[libvirt] [PATCH v9 1/4] conf: Introduce TLS options for VxHS block device clients

Peter Krempa pkrempa at redhat.com
Wed Sep 27 12:43:46 UTC 2017 

On Tue, Sep 19, 2017 at 21:32:43 -0400, John Ferlan wrote:
> From: Ashish Mittal <Ashish.Mittal at veritas.com>
> 
> Add a new TLS X.509 certificate type - "vxhs". This will handle the
> creation of a TLS certificate capability for properly configured
> VxHS network block device clients.
> 
> The following describes the behavior of TLS for VxHS block device:
> 
>   (1) Two new options have been added in /etc/libvirt/qemu.conf
>       to control TLS behavior with VxHS block devices
>       "vxhs_tls" and "vxhs_tls_x509_cert_dir".
>   (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
>       TLS for VxHS block devices.
>   (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
>       TLS CA certificate and the client certificate and keys are saved.
>       If this value is missing, the "default_tls_x509_cert_dir" will be
>       used instead. If the environment is not configured properly the
>       authentication to the VxHS server will fail.
> 
> Signed-off-by: Ashish Mittal <Ashish.Mittal at veritas.com>
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
>  src/qemu/libvirtd_qemu.aug         |  4 ++++
>  src/qemu/qemu.conf                 | 34 ++++++++++++++++++++++++++++++++++
>  src/qemu/qemu_conf.c               | 16 ++++++++++++++++
>  src/qemu/qemu_conf.h               |  3 +++
>  src/qemu/test_libvirtd_qemu.aug.in |  2 ++
>  5 files changed, 59 insertions(+)

[...]

> +# Enable use of TLS encryption for all VxHS network block devices that
> +# don't specifically disable.
> +#
> +# When the VxHS network block device server is set up appropriately,
> +# x509 certificates are required for authentication between the clients
> +# (qemu processes) and the remote VxHS server.
> +#
> +# It is necessary to setup CA and issue the client certificate before
> +# enabling this.
> +#
> +#vxhs_tls = 1
> +
> +
> +# In order to override the default TLS certificate location for VxHS
> +# device TCP certificates, supply a valid path to the certificate directory.

The first part of the sentence does not make much sense.

In order to override the default TLS certificate location for VxHS
backed storage, supply a valid path to the certificate directory.


> +# This is used to authenticate the VxHS block device clients to the VxHS
> +# server.
> +#
> +# If the provided path does not exist then the default_tls_x509_cert_dir
> +# path will be used.
> +#
> +# VxHS block device clients expect the client certificate and key to be
> +# present in the certificate directory along with the CA master certificate.
> +# If using the default environment, default_tls_x509_verify must be configured.
> +# The server key as well as secret UUID that would decrypt it is not used.

What do you mean by: "UUID that would decrypt it"?

Rest looks okay, but I need clarification on the above statemet.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170927/8684622c/attachment-0001.sig>

More information about the libvir-list mailing list