Re: [libvirt] [PATCH v10 2/4] domain: Add optional 'tls' attribute for TCP chardev

On Wed, Oct 19, 2016 at 04:53:54PM -0400, John Ferlan wrote: > Add an optional "tls='yes|no'" attribute for a TCP chardev. > > For QEMU, this will allow for disabling the host config setting of the > 'chardev_tls' for a domain chardev channel by setting the value to "no" or > to attempt to use a host TLS environment when setting the value to "yes" > when the host config 'chardev_tls' setting is disabled, but a TLS environment > is configured via either the host config 'chardev_tls_x509_cert_dir' or > 'default_tls_x509_cert_dir' > > Alter qemuDomainSupportTLSChardevTCP to augment the decision points for > choosing whether to try to use TLS. > > Signed-off-by: John Ferlan <jferlan(a)redhat.com&gt; > --- > docs/formatdomain.html.in | 28 ++++++++++++ > docs/schemas/domaincommon.rng | 5 +++ > src/conf/domain_conf.c | 22 +++++++++- > src/conf/domain_conf.h | 1 + > src/qemu/qemu_command.c | 2 +- > src/qemu/qemu_domain.c | 20 +++++++-- > src/qemu/qemu_domain.h | 3 +- > src/qemu/qemu_hotplug.c | 4 +- > ...uxml2argv-serial-tcp-tlsx509-chardev-notls.args | 30 +++++++++++++ > ...muxml2argv-serial-tcp-tlsx509-chardev-notls.xml | 50 ++++++++++++++++++++++ > tests/qemuxml2argvtest.c | 3 ++ > ...xml2xmlout-serial-tcp-tlsx509-chardev-notls.xml | 1 + > tests/qemuxml2xmltest.c | 1 + > 13 files changed, 162 insertions(+), 8 deletions(-) > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.args > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.xml > create mode 120000 tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev-notls.xml > > diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in > index 9051178..da6be67 100644 > --- a/docs/formatdomain.html.in > +++ b/docs/formatdomain.html.in > @@ -6204,6 +6204,34 @@ qemu-kvm -net nic,model=? /dev/null > &lt;/devices&gt; > ...</pre> > > + <p> > + <span class="since">Since 2.4.0,</span> the optional attribute > + <code>tls</code> can be used to control whether a serial chardev

> + TCP communication channel would utilize a hypervisor configured > + TLS X.509 certificate environment in order to encrypt the data > + channel. For the QEMU hypervisor, usage of a TLS envronment can > + be controlled on the host by the <code>chardev_tls</code> and > + <code>chardev_tls_x509_cert_dir</code> or > + <code>default_tls_x509_cert_dir</code> settings in the file > + /etc/libvirt/qemu.conf. If <code>chardev_tls</code> is enabled, > + then unless the <code>tls</code> attribute is set to "no", libvirt > + will use the host configured TLS environment. > + If <code>chardev_tls</code> is disabled, but the <code>tls</code> > + attribute is set to "yes", then libvirt will attempt to use the > + host TLS environment if either the <code>chardev_tls_x509_cert_dir</code> > + or <code>default_tls_x509_cert_dir</code> TLS directory structure exists. > + </p>