On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote: > Add a new TLS X.509 certificate type - "migrate". This will handle the > creation of a TLS certificate capability (and possibly repository) to > be used for migrations. Similar to chardev's, credentials will be handled > via a libvirt secrets; however, unlike chardev's enablement and usage > will be via a CLI flag instead of a conf flag and a domain XML attribute. > The migrations will also require the client-cert.pem and client-key.pem > files to be present in the clients TLS directory. > > Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> > --- > src/qemu/libvirtd_qemu.aug | 5 +++++ > src/qemu/qemu.conf | 37 +++++++++++++++++++++++++++++++++++++ > src/qemu/qemu_conf.c | 6 ++++++ > src/qemu/qemu_conf.h | 4 ++++ > src/qemu/test_libvirtd_qemu.aug.in | 3 +++ > 5 files changed, 55 insertions(+) > > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > index 9925ac9..40bcec3 100644 > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf ... > +# In order to override the default TLS certificate location for migration > +# certificates, supply a valid path to the certificate directory. If the > +# provided path does not exist then the default_tls_x509_cert_dir path > +# will be used. Once/if a default certificate is enabled/defined, migration > +# will then be able to use the certificate via migration API flags. > +# > +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" > + > + > +# The default TLS configuration only uses certificates for the server > +# allowing the client to verify the server's identity and establish > +# an encrypted channel. > +# > +# It is possible to use x509 certificates for authentication too, by > +# issuing a x509 certificate to every client who needs to connect. s/a x509/an x509/ > +# > +# Enabling this option will reject any client who does not have a > +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem "ca-cert.pem in migrate_tls_x509_cert_dir" or something like that. Mentioning /etc/pki/libvirt-migrate might be quite confusing. > +# > +#migrate_tls_x509_verify = 1 ... ACK with the comments fixed. Jirka -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
