Re: [PATCH v9 1/4] conf: Introduce TLS options for VxHS block device clients

On Tue, Sep 19, 2017 at 21:32:43 -0400, John Ferlan wrote:
> From: Ashish Mittal <Ashish.Mittal@xxxxxxxxxxx>
> 
> Add a new TLS X.509 certificate type - "vxhs". This will handle the
> creation of a TLS certificate capability for properly configured
> VxHS network block device clients.
> 
> The following describes the behavior of TLS for VxHS block device:
> 
>   (1) Two new options have been added in /etc/libvirt/qemu.conf
>       to control TLS behavior with VxHS block devices
>       "vxhs_tls" and "vxhs_tls_x509_cert_dir".
>   (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
>       TLS for VxHS block devices.
>   (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
>       TLS CA certificate and the client certificate and keys are saved.
>       If this value is missing, the "default_tls_x509_cert_dir" will be
>       used instead. If the environment is not configured properly the
>       authentication to the VxHS server will fail.
> 
> Signed-off-by: Ashish Mittal <Ashish.Mittal@xxxxxxxxxxx>
> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> ---
>  src/qemu/libvirtd_qemu.aug         |  4 ++++
>  src/qemu/qemu.conf                 | 34 ++++++++++++++++++++++++++++++++++
>  src/qemu/qemu_conf.c               | 16 ++++++++++++++++
>  src/qemu/qemu_conf.h               |  3 +++
>  src/qemu/test_libvirtd_qemu.aug.in |  2 ++
>  5 files changed, 59 insertions(+)

[...]

> +# Enable use of TLS encryption for all VxHS network block devices that
> +# don't specifically disable.
> +#
> +# When the VxHS network block device server is set up appropriately,
> +# x509 certificates are required for authentication between the clients
> +# (qemu processes) and the remote VxHS server.
> +#
> +# It is necessary to setup CA and issue the client certificate before
> +# enabling this.
> +#
> +#vxhs_tls = 1
> +
> +
> +# In order to override the default TLS certificate location for VxHS
> +# device TCP certificates, supply a valid path to the certificate directory.

The first part of the sentence does not make much sense.

In order to override the default TLS certificate location for VxHS
backed storage, supply a valid path to the certificate directory.


> +# This is used to authenticate the VxHS block device clients to the VxHS
> +# server.
> +#
> +# If the provided path does not exist then the default_tls_x509_cert_dir
> +# path will be used.
> +#
> +# VxHS block device clients expect the client certificate and key to be
> +# present in the certificate directory along with the CA master certificate.
> +# If using the default environment, default_tls_x509_verify must be configured.
> +# The server key as well as secret UUID that would decrypt it is not used.
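
Review bot: the fallback sentence in the vxhs_tls_x509_cert_dir comment ("If the provided path does not exist then the default_tls_x509_cert_dir path will be used") does not match the commit message, which says the default is used when the value is missing. These are different cases. Falling back when the option is unset is expected, but falling back when a configured path does not exist means a mistyped directory would use the default certificates without any error. Suggest rewording the comment to say which case triggers the fallback, and, if it is the non-existent path, whether that condition is reported to the administrator.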

What do you mean by: "UUID that would decrypt it"?

Rest looks okay, but I need clarification on the above statement.
