On Mon, Feb 20, 2017 at 03:30:26PM +0000, Daniel P. Berrange wrote:
On Mon, Feb 20, 2017 at 10:26:16AM -0500, John Ferlan wrote:
On 02/20/2017 10:13 AM, Jiri Denemark wrote:
On Fri, Feb 17, 2017 at 14:39:19 -0500, John Ferlan wrote:
Add a new TLS X.509 certificate type - "migrate". This will handle the creation of a TLS certificate capability (and possibly repository) to be used for migrations. Similar to chardev's, credentials will be handled via a libvirt secrets.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/libvirtd_qemu.aug | 6 ++++++ src/qemu/qemu.conf | 39 ++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_conf.c | 2 ++ src/qemu/qemu_conf.h | 5 +++++ src/qemu/test_libvirtd_qemu.aug.in | 4 ++++ 5 files changed, 56 insertions(+)
I'm not a big fan of setting up two sets of X.509 environments, but I guess it could be useful to someone a we could always set both to the same values, right?
Jirka
Cannot disagree... setting up one is daunting enough ;-)!
With this there's going to be 4 and could be 5 if NBD needed it's own (the other 3 being VNC, Spice, and Chardev)... I do have a patch beyond this series "in process" which would do the same for NBD (but I keep thinking it'd be overkill).
BTW, we should *not* add certs for NBD - logically the NBD connections we're managing are just part of the migration data flow - they just happen to be separate TCP connections. IOW the 'migration' certs should always be used for the NBD channels too. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|