[libvirt] [RFC] new preferences requirement

Dan Kenigsberg danken at redhat.com
Mon Dec 6 11:48:00 UTC 2010


On Mon, Dec 06, 2010 at 10:32:21AM +0000, Daniel P. Berrange wrote:
> On Thu, Dec 02, 2010 at 11:38:26PM +0200, Dan Kenigsberg wrote:
> > On Wed, Dec 01, 2010 at 10:26:35AM +0000, Daniel P. Berrange wrote:
> > > On Wed, Dec 01, 2010 at 05:35:38PM +0800, Osier Yang wrote:
> > > > Hi, all
> > > > 
> > > >    We have some new requirements for preferences; I have listed
> > > > the ones I know of and think are useful, as follows:
> > > > 
> > > > 1) for the path of x509 certificate and keys of client
> > > > 
> > > >    The path of x509 certificate and keys of client is hard
> > > > coded in remote driver. e.g.
> > > > 
> > > >    /* Defaults for PKI directory. */
> > > >    # define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
> > > >    # define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
> > > >    # define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
> > > >    # define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
> > > 
> > > We can't assume one set of certs/keys is suitable for all
> > > URIs, so making this a preference setting doesn't help. There
> > > needs to be a parameter in the URI to specify a cert/key name
> > > to override the defaults on a per-connection basis
> > 
> > As much as I disliked adding long ugly filenames to the URI, I do not
> > see any way around it now. A single client application may need to open
> > two connections with different cert/key pairs, so a single client.conf
> > or environment variables won't cut it.
> 
> NB, I wasn't really suggesting adding the long filenames. Instead
> I'd suggest adding some cert "name" tag, and use that to formulate
> the filenames according to some pattern,
> 
>   eg
>     $HOME/.libvirt/$name/cacert.pem
>     $HOME/.libvirt/$name/clientcert.pem
>     $HOME/.libvirt/$name/clientkey.pem

(but make sure it works for homeless daemons, too)
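A sketch of the per-connection cert "name" scheme proposed above, as an added example that is not part of the thread or of libvirt's code. It assumes a hypothetical `certname` URI query parameter for the name tag, SYSCONFDIR of `/etc` for the quoted defaults, and, for a homeless daemon with no HOME, an assumed system-wide `/etc/pki/libvirt/$name/` directory in place of `$HOME/.libvirt/$name/`; the name is restricted to a single path component so that a URI cannot steer the lookup outside those directories.

```python
"""Prototype resolver for per-connection client cert/key paths (example code)."""
import os
import re
from urllib.parse import parse_qs, urlsplit

# Hard-coded remote-driver defaults quoted in the thread, with SYSCONFDIR assumed
# to be /etc.
SYSTEM_PKI_DIR = "/etc/pki"
SYSTEM_DEFAULTS = {
    "cacert": SYSTEM_PKI_DIR + "/CA/cacert.pem",
    "clientcert": SYSTEM_PKI_DIR + "/libvirt/clientcert.pem",
    "clientkey": SYSTEM_PKI_DIR + "/libvirt/private/clientkey.pem",
}

# A cert name must be one plain path component: alphanumerics, '_', '-' and '.',
# no slashes, no leading dot (so "..", ".hidden" and "%2F" tricks are rejected).
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def is_valid_certname(name):
    """True if `name` is safe to use as a directory component."""
    return bool(_NAME_RE.match(name))


def resolve_pki_paths(uri, home=None):
    """Map a libvirt-style URI to {cacert, clientcert, clientkey} file paths.

    `certname` is a hypothetical query parameter standing in for the proposed
    "name" tag. Without it the hard-coded defaults are returned unchanged.
    `home` defaults to $HOME; when that is unset or empty (a homeless daemon)
    the named directory is looked up under an assumed system-wide location.
    """
    names = parse_qs(urlsplit(uri).query).get("certname", [])
    if not names:
        return dict(SYSTEM_DEFAULTS)
    name = names[0]
    if not is_valid_certname(name):
        raise ValueError("invalid certname %r" % name)
    if home is None:
        home = os.environ.get("HOME", "")
    if home:
        base = os.path.join(home, ".libvirt", name)
    else:
        # Homeless daemon: no per-user directory, use /etc/pki/libvirt/$name (assumed).
        base = os.path.join(SYSTEM_PKI_DIR, "libvirt", name)
    return {
        "cacert": os.path.join(base, "cacert.pem"),
        "clientcert": os.path.join(base, "clientcert.pem"),
        "clientkey": os.path.join(base, "clientkey.pem"),
    }
```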




More information about the libvir-list mailing list