From: Richard W.M. Jones
Subject: Re: [Qemu-block] [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
Date: Thu, 1 Mar 2018 15:47:57 +0000
User-agent: Mutt/1.5.20 (2009-12-10)

On Thu, Mar 01, 2018 at 03:34:38PM +0000, Daniel P. Berrangé wrote:
> On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> > This allows a Certificate Authority bundle to be passed to the curl
> > driver, allowing authentication against servers that check
> > certificates. For example this allows you to access a disk on an
> > oVirt node:
> >
> > qemu-img create -f qcow2 \
> > -b 'json:{ "file.driver": "https",
> > "file.url": "https://ovirt-node:54322/images/<disk-id>",
> > "file.header": ["Authorization: <ticket>"],
> > "file.cainfo": "/tmp/ca.pem" }' \
> > test.qcow2
>
> I think we ought to be using the TLS creds object to provide this data
>
> qemu-img create \
> --object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
> -b 'json:{ "file.driver": "https",
> "file.url": "https://ovirt-node:54322/images/<disk-id>",
> "file.header": ["Authorization: <ticket>"],
> "file.tls-creds": "tls0" }' \
> test.qcow2
>
> The /path/to/certs dir would contain ca-cert.pem, and optionally also a
> client-key.pem & client-cert.pem, which would let curl provide client
> certs to servers that mandate that. The 'verify-peer' option lets you
> control whether to ignore or enforce CA validation errors too.
>
> Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.

Thanks, I'll have a look into this for the second revision. It seems
like a better way to do it.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
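
The directory layout described in the quoted reply (ca-cert.pem, plus an optional client-cert.pem and client-key.pem pair) can be checked before it is handed to `--object`. This is an added example, not code from the thread or from QEMU; the function names, exit codes and the key permission check are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a directory intended for
# tls-creds-x509 with endpoint=client before passing it to qemu-img.
# File names follow the quoted reply; the exit codes and the key permission
# check are assumptions of this example, not QEMU behaviour.

# Returns: 0 ok, 1 missing/invalid ca-cert.pem, 2 client cert/key not paired,
#          3 client key readable by group or others.
check_tls_creds_dir() {
    dir=$1
    ca="$dir/ca-cert.pem"
    cert="$dir/client-cert.pem"
    key="$dir/client-key.pem"

    # The CA certificate is what peer verification is anchored on.
    [ -r "$ca" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" || return 1

    # Client cert and key are optional, but only useful as a pair.
    if [ -e "$cert" ] || [ -e "$key" ]; then
        [ -r "$cert" ] && [ -r "$key" ] || return 2
        # The private key must not be readable by group or others.
        if [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \))" ]; then
            return 3
        fi
    fi
    return 0
}

# Print the --object argument for a checked directory (id defaults to tls0).
tls_creds_object_arg() {
    check_tls_creds_dir "$1" || return $?
    printf 'tls-creds-x509,dir=%s,id=%s,verify-peer=yes,endpoint=client\n' \
        "$1" "${2:-tls0}"
}
```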