let vxhs_entry = bool_entry "vxhs_tls"
| str_entry "vxhs_tls_x509_cert_dir"
+ let nbd_entry = bool_entry "nbd_tls"
+ | str_entry "nbd_tls_x509_cert_dir"
+
(* Each entry in the config is one of the following ... *)
let entry = default_tls_entry
| vnc_entry
| gluster_debug_level_entry
| memory_entry
| vxhs_entry
+ | nbd_entry
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ]
#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+
+# Enable use of TLS encryption for all NBD disk devices that don't
+# specifically disable it.
+#
+# When the NBD server is set up appropriately, x509 certificates are required
+# for authentication between the client and the remote NBD server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#nbd_tls = 1
+
+
+# In order to override the default TLS certificate location for NBD
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the NBD block device clients to the NBD
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but nbd_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# NBD block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA certificate.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a NBD directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
+
+
# In order to override the default TLS certificate location for migration
# certificates, supply a valid path to the certificate directory. If the
# provided path does not exist, libvirtd will fail to start. If the path is
SET_TLS_X509_CERT_DEFAULT(chardev);
SET_TLS_X509_CERT_DEFAULT(migrate);
SET_TLS_X509_CERT_DEFAULT(vxhs);
+ SET_TLS_X509_CERT_DEFAULT(nbd);
#undef SET_TLS_X509_CERT_DEFAULT
VIR_FREE(cfg->chardevTLSx509secretUUID);
VIR_FREE(cfg->vxhsTLSx509certdir);
+ VIR_FREE(cfg->nbdTLSx509certdir);
VIR_FREE(cfg->migrateTLSx509certdir);
VIR_FREE(cfg->migrateTLSx509secretUUID);
CHECK_RESET_CERT_DIR_DEFAULT(chardev);
CHECK_RESET_CERT_DIR_DEFAULT(migrate);
CHECK_RESET_CERT_DIR_DEFAULT(vxhs);
+ CHECK_RESET_CERT_DIR_DEFAULT(nbd);
return 0;
}
goto cleanup;
if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTLSx509certdir) < 0)
goto cleanup;
+ if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0)
+ goto cleanup;
+ if (virConfGetValueString(conf, "nbd_tls_x509_cert_dir", &cfg->nbdTLSx509certdir) < 0)
+ goto cleanup;
#define GET_CONFIG_TLS_CERTINFO(val) \
do { \
return -1;
}
+ if (STRNEQ(cfg->nbdTLSx509certdir, SYSCONFDIR "/pki/qemu") &&
+ !virFileExists(cfg->nbdTLSx509certdir)) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("nbd_tls_x509_cert_dir directory '%s' does not exist"),
+ cfg->nbdTLSx509certdir);
+ return -1;
+ }
+
return 0;
}
bool vxhsTLS;
char *vxhsTLSx509certdir;
+
+ bool nbdTLS;
+ char *nbdTLSx509certdir;
};
/* Main driver state */
{ "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "vxhs_tls" = "1" }
{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
+{ "nbd_tls" = "1" }
+{ "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
projects / thirdparty / libvirt.git / commitdiff
