[libvirt] Libvirt 0.8.7 installer ready for testing

Matthias Bolte matthias.bolte at googlemail.com
Mon Jan 10 14:51:42 UTC 2011


2011/1/8 Justin Clift <jclift at redhat.com>:
> Hi guys,
>
> Created the windows libvirt 0.8.7 installer using Matthias's updated scripting:
>
>  http://libvirt.org/sources/win32_experimental/Libvirt-0.8.7-0.exe
>
> Does someone have time to test and confirm it's ok, before we point to it from
> the website?
>
> Arnaud, this version of the installer adds the virsh bin directory to the system PATH
> variable.  So I'm thinking we don't need to copy the libvirt DLLs around, when using
> your C# bindings.
>
> If you have time to test that, it would be great.  Could then update the web page
> with that info. :)
>
> Regards and best wishes,
>
> Justin Clift

The readme suggests (at least to me) that the TLS certs for libvirt's
TLS transport and the ESX driver using HTTPS are the same:

"TLS certificates are needed prior to connecting to either
QEMU instances with TLS, or connecting to VMware
ESX/vSphere."

Yes, the ESX driver (actually libcurl) needs to know the cacert.pem
for the key that signed the HTTPS certificate in order to verify the
server's certificate. That's what you can disable using the
no_verify=1 query parameter. But HTTPS doesn't do mutual verification
as libvirt's TLS transport does. There is no clientcert/key.pem
involved in HTTPS.

The ESX driver could tell libcurl to add libvirt's cacert.pem to the
certificate pool that libcurl uses to verify the HTTPS certificate.
Currently it doesn't do this and libcurl just uses the common
certificate pool provided by the OS. A while ago I tested this
(generating and using a certificate set independent from libvirt ones
for ESX) and it worked on Ubuntu. I didn't test this on Windows yet,
but I've added this to my todo list now.

Another thing is that the installer adds the bin directory to the path
unconditionally. I'd suggest asking the user to choose this, for
example like the msysGit InnoSetup-based installer does.

The rest looks good :)

Matthias
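
The server-verification behaviour described in the message above, sketched as an added example that is not part of the original post and is not libvirt or libcurl code. It uses Python's `ssl` module as a stand-in for libcurl; the host name, the `extra_ca_file` parameter and the rejection of values other than 0 or 1 are assumptions of this example.

```python
import ssl
from urllib.parse import urlsplit, parse_qs


def tls_context_for(uri, extra_ca_file=None):
    """Build a client TLS context for an esx:// style URI.

    Default: verify the server against the OS certificate pool.
    extra_ca_file: additionally trust this CA (e.g. a private cacert.pem).
    no_verify=1: skip server verification entirely.
    """
    values = parse_qs(urlsplit(uri).query).get("no_verify", ["0"])
    if values[-1] not in ("0", "1"):
        # Assumption of this example: refuse ambiguous values instead of
        # silently falling back to either behaviour.
        raise ValueError("no_verify must be 0 or 1")

    # Loads the OS certificate pool, requires a valid server certificate
    # and checks that it matches the host name.
    ctx = ssl.create_default_context()

    if values[-1] == "1":
        # Order matters: check_hostname must be off before CERT_NONE is set.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif extra_ca_file is not None:
        # Adds to the pool; the OS-provided roots stay trusted as well.
        ctx.load_verify_locations(cafile=extra_ca_file)

    # No load_cert_chain() call anywhere: the client presents no
    # certificate, so authentication is one-way (server only).
    return ctx


def summarize(uri, extra_ca_file=None):
    """Return the effective verification settings as plain values."""
    ctx = tls_context_for(uri, extra_ca_file)
    return {
        "verify_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    # Constructed sample URIs.
    for uri in ("esx://esx.example.test/", "esx://esx.example.test/?no_verify=1"):
        print(uri, summarize(uri))
```

With `no_verify=1` the connection is still encrypted, but the server's identity is not checked at all, so the setting belongs in test setups rather than in stored connection URIs.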
