Until now libvirt didn't allow using encrypted TLS key for disk clients.
Add fields for configuring the secret and propagate defaults.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
let vxhs_entry = bool_entry "vxhs_tls"
| str_entry "vxhs_tls_x509_cert_dir"
+ | str_entry "vxhs_tls_x509_secret_uuid"
let nbd_entry = bool_entry "nbd_tls"
| str_entry "nbd_tls_x509_cert_dir"
+ | str_entry "nbd_tls_x509_secret_uuid"
let nogfx_entry = bool_entry "nographics_allow_host_audio"
#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
# Enable use of TLS encryption for all NBD disk devices that don't
# specifically disable it.
#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
# In order to override the default TLS certificate location for migration
# certificates, supply a valid path to the certificate directory. If the
# provided path does not exist, libvirtd will fail to start. If the path is
VIR_FREE(cfg->chardevTLSx509secretUUID);
VIR_FREE(cfg->vxhsTLSx509certdir);
+ VIR_FREE(cfg->vxhsTLSx509secretUUID);
+
VIR_FREE(cfg->nbdTLSx509certdir);
+ VIR_FREE(cfg->nbdTLSx509secretUUID);
VIR_FREE(cfg->migrateTLSx509certdir);
VIR_FREE(cfg->migrateTLSx509secretUUID);
if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0)
return -1;
- if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTLSx509certdir) < 0)
- return -1;
if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0)
return -1;
- if (virConfGetValueString(conf, "nbd_tls_x509_cert_dir", &cfg->nbdTLSx509certdir) < 0)
- return -1;
if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0)
return -1;
GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
GET_CONFIG_TLS_CERTINFO_SERVER(migrate);
+ GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);
+
+ GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
+
#undef GET_CONFIG_TLS_CERTINFO_COMMON
#undef GET_CONFIG_TLS_CERTINFO_SERVER
return 0;
SET_TLS_SECRET_UUID_DEFAULT(vnc);
SET_TLS_SECRET_UUID_DEFAULT(chardev);
SET_TLS_SECRET_UUID_DEFAULT(migrate);
+ SET_TLS_SECRET_UUID_DEFAULT(vxhs);
+ SET_TLS_SECRET_UUID_DEFAULT(nbd);
#undef SET_TLS_SECRET_UUID_DEFAULT
bool vxhsTLS;
char *vxhsTLSx509certdir;
+ char *vxhsTLSx509secretUUID;
bool nbdTLS;
char *nbdTLSx509certdir;
+ char *nbdTLSx509secretUUID;
unsigned int remotePortMin;
unsigned int remotePortMax;
{ "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "vxhs_tls" = "1" }
{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
+{ "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "nbd_tls" = "1" }
{ "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
+{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
projects / thirdparty / libvirt.git / commitdiff
