[libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

Jiri Denemark jdenemar at redhat.com
Thu Mar 23 08:24:55 UTC 2017 

On Wed, Mar 22, 2017 at 14:52:28 -0400, John Ferlan wrote:
> 
> 
> On 03/22/2017 12:26 PM, Jiri Denemark wrote:
> > On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote:
> >> Add a new TLS X.509 certificate type - "migrate". This will handle the
> >> creation of a TLS certificate capability (and possibly repository) to
> >> be used for migrations. Similar to chardev's, credentials will be handled
> >> via a libvirt secrets; however, unlike chardev's enablement and usage
> >> will be via a CLI flag instead of a conf flag and a domain XML attribute.
> >> The migrations will also require the client-cert.pem and client-key.pem
> >> files to be present in the clients TLS directory.
> >>
> >> Signed-off-by: John Ferlan <jferlan at redhat.com>
> >> ---
> >>  src/qemu/libvirtd_qemu.aug         |  5 +++++
> >>  src/qemu/qemu.conf                 | 37 +++++++++++++++++++++++++++++++++++++
> >>  src/qemu/qemu_conf.c               |  6 ++++++
> >>  src/qemu/qemu_conf.h               |  4 ++++
> >>  src/qemu/test_libvirtd_qemu.aug.in |  3 +++
> >>  5 files changed, 55 insertions(+)
> >>
> >> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> >> index 9925ac9..40bcec3 100644
> >> --- a/src/qemu/qemu.conf
> >> +++ b/src/qemu/qemu.conf
> > ...
> >> +# In order to override the default TLS certificate location for migration
> >> +# certificates, supply a valid path to the certificate directory. If the
> >> +# provided path does not exist then the default_tls_x509_cert_dir path
> >> +# will be used. Once/if a default certificate is enabled/defined, migration
> >> +# will then be able to use the certificate via migration API flags.
> >> +#
> >> +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
> >> +
> >> +
> >> +# The default TLS configuration only uses certificates for the server
> >> +# allowing the client to verify the server's identity and establish
> >> +# an encrypted channel.
> >> +#
> >> +# It is possible to use x509 certificates for authentication too, by
> >> +# issuing a x509 certificate to every client who needs to connect.
> > 
> > s/a x509/an x509/
> > 
> >> +#
> >> +# Enabling this option will reject any client who does not have a
> >> +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem
> > 
> > "ca-cert.pem in migrate_tls_x509_cert_dir" or something like that.
> > Mentioning /etc/pki/libvirt-migrate might be quite confusing.
> 
> The is a cut-n-paste of the libvirt-vnc and libvirt-chardev - would you
> like to see those changed as well (in a separate patch).

Yeah, I think it would make sense to fix them too.

Jirka

More information about the libvir-list mailing list