On Mon, Dec 06, 2010 at 10:32:21AM +0000, Daniel P. Berrange wrote:
> On Thu, Dec 02, 2010 at 11:38:26PM +0200, Dan Kenigsberg wrote:
> > On Wed, Dec 01, 2010 at 10:26:35AM +0000, Daniel P. Berrange wrote:
> > > On Wed, Dec 01, 2010 at 05:35:38PM +0800, Osier Yang wrote:
> > > > Hi, all
> > > >
> > > > We have some new requirements of preferences, I listed
> > > > which of them I know, and think is useful as follows:
> > > >
> > > > 1) for the path of x509 certificate and keys of client
> > > >
> > > > The path of x509 certificate and keys of client is hard
> > > > coded in remote driver. e.g.
> > > >
> > > > /* Defaults for PKI directory. */
> > > > # define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
> > > > # define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
> > > > # define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
> > > > # define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
> > >
> > > We can't assume one set of certs/keys is suitable for all
> > > URIs, so making this a preference setting doesn't help. There
> > > needs to be a parameter in the URI to specify a cert/key name
> > > to override the defaults on a per-connection basis
> >
> > As much as I disliked adding long ugly filenames to the URI, I do not
> > see any way around it now. A single client application may need to open
> > two connections with different cert/key pairs, so a single client.conf
> > or environment variables won't cut it.
>
> NB, I wasn't really suggesting adding the long filenames. Instead
> I'd suggest adding some cert "name" tag, and use that to formulate
> the filenames according to some pattern,
>
> eg
>   $HOME/.libvirt/$name/cacert.pem
>   $HOME/.libvirt/$name/clientcert.pem
>   $HOME/.libvirt/$name/clientkey.pem

(but make sure it works for homeless daemons, too)
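
The naming scheme proposed in this thread, as an added example that is not code from the thread or from libvirt: it maps a per-connection cert "name" tag to the three file paths, and falls back to a system directory when there is no home directory. The function names, the fallback directory argument and the allowed character set for the name are assumptions made for illustration; because the name would arrive in a URI, it is checked to be a single path component before it is used.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CERT_PATH_MAX 4096   /* assumed buffer size for this example */

struct cert_paths {
    char cacert[CERT_PATH_MAX];
    char clientcert[CERT_PATH_MAX];
    char clientkey[CERT_PATH_MAX];
};

/* The name comes from a URI, so treat it as untrusted: one path
 * component only (no '/', no leading '.'), bounded length. */
static int cert_name_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

static int join(char *dst, const char *dir, const char *name, const char *file)
{
    int n = snprintf(dst, CERT_PATH_MAX, "%s/%s/%s", dir, name, file);
    return (n > 0 && n < CERT_PATH_MAX) ? 0 : -1;   /* reject truncation */
}

/* home may be NULL or "" (a daemon without a home directory); in that case
 * fallback_base (hypothetical, e.g. a directory under SYSCONFDIR) replaces
 * $HOME/.libvirt. Returns 0 on success, -1 on a bad name or overlong path. */
int resolve_cert_paths(const char *home, const char *fallback_base,
                       const char *name, struct cert_paths *out)
{
    char base[CERT_PATH_MAX];
    int n;

    if (!cert_name_is_safe(name) || !fallback_base || !out)
        return -1;
    n = (home && home[0] == '/')
        ? snprintf(base, sizeof(base), "%s/.libvirt", home)
        : snprintf(base, sizeof(base), "%s", fallback_base);
    if (n <= 0 || (size_t)n >= sizeof(base))
        return -1;
    return (join(out->cacert, base, name, "cacert.pem") ||
            join(out->clientcert, base, name, "clientcert.pem") ||
            join(out->clientkey, base, name, "clientkey.pem")) ? -1 : 0;
}
```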