On Fri, Feb 17, 2017 at 14:39:19 -0500, John Ferlan wrote: > Add a new TLS X.509 certificate type - "migrate". This will handle the > creation of a TLS certificate capability (and possibly repository) to > be used for migrations. Similar to chardev's, credentials will be handled > via a libvirt secrets. > > Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> > --- > src/qemu/libvirtd_qemu.aug | 6 ++++++ > src/qemu/qemu.conf | 39 ++++++++++++++++++++++++++++++++++++++ > src/qemu/qemu_conf.c | 2 ++ > src/qemu/qemu_conf.h | 5 +++++ > src/qemu/test_libvirtd_qemu.aug.in | 4 ++++ > 5 files changed, 56 insertions(+) > > diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug > index 82bae9e..18679c1 100644 > --- a/src/qemu/libvirtd_qemu.aug > +++ b/src/qemu/libvirtd_qemu.aug > @@ -54,6 +54,11 @@ module Libvirtd_qemu = > | bool_entry "chardev_tls_x509_verify" > | str_entry "chardev_tls_x509_secret_uuid" > > + let migrate_entry = bool_entry "migrate_tls" > + | str_entry "migrate_tls_x509_cert_dir" > + | bool_entry "migrate_tls_x509_verify" > + | str_entry "migrate_tls_x509_secret_uuid" > + > let nogfx_entry = bool_entry "nographics_allow_host_audio" > > let remote_display_entry = int_entry "remote_display_port_min" > @@ -116,6 +121,7 @@ module Libvirtd_qemu = > | vnc_entry > | spice_entry > | chardev_entry > + | migrate_entry > | nogfx_entry > | remote_display_entry > | security_entry > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > index 97d769d..83d91b6 100644 > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf > @@ -238,6 +238,45 @@ > #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" > > > +# Enable use of TLS encryption for migration > +# > +# It is necessary to setup CA and issue a server certificate > +# before enabling this. > +# > +#migrate_tls = 1 Actually what is this option supposed to do? It seems it doesn't do anything but saying "yes, I configured TLS for migration". The TLS usage for migration is turned on by VIR_MIGRATE_TLS flag which suggests the configuration option here is useless. Jirka -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
