On Mon, Feb 20, 2017 at 03:30:26PM +0000, Daniel P. Berrange wrote:
> On Mon, Feb 20, 2017 at 10:26:16AM -0500, John Ferlan wrote:
> >
> >
> > On 02/20/2017 10:13 AM, Jiri Denemark wrote:
> > > On Fri, Feb 17, 2017 at 14:39:19 -0500, John Ferlan wrote:
> > >> Add a new TLS X.509 certificate type - "migrate". This will handle the
> > >> creation of a TLS certificate capability (and possibly repository) to
> > >> be used for migrations. Similar to chardev's, credentials will be handled
> > >> via a libvirt secrets.
> > >>
> > >> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> > >> ---
> > >>  src/qemu/libvirtd_qemu.aug         |  6 ++++++
> > >>  src/qemu/qemu.conf                 | 39 ++++++++++++++++++++++++++++++++++++++
> > >>  src/qemu/qemu_conf.c               |  2 ++
> > >>  src/qemu/qemu_conf.h               |  5 +++++
> > >>  src/qemu/test_libvirtd_qemu.aug.in |  4 ++++
> > >>  5 files changed, 56 insertions(+)
> > >
> > > I'm not a big fan of setting up two sets of X.509 environments, but I
> > > guess it could be useful to someone and we could always set both to the
> > > same values, right?
> > >
> > > Jirka
> > >
> >
> > Cannot disagree... setting up one is daunting enough ;-)!
> >
> > With this there's going to be 4 and could be 5 if NBD needed its own
> > (the other 3 being VNC, Spice, and Chardev)... I do have a patch beyond
> > this series "in process" which would do the same for NBD (but I keep
> > thinking it'd be overkill).

BTW, we should *not* add certs for NBD - logically the NBD connections
we're managing are just part of the migration data flow - they just
happen to be separate TCP connections. IOW the 'migration' certs should
always be used for the NBD channels too.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|