From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: jcody@redhat.com, kwolf@redhat.com, qemu-block@nongnu.org,
qemu-devel@nongnu.org, armbru@redhat.com, mreitz@redhat.com
Subject: Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
Date: Thu, 1 Mar 2018 15:34:38 +0000 [thread overview]
Message-ID: <20180301153438.GK14643@redhat.com> (raw)
In-Reply-To: <20180301135856.22698-3-rjones@redhat.com>
On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates. For example this allows you to access a disk on an
> oVirt node:
>
> qemu-img create -f qcow2 \
> -b 'json:{ "file.driver": "https",
> "file.url": "https://ovirt-node:54322/images/<disk-id>",
> "file.header": ["Authorization: <ticket>"] }' \
> "file.cainfo": "/tmp/ca.pem" }' \
> test.qcow2
I think we ought to be using the TLS creds object to provide this data
qemu-img create \
--object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
-b 'json:{ "file.driver": "https",
"file.url": "https://ovirt-node:54322/images/<disk-id>",
"file.header": ["Authorization: <ticket>"] }' \
"file.tls-creds": "tls0" }' \
test.qcow2
The /path/to/certs dir would contain ca-cert.pem, and optionally also a
client-key.pem & client-cert.pem, which would let curl provide client
certs to servers that mandate that. The 'verify-peer' option lets you
control whether to ignore or enforce CA validation errors too.
Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2018-03-01 15:34 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-01 13:58 [Qemu-devel] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt Richard W.M. Jones
2018-03-01 13:58 ` [Qemu-devel] [PATCH 1/2] block: curl: Allow arbitrary HTTP request headers to be set Richard W.M. Jones
2018-03-01 15:24 ` Nir Soffer
2018-03-01 15:46 ` Richard W.M. Jones
2018-03-01 16:11 ` Daniel P. Berrangé
2018-03-01 16:29 ` Richard W.M. Jones
2018-03-01 13:58 ` [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in Richard W.M. Jones
2018-03-01 15:27 ` Nir Soffer
2018-03-01 15:34 ` Daniel P. Berrangé [this message]
2018-03-01 15:47 ` Richard W.M. Jones
2018-03-01 14:21 ` [Qemu-devel] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt no-reply
2018-03-01 14:31 ` Richard W.M. Jones
2018-03-01 14:49 ` no-reply
2018-03-01 15:38 ` no-reply
2018-03-01 16:54 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180301153438.GK14643@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=jcody@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.