
On Thu, Oct 20, 2016 at 08:51:45AM +0200, Pavel Hrdina wrote:
On Wed, Oct 19, 2016 at 04:53:54PM -0400, John Ferlan wrote:
Add an optional "tls='yes|no'" attribute for a TCP chardev.
For QEMU, this will allow for disabling the host config setting of the 'chardev_tls' for a domain chardev channel by setting the value to "no" or to attempt to use a host TLS environment when setting the value to "yes" when the host config 'chardev_tls' setting is disabled, but a TLS environment is configured via either the host config 'chardev_tls_x509_cert_dir' or 'default_tls_x509_cert_dir'.
Alter qemuDomainSupportTLSChardevTCP to augment the decision points for choosing whether to try to use TLS.
Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 docs/formatdomain.html.in                          | 28 ++++++++++++
 docs/schemas/domaincommon.rng                      |  5 +++
 src/conf/domain_conf.c                             | 22 +++++++++-
 src/conf/domain_conf.h                             |  1 +
 src/qemu/qemu_command.c                            |  2 +-
 src/qemu/qemu_domain.c                             | 20 +++++++--
 src/qemu/qemu_domain.h                             |  3 +-
 src/qemu/qemu_hotplug.c                            |  4 +-
 ...uxml2argv-serial-tcp-tlsx509-chardev-notls.args | 30 +++++++++++++
 ...muxml2argv-serial-tcp-tlsx509-chardev-notls.xml | 50 ++++++++++++++++++++++
 tests/qemuxml2argvtest.c                           |  3 ++
 ...xml2xmlout-serial-tcp-tlsx509-chardev-notls.xml |  1 +
 tests/qemuxml2xmltest.c                            |  1 +
 13 files changed, 162 insertions(+), 8 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.args
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev-notls.xml
 create mode 120000 tests/qemuxml2xmloutdata/qemuxml2xmlout-serial-tcp-tlsx509-chardev-notls.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 9051178..da6be67 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -6204,6 +6204,34 @@ qemu-kvm -net nic,model=? /dev/null </devices> ...</pre>
+ <p> + <span class="since">Since 2.4.0,</span> the optional attribute + <code>tls</code> can be used to control whether a serial chardev
Remove reference to "serial" because this is valid for all chardevs.

Pavel
+ TCP communication channel would utilize a hypervisor configured + TLS X.509 certificate environment in order to encrypt the data + channel. For the QEMU hypervisor, usage of a TLS envronment can + be controlled on the host by the <code>chardev_tls</code> and + <code>chardev_tls_x509_cert_dir</code> or + <code>default_tls_x509_cert_dir</code> settings in the file + /etc/libvirt/qemu.conf. If <code>chardev_tls</code> is enabled, + then unless the <code>tls</code> attribute is set to "no", libvirt + will use the host configured TLS environment. + If <code>chardev_tls</code> is disabled, but the <code>tls</code> + attribute is set to "yes", then libvirt will attempt to use the + host TLS environment if either the <code>chardev_tls_x509_cert_dir</code> + or <code>default_tls_x509_cert_dir</code> TLS directory structure exists. + </p>
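Review bot: the new paragraph leaves open what happens when <code>tls</code> is "yes", <code>chardev_tls</code> is disabled and neither <code>chardev_tls_x509_cert_dir</code> nor <code>default_tls_x509_cert_dir</code> exists; "libvirt will attempt to use the host TLS environment" reads as a silent fall back to a cleartext TCP channel, which is the opposite of what someone who wrote tls='yes' asked for. Please state explicitly whether the domain then starts with an unencrypted chardev or fails to start, and consider making it an error rather than a fallback. Two smaller points in the same hunk: "TLS envronment" should be "TLS environment", and /etc/libvirt/qemu.conf should be wrapped in <code></code> like the settings named around it.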
[...]
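The decision table described in the documentation text above, written out as an added Python example so the outcomes can be checked directly. This is not libvirt code: the function names, the precedence between the two certificate directories, the flagged "plaintext although tls='yes'" label and the constructed sample paths are this example's own; the input names mirror the qemu.conf settings and the domain XML attribute that the patch documents.

```python
"""Model of the TLS decision for a libvirt TCP chardev as documented in the patch.

Added example, not libvirt code. Inputs mirror the qemu.conf settings
'chardev_tls', 'chardev_tls_x509_cert_dir', 'default_tls_x509_cert_dir' and the
domain XML attribute tls='yes'|'no' (absent -> None). Function names, directory
precedence and the sample paths are assumptions of this example.
"""
import os
from typing import Optional

# Constructed paths for the stand-alone demo: the current directory exists,
# the second path is assumed not to exist.
EXISTING_DIR = os.getcwd()
MISSING_DIR = os.path.join(os.getcwd(), "no-such-tls-x509-cert-dir")


def host_tls_cert_dir(chardev_tls_x509_cert_dir: Optional[str],
                      default_tls_x509_cert_dir: Optional[str]) -> Optional[str]:
    """Return the first configured certificate directory that exists on disk.

    The precedence (chardev-specific directory before the default one) is an
    assumption of this example; the doc text only says "either ... exists".
    """
    for cert_dir in (chardev_tls_x509_cert_dir, default_tls_x509_cert_dir):
        if cert_dir and os.path.isdir(cert_dir):
            return cert_dir
    return None


def chardev_uses_tls(chardev_tls: bool,
                     tls_attr: Optional[str],
                     chardev_tls_x509_cert_dir: Optional[str] = None,
                     default_tls_x509_cert_dir: Optional[str] = None) -> bool:
    """Decide whether a TCP chardev gets a TLS channel, per the documented rules.

    chardev_tls: the qemu.conf 'chardev_tls' switch.
    tls_attr:    the domain XML tls='yes'|'no' attribute, or None if absent.
    """
    if tls_attr not in (None, "yes", "no"):
        raise ValueError("tls attribute must be 'yes' or 'no', got %r" % (tls_attr,))
    if chardev_tls:
        # Host default is TLS; only an explicit tls='no' opts the chardev out.
        return tls_attr != "no"
    if tls_attr == "yes":
        # Host default is plaintext; tls='yes' opts in only if a cert dir exists.
        return host_tls_cert_dir(chardev_tls_x509_cert_dir,
                                 default_tls_x509_cert_dir) is not None
    return False


def channel_outcome(chardev_tls: bool,
                    tls_attr: Optional[str],
                    chardev_tls_x509_cert_dir: Optional[str] = None,
                    default_tls_x509_cert_dir: Optional[str] = None) -> str:
    """Label the resulting channel, flagging the case worth auditing:
    tls='yes' was requested but no usable certificate directory was found,
    so the channel ends up in plaintext."""
    if chardev_uses_tls(chardev_tls, tls_attr,
                        chardev_tls_x509_cert_dir, default_tls_x509_cert_dir):
        return "tls"
    if tls_attr == "yes":
        return "plaintext (tls='yes' requested but no X.509 cert dir found)"
    return "plaintext"


if __name__ == "__main__":
    # Print the full decision table for the constructed host configurations.
    for chardev_tls in (True, False):
        for cert_dir in (None, MISSING_DIR, EXISTING_DIR):
            for tls_attr in (None, "yes", "no"):
                print("chardev_tls=%-5s cert_dir=%-8s tls=%-4s -> %s" % (
                    chardev_tls,
                    "none" if cert_dir is None else ("missing" if cert_dir == MISSING_DIR else "exists"),
                    tls_attr,
                    channel_outcome(chardev_tls, tls_attr, chardev_tls_x509_cert_dir=cert_dir)))
```

Run it with no arguments to print the table. The row to look for is chardev_tls disabled, tls='yes' and no existing certificate directory: under the documented rules the chardev is still created, but in plaintext, which is the combination a reviewer or operator should treat as a misconfiguration rather than a successful opt-in.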