On Mon, Sep 19, 2016 at 10:39:21AM -0400, John Ferlan wrote:
> Add a new qemu.conf variables to store the UUID for the secret that could
> be used to present credentials to access the TLS chardev.  Since this will
> be a server level and it's possible to use some sort of default, introduce
> both the default and chardev logic at the same time making the setting of
> the chardev check for it's own value, then if not present checking whether
> the default value had been set.
> 
> The chardevTLSx509haveUUID bool will be used as the marker for whether
> the chardevTLSx509secretUUID was successfully read. In the future this
> is how it'd determined whether to add the secret object for a TLS object.
> 
> Signed-off-by: John Ferlan <jfer...@redhat.com>
> ---
>  src/qemu/libvirtd_qemu.aug         |  2 ++
>  src/qemu/qemu.conf                 | 24 ++++++++++++++++++++++++
>  src/qemu/qemu_conf.c               | 22 ++++++++++++++++++++++
>  src/qemu/qemu_conf.h               |  3 +++
>  src/qemu/test_libvirtd_qemu.aug.in |  2 ++
>  5 files changed, 53 insertions(+)
> 
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 988201e..73ebeda 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -29,6 +29,7 @@ module Libvirtd_qemu =
>     (* Config entry grouped by function - same order as example config *)
>     let default_tls_entry = str_entry "default_tls_x509_cert_dir"
>                   | bool_entry "default_tls_x509_verify"
> +                 | str_entry "default_tls_x509_secret_uuid"
>  
>     let vnc_entry = str_entry "vnc_listen"
>                   | bool_entry "vnc_auto_unix_socket"
> @@ -51,6 +52,7 @@ module Libvirtd_qemu =
>     let chardev_entry = bool_entry "chardev_tls"
>                   | str_entry "chardev_tls_x509_cert_dir"
>                   | bool_entry "chardev_tls_x509_verify"
> +                 | str_entry "chardev_tls_x509_secret_uuid"
>  
>     let nogfx_entry = bool_entry "nographics_allow_host_audio"
>  
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index e4c2aae..7114fa1 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -28,6 +28,20 @@
>  #
>  #default_tls_x509_verify = 1
>  
> +#
> +# In order to provide a password to unlock the private key to be used
> +# in order to provide the TLS credentials, a libvirt secret will need
> +# to be created and then the UUID of that secret added as a configuration
> +# parameter. See the libvirt documentation for specific details regarding
> +# how to create a "tls" secret type.
> +#
> +# NB This default all-zeros UUID will not work. Replace it with the
> +# output from the UUID for the TLS secret from a 'virsh secret-list'
> +# command and then uncomment the entry
> +#
> +#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"

We could perhaps be a little more explicit about the fact that when
this is commented out, the private key is required to be in
non-encrypted PEM format.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to