This option can be used to override the destination host name used for TLS verification.
Signed-off-by: Jiri Denemark <jdenemar@xxxxxxxxxx>
---
 tools/virsh-domain.c | 11 +++++++++++
 tools/virsh.pod | 8 ++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
index 21ea1a69ea..c2cfcf409d 100644
--- a/tools/virsh-domain.c
+++ b/tools/virsh-domain.c
@@ -10566,6 +10566,10 @@ static const vshCmdOptDef opts_migrate[] = {
 .type = VSH_OT_INT,
 .help = N_("migration bandwidth limit in MiB/s")
 },
+ {.name = "tls-destination",
+ .type = VSH_OT_STRING,
+ .help = N_("override the destination host name used for TLS verification")
+ },
 {.name = NULL}
 };
@@ -10789,6 +10793,13 @@ doMigrate(void *opaque)
 goto save_error;
 }
 
+ if (vshCommandOptStringReq(ctl, cmd, "tls-destination", &opt) < 0)
+ goto out;
+ if (opt &&
+ virTypedParamsAddString(¶ms, &nparams, &maxparams,
+ VIR_MIGRATE_PARAM_TLS_DESTINATION, opt) < 0)
+ goto save_error;
+
 if (vshCommandOptBool(cmd, "live"))
 flags |= VIR_MIGRATE_LIVE;
 if (vshCommandOptBool(cmd, "p2p"))
diff --git a/tools/virsh.pod b/tools/virsh.pod
index a8331154e1..aaf1eba825 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -2174,7 +2174,7 @@ I<domain> I<desturi> [I<migrateuri>] [I<graphicsuri>] [I<listen-address>] [I<dna
 [I<auto-converge-increment>] [I<--persistent-xml> B<file>] [I<--tls>] [I<--postcopy-bandwidth> B<bandwidth>] [I<--parallel> [I<--parallel-connections> B<connections>]]
-[I<--bandwidth> B<bandwidth>]
+[I<--bandwidth> B<bandwidth>] [I<--tls-destination> B<hostname>]
 
 Migrate domain to another host. Add I<--live> for live migration; <--p2p> for peer-2-peer migration; I<--direct> for direct migration; or I<--tunnelled>
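Review bot: The help string of the new `tls-destination` entry does not tell the user that the value is only meaningful together with `--tls`, which is what `virsh help migrate` readers will need to know before reaching the pod text; consider `.help = N_("override the destination host name used for TLS verification (only with --tls)")`. The `--tls` flag itself is presumably handled further down in doMigrate, outside this hunk. The entry is otherwise consistent with its neighbours in the table. opts_migrate starts outside this hunk.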
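Review bot: The new block forwards `tls-destination` as a typed parameter without checking that `--tls` was requested as well, so `virsh migrate ... --tls-destination foo` with no `--tls` ships a hostname override for a TLS handshake the migration is not expected to perform; whether the driver rejects the orphan parameter is not visible in this hunk. A virsh-side guard keeps the failure local and explicit, e.g. `VSH_REQUIRE_OPTION("tls-destination", "tls");` ahead of the new `vshCommandOptStringReq` call if vsh.h provides that macro here, otherwise `if (opt && !vshCommandOptBool(cmd, "tls")) { vshError(ctl, "%s", _("--tls-destination requires --tls")); goto out; }`. Because the value decides which certificate name is accepted in place of the host actually connected to, a one-line comment above `if (opt &&` would help later readers: `/* name the destination's TLS certificate is checked against; must be a name the user trusts */`. doMigrate starts and ends outside this hunk.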
@@ -2267,7 +2267,11 @@ respectively. I<--comp-xbzrle-cache> sets size of page cache in bytes.
 Providing I<--tls> causes the migration to use the host configured TLS setup (see migrate_tls_x509_cert_dir in /etc/libvirt/qemu.conf) in order to perform the migration of the domain. Usage requires proper TLS setup for both source
-and target.
+and target. Normally the TLS certificate from the destination host must match
+the host's name for TLS verification to succeed. When the certificate does not
+match the destination hostname and the expected cetificate's hostname is
+known, I<--tls-destination> can be used to pass the expected B<hostname> when
+starting the migration.
 
 I<--parallel> option will cause migration data to be sent over multiple parallel connections. The number of such connections can be set using
--
2.24.0
--
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list