On Thu, Jun 16, 2016 at 06:42:23AM -0400, John Ferlan wrote:
Add a new TLS X.509 certificate type - "chartcp" (a/k/a
charTCP). This will
handle the creation of a TLS certificate capability (and possibly repository)
for properly configured character device TCP backends.
Unlike vnc and spice, there is no "listen" or "passwd" associated with it.
The credentials will be handled via a libvirt secret provided to a specific
backend.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/libvirtd_qemu.aug | 4 ++
src/qemu/qemu.conf | 16 +++++++
src/qemu/qemu_conf.c | 4 ++
src/qemu/qemu_conf.h | 3 ++
src/qemu/test_libvirtd_qemu.aug.in | 2 +
.../qemuxml2argv-serial-tcp-tlsx509-chardev.xml | 41 ++++++++++++++++++
.../qemuxml2xmlout-serial-tcp-tlsx509-chardev.xml | 50 ++++++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
8 files changed, 121 insertions(+)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.xml
create mode 100644
tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev.xml
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 39b3a34..e70d38d 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -44,6 +44,9 @@ module Libvirtd_qemu =
| bool_entry "spice_sasl"
| str_entry "spice_sasl_dir"
+ let chartcp_entry = bool_entry "chartcp_tls"
+ | str_entry "chartcp_tls_x509_cert_dir"
+
let nogfx_entry = bool_entry "nographics_allow_host_audio"
let remote_display_entry = int_entry "remote_display_port_min"
@@ -98,6 +101,7 @@ module Libvirtd_qemu =
let entry = default_tls_entry
| vnc_entry
| spice_entry
+ | chartcp_entry
| nogfx_entry
| remote_display_entry
| security_entry
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 72acdfb..fa00be4 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -166,6 +166,22 @@
#
#spice_sasl_dir = "/some/directory/sasl2"
+# Enable use of TLS encryption on the chardev TCP transports.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#chartcp_tls = 1
+
+
+# In order to override the default TLS certificate location for character
+# device TCP certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist then the default_tls_x509_cert_dir
+# path will be used.
+#
+#chartcp_tls_x509_cert_dir = "/etc/pki/libvirt-chartcp"
I'd suggest we just say 'chardev' instead of 'chartcp', as it is
conceivable that we could use TLS with non-TCP chardevs in the
future.
I'm wondering if we should use /etc/pki/qemu-chardev as the
default location too
Regards,
Daniel