be supported in future.
+
@item Sheepdog
Sheepdog is a distributed storage system for QEMU.
QEMU supports using either local sheepdog devices or remote networked