This option can be used to override the destination host name used for
TLS verification.
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
tools/virsh-domain.c | 11 +++++++++++
tools/virsh.pod | 8 ++++++--
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
index 21ea1a69ea..c2cfcf409d 100644
--- a/tools/virsh-domain.c
+++ b/tools/virsh-domain.c
@@ -10566,6 +10566,10 @@ static const vshCmdOptDef opts_migrate[] = {
.type = VSH_OT_INT,
.help = N_("migration bandwidth limit in MiB/s")
},
+ {.name = "tls-destination",
+ .type = VSH_OT_STRING,
+ .help = N_("override the destination host name used for TLS
verification")
+ },
{.name = NULL}
};
@@ -10789,6 +10793,13 @@ doMigrate(void *opaque)
goto save_error;
}
+ if (vshCommandOptStringReq(ctl, cmd, "tls-destination", &opt) < 0)
+ goto out;
+ if (opt &&
+ virTypedParamsAddString(¶ms, &nparams, &maxparams,
+ VIR_MIGRATE_PARAM_TLS_DESTINATION, opt) < 0)
+ goto save_error;
+
if (vshCommandOptBool(cmd, "live"))
flags |= VIR_MIGRATE_LIVE;
if (vshCommandOptBool(cmd, "p2p"))
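Review bot: The new `tls-destination` block in doMigrate adds VIR_MIGRATE_PARAM_TLS_DESTINATION whether or not `--tls` was given, and nothing visible in this hunk rejects the override on a migration that does not use TLS. Because the value changes which name the destination certificate is checked against, an operator who passes it without `--tls` could believe the peer is being verified when no verification takes place. Unless the daemon already refuses that combination, virsh should fail early with `VSH_REQUIRE_OPTION("tls-destination", "tls");` beside the other option checks in cmdMigrate. A short comment above the block would also help, for example `/* Name the destination certificate is verified against instead of the URI host; only meaningful with --tls. */`. doMigrate starts and ends outside the hunk, and cmdMigrate is not shown here.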
diff --git a/tools/virsh.pod b/tools/virsh.pod
index a8331154e1..aaf1eba825 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -2174,7 +2174,7 @@ I<domain> I<desturi> [I<migrateuri>]
[I<graphicsuri>] [I<listen-address>] [I<dna
[I<auto-converge-increment>] [I<--persistent-xml> B<file>]
[I<--tls>]
[I<--postcopy-bandwidth> B<bandwidth>]
[I<--parallel> [I<--parallel-connections> B<connections>]]
-[I<--bandwidth> B<bandwidth>]
+[I<--bandwidth> B<bandwidth>] [I<--tls-destination> B<hostname>]
Migrate domain to another host. Add I<--live> for live migration; <--p2p>
for peer-2-peer migration; I<--direct> for direct migration; or
I<--tunnelled>
@@ -2267,7 +2267,11 @@ respectively. I<--comp-xbzrle-cache> sets size of page cache
in bytes.
Providing I<--tls> causes the migration to use the host configured TLS setup
(see migrate_tls_x509_cert_dir in /etc/libvirt/qemu.conf) in order to perform
the migration of the domain. Usage requires proper TLS setup for both source
-and target.
+and target. Normally the TLS certificate from the destination host must match
+the host's name for TLS verification to succeed. When the certificate does not
+match the destination hostname and the expected cetificate's hostname is
+known, I<--tls-destination> can be used to pass the expected B<hostname>
when
+starting the migration.
I<--parallel> option will cause migration data to be sent over multiple
parallel connections. The number of such connections can be set using
--
2.24.0