Daniel P. Berrange
Re: [Qemu-devel] [PATCH v3 24/27] migration: define 'tls-creds' and 'tls-hostname' migration parameters
Thu, 10 Mar 2016 17:50:07 +0000
On Thu, Mar 10, 2016 at 05:42:45PM +0000, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrange (address@hidden) wrote:
> > Define two new migration parameters to be used with TLS encryption.
> > The 'tls-creds' parameter provides the ID of an instance of the
> > 'tls-creds' object type, or rather a subclass such as 'tls-creds-x509'.
> > Providing these credentials will enable use of TLS on the migration
> > data stream.
> > If using x509 certificates, together with a migration URI that does
> > not include a hostname, the 'tls-hostname' parameter provides the
> > hostname to use when verifying the server's x509 certificate. This
> > allows TLS to be used in combination with fd: and exec: protocols
> > where a TCP connection is established by a 3rd party outside of
> > QEMU.
> > For the HMP this sadly requires adding a new monitor command
> > 'migration_set_str_parameter', since the existing command
> > 'migration_set_parameter' is fixed to take integer values.
> Can you explain why?
> The definition of the 's' string type in monitor.c says:
> * 's' string (accept optional quote)
> and hmp_block_stream already uses 's' for an integer parameter (why?).
> So if you just changed the definition to take a :s parameter it would
> work wouldn't it as long as you did an appropriate check in
Hmm, I thought that changing migration_set_parameter from 'i' to 's'
would be a non-backwards compatible change. If that change is possible
though, it's obviously preferable to adding a new command.
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|