[PATCH 23/24] conf: backup: Add 'tls' attribute for 'server' element

Peter Krempa pkrempa at redhat.com
Tue Jul 7 10:56:22 UTC 2020


On Thu, Jul 02, 2020 at 14:53:28 -0500, Eric Blake wrote:
> On 7/2/20 9:40 AM, Peter Krempa wrote:
> > Allow enabling TLS for the NBD server used to do pull-mode backups. Note
> > that documentation already mentions 'tls', so this just implements the
> > schema and XML bits.
> > 
> > Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> > ---
> 
> > +++ b/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml
> > @@ -1,6 +1,6 @@
> >   <domainbackup mode="pull">
> >     <incremental>1525889631</incremental>
> > -  <server transport='tcp' name='localhost' port='10809'/>
> > +  <server transport='tcp' tls='yes' name='localhost' port='10809'/>
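
Review bot: the changed <server> line edits the existing backup-pull-encrypted.xml input in place, so this file now covers only tls='yes' and no longer exercises a <server> element without the attribute. Consider leaving the original line as it was and adding a separate input file for tls='yes' (and one for tls='no'), so the XML round-trip is checked for both explicit values as well as for the default.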
> 
> So this doesn't say what files are actually feeding the TLS configuration;
> the docs already mentioned 'tls', but do we need to add a cross-reference
> that states when tls='yes' is in effect then the server uses the files as
> configured in qemu.conf?  Knowing how the server is keyed is important for
> writing a client that can connect over TLS to the server.

Note that patch 22 actually adds the following paragraph to
formatbackup.rst into the NBD section:

+   Note that for the QEMU hypervisor the TLS environment in controlled using
+   ``backup_tls_x509_cert_dir``, ``backup_tls_x509_verify``, and
+   ``backup_tls_x509_secret_uuid`` properties in ``/etc/libvirt/qemu.conf``.
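
Review bot: typo in the first added line, "the TLS environment in controlled" should read "is controlled". The added paragraph also names the three qemu.conf settings without saying that they apply when tls='yes' is set on the <server> element; one sentence tying them to that attribute would give client authors the cross-reference for where the server's certificates come from.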


> But the overall idea makes sense.
> 
> Reviewed-by: Eric Blake <eblake at redhat.com>
> 
> -- 
> Eric Blake, Principal Software Engineer
> Red Hat, Inc.           +1-919-301-3226
> Virtualization:  qemu.org | libvirt.org
> 



