On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates. For example this allows you to access a disk on an
> oVirt node:
>
> qemu-img create -f qcow2 \
> -b 'json:{ "file.driver": "https",
> "file.url": "https://ovirt-node:54322/images/<disk-id>",
> "file.header": ["Authorization: <ticket>"] }' \
> "file.cainfo": "/tmp/ca.pem" }' \
> test.qcow2
I think we ought to be using the TLS creds object to provide this data
qemu-img create \
--object
tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
-b 'json:{ "file.driver": "https",
"file.url": "https://ovirt-node:54322/images/<disk-id>",
"file.header": ["Authorization: <ticket>"] }' \
"file.tls-creds": "tls0" }' \
test.qcow2
The /path/to/certs dir would contain ca-cert.pem, and optionally also a
client-key.pem & client-cert.pem, which would let curl provide client
certs to servers that mandate that. The 'verify-peer' option lets you
control whether to ignore or enforce CA validation errors too.
Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
