On 06/30/2017 04:56 AM, Peter Krempa wrote:
On Fri, Jun 30, 2017 at 10:44:39 +0200, Peter Krempa wrote:
> On Thu, Jun 29, 2017 at 19:02:41 -0700, Ashish Mittal wrote:
>> From: Ashish Mittal <ashish.mittal(a)veritas.com>
[...]
>> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
>> index 7525a2a..909af50 100644
>> --- a/docs/schemas/domaincommon.rng
>> +++ b/docs/schemas/domaincommon.rng
>> @@ -1622,6 +1622,11 @@
>> </attribute>
>> <attribute name="name"/>
>> <ref name="diskSourceNetworkHost"/>
>> + <optional>
>> + <attribute name="tls">
>> + <ref name="virYesNo"/>
>> + </attribute>
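Review bot: The new `tls` attribute sits after `<ref name="diskSourceNetworkHost"/>` in this hunk, which separates it from `<attribute name="name"/>`; moving the `<optional>` block up so the attributes stay together would read better. The schema alone also leaves open what an omitted `tls` means, since the attribute is optional and `virYesNo` only constrains the value, so the documentation that accompanies this change should state the default.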
>
> Make this a definition for future reuse. Additionally I think that the
> TLS part should be a separate element here. Something like
>
> <disk>
> <source>

I forgot to finish my thought before sending. I think we want a separate
element with an attribute at this point. This allows adding other TLS
related stuff to it if such need arises.

  <disk type='network' device='disk'>
    <driver name='qemu' type='raw' cache='none'/>
    <source protocol='vxhs'
            name='eb90327c-8302-4725-9e1b-4e85ed4dc251'>
      <host name='192.168.0.1' port='9999'/>
      <tls enabled='yes'/>
    </source>
    [...]
  </disk>

I don't like a separate <tls ...> element. What do you mean by other TLS
related stuff such as 'verify' or 'secret'? Those would be qemu.conf
type settings - they wouldn't change on a disk by disk or domain by
domain basis.

Why not as a <source> or perhaps more precisely a <host> attribute? If
you compare with others it's related to the port as I would assume would
be the case for storage as well. If my understanding from the cover
letter is valid, then this is how QEMU is going to communicate with some
remote host/server in order to provide TLS credentials.

John

For comparison, other consumers of TLS and their XML:

VNC:

  <devices>
    ...
    <graphics type='vnc' port='5904' .../>
    ...

Configured only via qemu.conf AFAICT

Spice:

  <devices>
    ...
    <graphics type='spice' port='-1' tlsPort='-1'
              autoport='yes'>
    ...

Chardev:

  ...
  <devices>
    <serial type="tcp">
      <source mode='connect' host="127.0.0.1"
              service="5555" tls="yes"/>
      ...
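
The thread weighs three places to record the TLS request for a network disk (a `tls` attribute on `<source>`, a `<tls enabled='yes'/>` child, an attribute on `<host>`) next to the chardev form `tls="yes"`. The following is an added example, not code from libvirt or from anyone in the thread: an audit that reads a domain XML and reports the TLS request per network disk and TCP serial device, accepting all three candidate forms. The sample XML and volume names are constructed, and the `<host tls='...'>` spelling is an assumption, since the thread names no attribute for it.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one disk per candidate form from the thread, one disk
# with no TLS setting, and the chardev form quoted for comparison.
SAMPLE = """
<domain type='kvm'><devices>
  <disk type='network' device='disk'>
    <source protocol='vxhs' name='vol-attr' tls='yes'>
      <host name='192.168.0.1' port='9999'/></source></disk>
  <disk type='network' device='disk'>
    <source protocol='vxhs' name='vol-elem'>
      <host name='192.168.0.1' port='9999'/><tls enabled='no'/></source></disk>
  <disk type='network' device='disk'>
    <source protocol='vxhs' name='vol-host'>
      <host name='192.168.0.1' port='9999' tls='yes'/></source></disk>
  <disk type='network' device='disk'>
    <source protocol='vxhs' name='vol-none'>
      <host name='192.168.0.1' port='9999'/></source></disk>
  <serial type='tcp'>
    <source mode='connect' host='127.0.0.1' service='5555' tls='yes'/></serial>
</devices></domain>
"""

def tls_state(source):
    """Return 'yes', 'no', 'unset' or 'invalid' for one <source> element."""
    val = source.get("tls")                      # attribute on <source>
    if val is None and source.find("tls") is not None:
        val = source.find("tls").get("enabled")  # <tls enabled='...'/> child
    if val is None and source.find("host") is not None:
        val = source.find("host").get("tls")     # assumed <host tls='...'>
    if val is None:
        return "unset"
    return val if val in ("yes", "no") else "invalid"

def audit(domain_xml):
    """List (device, identifier, tls_state) for network disks and TCP serials."""
    devices = ET.fromstring(domain_xml.strip()).find("devices")
    if devices is None:
        return []
    report = []
    for disk in devices.iterfind("disk[@type='network']"):
        src = disk.find("source")
        if src is not None:
            report.append(("disk", src.get("name"), tls_state(src)))
    for serial in devices.iterfind("serial[@type='tcp']"):
        src = serial.find("source")
        if src is not None:
            ident = f"{src.get('host')}:{src.get('service')}"
            report.append(("serial", ident, tls_state(src)))
    return report
```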