I pushed some preliminary patches for this series already since they were all neutral refactorings. These three patches are the guts of it. They pass tests, I would push them ... but is this secure?
I can't imagine a way that it's not secure, but maybe there's something about copying file locations from the nbdkit command line into the --run script which is problematic.

Anyway ... The first patch modifies $uri in the --run script to add &tls-certificates=... or &tls-psk-file=... so that TLS connections work (with libnbd anyway, I didn't check qemu). The second patch adds these as variables as well. The third patch updates a test to use this.

A final point is that this doesn't work well with PSK. PSK has an implicit username (passed in the URI as nbds://user@...). The same username has to appear in the PSK file. We don't set a username at all right now, so libnbd uses the LOGNAME, which may or may not be what you want. The way to fix this would be to add a --tls-username parameter to nbdkit, but it would only be useful for URIs and might confuse things otherwise (e.g. it could be used with --tls-psk but would have no apparent effect, thus confusing users).

Rich.

_______________________________________________
Libguestfs mailing list -- guestfs@lists.libguestfs.org
To unsubscribe send an email to guestfs-le...@lists.libguestfs.org
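An added example, not code from the patch series, nbdkit or libnbd, showing the two URI shapes the mail describes and the two points a reviewer would want checked: a file path copied from the command line is percent-encoded before it lands in the query string, so a path containing `&`, `?`, `#` or a space cannot corrupt the URI; and the PSK username the client will use (the `user@` in the URI, or, as the mail states, LOGNAME when none is given) actually appears in the psktool-style `user:hexkey` file. The host, paths, usernames and PSK file contents below are constructed for the example; the helper names are hypothetical.

```python
"""Build an nbds:// URI of the kind nbdkit's --run script exposes in $uri,
with the tls-certificates= / tls-psk-file= query parameters the patches
add, and check the PSK username assumption.  Added example; not nbdkit or
libnbd code.  Helper names and sample data are constructed for this page."""
from urllib.parse import quote, unquote, urlsplit, parse_qs


def build_nbd_uri(host, port, export="", *, tls_certificates=None,
                  tls_psk_file=None, username=None):
    """Return an nbds://[user@]host:port/export?... URI.

    Paths are percent-encoded with '/' kept, so a file location copied from
    the nbdkit command line cannot inject extra query parameters or break
    the URI (e.g. '/tmp/a&b.psk' -> '/tmp/a%26b.psk')."""
    if tls_certificates and tls_psk_file:
        raise ValueError("use either tls-certificates or tls-psk-file")
    authority = f"{host}:{port}"
    if username:
        # userinfo is how libnbd receives the TLS (PSK) username
        authority = f"{quote(username, safe='')}@{authority}"
    params = []
    if tls_certificates:
        params.append("tls-certificates=" + quote(tls_certificates, safe="/"))
    if tls_psk_file:
        params.append("tls-psk-file=" + quote(tls_psk_file, safe="/"))
    uri = f"nbds://{authority}/{quote(export, safe='')}"
    if params:
        uri += "?" + "&".join(params)
    return uri


def tls_params(uri):
    """Decode the TLS-related query parameters back out of a URI."""
    query = parse_qs(urlsplit(uri).query)
    return {k: v[0] for k, v in query.items() if k.startswith("tls-")}


def psk_usernames(psk_text):
    """Usernames in a psktool-style PSK file: one 'user:hexkey' per line."""
    users = set()
    for line in psk_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, _key = line.partition(":")
        if sep:
            users.add(user)
    return users


def effective_tls_username(uri, environ):
    """Username the client will present: the URI userinfo if present,
    otherwise (as the mail describes for libnbd) LOGNAME from the
    environment.  'environ' is passed explicitly so the check is
    deterministic in tests."""
    parts = urlsplit(uri)
    if parts.username:
        return unquote(parts.username)
    return environ.get("LOGNAME")


def psk_username_matches(uri, psk_text, environ):
    """True only if the username the client will use has a PSK entry."""
    user = effective_tls_username(uri, environ)
    return user is not None and user in psk_usernames(psk_text)


# Constructed sample data (not real keys).
SAMPLE_PSK = "# psktool output\nalice:deadbeef\nbob:cafebabe\n"

if __name__ == "__main__":
    uri = build_nbd_uri("localhost", 10809, "disk",
                        tls_psk_file="/tmp/my keys/keys.psk", username="alice")
    print(uri)
    print(tls_params(uri))
    print(psk_username_matches(uri, SAMPLE_PSK, {}))
    anon = build_nbd_uri("localhost", 10809, "disk", tls_psk_file="/tmp/k.psk")
    print(psk_username_matches(anon, SAMPLE_PSK, {"LOGNAME": "carol"}))
```

The last check is the failure mode the mail points at: with no `user@` in the URI the outcome depends entirely on the caller's LOGNAME, so a test that passes for one developer can fail for another unless the PSK file and the URI username are generated together.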