[libvirt] [PATCH 02/13] conf: Introduce migrate_tls_x509_cert_dir

Jiri Denemark jdenemar at redhat.com
Mon Feb 20 16:03:16 UTC 2017 

On Fri, Feb 17, 2017 at 14:39:19 -0500, John Ferlan wrote:
> Add a new TLS X.509 certificate type - "migrate". This will handle the
> creation of a TLS certificate capability (and possibly repository) to
> be used for migrations. Similar to chardev's, credentials will be handled
> via a libvirt secrets.
> 
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
>  src/qemu/libvirtd_qemu.aug         |  6 ++++++
>  src/qemu/qemu.conf                 | 39 ++++++++++++++++++++++++++++++++++++++
>  src/qemu/qemu_conf.c               |  2 ++
>  src/qemu/qemu_conf.h               |  5 +++++
>  src/qemu/test_libvirtd_qemu.aug.in |  4 ++++
>  5 files changed, 56 insertions(+)
> 
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 82bae9e..18679c1 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -54,6 +54,11 @@ module Libvirtd_qemu =
>                   | bool_entry "chardev_tls_x509_verify"
>                   | str_entry "chardev_tls_x509_secret_uuid"
>  
> +   let migrate_entry = bool_entry "migrate_tls"
> +                 | str_entry "migrate_tls_x509_cert_dir"
> +                 | bool_entry "migrate_tls_x509_verify"
> +                 | str_entry "migrate_tls_x509_secret_uuid"
> +
>     let nogfx_entry = bool_entry "nographics_allow_host_audio"
>  
>     let remote_display_entry = int_entry "remote_display_port_min"
> @@ -116,6 +121,7 @@ module Libvirtd_qemu =
>               | vnc_entry
>               | spice_entry
>               | chardev_entry
> +             | migrate_entry
>               | nogfx_entry
>               | remote_display_entry
>               | security_entry
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 97d769d..83d91b6 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -238,6 +238,45 @@
>  #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
>  
>  
> +# Enable use of TLS encryption for migration
> +#
> +# It is necessary to setup CA and issue a server certificate
> +# before enabling this.
> +#
> +#migrate_tls = 1

Actually what is this option supposed to do? It seems it doesn't do
anything but saying "yes, I configured TLS for migration". The TLS usage
for migration is turned on by VIR_MIGRATE_TLS flag which suggests the
configuration option here is useless.

Jirka

More information about the libvir-list mailing list