On 10/18/2016 02:27 AM, Pavel Hrdina wrote:
[...]
>
> "As default behaviour I think it is desirable that we can turn TLS on
> for every VM at once - I tend to view it as a host network integration
> task, rather than a VM configuration task. Same rationale that we use
> for TLS wth VNC/SPICE."
Don't forget this part of the same review:
"There's no reason we can't have a tri-state TLS flag against the chardev
in the XML too, to override the default behaviour of cfg->chardevTLS"
That also means to override chardev_tls = "0" by "tls='yes'".
If the default cfg behaviour is "1", then that tells us "someone" has
set up the TLS environment and thus the domain/chardev override would be
"no".
If the default cfg behaviour is "0", then that means we cannot guarantee
the environment necessary has been set up and we cannot allow the
domain/chardev setting to enable TLS.
John