On (Wed) 27 Apr 2016 [11:05:15], Daniel P. Berrange wrote:
> Define two new migration parameters to be used with TLS encryption.
> The 'tls-creds' parameter provides the ID of an instance of the
> 'tls-creds' object type, or rather a subclass such as 'tls-creds-x509'.
> Providing these credentials will enable use of TLS on the migration
> data stream.
>
> If using x509 certificates, together with a migration URI that does
> not include a hostname, the 'tls-hostname' parameter provides the
> hostname to use when verifying the server's x509 certificate. This
> allows TLS to be used in combination with fd: and exec: protocols
> where a TCP connection is established by a 3rd party outside of
> QEMU.
>
> NB, this requires changing the migrate_set_parameter method in the
> HMP to accept a 's' (string) value instead of 'i' (integer). This
> is backwards compatible, because the parsing of strings allows the
> quotes to be optional, thus any integer is also a valid string.
>
> Reviewed-by: Dr. David Alan Gilbert <dgilb...@redhat.com>
> Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
> diff --git a/qapi-schema.json b/qapi-schema.json
> index 9aa14b4..12be303 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -617,11 +617,28 @@
> # @x-cpu-throttle-increment: throttle percentage increase each time
> # auto-converge detects that migration is not
> making
> # progress. The default value is 10. (Since 2.5)
> +#
> +# @tls-creds: ID of the 'tls-creds' object that provides credentials for
> +# establishing a TLS connection over the migration data channel.
> +# On the outgoing side of the migration, the credentials must
> +# be for a 'client' endpoint, while for the incoming side the
> +# credentials must be for a 'server' endpoint. Setting this
> +# will enable TLS for all migrations. The default is unset,
> +# resulting in unsecured migration at the QEMU level. (Since 2.6)

All these need to be "Since 2.7"

I've updated these in my branch, no respin required for this.

Amit
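Review bot: the @tls-creds doc comment in this qapi-schema.json hunk should cross-reference @tls-hostname, since the commit message states that with x509 credentials and a migration URI lacking a hostname (fd: and exec: protocols), the server certificate cannot be verified unless 'tls-hostname' is also set; without that pointer a user who sets only 'tls-creds' may believe the outgoing stream is authenticated when verification has nothing to check the certificate against. A one-line addition after "Setting this will enable TLS for all migrations." such as "For x509 credentials, see also @tls-hostname when the URI carries no hostname." would make the security properties of the setting clear in the schema docs, and the "(Since 2.6)" tag here needs the same "(Since 2.7)" correction already noted in the reply.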