On 09/20/2016 08:52 AM, Daniel P. Berrange wrote:
> On Tue, Sep 20, 2016 at 08:26:55AM -0400, John Ferlan wrote:
>>
>>
>> On 09/19/2016 10:53 AM, Daniel P. Berrange wrote:
>>> On Mon, Sep 19, 2016 at 10:39:21AM -0400, John Ferlan wrote:
>>>> Add a new qemu.conf variables to store the UUID for the secret that could
>>>> be used to present credentials to access the TLS chardev.  Since this will
>>>> be a server level and it's possible to use some sort of default, introduce
>>>> both the default and chardev logic at the same time making the setting of
>>>> the chardev check for it's own value, then if not present checking whether
>>>> the default value had been set.
>>>>
>>>> The chardevTLSx509haveUUID bool will be used as the marker for whether
>>>> the chardevTLSx509secretUUID was successfully read. In the future this
>>>> is how it'd determined whether to add the secret object for a TLS object.
>>>>
>>>> Signed-off-by: John Ferlan <jfer...@redhat.com>
>>>> ---
>>>>  src/qemu/libvirtd_qemu.aug         |  2 ++
>>>>  src/qemu/qemu.conf                 | 24 ++++++++++++++++++++++++
>>>>  src/qemu/qemu_conf.c               | 22 ++++++++++++++++++++++
>>>>  src/qemu/qemu_conf.h               |  3 +++
>>>>  src/qemu/test_libvirtd_qemu.aug.in |  2 ++
>>>>  5 files changed, 53 insertions(+)
>>>>
>>>> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
>>>> index 988201e..73ebeda 100644
>>>> --- a/src/qemu/libvirtd_qemu.aug
>>>> +++ b/src/qemu/libvirtd_qemu.aug
>>>> @@ -29,6 +29,7 @@ module Libvirtd_qemu =
>>>>     (* Config entry grouped by function - same order as example config *)
>>>>     let default_tls_entry = str_entry "default_tls_x509_cert_dir"
>>>>                   | bool_entry "default_tls_x509_verify"
>>>> +                 | str_entry "default_tls_x509_secret_uuid"
>>>>  
>>>>     let vnc_entry = str_entry "vnc_listen"
>>>>                   | bool_entry "vnc_auto_unix_socket"
>>>> @@ -51,6 +52,7 @@ module Libvirtd_qemu =
>>>>     let chardev_entry = bool_entry "chardev_tls"
>>>>                   | str_entry "chardev_tls_x509_cert_dir"
>>>>                   | bool_entry "chardev_tls_x509_verify"
>>>> +                 | str_entry "chardev_tls_x509_secret_uuid"
>>>>  
>>>>     let nogfx_entry = bool_entry "nographics_allow_host_audio"
>>>>  
>>>> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>>>> index e4c2aae..7114fa1 100644
>>>> --- a/src/qemu/qemu.conf
>>>> +++ b/src/qemu/qemu.conf
>>>> @@ -28,6 +28,20 @@
>>>>  #
>>>>  #default_tls_x509_verify = 1
>>>>  
>>>> +#
>>>> +# In order to provide a password to unlock the private key to be used
>>>> +# in order to provide the TLS credentials, a libvirt secret will need
>>>> +# to be created and then the UUID of that secret added as a configuration
>>>> +# parameter. See the libvirt documentation for specific details regarding
>>>> +# how to create a "tls" secret type.
>>>> +#
>>>> +# NB This default all-zeros UUID will not work. Replace it with the
>>>> +# output from the UUID for the TLS secret from a 'virsh secret-list'
>>>> +# command and then uncomment the entry
>>>> +#
>>>> +#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
>>>
>>> We could perhaps be a little more explicit about the fact that when
>>> this is commented out, the private key is required to be in
>>> non-encrypted PEM format.
>>>
>>
>> Fair enough - a simple enough addition, so at the end of the first
>> paragraph (and repeated again for chardev_tls_x509_secret_uuid), how about:
>>
>> " A libvirt secret requires usage of a non-encrypted PEM format
>> certificate."
>>
>> Or is there some other wording that is preferable?
> 
> Something like this:
> 
>   "Libvirt assumes the server-key.pem file is unencrypted by default.
>    To use an encrypted server-key.pem file, the password to decrypt
>    the PEM file is requird. This can be provided by creating a secret
>    object in libvirt and then uncommenting this setting to set the
>    UUID of the secret"
> 

OK - I'll adjust this patch.

In terms of the others are they reasonable or is it more of the case
that the available hours needed to review exceed capacity...

Tks -

John

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to