On 02/21/2017 06:43 AM, Jiri Denemark wrote: > On Mon, Feb 20, 2017 at 14:28:42 -0500, John Ferlan wrote: >> On 02/20/2017 11:03 AM, Jiri Denemark wrote: >>> On Fri, Feb 17, 2017 at 14:39:19 -0500, John Ferlan wrote: >>>> +# Enable use of TLS encryption for migration >>>> +# >>>> +# It is necessary to setup CA and issue a server certificate >>>> +# before enabling this. >>>> +# >>>> +#migrate_tls = 1 >>> >>> Actually what is this option supposed to do? It seems it doesn't do >>> anything but saying "yes, I configured TLS for migration". The TLS usage >>> for migration is turned on by VIR_MIGRATE_TLS flag which suggests the >>> configuration option here is useless. >> >> It more or less follows the same logic for chardev's which got an >> additional 'tls="yes"' to allow one to enable/disable an object in a >> domain on a case by case basis if chardev tls was enabled for the host. >> >> See: http://libvirt.org/formatdomain.html#elementsConsole >> >> and search down for 'tls' >> >> So my feeling while coding was - if I don't supply some sort of way to >> have an option to allow someone to choose to use the configured TLS >> environment for the migration, I'd end up being asked to add one since >> chardev has it. > > The problem is chardevs and migration are quite different. While you can > easily have a default configuration for chardevs and use tls="yes|no" to > override it (no tls attribute will just tell libvirt to use the > default), it's not really possible with migration API. API flags have > not two states (in contrast to three-state boolean attributes in XML). > Setting VIR_MIGRATE_TLS flag turns TLS on and using the flag turns TLS > off. That is the default value is not used anywhere. If VIR_MIGRATE_TLS > flag is used, the code checks migrate_tls is 1. Which translates to > "yes, I configured TLS for migration" semantics of the configuration > option. > > In other words, it makes sense to have the configuration option for > devices defined in the XML, but using it for migration doesn't make any > sense. This would of course mean its parsing would need to be moved out > of the macro introduced in 1/13 and used for chardevs only. > > Jirka > So I've circled back around to this... It seems like you're advocating the removal of the VIR_MIGRATE_TLS flag - which is fine. The only question I'd have for that is would there be a scenario/case where TLS for migration was defined on the host, but someone would prefer to not use it for migration. Or perhaps someone sets up the migrate_tls for some external LAN, but sometimes wants to migrate inside the LAN - having to reconfigure migrate_tls each time would seem to be more work than necessary so having a flag and config value would be desirable. IDC either way... Is there a preference? John -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
