From: Peter Krempa
Date: Sun, 25 May 2025 06:12:48 +0000 (+0200)
Subject: qemu.conf: Document options for VxHS block network protocol TLS config as ignored
X-Git-Tag: v11.5.0-rc1~109
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21dfb261d81d8cc1a25c533c8237a0aef59be917;p=thirdparty%2Flibvirt.git

qemu.conf: Document options for VxHS block network protocol TLS config as ignored

qemu-5.2 dropped support for VxHS. As we now require at least qemu-6.2, the qemu.conf option for setting up TLS for VxHS are no longer used. Document them as such.

Signed-off-by: Peter Krempa
Reviewed-by: Pavel Hrdina
---
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index bd744940d2..e1e479d72c 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -69,6 +69,8 @@ module Libvirtd_qemu =
 | bool_entry "backup_tls_x509_verify"
 | str_entry "backup_tls_x509_secret_uuid"
 
+ (* support for vxhs was removed from qemu and the examples were dopped from *)
+ (* qemu.conf but these need to stay *)
 let vxhs_entry = bool_entry "vxhs_tls"
 | str_entry "vxhs_tls_x509_cert_dir"
 | str_entry "vxhs_tls_x509_secret_uuid"
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 502adbf5c3..042bb75b50 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
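Review bot: The comment added above `vxhs_entry` misspells "dropped" as "dopped", and its statement that the examples were dropped from qemu.conf does not match the qemu.conf.in hunk of this same commit, which keeps the three commented-out `#vxhs_tls…` entries. It also does not say why the entries "need to stay"; presumably this is so that existing configuration files which still set them keep parsing, which is worth stating. Suggested wording: `(* vxhs support was removed from qemu; the options are ignored but are still *)` followed by `(* accepted so that existing qemu.conf files which set them keep parsing *)`. The lens definition starts and ends outside the hunk.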
@@ -299,48 +299,12 @@
 #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
-# Enable use of TLS encryption for all VxHS network block devices that
-# don't specifically disable.
-#
-# When the VxHS network block device server is set up appropriately,
-# x509 certificates are required for authentication between the clients
-# (qemu processes) and the remote VxHS server.
-#
-# It is necessary to setup CA and issue the client certificate before
-# enabling this.
+# The support for VxHS network block protocol was removed in qemu-5.2 and
+# thus also dropped from libvirt's qemu driver. The following options which
+# were used to configure the TLS certificates for VxHS are thus ignored.
 #
 #vxhs_tls = 1
-
-
-# In order to override the default TLS certificate location for VxHS
-# backed storage, supply a valid path to the certificate directory.
-# This is used to authenticate the VxHS block device clients to the VxHS
-# server.
-#
-# If the provided path does not exist, libvirtd will fail to start.
-# If the path is not provided, but vxhs_tls = 1, then the
-# default_tls_x509_cert_dir path will be used.
-#
-# VxHS block device clients expect the client certificate and key to be
-# present in the certificate directory along with the CA master certificate.
-# If using the default environment, default_tls_x509_verify must be configured.
-# Since this is only a client the server-key.pem certificate is not needed.
-# Thus a VxHS directory must contain the following:
-#
-# ca-cert.pem - the CA master certificate
-# client-cert.pem - the client certificate signed with the ca-cert.pem
-# client-key.pem - the client private key
-#
 #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
 #vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
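Review bot: The replacement text calls the three options "ignored", but the removed documentation said libvirtd fails to start when `vxhs_tls_x509_cert_dir` names a path that does not exist, and nothing in this hunk shows whether that startup check has gone as well. If the value is still parsed or validated, the comment should say so, because a stale path left in a deployed qemu.conf would otherwise be an unexplained start-up failure. If the options really have no effect, a line such as `# They are still accepted so that existing configuration files keep parsing, but have no effect.` would make that explicit. It would also tell anyone auditing TLS settings that a leftover `vxhs_tls = 1` is not evidence that any storage traffic is encrypted.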