Re: [libvirt] [PATCH v3 2/7] conf: Introduce migrate_tls_x509_cert_dir

Add a new TLS X.509 certificate type - "migrate". This will handle the creation of a TLS certificate capability (and possibly repository) to be used for migrations. Similar to chardev's, credentials will be handled via a libvirt secrets; however, unlike chardev's enablement and usage will be via a CLI flag instead of a conf flag and a domain XML attribute. The migrations will also require the client-cert.pem and client-key.pem files to be present in the clients TLS directory. Signed-off-by: John Ferlan <jferlan(a)redhat.com&gt; --- src/qemu/libvirtd_qemu.aug | 5 +++++ src/qemu/qemu.conf | 37 +++++++++++++++++++++++++++++++++++++ src/qemu/qemu_conf.c | 6 ++++++ src/qemu/qemu_conf.h | 4 ++++ src/qemu/test_libvirtd_qemu.aug.in | 3 +++ 5 files changed, 55 insertions(+) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 9925ac9..40bcec3 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf

+# In order to override the default TLS certificate location for migration +# certificates, supply a valid path to the certificate directory. If the +# provided path does not exist then the default_tls_x509_cert_dir path +# will be used. Once/if a default certificate is enabled/defined, migration +# will then be able to use the certificate via migration API flags. +# +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing a x509 certificate to every client who needs to connect.

+# +# Enabling this option will reject any client who does not have a +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem

+# +#migrate_tls_x509_verify = 1