On 08/05/2016 04:25 AM, Daniel P. Berrange wrote:
> On Thu, Aug 04, 2016 at 11:21:24AM -0400, John Ferlan wrote:
>> Define, parse, and format a key secret element for a chardev tcp backend.
>> This secret will be used in conjunction with the chartcp_tls_x509_cert_dir
>> in order to provide the secret to the TLS encrypted TCP chardev.
>>
>>     <secret type='tls' usage='tlsexample'/>
>>
>> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
>> ---
>>  docs/formatdomain.html.in                          | 29 ++++++++++++
>>  docs/schemas/domaincommon.rng                      | 21 +++++++++
>>  src/conf/domain_conf.c                             | 35 +++++++++++++++
>>  src/conf/domain_conf.h                             |  3 ++
>>  ...uxml2argv-serial-tcp-tlsx509-secret-chardev.xml | 51 ++++++++++++++++++++++
>>  ...ml2xmlout-serial-tcp-tlsx509-secret-chardev.xml |  1 +
>>  tests/qemuxml2xmltest.c                            |  1 +
>>  7 files changed, 141 insertions(+)
>>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.xml
>>  create mode 120000 tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-secret-chardev.xml
>
> Hmm, it feels a little odd that we're having to give the password in
> the XML, for a certificate that's configured in qemu.conf. I wonder
> if we instead need to have the secret UUID listed in qemu.conf too
>

I knew there was something I wanted to get back to...

I guess it seemed awkward to have to modify qemu.conf to list a UUID of a
libvirt secret that would be generated after initial startup and thus would
require a restart to read/load the secret into the cfg. I suppose that's akin
to having/changing the "{spice|vnc}_password" in qemu.conf, so perhaps no
different from that processing. Still Hmmm... I suppose the admin interface
could handle these tasks as well.

Anyway - secondarily, by adding UUID to qemu.conf, if cfg->chardevTLS was set
(something I appear to have forgotten to do in patch 2 too, sigh), then that
would mean every domain would use TLS. Is that desired?

Or should there still be some domain XML attribute added to signify the desire
for the domain to use TLS. Would there ever be a use case where multiple TLS
environments would be set up for different domains with the same host?

Tks -

John

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list