[libvirt] [PATCH v9 1/4] conf: Introduce TLS options for VxHS block device clients
Peter Krempa
pkrempa at redhat.com
Wed Sep 27 14:27:21 UTC 2017
On Wed, Sep 27, 2017 at 15:27:15 +0200, Peter Krempa wrote:
> On Wed, Sep 27, 2017 at 09:12:06 -0400, John Ferlan wrote:
> >
> >
> > On 09/27/2017 08:43 AM, Peter Krempa wrote:
> > > On Tue, Sep 19, 2017 at 21:32:43 -0400, John Ferlan wrote:
> > >> From: Ashish Mittal <Ashish.Mittal at veritas.com>
> > >>
> > >> Add a new TLS X.509 certificate type - "vxhs". This will handle the
> > >> creation of a TLS certificate capability for properly configured
> > >> VxHS network block device clients.
> > >>
> > >> The following describes the behavior of TLS for VxHS block device:
> > >>
> > >> (1) Two new options have been added in /etc/libvirt/qemu.conf
> > >> to control TLS behavior with VxHS block devices
> > >> "vxhs_tls" and "vxhs_tls_x509_cert_dir".
> > >> (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
> > >> TLS for VxHS block devices.
> > >> (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
> > >> TLS CA certificate and the client certificate and keys are saved.
> > >> If this value is missing, the "default_tls_x509_cert_dir" will be
> > >> used instead. If the environment is not configured properly the
> > >> authentication to the VxHS server will fail.
> > >>
> > >> Signed-off-by: Ashish Mittal <Ashish.Mittal at veritas.com>
> > >> Signed-off-by: John Ferlan <jferlan at redhat.com>
> > >> ---
> > >> src/qemu/libvirtd_qemu.aug | 4 ++++
> > >> src/qemu/qemu.conf | 34 ++++++++++++++++++++++++++++++++++
> > >> src/qemu/qemu_conf.c | 16 ++++++++++++++++
> > >> src/qemu/qemu_conf.h | 3 +++
> > >> src/qemu/test_libvirtd_qemu.aug.in | 2 ++
> > >> 5 files changed, 59 insertions(+)
>
> [...]
>
> > The "server key" comes from the default description of "server-key.pem"
> > and the rest from the description of default_tls_x509_secret_uuid which
> > essentially states the UUID would be UUID of a secret that would decrypt
> > the server-key.pem file.
>
> Ah, right.
>
> >
> > Basically, it's a way to point out that the VxHS TLS certificate
> > environment wouldn't use a similar setup from a default (or Chardev or
> > Migrate) to provide a secret UUID parameter since the configuration is
> > client only. I can strike out that last sentence completely as it
> > perhaps not that important and probably confusing.
>
> You can state that since this is only a client, the server key/cert is
> not needed in such configuration, which automatically implies that the
> secret for decrypting it is not necessary as well.
ACK with the above modification.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170927/98e32d03/attachment-0001.sig>
More information about the libvir-list
mailing list