[libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

John Ferlan jferlan at redhat.com
Wed Mar 22 18:52:28 UTC 2017 


On 03/22/2017 12:26 PM, Jiri Denemark wrote:
> On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote:
>> Add a new TLS X.509 certificate type - "migrate". This will handle the
>> creation of a TLS certificate capability (and possibly repository) to
>> be used for migrations. Similar to chardev's, credentials will be handled
>> via a libvirt secrets; however, unlike chardev's enablement and usage
>> will be via a CLI flag instead of a conf flag and a domain XML attribute.
>> The migrations will also require the client-cert.pem and client-key.pem
>> files to be present in the clients TLS directory.
>>
>> Signed-off-by: John Ferlan <jferlan at redhat.com>
>> ---
>>  src/qemu/libvirtd_qemu.aug         |  5 +++++
>>  src/qemu/qemu.conf                 | 37 +++++++++++++++++++++++++++++++++++++
>>  src/qemu/qemu_conf.c               |  6 ++++++
>>  src/qemu/qemu_conf.h               |  4 ++++
>>  src/qemu/test_libvirtd_qemu.aug.in |  3 +++
>>  5 files changed, 55 insertions(+)
>>
>> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>> index 9925ac9..40bcec3 100644
>> --- a/src/qemu/qemu.conf
>> +++ b/src/qemu/qemu.conf
> ...
>> +# In order to override the default TLS certificate location for migration
>> +# certificates, supply a valid path to the certificate directory. If the
>> +# provided path does not exist then the default_tls_x509_cert_dir path
>> +# will be used. Once/if a default certificate is enabled/defined, migration
>> +# will then be able to use the certificate via migration API flags.
>> +#
>> +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
>> +
>> +
>> +# The default TLS configuration only uses certificates for the server
>> +# allowing the client to verify the server's identity and establish
>> +# an encrypted channel.
>> +#
>> +# It is possible to use x509 certificates for authentication too, by
>> +# issuing a x509 certificate to every client who needs to connect.
> 
> s/a x509/an x509/
> 
>> +#
>> +# Enabling this option will reject any client who does not have a
>> +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem
> 
> "ca-cert.pem in migrate_tls_x509_cert_dir" or something like that.
> Mentioning /etc/pki/libvirt-migrate might be quite confusing.
> 

The is a cut-n-paste of the libvirt-vnc and libvirt-chardev - would you
like to see those changed as well (in a separate patch).

It now reads:

# Enabling this option will reject any client who does not have a
# ca-cert.pem certificate signed by the CA in migrate_tls_x509_cert_dir
# (or default_tls_x509_cert_dir).

John


<grumble, grumble> if certificates were any less confusing they may
actually be more widely used. It's really confusing that libvirtd
expects one set of names, while a different set of names is expected by
qemu - so while one could conceivably share "copied" .pem files one
could not share the libvirtd and qemu TLS directories unless both files
were present...

qemu expects in say /etc/pki/qemu:

ca-cert.pem
client-cert.pem
client-key.pem
server-cert.pem
server-key.pem

libvirtd expects:
/etc/pki/CA/cacert.pem
/etc/pki/libvirt/clientcert.pem
/etc/pki/libvirt/servercert.pem
/etc/pki/libvirt/private/clientkey.pem
/etc/pki/libvirt/private/serverkey.pem

>> +#
>> +#migrate_tls_x509_verify = 1
> ...
> 
> ACK with the comments fixed.
> 
> Jirka
>

More information about the libvir-list mailing list