Re: [libvirt] [PATCH v9 1/4] conf: Introduce TLS options for VxHS block device clients

On Wed, Sep 27, 2017 at 09:12:06 -0400, John Ferlan wrote: > > > On 09/27/2017 08:43 AM, Peter Krempa wrote: > > On Tue, Sep 19, 2017 at 21:32:43 -0400, John Ferlan wrote: > >> From: Ashish Mittal <Ashish.Mittal(a)veritas.com&gt; > >> > >> Add a new TLS X.509 certificate type - "vxhs". This will handle the > >> creation of a TLS certificate capability for properly configured > >> VxHS network block device clients. > >> > >> The following describes the behavior of TLS for VxHS block device: > >> > >> (1) Two new options have been added in /etc/libvirt/qemu.conf > >> to control TLS behavior with VxHS block devices > >> "vxhs_tls" and "vxhs_tls_x509_cert_dir". > >> (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable > >> TLS for VxHS block devices. > >> (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the > >> TLS CA certificate and the client certificate and keys are saved. > >> If this value is missing, the "default_tls_x509_cert_dir" will be > >> used instead. If the environment is not configured properly the > >> authentication to the VxHS server will fail. > >> > >> Signed-off-by: Ashish Mittal <Ashish.Mittal(a)veritas.com&gt; > >> Signed-off-by: John Ferlan <jferlan(a)redhat.com&gt; > >> --- > >> src/qemu/libvirtd_qemu.aug | 4 ++++ > >> src/qemu/qemu.conf | 34 ++++++++++++++++++++++++++++++++++ > >> src/qemu/qemu_conf.c | 16 ++++++++++++++++ > >> src/qemu/qemu_conf.h | 3 +++ > >> src/qemu/test_libvirtd_qemu.aug.in | 2 ++ > >> 5 files changed, 59 insertions(+) [...] > The "server key" comes from the default description of "server-key.pem" > and the rest from the description of default_tls_x509_secret_uuid which > essentially states the UUID would be UUID of a secret that would decrypt > the server-key.pem file. Ah, right. > > Basically, it's a way to point out that the VxHS TLS certificate > environment wouldn't use a similar setup from a default (or Chardev or > Migrate) to provide a secret UUID parameter since the configuration is > client only. I can strike out that last sentence completely as it > perhaps not that important and probably confusing. You can state that since this is only a client, the server key/cert is not needed in such configuration, which automatically implies that the secret for decrypting it is not necessary as well.