[PATCH 0/6] update tls files without restarting libvirtd

Zhangbo (Oscar) oscar.zhangbo at huawei.com
Sun Feb 9 13:57:32 UTC 2020


When a client wants to establish a TLS connection with libvirtd, a CRL
file, CA cert and server cert/key are used. Right
now, if these files are changed, you must restart libvirtd to make them
take effect. The restart behavior of libvirtd will cause clients
connecting with libvirtd to fail.

In a server cluster, these files, mostly the CRL, may be updated
quite frequently due to the large amount of certificates. If the new
file does not take effect in time, there are security risks. So you
may need to restart libvirtd frequently to make the CRL etc. take
effect in time. However, frequent restarts will affect the reliability
of cluster virtual machine management (such as openstack) services.

These patches add a virt-admin command to update the tls related files
*online*.

Zhang Bo (6):
  virnettlscontext: refactoring virNetTLSContextLoadCredentials
  virnetserver: Introduce virNetServerUpdateTlsFiles
  admin: Introduce virAdmServerUpdateTlsFiles
  admin: support server cert update mode
  virt-admin: Introduce command srv-update-tls
  docs: update virt-admin.rst for server-update-tls

 docs/manpages/virt-admin.rst         |  21 ++++
 include/libvirt/libvirt-admin.h      |  26 ++++
 src/admin/admin_protocol.x           |  13 +-
 src/admin/admin_server.c             |   8 ++
 src/admin/admin_server.h             |   4 +
 src/admin/libvirt-admin.c            |  39 ++++++
 src/admin/libvirt_admin_private.syms |   1 +
 src/admin/libvirt_admin_public.syms  |   1 +
 src/libvirt_remote.syms              |   1 +
 src/rpc/virnetserver.c               |  81 ++++++++++++
 src/rpc/virnetserver.h               |   4 +
 src/rpc/virnetserverclient.c         |   4 +
 src/rpc/virnettlscontext.c           | 179 +++++++++++++++++++--------
 src/rpc/virnettlscontext.h           |   3 +
 tools/virt-admin.c                   |  88 +++++++++++++
 15 files changed, 419 insertions(+), 54 deletions(-)

--
2.23.0.windows.1
