[libvirt] [PATCH 02/13] conf: Introduce migrate_tls_x509_cert_dir

Thu Feb 23 13:10:18 UTC 2017

On 02/21/2017 06:43 AM, Jiri Denemark wrote:
> On Mon, Feb 20, 2017 at 14:28:42 -0500, John Ferlan wrote:
>> On 02/20/2017 11:03 AM, Jiri Denemark wrote:
>>> On Fri, Feb 17, 2017 at 14:39:19 -0500, John Ferlan wrote:
>>>> +# Enable use of TLS encryption for migration
>>>> +#
>>>> +# It is necessary to setup CA and issue a server certificate
>>>> +# before enabling this.
>>>> +#
>>>> +#migrate_tls = 1
>>>
>>> Actually what is this option supposed to do? It seems it doesn't do
>>> anything but saying "yes, I configured TLS for migration". The TLS usage
>>> for migration is turned on by VIR_MIGRATE_TLS flag which suggests the
>>> configuration option here is useless.
>>
>> It more or less follows the same logic for chardev's which got an
>> additional 'tls="yes"' to allow one to enable/disable an object in a
>> domain on a case by case basis if chardev tls was enabled for the host.
>>
>> See: http://libvirt.org/formatdomain.html#elementsConsole
>>
>> and search down for 'tls'
>>
>> So my feeling while coding was - if I don't supply some sort of way to
>> have an option to allow someone to choose to use the configured TLS
>> environment for the migration, I'd end up being asked to add one since
>> chardev has it.
> 
> The problem is chardevs and migration are quite different. While you can
> easily have a default configuration for chardevs and use tls="yes|no" to
> override it (no tls attribute will just tell libvirt to use the
> default), it's not really possible with migration API. API flags have
> not two states (in contrast to three-state boolean attributes in XML).
> Setting VIR_MIGRATE_TLS flag turns TLS on and using the flag turns TLS
> off. That is the default value is not used anywhere. If VIR_MIGRATE_TLS
> flag is used, the code checks migrate_tls is 1. Which translates to
> "yes, I configured TLS for migration" semantics of the configuration
> option.
> 
> In other words, it makes sense to have the configuration option for
> devices defined in the XML, but using it for migration doesn't make any
> sense. This would of course mean its parsing would need to be moved out
> of the macro introduced in 1/13 and used for chardevs only.
> 
> Jirka
> 

So I've circled back around to this...  It seems like you're advocating
the removal of the VIR_MIGRATE_TLS flag - which is fine.  The only
question I'd have for that is would there be a scenario/case where TLS
for migration was defined on the host, but someone would prefer to not
use it for migration. Or perhaps someone sets up the migrate_tls for
some external LAN, but sometimes wants to migrate inside the LAN -
having to reconfigure migrate_tls each time would seem to be more work
than necessary so having a flag and config value would be desirable.

IDC either way... Is there a preference?

John