Re: [libvirt] [PATCH v7 2/5] conf: Introduce {default|chardev}_tls_x509_secret_uuid

On 09/19/2016 10:53 AM, Daniel P. Berrange wrote: > On Mon, Sep 19, 2016 at 10:39:21AM -0400, John Ferlan wrote: >> Add a new qemu.conf variables to store the UUID for the secret that could >> be used to present credentials to access the TLS chardev. Since this will >> be a server level and it's possible to use some sort of default, introduce >> both the default and chardev logic at the same time making the setting of >> the chardev check for it's own value, then if not present checking whether >> the default value had been set. >> >> The chardevTLSx509haveUUID bool will be used as the marker for whether >> the chardevTLSx509secretUUID was successfully read. In the future this >> is how it'd determined whether to add the secret object for a TLS object. >> >> Signed-off-by: John Ferlan <jferlan(a)redhat.com&gt; >> --- >> src/qemu/libvirtd_qemu.aug | 2 ++ >> src/qemu/qemu.conf | 24 ++++++++++++++++++++++++ >> src/qemu/qemu_conf.c | 22 ++++++++++++++++++++++ >> src/qemu/qemu_conf.h | 3 +++ >> src/qemu/test_libvirtd_qemu.aug.in | 2 ++ >> 5 files changed, 53 insertions(+) >> >> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug >> index 988201e..73ebeda 100644 >> --- a/src/qemu/libvirtd_qemu.aug >> +++ b/src/qemu/libvirtd_qemu.aug >> @@ -29,6 +29,7 @@ module Libvirtd_qemu = >> (* Config entry grouped by function - same order as example config *) >> let default_tls_entry = str_entry "default_tls_x509_cert_dir" >> | bool_entry "default_tls_x509_verify" >> + | str_entry "default_tls_x509_secret_uuid" >> >> let vnc_entry = str_entry "vnc_listen" >> | bool_entry "vnc_auto_unix_socket" >> @@ -51,6 +52,7 @@ module Libvirtd_qemu = >> let chardev_entry = bool_entry "chardev_tls" >> | str_entry "chardev_tls_x509_cert_dir" >> | bool_entry "chardev_tls_x509_verify" >> + | str_entry "chardev_tls_x509_secret_uuid" >> >> let nogfx_entry = bool_entry "nographics_allow_host_audio" >> >> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf >> index e4c2aae..7114fa1 100644 >> --- a/src/qemu/qemu.conf >> +++ b/src/qemu/qemu.conf >> @@ -28,6 +28,20 @@ >> # >> #default_tls_x509_verify = 1 >> >> +# >> +# In order to provide a password to unlock the private key to be used >> +# in order to provide the TLS credentials, a libvirt secret will need >> +# to be created and then the UUID of that secret added as a configuration >> +# parameter. See the libvirt documentation for specific details regarding >> +# how to create a "tls" secret type. >> +# >> +# NB This default all-zeros UUID will not work. Replace it with the >> +# output from the UUID for the TLS secret from a 'virsh secret-list' >> +# command and then uncomment the entry >> +# >> +#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" > > We could perhaps be a little more explicit about the fact that when > this is commented out, the private key is required to be in > non-encrypted PEM format. > Fair enough - a simple enough addition, so at the end of the first paragraph (and repeated again for chardev_tls_x509_secret_uuid), how about: " A libvirt secret requires usage of a non-encrypted PEM format certificate." Or is there some other wording that is preferable?