[libvirt] [PATCH v10 2/4] domain: Add optional 'tls' attribute for TCP chardev
Pavel Hrdina
phrdina at redhat.com
Thu Oct 20 07:29:15 UTC 2016
On Thu, Oct 20, 2016 at 08:51:45AM +0200, Pavel Hrdina wrote:
> On Wed, Oct 19, 2016 at 04:53:54PM -0400, John Ferlan wrote:
> > Add an optional "tls='yes|no'" attribute for a TCP chardev.
> >
> > For QEMU, this will allow for disabling the host config setting of the
> > 'chardev_tls' for a domain chardev channel by setting the value to "no" or
> > to attempt to use a host TLS environment when setting the value to "yes"
> > when the host config 'chardev_tls' setting is disabled, but a TLS environment
> > is configured via either the host config 'chardev_tls_x509_cert_dir' or
> > 'default_tls_x509_cert_dir'
> >
> > Alter qemuDomainSupportTLSChardevTCP to augment the decision points for
> > choosing whether to try to use TLS.
> >
> > Signed-off-by: John Ferlan <jferlan at redhat.com>
> > ---
> > docs/formatdomain.html.in | 28 ++++++++++++
> > docs/schemas/domaincommon.rng | 5 +++
> > src/conf/domain_conf.c | 22 +++++++++-
> > src/conf/domain_conf.h | 1 +
> > src/qemu/qemu_command.c | 2 +-
> > src/qemu/qemu_domain.c | 20 +++++++--
> > src/qemu/qemu_domain.h | 3 +-
> > src/qemu/qemu_hotplug.c | 4 +-
> > ...uxml2argv-serial-tcp-tlsx509-chardev-notls.args | 30 +++++++++++++
> > ...muxml2argv-serial-tcp-tlsx509-chardev-notls.xml | 50 ++++++++++++++++++++++
> > tests/qemuxml2argvtest.c | 3 ++
> > ...xml2xmlout-serial-tcp-tlsx509-chardev-notls.xml | 1 +
> > tests/qemuxml2xmltest.c | 1 +
> > 13 files changed, 162 insertions(+), 8 deletions(-)
> > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.args
> > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.xml
> > create mode 120000 tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev-notls.xml
> >
> > diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> > index 9051178..da6be67 100644
> > --- a/docs/formatdomain.html.in
> > +++ b/docs/formatdomain.html.in
> > @@ -6204,6 +6204,34 @@ qemu-kvm -net nic,model=? /dev/null
> > </devices>
> > ...</pre>
> >
> > + <p>
> > + <span class="since">Since 2.4.0,</span> the optional attribute
> > + <code>tls</code> can be used to control whether a serial chardev
Remove reference to "serial" because this is valid for all chardevs.
Pavel
> > + TCP communication channel would utilize a hypervisor configured
> > + TLS X.509 certificate environment in order to encrypt the data
> > + channel. For the QEMU hypervisor, usage of a TLS envronment can
> > + be controlled on the host by the <code>chardev_tls</code> and
> > + <code>chardev_tls_x509_cert_dir</code> or
> > + <code>default_tls_x509_cert_dir</code> settings in the file
> > + /etc/libvirt/qemu.conf. If <code>chardev_tls</code> is enabled,
> > + then unless the <code>tls</code> attribute is set to "no", libvirt
> > + will use the host configured TLS environment.
> > + If <code>chardev_tls</code> is disabled, but the <code>tls</code>
> > + attribute is set to "yes", then libvirt will attempt to use the
> > + host TLS environment if either the <code>chardev_tls_x509_cert_dir</code>
> > + or <code>default_tls_x509_cert_dir</code> TLS directory structure exists.
> > + </p>
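Review bot: "envronment" in the new paragraph (the line "channel. For the QEMU hypervisor, usage of a TLS envronment can") is a typo for "environment". The paragraph also leaves one case undocumented: when chardev_tls is disabled and the domain sets tls="yes" but neither chardev_tls_x509_cert_dir nor default_tls_x509_cert_dir exists, it says libvirt "will attempt to use" TLS without saying whether the chardev then starts unencrypted or the domain fails to start. Spelling out that outcome matters here, because an administrator who set tls="yes" needs to know whether a missing certificate directory silently yields a plain-text channel.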
[...]
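To make the decision described in the commit message and the documentation text concrete, here is an added illustration in C that models the rules as stated (chardev_tls host setting, the optional per-chardev tls="yes|no" attribute, and the existence of either certificate directory). It is not libvirt's code and does not reproduce qemuDomainSupportTLSChardevTCP; the enum, struct and function names are hypothetical, and the certificate-directory check is a plain stat() on whatever paths are passed in.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>

/* Tri-state for the optional tls='yes|no' attribute on a TCP chardev:
 * attribute absent, "yes", or "no". (Hypothetical type, not libvirt's.) */
typedef enum {
    CHARDEV_TLS_DEFAULT = 0,   /* attribute not given in the domain XML */
    CHARDEV_TLS_YES,
    CHARDEV_TLS_NO,
} chardev_tls_attr;

/* Host-side settings as an administrator would set them in qemu.conf.
 * Field names mirror the keys the patch documents; the struct is ours. */
typedef struct {
    bool chardev_tls;                        /* chardev_tls = 1|0 */
    const char *chardev_tls_x509_cert_dir;   /* NULL when unset */
    const char *default_tls_x509_cert_dir;   /* NULL when unset */
} host_tls_config;

/* True if 'path' names an existing directory. */
static bool dir_exists(const char *path)
{
    struct stat st;
    if (path == NULL || stat(path, &st) != 0)
        return false;
    return S_ISDIR(st.st_mode);
}

/* Decide whether a TCP chardev gets a TLS-wrapped channel, following the
 * rules the patch documents:
 *  - chardev_tls enabled:  use TLS unless the domain says tls='no'.
 *  - chardev_tls disabled: use TLS only if the domain says tls='yes' and at
 *    least one of the configured certificate directories exists.
 * Every other combination yields a plain-text channel. */
bool chardev_tcp_use_tls(const host_tls_config *host, chardev_tls_attr attr)
{
    if (host->chardev_tls)
        return attr != CHARDEV_TLS_NO;

    if (attr == CHARDEV_TLS_YES)
        return dir_exists(host->chardev_tls_x509_cert_dir) ||
               dir_exists(host->default_tls_x509_cert_dir);

    return false;
}

/* Prints the decision table for a given host configuration. */
static void print_decisions(const char *label, const host_tls_config *host)
{
    static const char *const names[] = { "(absent)", "yes", "no" };
    for (int a = CHARDEV_TLS_DEFAULT; a <= CHARDEV_TLS_NO; a++)
        printf("%s, tls=%-8s -> %s\n", label, names[a],
               chardev_tcp_use_tls(host, (chardev_tls_attr)a) ? "TLS" : "plain");
}

int main(void)
{
    /* Constructed sample paths: "/" exists on any POSIX host, the other
     * path is deliberately one that should not exist. */
    const host_tls_config enabled  = { true,  NULL, NULL };
    const host_tls_config disabled_with_dir = { false, "/nonexistent-cert-dir-for-demo", "/" };
    const host_tls_config disabled_no_dir   = { false, "/nonexistent-cert-dir-for-demo", NULL };

    print_decisions("chardev_tls=1            ", &enabled);
    print_decisions("chardev_tls=0, dir exists", &disabled_with_dir);
    print_decisions("chardev_tls=0, no dir    ", &disabled_no_dir);
    return 0;
}
```

The point to notice when reading the table: with chardev_tls disabled, tls="yes" is a request rather than a guarantee, and a missing certificate directory turns it into a plain-text channel, which is why the documentation text should say so explicitly.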