From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: jcody@redhat.com, kwolf@redhat.com, qemu-block@nongnu.org,
	qemu-devel@nongnu.org, armbru@redhat.com, mreitz@redhat.com
Subject: Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
Date: Thu, 1 Mar 2018 15:34:38 +0000
Message-ID: <20180301153438.GK14643@redhat.com>
In-Reply-To: <20180301135856.22698-3-rjones@redhat.com>

On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates.  For example this allows you to access a disk on an
> oVirt node:
> 
>   qemu-img create -f qcow2 \
>       -b 'json:{ "file.driver": "https",
>                  "file.url": "https://ovirt-node:54322/images/<disk-id>",
>                  "file.header": ["Authorization: <ticket>"],
>                  "file.cainfo": "/tmp/ca.pem" }' \
>       test.qcow2

I think we ought to be using the TLS creds object to provide this data.

   qemu-img create -f qcow2 \
       --object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
       -b 'json:{ "file.driver": "https",
                  "file.url": "https://ovirt-node:54322/images/<disk-id>",
                  "file.header": ["Authorization: <ticket>"],
                  "file.tls-creds": "tls0" }' \
       test.qcow2

The /path/to/certs dir would contain ca-cert.pem, and optionally also a
client-key.pem & client-cert.pem, which would let curl provide client
certs to servers that mandate that. The 'verify-peer' option lets you
control whether to ignore or enforce CA validation errors too.

Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
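As an added illustration of the layout Daniel describes (not code from the QEMU patch series or from his mail), the following POSIX shell snippet checks a tls-creds-x509 client directory before it is handed to `--object`, and emits the matching `qemu-img create` line. It assumes the file names ca-cert.pem, client-cert.pem and client-key.pem from the reply, that the private key should be readable only by its owner, and that the curl driver accepts a `file.tls-creds` key as proposed; `check_creds_dir`, `json_escape` and `build_qemu_img_cmd` are names chosen here, not QEMU tooling.

```shell
#!/bin/sh
# Added example: validate a tls-creds-x509 directory for endpoint=client and
# build the qemu-img command that references it. Assumed layout (from the
# reply): ca-cert.pem is required; client-cert.pem and client-key.pem are an
# optional pair for servers that mandate client certificates.

# check_creds_dir DIR -> 0 if usable as an endpoint=client creds dir, 1 otherwise
check_creds_dir() {
    dir=$1
    if [ ! -f "$dir/ca-cert.pem" ]; then
        echo "missing $dir/ca-cert.pem: nothing to verify the server certificate against" >&2
        return 1
    fi
    have_cert=0; have_key=0
    [ -f "$dir/client-cert.pem" ] && have_cert=1
    [ -f "$dir/client-key.pem" ] && have_key=1
    if [ "$have_cert" -ne "$have_key" ]; then
        echo "client-cert.pem and client-key.pem must be present together" >&2
        return 1
    fi
    if [ "$have_key" -eq 1 ]; then
        # group/other permission bits are columns 5-10 of "ls -l" output;
        # a private key should show "------" there (e.g. mode 0600)
        perms=$(ls -ld "$dir/client-key.pem" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "client-key.pem is readable by group/other ($perms)" >&2
            return 1
        fi
    fi
    return 0
}

# json_escape STRING -> STRING with backslash and double quote escaped for JSON
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_qemu_img_cmd DIR URL TICKET OUTFILE -> prints the qemu-img command line
build_qemu_img_cmd() {
    dir=$1; url=$2; ticket=$3; out=$4
    check_creds_dir "$dir" || return 1
    # One JSON object: commas between entries and a single closing brace; the
    # ticket is escaped so a quote in it cannot break the header array.
    json=$(printf 'json:{ "file.driver": "https", "file.url": "%s", "file.header": ["Authorization: %s"], "file.tls-creds": "tls0" }' \
        "$(json_escape "$url")" "$(json_escape "$ticket")")
    printf "qemu-img create -f qcow2 --object tls-creds-x509,dir=%s,id=tls0,verify-peer=yes,endpoint=client -b '%s' %s\n" \
        "$dir" "$json" "$out"
}

# Usage (constructed paths): sh this-script.sh
# build_qemu_img_cmd /path/to/certs https://ovirt-node:54322/images/DISK-ID TICKET test.qcow2
```

The emitted line is meant for inspection; a script that actually runs qemu-img should pass the `-b` spec as a single argument rather than re-parsing the printed string through a shell. With `verify-peer=yes` a missing or wrong ca-cert.pem turns into a connection failure rather than a silently unauthenticated TLS session, which is the behaviour you want for a disk image fetched over HTTPS.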
