Re: [libvirt] [PATCH v10 2/4] domain: Add optional 'tls' attribute for TCP chardev

On Thu, Oct 20, 2016 at 03:48:30PM -0400, John Ferlan wrote: > [...] >

Now I see why we are not able to agree on this change. The modification done in qemuProcessPrepareDomain() are only to live definition, the config definition remains untouched, which means the *tls* attribute (if it's based on qemu.conf) will appear only in live XML. The config XML will remain the same after the guest is stopped. > I think it should be strictly optional and that's where we differ. I see > no reason to change the domain xml unless as a consumer that's what you > want to do - be able to control which domains will have the setting. > What else would be the purpose of a host wide setting to go with a > domain optional setting? > > Finally, if your idea is accepted, that means for any configuration with > chardev_tls=0 (either because it's commented or set that way), every > domain that starts will be updated to have this new attribute > "tls='no'". Then one day, I read up on this wonderful new feature and Not the domain, only the live XML which is not saved as config XML ... > modify my qemu.conf file to set chardev_tls=1 and set up the TLS > environment properly. I go to start my domain, but wait it's not using And after you start the domain there will be "tls='yes'" because the config XML doesn't contain any *tls* attribute. I've tested all of those cases before proposing this patch: prerequisite: prepare certificate files to be used for chardev devices for running domain: live XML - virsh dumpxml $domain config XML - virsh dumpxml $domain --config migratable XML - virsh dumpxml $domain --migratable 1. set chardev_tls = 1 a) start domain where there is no *tls* attribute in config XML - the domain is started and TLS is properly configured - in the live XML there is "tls='yes'" - in the config XML there is no *tls* attribute - in the migratable XML there is no *tls* attribure b) start domain where there is "tls='no'" in config XML - the domain is started and TLS is not configured - in the live XML there is "tls='no'" - in the config XML there is "tls='no'" - in the migratable XML there is "tls='no'" c) start domain where there is "tls='yes'" in config XML - the domain is started and TLS is properly configured - in the live XML there is "tls='yes'" - in the config XML there is "tls='yes'" - in the migratable XML there is "tls='yes'" 2. set chardev_tls = 0 a) start domain where there is no *tls* attribute in config XML - the domain is started and TLS is not configured - in the live XML there is "tls='no'" - in the config XML there is no *tls* attribute - in the migratable XML there is no *tls* attribure b) start domain where there is "tls='no'" in config XML - the domain is started and TLS is not configured - in the live XML there is "tls='no'" - in the config XML there is "tls='no'" - in the migratable XML there is "tls='no'" c) start domain where there is "tls='yes'" in config XML - the domain is started and TLS is properly configured - in the live XML there is "tls='yes'" - in the config XML there is "tls='yes'" - in the migratable XML there is "tls='yes'" Pavel > it. Closer inspection finds, someone put "tls='no'" into my domain... To > me that's not right. And I won't necessarily know unless I know to look > at the cmdline of the started domain to find that 'tls-creds' or I in > some way "track" when TLS is being used. > > > John > > -- > libvir-list mailing list > libvir-list(a)redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list