On 03/22/2017 12:26 PM, Jiri Denemark wrote:
On Fri, Mar 17, 2017 at 14:38:56 -0400, John Ferlan wrote:
Add a new TLS X.509 certificate type - "migrate". This will handle the creation of a TLS certificate capability (and possibly repository) to be used for migrations. Similar to chardev's, credentials will be handled via a libvirt secrets; however, unlike chardev's enablement and usage will be via a CLI flag instead of a conf flag and a domain XML attribute. The migrations will also require the client-cert.pem and client-key.pem files to be present in the clients TLS directory.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/libvirtd_qemu.aug | 5 +++++ src/qemu/qemu.conf | 37 +++++++++++++++++++++++++++++++++++++ src/qemu/qemu_conf.c | 6 ++++++ src/qemu/qemu_conf.h | 4 ++++ src/qemu/test_libvirtd_qemu.aug.in | 3 +++ 5 files changed, 55 insertions(+)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 9925ac9..40bcec3 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf ... +# In order to override the default TLS certificate location for migration +# certificates, supply a valid path to the certificate directory. If the +# provided path does not exist then the default_tls_x509_cert_dir path +# will be used. Once/if a default certificate is enabled/defined, migration +# will then be able to use the certificate via migration API flags. +# +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing a x509 certificate to every client who needs to connect.
s/a x509/an x509/
+# +# Enabling this option will reject any client who does not have a +# certificate signed by the CA in /etc/pki/libvirt-migrate/ca-cert.pem
"ca-cert.pem in migrate_tls_x509_cert_dir" or something like that. Mentioning /etc/pki/libvirt-migrate might be quite confusing.
The is a cut-n-paste of the libvirt-vnc and libvirt-chardev - would you like to see those changed as well (in a separate patch). It now reads: # Enabling this option will reject any client who does not have a # ca-cert.pem certificate signed by the CA in migrate_tls_x509_cert_dir # (or default_tls_x509_cert_dir). John <grumble, grumble> if certificates were any less confusing they may actually be more widely used. It's really confusing that libvirtd expects one set of names, while a different set of names is expected by qemu - so while one could conceivably share "copied" .pem files one could not share the libvirtd and qemu TLS directories unless both files were present... qemu expects in say /etc/pki/qemu: ca-cert.pem client-cert.pem client-key.pem server-cert.pem server-key.pem libvirtd expects: /etc/pki/CA/cacert.pem /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/clientkey.pem /etc/pki/libvirt/private/serverkey.pem
+# +#migrate_tls_x509_verify = 1 ...
ACK with the comments fixed.
Jirka