On Wed, Dec 01, 2010 at 10:26:35AM +0000, Daniel P. Berrange wrote:
On Wed, Dec 01, 2010 at 05:35:38PM +0800, Osier Yang wrote:
> Hi, all
>
> We have some new requirements of preferences, I listed
> which of them I known, and think is useful as follows:
>
> 1) for the path of x509 certificate and keys of client
>
> The path of x509 certificate and keys of client is hard
> coded in remote driver. e.g.
>
> /* Defaults for PKI directory. */
> # define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
> # define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
> # define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private
> /clientkey.pem"
> # define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
We can't assume one set of certs/keys is suitable for all
URIs, so making this a preference setting doesn't help. There
needs to be a parameter in the URI to specify a cert/key name
to override the defaults on a per-connection basis
As much as I disliked adding long ugly filenames to the URI, I do not
see any way around it now. A single client application may need to open
two connections with different cert/key pairs, so a single client.conf
or environment variables won't cut it.