From: Peter Krempa <pkrempa(a)redhat.com>
qemu-5.2 dropped support for VxHS. As we now require at least qemu-6.2,
the qemu.conf options for setting up TLS for VxHS are no longer used.
Document them as such.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/libvirtd_qemu.aug | 2 ++
src/qemu/qemu.conf.in | 42 +++-----------------------------------
2 files changed, 5 insertions(+), 39 deletions(-)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index bd744940d2..e1e479d72c 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -69,6 +69,8 @@ module Libvirtd_qemu =
| bool_entry "backup_tls_x509_verify"
| str_entry "backup_tls_x509_secret_uuid"
+ (* support for vxhs was removed from qemu and the examples were dopped from *)
+ (* qemu.conf but these need to stay *)
let vxhs_entry = bool_entry "vxhs_tls"
| str_entry "vxhs_tls_x509_cert_dir"
| str_entry "vxhs_tls_x509_secret_uuid"
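Review bot: The added comment misspells "dropped" as "dopped" and says the examples were dropped from qemu.conf, but the qemu.conf.in hunk of this same patch keeps the three commented `#vxhs_tls…` lines as context. The comment should also say why the entries must stay, which is presumably so that configuration files still setting these keys continue to validate against the lens; please confirm. Suggested wording: `(* support for vxhs was removed from qemu; the entries are kept so that *)` followed by `(* existing qemu.conf files which still set them keep parsing *)`. The lens definition continues outside the hunk.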
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 502adbf5c3..042bb75b50 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -299,48 +299,12 @@
#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-# Enable use of TLS encryption for all VxHS network block devices that
-# don't specifically disable.
-#
-# When the VxHS network block device server is set up appropriately,
-# x509 certificates are required for authentication between the clients
-# (qemu processes) and the remote VxHS server.
-#
-# It is necessary to setup CA and issue the client certificate before
-# enabling this.
+# The support for VxHS network block protocol was removed in qemu-5.2 and
+# thus also dropped from libvirt's qemu driver. The following options which
+# were used to configure the TLS certificates for VxHS are thus ignored.
#
#vxhs_tls = 1
-
-
-# In order to override the default TLS certificate location for VxHS
-# backed storage, supply a valid path to the certificate directory.
-# This is used to authenticate the VxHS block device clients to the VxHS
-# server.
-#
-# If the provided path does not exist, libvirtd will fail to start.
-# If the path is not provided, but vxhs_tls = 1, then the
-# default_tls_x509_cert_dir path will be used.
-#
-# VxHS block device clients expect the client certificate and key to be
-# present in the certificate directory along with the CA master certificate.
-# If using the default environment, default_tls_x509_verify must be configured.
-# Since this is only a client the server-key.pem certificate is not needed.
-# Thus a VxHS directory must contain the following:
-#
-# ca-cert.pem - the CA master certificate
-# client-cert.pem - the client certificate signed with the ca-cert.pem
-# client-key.pem - the client private key
-#
#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
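Review bot: The new comment says the three VxHS options are ignored, while the removed text documented that libvirtd fails to start when `vxhs_tls_x509_cert_dir` names a path that does not exist. The config loader is not part of this patch, so it is worth confirming that no such path validation remains, because otherwise a stale setting could still stop the daemon from starting despite being described as ignored. The comment could also tell administrators that the keys are still accepted, e.g. `# They are still accepted so that existing configuration files keep parsing, but have no effect.`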
--
2.49.0