On 10/17/2016 06:52 AM, Pavel Hrdina wrote:
> On Fri, Oct 14, 2016 at 04:23:05PM -0400, John Ferlan wrote:
>> Add a new qemu.conf variables to store the UUID for the secret that could
>> be used to present credentials to access the TLS chardev. Since this will
>> be a server level and it's possible to use some sort of default, introduce
>> both the default and chardev logic at the same time making the setting of
>> the chardev check for it's own value, then if not present checking whether
>> the default value had been set.
>>
>> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
>> ---
>> src/qemu/libvirtd_qemu.aug | 2 ++
>> src/qemu/qemu.conf | 24 ++++++++++++++++++++++++
>> src/qemu/qemu_conf.c | 14 ++++++++++++++
>> src/qemu/qemu_conf.h | 2 ++
>> src/qemu/test_libvirtd_qemu.aug.in | 2 ++
>> 5 files changed, 44 insertions(+)
>>
>> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
>> index 988201e..73ebeda 100644
>> --- a/src/qemu/libvirtd_qemu.aug
>> +++ b/src/qemu/libvirtd_qemu.aug
>> @@ -29,6 +29,7 @@ module Libvirtd_qemu =
>> (* Config entry grouped by function - same order as example config *)
>> let default_tls_entry = str_entry "default_tls_x509_cert_dir"
>> | bool_entry "default_tls_x509_verify"
>> + | str_entry "default_tls_x509_secret_uuid"
>>
>> let vnc_entry = str_entry "vnc_listen"
>> | bool_entry "vnc_auto_unix_socket"
>> @@ -51,6 +52,7 @@ module Libvirtd_qemu =
>> let chardev_entry = bool_entry "chardev_tls"
>> | str_entry "chardev_tls_x509_cert_dir"
>> | bool_entry "chardev_tls_x509_verify"
>> + | str_entry "chardev_tls_x509_secret_uuid"
>>
>> let nogfx_entry = bool_entry "nographics_allow_host_audio"
>>
>> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>> index e4c2aae..493c171 100644
>> --- a/src/qemu/qemu.conf
>> +++ b/src/qemu/qemu.conf
>> @@ -28,6 +28,20 @@
>> #
>> #default_tls_x509_verify = 1
>>
>> +#
>> +# Libvirt assumes the server-key.pem file is unencrypted by default.
>> +# To use an encrypted server-key.pem file, the password to decrypt the
>
> You've forgot to remove the extra "the".
>
Weird - I konw I made the change... where'd it go...
>> +# the PEM file is required. This can be provided by creating a secret
>> +# object in libvirt and then to uncomment this setting to set the UUID
>> +# of the secret.
>> +#
>> +# NB This default all-zeros UUID will not work. Replace it with the
>> +# output from the UUID for the TLS secret from a 'virsh secret-list'
>> +# command and then uncomment the entry
>> +#
>> +#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
>> +
>> +
>> # VNC is configured to listen on 127.0.0.1 by default.
>> # To make it listen on all public interfaces, uncomment
>> # this next option.
>> @@ -214,6 +228,16 @@
>> #chardev_tls_x509_verify = 1
>>
>>
>> +# Uncomment and use the following option to override the default secret
>> +# uuid provided in the default_tls_x509_secret_uuid parameter.
>
> s/uuid/UUID/
>
> ACK
>
change - thanks
John
[...]
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
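Review bot: The new comment block above default_tls_x509_secret_uuid tells the admin to create a secret and paste its UUID but says nothing about how that secret should be defined, and since its value is the passphrase protecting server-key.pem, a secret created with default attributes leaves that passphrase readable back through the secret API by anyone allowed to query it. I would add, after the 'virsh secret-list' sentence, `# Define the secret as private so its value cannot be read back` `# once set; only the secret's UUID needs to appear in this file.`. Whether the secret must also carry a particular usage type is presumably checked in the qemu_conf.c part of this series, which is not in this excerpt; if so, the comment should name that requirement as well. The instruction to uncomment the setting appears twice in the same block (first paragraph and again in the NB), so one of them can be dropped.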