On Thu, Oct 20, 2016 at 08:51:45AM +0200, Pavel Hrdina wrote:
On Wed, Oct 19, 2016 at 04:53:54PM -0400, John Ferlan wrote:
> Add an optional "tls='yes|no'" attribute for a TCP chardev.
>
> For QEMU, this will allow for disabling the host config setting of the
> 'chardev_tls' for a domain chardev channel by setting the value to "no" or
> to attempt to use a host TLS environment when setting the value to "yes"
> when the host config 'chardev_tls' setting is disabled, but a TLS environment
> is configured via either the host config 'chardev_tls_x509_cert_dir' or
> 'default_tls_x509_cert_dir'
>
> Alter qemuDomainSupportTLSChardevTCP to augment the decision points for
> choosing whether to try to use TLS.
>
> Signed-off-by: John Ferlan <jferlan(a)redhat.com>
> ---
> docs/formatdomain.html.in | 28 ++++++++++++
> docs/schemas/domaincommon.rng | 5 +++
> src/conf/domain_conf.c | 22 +++++++++-
> src/conf/domain_conf.h | 1 +
> src/qemu/qemu_command.c | 2 +-
> src/qemu/qemu_domain.c | 20 +++++++--
> src/qemu/qemu_domain.h | 3 +-
> src/qemu/qemu_hotplug.c | 4 +-
> ...uxml2argv-serial-tcp-tlsx509-chardev-notls.args | 30 +++++++++++++
> ...muxml2argv-serial-tcp-tlsx509-chardev-notls.xml | 50 ++++++++++++++++++++++
> tests/qemuxml2argvtest.c | 3 ++
> ...xml2xmlout-serial-tcp-tlsx509-chardev-notls.xml | 1 +
> tests/qemuxml2xmltest.c | 1 +
> 13 files changed, 162 insertions(+), 8 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.xml
> create mode 120000 tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev-notls.xml
>
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 9051178..da6be67 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -6204,6 +6204,34 @@ qemu-kvm -net nic,model=? /dev/null
> </devices>
> ...</pre>
>
> + <p>
> + <span class="since">Since 2.4.0,</span> the optional
attribute
> + <code>tls</code> can be used to control whether a serial chardev
Remove reference to "serial" because this is valid for all chardevs.
Pavel
> + TCP communication channel would utilize a hypervisor
configured
> + TLS X.509 certificate environment in order to encrypt the data
> + channel. For the QEMU hypervisor, usage of a TLS envronment can
> + be controlled on the host by the <code>chardev_tls</code> and
> + <code>chardev_tls_x509_cert_dir</code> or
> + <code>default_tls_x509_cert_dir</code> settings in the file
> + /etc/libvirt/qemu.conf. If <code>chardev_tls</code> is enabled,
> + then unless the <code>tls</code> attribute is set to
"no", libvirt
> + will use the host configured TLS environment.
> + If <code>chardev_tls</code> is disabled, but the
<code>tls</code>
> + attribute is set to "yes", then libvirt will attempt to use the
> + host TLS environment if either the
<code>chardev_tls_x509_cert_dir</code>
> + or <code>default_tls_x509_cert_dir</code> TLS directory structure
exists.
> + </p>
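Review bot: the new paragraph does not say what happens when the domain asks for tls="yes" but chardev_tls is disabled and neither chardev_tls_x509_cert_dir nor default_tls_x509_cert_dir exists; "will attempt to use the host TLS environment if ... exists" reads as if libvirt quietly falls back to a plaintext TCP channel, which a user who explicitly requested TLS would not expect. Please state in the docs whether that case is rejected at domain start (or hotplug) or silently degrades, since the qemuDomainSupportTLSChardevTCP change decides exactly that, and the same sentence should make the converse explicit: with chardev_tls enabled, tls="no" disables encryption for that channel only. Two smaller points in the same hunk: "envronment" in `usage of a TLS envronment can` should be "environment", and, as Pavel noted, "serial chardev" should become "chardev" because the attribute applies to every TCP chardev, not just serial.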
[...]