On 09/27/2017 08:43 AM, Peter Krempa wrote:
> On Tue, Sep 19, 2017 at 21:32:43 -0400, John Ferlan wrote:
>> From: Ashish Mittal <Ashish.Mittal@xxxxxxxxxxx>
>>
>> Add a new TLS X.509 certificate type - "vxhs". This will handle the
>> creation of a TLS certificate capability for properly configured
>> VxHS network block device clients.
>>
>> The following describes the behavior of TLS for VxHS block device:
>>
>> (1) Two new options have been added in /etc/libvirt/qemu.conf
>> to control TLS behavior with VxHS block devices
>> "vxhs_tls" and "vxhs_tls_x509_cert_dir".
>> (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
>> TLS for VxHS block devices.
>> (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
>> TLS CA certificate and the client certificate and keys are saved.
>> If this value is missing, the "default_tls_x509_cert_dir" will be
>> used instead. If the environment is not configured properly the
>> authentication to the VxHS server will fail.
>>
>> Signed-off-by: Ashish Mittal <Ashish.Mittal@xxxxxxxxxxx>
>> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
>> ---
>>  src/qemu/libvirtd_qemu.aug         |  4 ++++
>>  src/qemu/qemu.conf                 | 34 ++++++++++++++++++++++++++++++++++
>>  src/qemu/qemu_conf.c               | 16 ++++++++++++++++
>>  src/qemu/qemu_conf.h               |  3 +++
>>  src/qemu/test_libvirtd_qemu.aug.in |  2 ++
>>  5 files changed, 59 insertions(+)
>
> [...]
>
>> +# Enable use of TLS encryption for all VxHS network block devices that
>> +# don't specifically disable.
>> +#
>> +# When the VxHS network block device server is set up appropriately,
>> +# x509 certificates are required for authentication between the clients
>> +# (qemu processes) and the remote VxHS server.
>> +#
>> +# It is necessary to setup CA and issue the client certificate before
>> +# enabling this.
>> +#
>> +#vxhs_tls = 1
>> +
>> +
>> +# In order to override the default TLS certificate location for VxHS
>> +# device TCP certificates, supply a valid path to the certificate directory.
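Review bot: the opening sentence of the vxhs_tls comment is left hanging: "for all VxHS network block devices that don't specifically disable." has no object, so an admin cannot tell what is being disabled or where that opt-out is configured. Suggest "that don't specifically disable it" and, if a per-device opt-out exists, a pointer to where it is set. In the same comment, "It is necessary to setup CA and issue the client certificate" should read "to set up a CA and issue the client certificate"; since a missing or wrong CA only surfaces as a failed authentication to the VxHS server (per the commit message), the prerequisite deserves a clear sentence.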
>
> The first part of the sentence does not make much sense.
>
> In order to override the default TLS certificate location for VxHS
> backed storage, supply a valid path to the certificate directory.
>

<me> wondering where "device TCP certificates," slipped into the text...
Looks like it was present back in v4 as well... I'll adjust to use your text

>
>> +# This is used to authenticate the VxHS block device clients to the VxHS
>> +# server.
>> +#
>> +# If the provided path does not exist then the default_tls_x509_cert_dir
>> +# path will be used.
>> +#
>> +# VxHS block device clients expect the client certificate and key to be
>> +# present in the certificate directory along with the CA master certificate.
>> +# If using the default environment, default_tls_x509_verify must be configured.
>> +# The server key as well as secret UUID that would decrypt it is not used.
>
> What do you mean by: "UUID that would decrypt it"?
>
> Rest looks okay, but I need clarification on the above statement.
>

The "server key" comes from the default description of "server-key.pem" and
the rest from the description of default_tls_x509_secret_uuid which
essentially states the UUID would be the UUID of a secret that would decrypt
the server-key.pem file.

Basically, it's a way to point out that the VxHS TLS certificate environment
wouldn't use a similar setup from a default (or Chardev or Migrate) to
provide a secret UUID parameter since the configuration is client only.

I can strike out that last sentence completely as it is perhaps not that
important and probably confusing.

John

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
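The qemu.conf comment quoted above documents a lookup order (vxhs_tls_x509_cert_dir if it exists, otherwise default_tls_x509_cert_dir) and a set of files the client expects to find there. The script below is an added example, not libvirt's own code, that audits a qemu.conf against that description: it parses the two vxhs options plus the default_tls_x509_* options it falls back on, resolves the effective certificate directory, flags the silent fallback (a typo in vxhs_tls_x509_cert_dir quietly switches the client to the default credentials rather than failing), and checks the directory contents. Assumptions not stated on the page: libvirt's built-in default directory /etc/pki/qemu, the client-side file names ca-cert.pem, client-cert.pem and client-key.pem that QEMU's tls-creds-x509 object loads, and the world-readable-key check, which is this script's own hardening advice rather than anything libvirt enforces.

```python
"""Audit the VxHS client TLS setup described by the libvirt qemu.conf options
vxhs_tls and vxhs_tls_x509_cert_dir (added example, not libvirt code)."""
import os
import re
import stat
import tempfile

# Directory libvirt falls back to when default_tls_x509_cert_dir is unset.
LIBVIRT_DEFAULT_CERT_DIR = "/etc/pki/qemu"
# File names QEMU's tls-creds-x509 object loads for a client endpoint
# (assumption: QEMU's conventional names, not quoted on the page).
CLIENT_FILES = ("ca-cert.pem", "client-cert.pem", "client-key.pem")

_ASSIGN = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(.*)$')


def parse_qemu_conf(text):
    """Parse the subset of libvirt's conf syntax used here: blank lines and
    '#' comments are skipped, values are integers or "quoted strings".
    A commented-out line such as '#vxhs_tls = 1' is NOT a setting."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value.startswith('"'):
            end = value.find('"', 1)
            if end < 0:
                raise ValueError(f"unterminated string: {raw!r}")
            conf[key] = value[1:end]
        else:
            conf[key] = int(value.split("#", 1)[0].strip())
    return conf


def resolve_vxhs_cert_dir(conf, isdir=os.path.isdir):
    """Apply the lookup the qemu.conf comment documents: vxhs_tls_x509_cert_dir
    if set and existing, otherwise default_tls_x509_cert_dir (or libvirt's
    built-in default).  Returns (enabled, cert_dir, warnings).  The silent
    fallback is the footgun: a mistyped directory quietly changes which
    credentials the client presents."""
    warnings = []
    if not conf.get("vxhs_tls", 0):
        return False, None, warnings
    default_dir = conf.get("default_tls_x509_cert_dir", LIBVIRT_DEFAULT_CERT_DIR)
    cert_dir = conf.get("vxhs_tls_x509_cert_dir")
    if cert_dir is None:
        cert_dir = default_dir
    elif not isdir(cert_dir):
        warnings.append(f"vxhs_tls_x509_cert_dir {cert_dir!r} does not exist; "
                        f"libvirt will silently use {default_dir!r}")
        cert_dir = default_dir
    if cert_dir == default_dir and not conf.get("default_tls_x509_verify", 0):
        warnings.append("default environment in use but default_tls_x509_verify "
                        "is not set (the qemu.conf comment says it must be)")
    return True, cert_dir, warnings


def check_client_cert_dir(cert_dir):
    """Report what QEMU would fail to load and what a local user could read:
    each of CLIENT_FILES must exist, and client-key.pem must not be readable
    by 'other' (otherwise any local account can impersonate this client)."""
    problems = []
    for name in CLIENT_FILES:
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing {path}")
    key = os.path.join(cert_dir, "client-key.pem")
    if os.path.isfile(key) and os.stat(key).st_mode & stat.S_IROTH:
        problems.append(f"{key} is world-readable")
    return problems


def audit(conf_text, isdir=os.path.isdir):
    """Full pass over a qemu.conf text; returns a dict suitable for logging."""
    conf = parse_qemu_conf(conf_text)
    enabled, cert_dir, warnings = resolve_vxhs_cert_dir(conf, isdir)
    problems = check_client_cert_dir(cert_dir) if enabled else []
    return {"enabled": enabled, "cert_dir": cert_dir,
            "warnings": warnings, "problems": problems}


# Constructed sample: TLS enabled, custom directory given with a typo.
SAMPLE_CONF = '''
# vxhs options as documented by the patch
vxhs_tls = 1
vxhs_tls_x509_cert_dir = "/etc/pki/vxhs-cleint"   # typo: directory does not exist
default_tls_x509_cert_dir = "/etc/pki/qemu"
#default_tls_x509_verify = 1
'''


def demo():
    """Run audit() against a throw-away layout so the example is self-contained:
    once with a correct client directory, once with a world-readable key."""
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "vxhs")
        os.mkdir(good)
        for name in CLIENT_FILES:
            with open(os.path.join(good, name), "w") as f:
                f.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not real PEM
        os.chmod(os.path.join(good, "client-key.pem"), 0o600)
        ok = audit(f'vxhs_tls = 1\nvxhs_tls_x509_cert_dir = "{good}"\n')
        os.chmod(os.path.join(good, "client-key.pem"), 0o644)
        leaky = audit(f'vxhs_tls = 1\nvxhs_tls_x509_cert_dir = "{good}"\n')
        return ok, leaky


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
    print(demo())
```

Run it against a real /etc/libvirt/qemu.conf by passing the file contents to audit(); the "silently use" warning is the one to act on, since libvirt's documented behaviour here is to fall back rather than refuse to start the guest.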