On Thu, Jun 16, 2016 at 06:42:23AM -0400, John Ferlan wrote:
> Add a new TLS X.509 certificate type - "chartcp" (a/k/a charTCP). This will
> handle the creation of a TLS certificate capability (and possibly repository)
> for properly configured character device TCP backends.
>
> Unlike the vnc and spice there is no "listen" or "passwd" associated. The
> credentials will be handled via a libvirt secret provided to a specific
> backend.
>
> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> ---
> src/qemu/libvirtd_qemu.aug | 4 ++
> src/qemu/qemu.conf | 16 +++++++
> src/qemu/qemu_conf.c | 4 ++
> src/qemu/qemu_conf.h | 3 ++
> src/qemu/test_libvirtd_qemu.aug.in | 2 +
> .../qemuxml2argv-serial-tcp-tlsx509-chardev.xml | 41 ++++++++++++++++++
> .../qemuxml2xmlout-serial-tcp-tlsx509-chardev.xml | 50 ++++++++++++++++++++++
> tests/qemuxml2xmltest.c | 1 +
> 8 files changed, 121 insertions(+)
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.xml
> create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev.xml
>
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 39b3a34..e70d38d 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -44,6 +44,9 @@ module Libvirtd_qemu =
> | bool_entry "spice_sasl"
> | str_entry "spice_sasl_dir"
>
> + let chartcp_entry = bool_entry "chartcp_tls"
> + | str_entry "chartcp_tls_x509_cert_dir"
> +
> let nogfx_entry = bool_entry "nographics_allow_host_audio"
>
> let remote_display_entry = int_entry "remote_display_port_min"
> @@ -98,6 +101,7 @@ module Libvirtd_qemu =
> let entry = default_tls_entry
> | vnc_entry
> | spice_entry
> + | chartcp_entry
> | nogfx_entry
> | remote_display_entry
> | security_entry
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 72acdfb..fa00be4 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -166,6 +166,22 @@
> #
> #spice_sasl_dir = "/some/directory/sasl2"
>
> +# Enable use of TLS encryption on the chardev TCP transports.
> +#
> +# It is necessary to setup CA and issue a server certificate
> +# before enabling this.
> +#
> +#chartcp_tls = 1
> +
> +
> +# In order to override the default TLS certificate location for character
> +# device TCP certificates, supply a valid path to the certificate directory.
> +# If the provided path does not exist then the default_tls_x509_cert_dir
> +# path will be used.
> +#
> +#chartcp_tls_x509_cert_dir = "/etc/pki/libvirt-chartcp"

I'd suggest we just say 'chardev' instead of 'chartcp', as it is conceivable that we could use TLS with non-TCP chardevs in the future.
I'm wondering if we should use /etc/pki/qemu-chardev as the default location too

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
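Review bot: Nothing in the new comment block says whether a TLS-enabled chardev server will require and verify the client's certificate, which is what stops an arbitrary network peer from attaching to a guest's serial console once `chartcp_tls = 1` is set; the commit message only mentions a libvirt secret for the server side. If peer verification is decided elsewhere in the series, this block should state the default; otherwise a knob mirroring the existing VNC TLS setting, `#chartcp_tls_x509_verify = 1`, belongs directly under `chartcp_tls`. Separately, documenting that a non-existent `chartcp_tls_x509_cert_dir` silently falls back to `default_tls_x509_cert_dir` means a typo in the path goes unnoticed and a different CA and certificate set is served; if that fallback is kept for consistency with the other `*_tls_x509_cert_dir` options, the comment should at least say that libvirtd logs when it happens (and the code should do so). The hunk's trailing context lines are not quoted here, so the rest of the block is not visible.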