On Thu, Oct 20, 2016 at 08:51:45AM +0200, Pavel Hrdina wrote:
> On Wed, Oct 19, 2016 at 04:53:54PM -0400, John Ferlan wrote:
> > Add an optional "tls='yes|no'" attribute for a TCP chardev.
> >
> > For QEMU, this will allow for disabling the host config setting of the
> > 'chardev_tls' for a domain chardev channel by setting the value to "no" or
> > to attempt to use a host TLS environment when setting the value to "yes"
> > when the host config 'chardev_tls' setting is disabled, but a TLS environment
> > is configured via either the host config 'chardev_tls_x509_cert_dir' or
> > 'default_tls_x509_cert_dir'
> >
> > Alter qemuDomainSupportTLSChardevTCP to augment the decision points for
> > choosing whether to try to use TLS.
> >
> > Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> > ---
> > docs/formatdomain.html.in | 28 ++++++++++++
> > docs/schemas/domaincommon.rng | 5 +++
> > src/conf/domain_conf.c | 22 +++++++++-
> > src/conf/domain_conf.h | 1 +
> > src/qemu/qemu_command.c | 2 +-
> > src/qemu/qemu_domain.c | 20 +++++++--
> > src/qemu/qemu_domain.h | 3 +-
> > src/qemu/qemu_hotplug.c | 4 +-
> > ...uxml2argv-serial-tcp-tlsx509-chardev-notls.args | 30 +++++++++++++
> > ...muxml2argv-serial-tcp-tlsx509-chardev-notls.xml | 50 ++++++++++++++++++++++
> > tests/qemuxml2argvtest.c | 3 ++
> > ...xml2xmlout-serial-tcp-tlsx509-chardev-notls.xml | 1 +
> > tests/qemuxml2xmltest.c | 1 +
> > 13 files changed, 162 insertions(+), 8 deletions(-)
> > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.args
> > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.xml
> > create mode 120000 tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev-notls.xml
> >
> > diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> > index 9051178..da6be67 100644
> > --- a/docs/formatdomain.html.in
> > +++ b/docs/formatdomain.html.in
> > @@ -6204,6 +6204,34 @@ qemu-kvm -net nic,model=? /dev/null > > </devices> > > ...</pre> > > > > + <p> > > + <span class="since">Since 2.4.0,</span> the optional attribute > > + <code>tls</code> can be used to control whether a serial chardev Remove reference to "serial" because this is valid for all chardevs. Pavel > > + TCP communication channel would utilize a hypervisor configured > > + TLS X.509 certificate environment in order to encrypt the data > > + channel. For the QEMU hypervisor, usage of a TLS envronment can > > + be controlled on the host by the <code>chardev_tls</code> and > > + <code>chardev_tls_x509_cert_dir</code> or > > + <code>default_tls_x509_cert_dir</code> settings in the file > > + /etc/libvirt/qemu.conf. If <code>chardev_tls</code> is enabled, > > + then unless the <code>tls</code> attribute is set to "no", libvirt > > + will use the host configured TLS environment. > > + If <code>chardev_tls</code> is disabled, but the <code>tls</code> > > + attribute is set to "yes", then libvirt will attempt to use the > > + host TLS environment if either the <code>chardev_tls_x509_cert_dir</code> > > + or <code>default_tls_x509_cert_dir</code> TLS directory structure exists. > > + </p> [...]
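Review bot: the new paragraph leaves the failure case of tls='yes' undocumented. The lines from `+ If <code>chardev_tls</code> is disabled, but the <code>tls</code>` onward say libvirt "will attempt to use the host TLS environment if either the <code>chardev_tls_x509_cert_dir</code> or <code>default_tls_x509_cert_dir</code> TLS directory structure exists", but never say what happens when neither directory exists: does the domain fail to start, or does the chardev silently come up as a plaintext TCP channel? A user who explicitly writes tls='yes' is stating a security requirement, so the paragraph should spell out the outcome, and refusing to start the domain is the safer behaviour than a silent plaintext fallback. It would also help to state which directory wins when both exist, since the text lists them with "or" but gives no precedence. Two smaller points in the same hunk: "a serial chardev" should be "a chardev", as the attribute applies to any TCP chardev (Pavel already raised this), and "envronment" in `+ channel. For the QEMU hypervisor, usage of a TLS envronment can` is missing an 'i'.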
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list