Re: [libvirt] [PATCH v2 1/6] conf: Add new default TLS X.509 certificate default directory
On Thu, Jun 16, 2016 at 06:42:22AM -0400, John Ferlan wrote:
Rather that specify perhaps multiple TLS X.509 certificate
directories,
let's create a "default" directory which can then be used if the service
(e.g. for now vnc and spice) does not supply a default directory.
Since the default for vnc and spice may have existed before without being
supplied, the default check will first check if the service specific path
exists and if so, set the cfg entry to that; otherwise, the default will
be set to the (now) new defaultTLSx509certdir.
Signed-off-by: John Ferlan <jferlan(a)redhat.com>
---
src/qemu/libvirtd_qemu.aug | 5 ++++-
src/qemu/qemu.conf | 36 ++++++++++++++++-----------------
src/qemu/qemu_conf.c | 41 ++++++++++++++++++++++++++++++++------
src/qemu/qemu_conf.h | 2 ++
src/qemu/test_libvirtd_qemu.aug.in | 1 +
5 files changed, 60 insertions(+), 25 deletions(-)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 8bc23ba..39b3a34 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -24,6 +24,8 @@ module Libvirtd_qemu =
(* Config entry grouped by function - same order as example config *)
+ let default_tls_entry = str_entry "default_tls_x509_cert_dir"
+
let vnc_entry = str_entry "vnc_listen"
| bool_entry "vnc_auto_unix_socket"
| bool_entry "vnc_tls"
@@ -93,7 +95,8 @@ module Libvirtd_qemu =
let nvram_entry = str_array_entry "nvram"
(* Each entry in the config is one of the following ... *)
- let entry = vnc_entry
+ let entry = default_tls_entry
+ | vnc_entry
| spice_entry
| nogfx_entry
| remote_display_entry
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 7964273..72acdfb 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -2,6 +2,16 @@
# All settings described here are optional - if omitted, sensible
# defaults are used.
+# Use of TLS requires that x509 certificates be issued. The default is
+# to keep them in /etc/pki/libvirt-default. This directory must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+#default_tls_x509_cert_dir = "/etc/pki/libvirt-default"
Oh, just remembered we should add a
default_tls_x509_verify = 1|0
to control how we set the 'verify-peer' config option on the TLS
certs (ie whether we mandate the client provide a x509 cert as a
crude form of authorization, as opposed to letting any client
conncect).
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|