[libvirt] [PATCH v2 1/6] conf: Add new default TLS X.509 certificate default directory
Daniel P. Berrange
berrange at redhat.com
Thu Jun 16 13:20:27 UTC 2016
On Thu, Jun 16, 2016 at 06:42:22AM -0400, John Ferlan wrote:
> Rather than specify perhaps multiple TLS X.509 certificate directories,
> let's create a "default" directory which can then be used if the service
> (e.g. for now vnc and spice) does not supply a default directory.
>
> Since the default for vnc and spice may have existed before without being
> supplied, the default check will first check if the service specific path
> exists and if so, set the cfg entry to that; otherwise, the default will
> be set to the (now) new defaultTLSx509certdir.
>
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
> src/qemu/libvirtd_qemu.aug | 5 ++++-
> src/qemu/qemu.conf | 36 ++++++++++++++++-----------------
> src/qemu/qemu_conf.c | 41 ++++++++++++++++++++++++++++++++------
> src/qemu/qemu_conf.h | 2 ++
> src/qemu/test_libvirtd_qemu.aug.in | 1 +
> 5 files changed, 60 insertions(+), 25 deletions(-)
>
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 8bc23ba..39b3a34 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -24,6 +24,8 @@ module Libvirtd_qemu =
>
>
> (* Config entry grouped by function - same order as example config *)
> + let default_tls_entry = str_entry "default_tls_x509_cert_dir"
> +
> let vnc_entry = str_entry "vnc_listen"
> | bool_entry "vnc_auto_unix_socket"
> | bool_entry "vnc_tls"
> @@ -93,7 +95,8 @@ module Libvirtd_qemu =
> let nvram_entry = str_array_entry "nvram"
>
> (* Each entry in the config is one of the following ... *)
> - let entry = vnc_entry
> + let entry = default_tls_entry
> + | vnc_entry
> | spice_entry
> | nogfx_entry
> | remote_display_entry
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 7964273..72acdfb 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -2,6 +2,16 @@
> # All settings described here are optional - if omitted, sensible
> # defaults are used.
>
> +# Use of TLS requires that x509 certificates be issued. The default is
> +# to keep them in /etc/pki/libvirt-default. This directory must contain
> +#
> +# ca-cert.pem - the CA master certificate
> +# server-cert.pem - the server certificate signed with ca-cert.pem
> +# server-key.pem - the server private key
> +#
> +#default_tls_x509_cert_dir = "/etc/pki/libvirt-default"
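Review bot: the comment block above `#default_tls_x509_cert_dir` does not say when this directory is actually consulted. The commit message explains that the service-specific directories (vnc, spice) take precedence and that an existing legacy service-specific path is preferred before falling back to this default, but a reader of qemu.conf alone cannot tell that an existing service-specific directory silently overrides this setting. Suggest adding a line such as `# Used only when a service (e.g. vnc, spice) does not supply its own directory` after the file list, and, since this is the first place the private key location is described, noting that server-key.pem must be readable only by the daemon user.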
Oh, just remembered we should add a
default_tls_x509_verify = 1|0
to control how we set the 'verify-peer' config option on the TLS
certs (ie whether we mandate the client provide a x509 cert as a
crude form of authorization, as opposed to letting any client
connect).
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|