Date: Wed, 25 May 2016 17:23:51 +0530
From: Amit Shah
Message-ID: <20160525115351.GC4456@grmbl.mre>
References: <1461751518-12128-1-git-send-email-berrange@redhat.com> <1461751518-12128-26-git-send-email-berrange@redhat.com>
In-Reply-To: <1461751518-12128-26-git-send-email-berrange@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v6 for-2.7 25/28] migration: define 'tls-creds' and 'tls-hostname' migration parameters
To: "Daniel P. Berrange"
Cc: qemu-devel@nongnu.org, "Dr. David Alan Gilbert", Juan Quintela

On (Wed) 27 Apr 2016 [11:05:15], Daniel P. Berrange wrote:
> Define two new migration parameters to be used with TLS encryption.
> The 'tls-creds' parameter provides the ID of an instance of the
> 'tls-creds' object type, or rather a subclass such as 'tls-creds-x509'.
> Providing these credentials will enable use of TLS on the migration
> data stream.
>
> If using x509 certificates, together with a migration URI that does
> not include a hostname, the 'tls-hostname' parameter provides the
> hostname to use when verifying the server's x509 certificate. This
> allows TLS to be used in combination with fd: and exec: protocols
> where a TCP connection is established by a 3rd party outside of
> QEMU.
>
> NB, this requires changing the migrate_set_parameter method in the
> HMP to accept a 's' (string) value instead of 'i' (integer). This
> is backwards compatible, because the parsing of strings allows the
> quotes to be optional, thus any integer is also a valid string.
>
> Reviewed-by: Dr. David Alan Gilbert
> Signed-off-by: Daniel P. Berrange
> diff --git a/qapi-schema.json b/qapi-schema.json
> index 9aa14b4..12be303 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -617,11 +617,28 @@
> # @x-cpu-throttle-increment: throttle percentage increase each time
> # auto-converge detects that migration is not making
> # progress. The default value is 10. (Since 2.5)
> +#
> +# @tls-creds: ID of the 'tls-creds' object that provides credentials for
> +# establishing a TLS connection over the migration data channel.
> +# On the outgoing side of the migration, the credentials must
> +# be for a 'client' endpoint, while for the incoming side the
> +# credentials must be for a 'server' endpoint. Setting this
> +# will enable TLS for all migrations. The default is unset,
> +# resulting in unsecured migration at the QEMU level. (Since 2.6)

All these need to be "Since 2.7".

I've updated these in my branch, no respin required for this.

		Amit
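Review bot: the version tag at the end of the added @tls-creds documentation reads "(Since 2.6)", but the subject line marks this series "for-2.7", so it should read "(Since 2.7)"; the hunk header counts 17 added lines and only eight are quoted here, so the same check applies to the remaining added lines (the @tls-hostname entry that the commit message describes). The sentence "Setting this will enable TLS for all migrations" would be clearer as "for all subsequent migrations on this QEMU instance" so readers do not take it to mean the parameter is persisted beyond the running process.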
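To make the semantics in the quoted commit message concrete, here is an added example (mine, not code from the patch series or from QEMU's tree) that plans the QMP command sequence for both sides of a TLS-protected migration. It enforces the rule the commit message states: when the migration URI carries no hostname (fd:, exec:, unix:, or a tcp: URI with an empty host), x509 verification of the server certificate needs 'tls-hostname', so the planner refuses to emit a 'migrate' without it. The parameter names 'tls-creds' and 'tls-hostname' and the 'client'/'server' endpoint rule come from the patch; the QMP commands 'object-add', 'migrate-set-parameters', 'migrate' and 'migrate-incoming', the 'props' argument shape, and the 'dir' and 'verify-peer' properties of tls-creds-x509 are assumed from QEMU of that era; the object id, certificate directory and URIs are constructed sample values.

```python
"""Plan QMP commands for a TLS-protected live migration (added example).

Not QEMU code. Assumes the QMP commands 'object-add', 'migrate-set-parameters',
'migrate' and 'migrate-incoming', and the tls-creds-x509 properties 'dir',
'endpoint' and 'verify-peer'. Object ids, paths and URIs below are constructed.
"""
import json


def migration_uri_hostname(uri):
    """Return the hostname embedded in a migration URI, or None.

    Only 'tcp:' and 'rdma:' URIs carry a host. 'fd:', 'exec:' and 'unix:'
    are opened by a third party or locally, so the TLS layer has no name to
    verify the server certificate against unless tls-hostname supplies one.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep:
        raise ValueError("malformed migration URI: %r" % uri)
    if scheme not in ("tcp", "rdma"):
        return None
    if rest.startswith("["):                 # bracketed IPv6 literal
        host = rest[1:rest.index("]")]
    else:
        host = rest.rsplit(":", 1)[0]        # tcp:[host]:port, host may be empty
    return host or None


def tls_creds_object(creds_id, endpoint, cert_dir):
    """QMP 'object-add' for a tls-creds-x509 object (property names assumed).

    The patch's documentation requires a 'client' endpoint on the outgoing
    side and a 'server' endpoint on the incoming side.
    """
    if endpoint not in ("client", "server"):
        raise ValueError("endpoint must be 'client' or 'server'")
    return {
        "execute": "object-add",
        "arguments": {
            "qom-type": "tls-creds-x509",
            "id": creds_id,
            "props": {"dir": cert_dir, "endpoint": endpoint, "verify-peer": True},
        },
    }


def outgoing_tls_migration(uri, creds_id, cert_dir, tls_hostname=None):
    """Commands the source QEMU needs, in order, to migrate over TLS.

    Raises ValueError when certificate verification would have no hostname:
    the URI carries none and tls-hostname was not supplied.
    """
    params = {"tls-creds": creds_id}
    if migration_uri_hostname(uri) is None:
        if tls_hostname is None:
            raise ValueError(
                "URI %r carries no hostname; set tls-hostname so the "
                "server certificate can be verified" % uri)
        params["tls-hostname"] = tls_hostname
    elif tls_hostname is not None:
        params["tls-hostname"] = tls_hostname    # explicit override wins
    return [
        tls_creds_object(creds_id, "client", cert_dir),
        {"execute": "migrate-set-parameters", "arguments": params},
        {"execute": "migrate", "arguments": {"uri": uri}},
    ]


def incoming_tls_migration(creds_id, cert_dir, listen_uri):
    """Commands the destination QEMU (started with '-incoming defer') needs.

    Leaving tls-creds unset here would accept an unencrypted stream, which
    the patch documents as the default.
    """
    return [
        tls_creds_object(creds_id, "server", cert_dir),
        {"execute": "migrate-set-parameters", "arguments": {"tls-creds": creds_id}},
        {"execute": "migrate-incoming", "arguments": {"uri": listen_uri}},
    ]


if __name__ == "__main__":
    # Constructed sample: destination listens on any address, source is handed
    # an fd by an external tool and therefore must name the peer explicitly.
    for cmd in incoming_tls_migration("tls0", "/etc/pki/qemu", "tcp::4444"):
        print(json.dumps(cmd))
    for cmd in outgoing_tls_migration("fd:migfd", "tls0", "/etc/pki/qemu",
                                      tls_hostname="dst.example.org"):
        print(json.dumps(cmd))
```

The planner deliberately treats `tcp::4444` as hostless: an empty host is fine for the listening side but gives the client nothing to match against the certificate, which is exactly the case 'tls-hostname' was added for.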