[libvirt] [PATCH v9 1/5] domain: Add optional 'tls' attribute for TCP chardev

Daniel P. Berrange berrange at redhat.com
Tue Oct 18 11:21:06 UTC 2016


On Tue, Oct 18, 2016 at 06:59:57AM -0400, John Ferlan wrote:
> 
> 
> On 10/18/2016 02:27 AM, Pavel Hrdina wrote:
> [...]
> 
> >>
> >> "As default behaviour I think it is desirable that we can turn TLS on
> >> for every VM at once - I tend to view it as a host network integration
> >> task, rather than a VM configuration task. Same rationale that we use
> >> for TLS with VNC/SPICE."
> > 
> > Don't forget this part of the same review:
> > 
> > "There's no reason we can't have a tri-state TLS flag against the chardev
> > in the XML too, to override the default behaviour of cfg->chardevTLS"
> > 
> > That also means to override chardev_tls = "0" by "tls='yes'".
> 
> If the default cfg behaviour is "1", then that tells us "someone" has
> set up the TLS environment and thus the domain/chardev override would be
> "no".
> 
> If the default cfg behaviour is "0", then that means we cannot guarantee
> the environment necessary has been set up and we cannot allow the
> domain/chardev setting to enable TLS.

We have two separate tasks at the host level

 - Setup of TLS certificates (ie put the PEM files in the right places)
 - Global default for use of TLS by chardevs

We only have a config option in qemu.conf for the latter. ie if
chardev_tls=1, this is implicitly saying that TLS certs are deployed
in right place.  IIUC, you're saying that if chardev_tls=0, then we
should interpret that to mean TLS certs are *not* deployed.

Pavel is saying that if chardev_tls=0 in qemu.conf, and tls=1 in the
XML, then we should assume that TLS certs *are* deployed on the host
in the right place. I think this is not unreasonable - we can easily
check to see if the certs exist on disk in this case.

IOW, I agree that we should have a tri-state at the XML level

 - no tls attribute in XML - honour chardev_tls from qemu.conf
 - tls=1 in XML, then turn on TLS
 - tls=0 in XML, then don't use TLS

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
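The tri-state resolution Daniel describes, written out as an added example; this is not libvirt code, and the type and function names (chardev_tls_t, chardev_tls_resolve, chardev_tls_resolve_attr, chardev_tls_certs_present, chardev_tls_make_fixture) and the PEM file names checked in the cert directory are assumptions for the example. The XML attribute wins when present, otherwise the qemu.conf chardev_tls default applies, and whenever TLS ends up enabled the code confirms the certificates are actually on disk, which covers the chardev_tls=0 plus tls='yes' case discussed above and also guards the chardev_tls=1 case:

```c
/* Added example, not libvirt code: resolving the tri-state chardev TLS flag.
 * All names below are assumptions for this example. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

typedef enum {
    CHARDEV_TLS_DEFAULT = 0, /* no tls attribute in the XML: honour qemu.conf */
    CHARDEV_TLS_YES,         /* tls='yes' in the XML */
    CHARDEV_TLS_NO,          /* tls='no' in the XML */
} chardev_tls_t;

/* Map the XML attribute value to the tri-state; NULL means the attribute is absent.
 * Returns -1 for a value that is neither "yes" nor "no". */
int chardev_tls_parse(const char *attr, chardev_tls_t *out)
{
    if (attr == NULL) { *out = CHARDEV_TLS_DEFAULT; return 0; }
    if (strcmp(attr, "yes") == 0) { *out = CHARDEV_TLS_YES; return 0; }
    if (strcmp(attr, "no") == 0)  { *out = CHARDEV_TLS_NO;  return 0; }
    return -1;
}

/* PEM files assumed to make up a deployed x509 credential set in cert_dir. */
static const char *const chardev_tls_pem_files[] = {
    "ca-cert.pem", "server-cert.pem", "server-key.pem",
};
#define CHARDEV_TLS_NPEM (sizeof(chardev_tls_pem_files) / sizeof(chardev_tls_pem_files[0]))

/* True only if every PEM file exists as a regular file in dir. */
bool chardev_tls_certs_present(const char *dir)
{
    char path[4096];
    struct stat st;
    for (size_t i = 0; i < CHARDEV_TLS_NPEM; i++) {
        snprintf(path, sizeof(path), "%s/%s", dir, chardev_tls_pem_files[i]);
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            return false;
    }
    return true;
}

/* Decide whether this chardev uses TLS.
 * Precedence: explicit XML attribute, then the chardev_tls default from qemu.conf.
 * Returns 1 = use TLS, 0 = plain TCP, -1 = TLS wanted but certs are not deployed. */
int chardev_tls_resolve(bool cfg_chardev_tls, chardev_tls_t xml, const char *cert_dir)
{
    bool use_tls;
    switch (xml) {
    case CHARDEV_TLS_YES: use_tls = true;  break;
    case CHARDEV_TLS_NO:  use_tls = false; break;
    default:              use_tls = cfg_chardev_tls; break;
    }
    if (!use_tls)
        return 0;
    return chardev_tls_certs_present(cert_dir) ? 1 : -1;
}

/* Convenience wrapper taking the raw attribute string; -2 = attribute value invalid. */
int chardev_tls_resolve_attr(bool cfg_chardev_tls, const char *attr, const char *cert_dir)
{
    chardev_tls_t xml;
    if (chardev_tls_parse(attr, &xml) != 0)
        return -2;
    return chardev_tls_resolve(cfg_chardev_tls, xml, cert_dir);
}

/* Test fixture only: create dir with the three (empty) PEM files. Returns 0 on success. */
int chardev_tls_make_fixture(const char *dir)
{
    char path[4096];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    for (size_t i = 0; i < CHARDEV_TLS_NPEM; i++) {
        snprintf(path, sizeof(path), "%s/%s", dir, chardev_tls_pem_files[i]);
        FILE *f = fopen(path, "w");
        if (!f)
            return -1;
        fclose(f);
    }
    return 0;
}

int main(void)
{
    const char *dir = "/tmp/chardev_tls_example";          /* constructed fixture */
    const char *missing = "/tmp/chardev_tls_example_missing"; /* no certs here */
    if (chardev_tls_make_fixture(dir) != 0)
        return 1;
    printf("chardev_tls=0, tls='yes', certs deployed -> %d\n", chardev_tls_resolve_attr(false, "yes", dir));
    printf("chardev_tls=0, tls='yes', certs missing  -> %d\n", chardev_tls_resolve_attr(false, "yes", missing));
    printf("chardev_tls=1, no attribute              -> %d\n", chardev_tls_resolve_attr(true, NULL, dir));
    printf("chardev_tls=1, tls='no'                  -> %d\n", chardev_tls_resolve_attr(true, "no", dir));
    return 0;
}
```

The -1 result is the case worth surfacing as a configuration error at domain start rather than silently falling back to plaintext: the XML asked for TLS, so a missing credential set should fail the chardev, not downgrade it.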