Re: [PATCH v10 2/4] domain: Add optional 'tls' attribute for TCP chardev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 10/21/2016 02:29 AM, Pavel Hrdina wrote:
> On Thu, Oct 20, 2016 at 03:48:30PM -0400, John Ferlan wrote:
>> [...]
>>

Since I assume you have these changes in your local branch - let's go
with the two patches and move on.

It would be nice while it's still fresh to update the documentation, but
that's a separate patch.

So "officially" it's an ACK of your changes on top of and in addition to
my changes.

John

[...]

> Now I see why we are not able to agree on this change.  The modification done
> in qemuProcessPrepareDomain() are only to live definition, the config
> definition remains untouched, which means the *tls* attribute (if it's based on
> qemu.conf) will appear only in live XML.  The config XML will remain the same
> after the guest is stopped.
> 
>> I think it should be strictly optional and that's where we differ. I see
>> no reason to change the domain xml unless as a consumer that's what you
>> want to do - be able to control which domains will have the setting.
>> What else would be the purpose of a host wide setting to go with a
>> domain optional setting?
>>
>> Finally, if your idea is accepted, that means for any configuration with
>> chardev_tls=0 (either because it's commented or set that way), every
>> domain that starts will be updated to have this new attribute
>> "tls='no'". Then one day, I read up on this wonderful new feature and
> 
> Not the domain, only the live XML which is not saved as config XML ...
> 
>> modify my qemu.conf file to set chardev_tls=1 and set up the TLS
>> environment properly. I go to start my domain, but wait it's not using
> 
> And after you start the domain there will be "tls='yes'" because the config XML
> doesn't contain any *tls* attribute.
> 
> I've tested all of those cases before proposing this patch:
> 
> prerequisite: prepare certificate files to be used for chardev devices
> 
> for running domain:
>     live XML - virsh dumpxml $domain
>     config XML - virsh dumpxml $domain --config
>     migratable XML - virsh dumpxml $domain --migratable
> 
> 1. set chardev_tls = 1
>     a) start domain where there is no *tls* attribute in config XML
>         - the domain is started and TLS is properly configured
>         - in the live XML there is "tls='yes'"
>         - in the config XML there is no *tls* attribute
>         - in the migratable XML there is no *tls* attribure
> 
>     b) start domain where there is "tls='no'" in config XML
>         - the domain is started and TLS is not configured
>         - in the live XML there is "tls='no'"
>         - in the config XML there is "tls='no'"
>         - in the migratable XML there is "tls='no'"
> 
>     c) start domain where there is "tls='yes'" in config XML
>         - the domain is started and TLS is properly configured
>         - in the live XML there is "tls='yes'"
>         - in the config XML there is "tls='yes'"
>         - in the migratable XML there is "tls='yes'"
> 
> 2. set chardev_tls = 0
>     a) start domain where there is no *tls* attribute in config XML
>         - the domain is started and TLS is not configured
>         - in the live XML there is "tls='no'"
>         - in the config XML there is no *tls* attribute
>         - in the migratable XML there is no *tls* attribure
> 
>     b) start domain where there is "tls='no'" in config XML
>         - the domain is started and TLS is not configured
>         - in the live XML there is "tls='no'"
>         - in the config XML there is "tls='no'"
>         - in the migratable XML there is "tls='no'"
> 
>     c) start domain where there is "tls='yes'" in config XML
>         - the domain is started and TLS is properly configured
>         - in the live XML there is "tls='yes'"
>         - in the config XML there is "tls='yes'"
>         - in the migratable XML there is "tls='yes'"
> 
> Pavel
> 
>> it. Closer inspection finds, someone put "tls='no'" into my domain... To
>> me that's not right.  And I won't necessarily know unless I know to look
>> at the cmdline of the started domain to find that 'tls-creds' or I in
>> some way "track" when TLS is being used.
>>
>>
>> John
>>
>> --
>> libvir-list mailing list
>> libvir-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/libvir-list

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]