Re: [libvirt] [PATCH v8 08/11] util: Add TLS attributes to virStorageSource

2017-09-19 Thread Peter Krempa
On Thu, Sep 14, 2017 at 08:51:53 -0400, John Ferlan wrote:
> From: Ashish Mittal 
> 
> Add an optional virTristateBool haveTLS to virStorageSource to
> manage whether a storage source will be using TLS.
> 
> Sample XML for a VxHS disk:
> 
>tls='yes'>
> 
> Additionally add a tlsFromConfig boolean to control whether the TLS
> setting was due to domain configuration or qemu.conf global setting
> in order to decide whether to Format the haveTLS setting for either
> a live or saved domain configuration file.

I guess it's unpleasant to do it any other way...

ACK



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH v8 08/11] util: Add TLS attributes to virStorageSource

2017-09-14 Thread John Ferlan
From: Ashish Mittal 

Add an optional virTristateBool haveTLS to virStorageSource to
manage whether a storage source will be using TLS.

Sample XML for a VxHS disk:

Additionally add a tlsFromConfig boolean to control whether the TLS
setting was due to domain configuration or qemu.conf global setting
in order to decide whether to Format the haveTLS setting for either
a live or saved domain configuration file.

Update the qemuxml2xmltest in order to add a test to show the proper
parsing.

Also update the docs to describe the tls attribute plus clean up the
description in the surrounding area to make the information a bit more
readable rather than one winding paragraph.

Signed-off-by: Ashish Mittal 
Signed-off-by: John Ferlan 
---
 docs/formatdomain.html.in  | 40 --
 docs/schemas/domaincommon.rng  |  5 +++
 src/conf/domain_conf.c | 28 +--
 src/util/virstoragefile.c  |  2 ++
 src/util/virstoragefile.h  |  7 
 ...emuxml2argv-disk-drive-network-tlsx509-vxhs.xml | 32 +
 ...uxml2xmlout-disk-drive-network-tlsx509-vxhs.xml | 34 ++
 tests/qemuxml2xmltest.c|  1 +
 8 files changed, 137 insertions(+), 12 deletions(-)
 create mode 100644 
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-tlsx509-vxhs.xml
 create mode 100644 
tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-tlsx509-vxhs.xml

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 4464c..26c00674a 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2520,19 +2520,39 @@
   
   The protocol attribute specifies the protocol to
   access to the requested image. Possible values are "nbd",
-  "iscsi", "rbd", "sheepdog", "gluster" or "vxhs".  If the
-  protocol attribute is "rbd", "sheepdog", "gluster"
-  or "vxhs", an additional attribute name is
-  mandatory to specify which volume/image will be used. For "nbd",
-  the name attribute is optional. For "iscsi"
-  (since 1.0.4), the name
-  attribute may include a logical unit number, separated from the
-  target's name by a slash (e.g.,
+  "iscsi", "rbd", "sheepdog", "gluster" or "vxhs".
+
+  If the protocol attribute is "rbd", "sheepdog",
+  "gluster", or "vxhs", an additional attribute name
+  is mandatory to specify which volume/image will be used.
+  
+
+  For "nbd", the name attribute is optional.
+  
+
+  For "iscsi" (since 1.0.4), the
+  name attribute may include a logical unit number,
+  separated from the target's name by a slash (e.g.,
   iqn.2013-07.com.example:iscsi-pool/1). If not
   specified, the default LUN is zero.
-  For "vxhs" (since 3.8.0), the
+  
+
+  For "vxhs" (since 3.8.0), the
   name is the UUID of the volume, assigned by the
-  HyperScale server.
+  HyperScale server. Additionally, an optional attribute
+  tls (QEMU only) can be used to control whether a
+  VxHS block device would utilize a hypervisor configured TLS
+  X.509 certificate environment in order to encrypt the data
+  channel. For the QEMU hypervisor, usage of a TLS environment can
+  also be globally controlled on the host by the
+  vxhs_tls and vxhs_tls_x509_cert_dir or
+  default_tls_x509_cert_dir settings in the file
+  /etc/libvirt/qemu.conf. If vxhs_tls is enabled,
+  then unless the domain tls attribute is set to "no",
+  libvirt will use the host configured TLS environment. If the
+  tls attribute is set to "yes", then regardless of
+  the qemu.conf setting, TLS authentication will be attempted.
+  
   Since 0.8.7
   
 volume
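Review bot: The new paragraph at the end of this hunk leaves the failure mode undefined: it says that with tls='yes' "TLS authentication will be attempted" regardless of qemu.conf, but not what happens when no certificate directory (vxhs_tls_x509_cert_dir or default_tls_x509_cert_dir) is configured on the host; please state whether the domain fails to start or falls back to an unencrypted channel, since that is the property an administrator relies on. It would also help to say explicitly that tls='no' (or vxhs_tls disabled with the attribute unset) means the VxHS data channel is not encrypted. Minor wording: "hypervisor configured TLS X.509 certificate environment" should be hyphenated ("hypervisor-configured") and "would utilize" reads better as "uses".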
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 76852abb3..bac371ea3 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1644,6 +1644,11 @@
 
   
   
+  
+
+  
+
+  
   
 
   
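Review bot: The added RNG lines are not visible in this rendering (the element markup was stripped), so the schema change cannot be checked against the docs hunk here; when applying, confirm that the new tls attribute is declared optional (the docs call it optional) and restricted to the values "yes" and "no" described in the formatdomain text, so the schema rejects anything the virTristateBool parser would not accept.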
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index a43b25c31..3684454e8 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -8114,6 +8114,7 @@ virDomainDiskSourceParse(xmlNodePtr node,
 int ret = -1;
 char *protocol = NULL;
 xmlNodePtr saveNode = ctxt->node;
+char *haveTLS = NULL;
 
 ctxt->node = node;
 
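Review bot: The new `char *haveTLS = NULL;` sits next to `char *protocol = NULL;`, which is an owned string released at the end of virDomainDiskSourceParse; the part of the hunk that reads the attribute into haveTLS is not shown, so make sure the cleanup path frees haveTLS alongside protocol (a `VIR_FREE(haveTLS);` at the cleanup label), otherwise every disk source parse leaks the attribute string. Also confirm that the value is converted through the virTristateBool lookup and that an unrecognised value (anything other than "yes"/"no") is reported as an error rather than silently treated as TLS off.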
@@ -8147,6 +8148,19 @@