qemu.conf: Document options for VxHS block network protocol TLS config as ignored

qemu-5.2 dropped support for VxHS. As we now require at least qemu-6.2,
the qemu.conf option for setting up TLS for VxHS are no longer used.
Document them as such.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index bd744940d2b87e03bb85db9839cc4947f3eb5d8e..e1e479d72c75672da81bbe6563634a32b306888d 100644 (file)
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -69,6 +69,8 @@ module Libvirtd_qemu =
                  | bool_entry "backup_tls_x509_verify"
                  | str_entry "backup_tls_x509_secret_uuid"
 
+   (* support for vxhs was removed from qemu and the examples were dopped from *)
+   (* qemu.conf but these need to stay *)
    let vxhs_entry = bool_entry "vxhs_tls"
                  | str_entry "vxhs_tls_x509_cert_dir"
                  | str_entry "vxhs_tls_x509_secret_uuid"

diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 502adbf5c394ff350119a835dba4deb1e027f24f..042bb75b506f3c226f32fc93bc459aab95430070 100644 (file)
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -299,48 +299,12 @@
 #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
-# Enable use of TLS encryption for all VxHS network block devices that
-# don't specifically disable.
-#
-# When the VxHS network block device server is set up appropriately,
-# x509 certificates are required for authentication between the clients
-# (qemu processes) and the remote VxHS server.
-#
-# It is necessary to setup CA and issue the client certificate before
-# enabling this.
+# The support for VxHS network block protocol was removed in qemu-5.2 and
+# thus also dropped from libvirt's qemu driver. The following options which
+# were used to configure the TLS certificates for VxHS are thus ignored.
 #
 #vxhs_tls = 1
-
-
-# In order to override the default TLS certificate location for VxHS
-# backed storage, supply a valid path to the certificate directory.
-# This is used to authenticate the VxHS block device clients to the VxHS
-# server.
-#
-# If the provided path does not exist, libvirtd will fail to start.
-# If the path is not provided, but vxhs_tls = 1, then the
-# default_tls_x509_cert_dir path will be used.
-#
-# VxHS block device clients expect the client certificate and key to be
-# present in the certificate directory along with the CA master certificate.
-# If using the default environment, default_tls_x509_verify must be configured.
-# Since this is only a client the server-key.pem certificate is not needed.
-# Thus a VxHS directory must contain the following:
-#
-#  ca-cert.pem - the CA master certificate
-#  client-cert.pem - the client certificate signed with the ca-cert.pem
-#  client-key.pem - the client private key
-#
 #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
 #vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"