aboutsummaryrefslogtreecommitdiff
path: root/qapi-schema.json
diff options
context:
space:
mode:
authorDaniel P. Berrange <berrange@redhat.com>2016-04-27 11:05:15 +0100
committerAmit Shah <amit.shah@redhat.com>2016-05-26 11:32:10 +0530
commit69ef1f36b0f882fc5ba9491fb272fa5f83ac1d3d (patch)
tree3c5250b754f77bdc0b87be419034570084fd128f /qapi-schema.json
parent2594f56d4c7ef621da5d0c21921f8fda32025623 (diff)
downloadqemu-69ef1f36b0f882fc5ba9491fb272fa5f83ac1d3d.zip
qemu-69ef1f36b0f882fc5ba9491fb272fa5f83ac1d3d.tar.gz
qemu-69ef1f36b0f882fc5ba9491fb272fa5f83ac1d3d.tar.bz2
migration: define 'tls-creds' and 'tls-hostname' migration parameters
Define two new migration parameters to be used with TLS encryption. The 'tls-creds' parameter provides the ID of an instance of the 'tls-creds' object type, or rather a subclass such as 'tls-creds-x509'. Providing these credentials will enable use of TLS on the migration data stream. If using x509 certificates, together with a migration URI that does not include a hostname, the 'tls-hostname' parameter provides the hostname to use when verifying the server's x509 certificate. This allows TLS to be used in combination with fd: and exec: protocols where a TCP connection is established by a 3rd party outside of QEMU. NB, this requires changing the migrate_set_parameter method in the HMP to accept a 's' (string) value instead of 'i' (integer). This is backwards compatible, because the parsing of strings allows the quotes to be optional, thus any integer is also a valid string. Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <1461751518-12128-26-git-send-email-berrange@redhat.com> Signed-off-by: Amit Shah <amit.shah@redhat.com>
Diffstat (limited to 'qapi-schema.json')
-rw-r--r--qapi-schema.json58
1 files changed, 55 insertions, 3 deletions
diff --git a/qapi-schema.json b/qapi-schema.json
index e8c0353..8483bdf 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -617,11 +617,28 @@
# @cpu-throttle-increment: throttle percentage increase each time
# auto-converge detects that migration is not making
# progress. The default value is 10. (Since 2.7)
+#
+# @tls-creds: ID of the 'tls-creds' object that provides credentials for
+# establishing a TLS connection over the migration data channel.
+# On the outgoing side of the migration, the credentials must
+# be for a 'client' endpoint, while for the incoming side the
+# credentials must be for a 'server' endpoint. Setting this
+# will enable TLS for all migrations. The default is unset,
+# resulting in unsecured migration at the QEMU level. (Since 2.7)
+#
+# @tls-hostname: hostname of the target host for the migration. This is
+# required when using x509 based TLS credentials and the
+# migration URI does not already include a hostname. For
+# example if using fd: or exec: based migration, the
+# hostname must be provided so that the server's x509
+# certificate identity canbe validated. (Since 2.7)
+#
# Since: 2.4
##
{ 'enum': 'MigrationParameter',
'data': ['compress-level', 'compress-threads', 'decompress-threads',
- 'cpu-throttle-initial', 'cpu-throttle-increment'] }
+ 'cpu-throttle-initial', 'cpu-throttle-increment',
+ 'tls-creds', 'tls-hostname'] }
#
# @migrate-set-parameters
@@ -641,6 +658,22 @@
# @cpu-throttle-increment: throttle percentage increase each time
# auto-converge detects that migration is not making
# progress. The default value is 10. (Since 2.7)
+#
+# @tls-creds: ID of the 'tls-creds' object that provides credentials for
+# establishing a TLS connection over the migration data channel.
+# On the outgoing side of the migration, the credentials must
+# be for a 'client' endpoint, while for the incoming side the
+# credentials must be for a 'server' endpoint. Setting this
+# will enable TLS for all migrations. The default is unset,
+# resulting in unsecured migration at the QEMU level. (Since 2.7)
+#
+# @tls-hostname: hostname of the target host for the migration. This is
+# required when using x509 based TLS credentials and the
+# migration URI does not already include a hostname. For
+# example if using fd: or exec: based migration, the
+# hostname must be provided so that the server's x509
+# certificate identity canbe validated. (Since 2.7)
+#
# Since: 2.4
##
{ 'command': 'migrate-set-parameters',
@@ -648,7 +681,9 @@
'*compress-threads': 'int',
'*decompress-threads': 'int',
'*cpu-throttle-initial': 'int',
- '*cpu-throttle-increment': 'int'} }
+ '*cpu-throttle-increment': 'int',
+ '*tls-creds': 'str',
+ '*tls-hostname': 'str'} }
#
# @MigrationParameters
@@ -667,6 +702,21 @@
# auto-converge detects that migration is not making
# progress. The default value is 10. (Since 2.7)
#
+# @tls-creds: ID of the 'tls-creds' object that provides credentials for
+# establishing a TLS connection over the migration data channel.
+# On the outgoing side of the migration, the credentials must
+# be for a 'client' endpoint, while for the incoming side the
+# credentials must be for a 'server' endpoint. Setting this
+# will enable TLS for all migrations. The default is unset,
+# resulting in unsecured migration at the QEMU level. (Since 2.6)
+#
+# @tls-hostname: hostname of the target host for the migration. This is
+# required when using x509 based TLS credentials and the
+# migration URI does not already include a hostname. For
+# example if using fd: or exec: based migration, the
+# hostname must be provided so that the server's x509
+# certificate identity canbe validated. (Since 2.6)
+#
# Since: 2.4
##
{ 'struct': 'MigrationParameters',
@@ -674,7 +724,9 @@
'compress-threads': 'int',
'decompress-threads': 'int',
'cpu-throttle-initial': 'int',
- 'cpu-throttle-increment': 'int'} }
+ 'cpu-throttle-increment': 'int',
+ 'tls-creds': 'str',
+ 'tls-hostname': 'str'} }
##
# @query-migrate-parameters
#