[libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir
Jiri Denemark
jdenemar at redhat.com
Wed Mar 22 16:26:40 UTC 2017
On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote:
> Add a new TLS X.509 certificate type - "migrate". This will handle the
> creation of a TLS certificate capability (and possibly repository) to
> be used for migrations. Similar to chardev's, credentials will be handled
> via a libvirt secrets; however, unlike chardev's enablement and usage
> will be via a CLI flag instead of a conf flag and a domain XML attribute.
> The migrations will also require the client-cert.pem and client-key.pem
> files to be present in the clients TLS directory.
>
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
> src/qemu/libvirtd_qemu.aug | 5 +++++
> src/qemu/qemu.conf | 37 +++++++++++++++++++++++++++++++++++++
> src/qemu/qemu_conf.c | 6 ++++++
> src/qemu/qemu_conf.h | 4 ++++
> src/qemu/test_libvirtd_qemu.aug.in | 3 +++
> 5 files changed, 55 insertions(+)
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 9925ac9..40bcec3 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
...
> +# In order to override the default TLS certificate location for migration
> +# certificates, supply a valid path to the certificate directory. If the
> +# provided path does not exist then the default_tls_x509_cert_dir path
> +# will be used. Once/if a default certificate is enabled/defined, migration
> +# will then be able to use the certificate via migration API flags.
> +#
> +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
> +
> +
> +# The default TLS configuration only uses certificates for the server
> +# allowing the client to verify the server's identity and establish
> +# an encrypted channel.
> +#
> +# It is possible to use x509 certificates for authentication too, by
> +# issuing a x509 certificate to every client who needs to connect.
s/a x509/an x509/
> +#
> +# Enabling this option will reject any client who does not have a
> +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem
"ca-cert.pem in migrate_tls_x509_cert_dir" or something like that.
Mentioning /etc/pki/libvirt-migrate might be quite confusing.
> +#
> +#migrate_tls_x509_verify = 1
...
ACK with the comments fixed.
Jirka
More information about the libvir-list
mailing list