* Daniel P. Berrange (berra...@redhat.com) wrote:
> The tls-creds parameter has a default value of NULL indicating
> that TLS should not be used. Setting it to non-NULL enables
> use of TLS. Once tls-creds are set to a non-NULL value via the
> monitor, it isn't possible to set them back to NULL again, due
> to current implementation limitations. The empty string is not
> a valid QObject identifier, so this switches to use "" as the
> default, indicating that TLS will not be used
>
> The tls-hostname parameter has a default value of NULL indicating
> that the hostname from the migrate connection URI should be used.
> Again, once tls-hostname is set non-NULL, to override the default
> hostname for x509 cert validation, it isn't possible to reset it
> back to NULL via the monitor. The empty string is not a valid
> hostname, so this switches to use "" as the default, indicating
> that the migrate URI hostname should be used.
>
> Using "" as the default for both, also means that the monitor
> commands "info migrate_parameters" / "query-migrate-parameters"
> will report existence of tls-creds/tls-parameters even when set
> to their default values.
>
> Signed-off-by: Daniel P. Berrange <berra...@redhat.com>

Yes, simple enough.

Reviewed-by: Dr. David Alan Gilbert <dgilb...@redhat.com>

Markus, Eric - are you OK with that?

Dave

> --- > migration/migration.c | 4 ++++ > migration/tls.c | 2 +- > qapi-schema.json | 4 ++++ > 3 files changed, 9 insertions(+), 1 deletion(-) > > diff --git a/migration/migration.c b/migration/migration.c > index 3dab684..54060f7 100644 > --- a/migration/migration.c > +++ b/migration/migration.c > @@ -110,6 +110,8 @@ MigrationState *migrate_get_current(void) > > if (!once) { > qemu_mutex_init(¤t_migration.src_page_req_mutex); > + current_migration.parameters.tls_creds = g_strdup(""); > + current_migration.parameters.tls_hostname = g_strdup(""); > once = true; > } > return ¤t_migration; > @@ -458,6 +460,7 @@ void migration_channel_process_incoming(MigrationState *s, > ioc, object_get_typename(OBJECT(ioc))); > > if (s->parameters.tls_creds && > + *s->parameters.tls_creds && > !object_dynamic_cast(OBJECT(ioc), > TYPE_QIO_CHANNEL_TLS)) { > Error *local_err = NULL; > @@ -480,6 +483,7 @@ void migration_channel_connect(MigrationState *s, > ioc, object_get_typename(OBJECT(ioc)), hostname); > > if (s->parameters.tls_creds && > + *s->parameters.tls_creds && > !object_dynamic_cast(OBJECT(ioc), > TYPE_QIO_CHANNEL_TLS)) { > Error *local_err = NULL; > diff --git a/migration/tls.c b/migration/tls.c > index 203c11d..45bec44 100644 > --- a/migration/tls.c > +++ b/migration/tls.c > @@ -141,7 +141,7 @@ void migration_tls_channel_connect(MigrationState *s, > return; > } > > - if (s->parameters.tls_hostname) { > + if (s->parameters.tls_hostname && *s->parameters.tls_hostname) { > hostname = s->parameters.tls_hostname; > } > if (!hostname) { > diff --git a/qapi-schema.json b/qapi-schema.json > index 32b4a4b..eb9bf67 100644 > --- a/qapi-schema.json > +++ b/qapi-schema.json 
> @@ -1036,6 +1036,8 @@ > # credentials must be for a 'server' endpoint. Setting this > # will enable TLS for all migrations. The default is unset, > # resulting in unsecured migration at the QEMU level. (Since 2.7) > +# An empty string means that QEMU will use plain text mode for > +# migration, rather than TLS (Since 2.9) > # > # @tls-hostname: #optional hostname of the target host for the migration. > This > # is required when using x509 based TLS credentials and the > @@ -1043,6 +1045,8 @@ > # example if using fd: or exec: based migration, the > # hostname must be provided so that the server's x509 > # certificate identity can be validated. (Since 2.7) > +# An empty string means that QEMU will use the hostname > +# associated with the migration URI, if any. (Since 2.9) > # > # @max-bandwidth: to set maximum speed for migration. maximum speed in > # bytes per second. (Since 2.8) > -- > 2.9.3 > -- Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
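
Review bot: in migration/migration.c, migrate_get_current(), the two new g_strdup("") defaults carry no comment saying that "" is the "not set" sentinel for tls_creds and tls_hostname. A one-line comment above them, stating that empty means plain-text migration and URI-derived hostname respectively, would keep later readers from treating any non-NULL value as "TLS on", which is what the old `if (s->parameters.tls_creds &&` test alone did.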
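
Review bot: the test `s->parameters.tls_creds && *s->parameters.tls_creds` is now written out twice in migration/migration.c, in migration_channel_process_incoming() and in migration_channel_connect(), with the same shape again for tls_hostname in migration/tls.c. Because this condition decides whether a channel is wrapped in TLS or left in plain text, one small shared predicate would be safer than hand-written copies: a later call site that checks only for non-NULL would disagree with these about whether TLS is enabled.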
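
Review bot: in migration/tls.c, migration_tls_channel_connect(), an empty tls_hostname now falls through to the `if (!hostname) {` check with whatever hostname the caller passed in. Please confirm that this branch still fails the connection when the caller supplied none (the fd: and exec: cases the schema text mentions), so that "" can never lead to a TLS session with no name to validate the server's x509 certificate against.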
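
Review bot: in qapi-schema.json, the @tls-creds text still says "The default is unset" directly above the added sentence, while the commit message says the default becomes "". Suggest rewording the existing sentence so the two agree, and stating outright that setting tls-creds to "" after TLS was enabled returns later migrations to plain text, so an operator does not have to infer that downgrade. The @tls-hostname addition could likewise say what "if any" means for fd: and exec: migrations, where the lines above it say the hostname must be provided.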