On Thu, Jul 02, 2020 at 14:53:28 -0500, Eric Blake wrote:
> On 7/2/20 9:40 AM, Peter Krempa wrote:
> > Allow enabling TLS for the NBD server used to do pull-mode backups. Note
> > that documentation already mentions 'tls', so this just implements the
> > schema and XML bits.
> >
> > Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
> > ---
>
> > +++ b/tests/domainbackupxml2xmlin/backup-pull-encrypted.xml
> > @@ -1,6 +1,6 @@
> > <domainbackup mode="pull">
> > <incremental>1525889631</incremental>
> > - <server transport='tcp' name='localhost' port='10809'/>
> > + <server transport='tcp' tls='yes' name='localhost' port='10809'/>
> >
> So this doesn't say what files are actually feeding the TLS configuration;
> the docs already mentioned 'tls', but do we need to add a cross-reference
> that states when tls='yes' is in effect then the server uses the files as
> configured in qemu.conf? Knowing how the server is keyed is important for
> writing a client that can connect over TLS to the server.

Note that patch 22 actually adds the following paragraph to
formatbackup.rst into the NBD section:

+ Note that for the QEMU hypervisor the TLS environment in controlled using
+ ``backup_tls_x509_cert_dir``, ``backup_tls_x509_verify``, and
+ ``backup_tls_x509_secret_uuid`` properties in ``/etc/libvirt/qemu.conf``.

> But the overall idea makes sense.
>
> Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
>
> --
> Eric Blake, Principal Software Engineer
> Red Hat, Inc. +1-919-301-3226
> Virtualization: qemu.org | libvirt.org
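
Review bot: in the backup-pull-encrypted.xml hunk, the <server> line is changed in place to carry tls='yes', so the lines shown here exercise only that one value. A second case with tls='no' would show that the parser and formatter round-trip the other value of the new attribute as well.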
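
Review bot: in the formatbackup.rst paragraph quoted from patch 22, "the TLS environment in controlled using" should read "is controlled using". The paragraph also lists the three qemu.conf properties without saying that they take effect when tls='yes' is set on <server>; one clause tying the two together would give the cross-reference asked for in the review.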
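
As an added example (not part of this thread or of libvirt's code), the following Python check reads a backup definition and a qemu.conf and reports whether the pull-mode NBD server requests TLS and whether the settings named in the documentation paragraph are set explicitly. The XML and qemu.conf contents are constructed samples, the certificate path is a placeholder, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the test file touched by the patch.
BACKUP_XML = """<domainbackup mode="pull">
  <incremental>1525889631</incremental>
  <server transport='tcp' tls='yes' name='localhost' port='10809'/>
</domainbackup>"""

# Constructed qemu.conf fragment; the directory is a placeholder path.
QEMU_CONF = '''
# backup_tls_x509_verify = 1
backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
'''

# Property names as listed in the formatbackup.rst paragraph.
BACKUP_KEYS = ("backup_tls_x509_cert_dir", "backup_tls_x509_verify",
               "backup_tls_x509_secret_uuid")

def parse_conf(text):
    """Return the uncommented backup_tls_* settings found in qemu.conf text."""
    found = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$', line)
        if m and m.group(1) in BACKUP_KEYS:
            found[m.group(1)] = m.group(2)
    return found

def audit(backup_xml, conf_text):
    """List findings for one backup definition checked against one qemu.conf."""
    root = ET.fromstring(backup_xml)  # input is a locally authored file
    server = root.find("server")
    if root.get("mode") != "pull" or server is None:
        return []  # the patch concerns the pull-mode NBD server only
    if server.get("transport") != "tcp":
        return []  # only the TCP listener is checked here
    if server.get("tls") != "yes":
        return ["NBD server on %s:%s has no tls='yes'"
                % (server.get("name"), server.get("port"))]
    conf = parse_conf(conf_text)
    # A client author needs to know which certificates key the server and
    # whether client certificates are verified, so flag implicit settings.
    return ["tls='yes' but %s is not set explicitly in qemu.conf" % key
            for key in BACKUP_KEYS[:2] if key not in conf]

if __name__ == "__main__":
    for finding in audit(BACKUP_XML, QEMU_CONF):
        print(finding)
```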