On Thu, Mar 01, 2018 at 03:34:38PM +0000, Daniel P. Berrangé wrote:
> On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> > This allows a Certificate Authority bundle to be passed to the curl
> > driver, allowing authentication against servers that check
> > certificates. For example this allows you to access a disk on an
> > oVirt node:
> >
> > qemu-img create -f qcow2 \
> > -b 'json:{ "file.driver": "https",
> > "file.url": "https://ovirt-node:54322/images/<disk-id>",
> > "file.header": ["Authorization: <ticket>"] }' \
> > "file.cainfo": "/tmp/ca.pem" }' \
> > test.qcow2
>
> I think we ought to be using the TLS creds object to provide this data
>
> qemu-img create \
> --object
> tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
> -b 'json:{ "file.driver": "https",
> "file.url": "https://ovirt-node:54322/images/<disk-id>",
> "file.header": ["Authorization: <ticket>"] }' \
> "file.tls-creds": "tls0" }' \
> test.qcow2
>
> The /path/to/certs dir would contain ca-cert.pem, and optionally also a
> client-key.pem & client-cert.pem, which would let curl provide client
> certs to servers that mandate that. The 'verify-peer' option lets you
> control whether to ignore or enforce CA validation errors too.
>
> Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.
Thanks, I'll have a look into this for the second revision. It seems
like a better way to do it.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
