diff options
author | Daniel P. Berrange <berrange@redhat.com> | 2016-04-27 11:05:15 +0100 |
---|---|---|
committer | Amit Shah <amit.shah@redhat.com> | 2016-05-26 11:32:10 +0530 |
commit | 69ef1f36b0f882fc5ba9491fb272fa5f83ac1d3d (patch) | |
tree | 3c5250b754f77bdc0b87be419034570084fd128f /qapi-schema.json | |
parent | 2594f56d4c7ef621da5d0c21921f8fda32025623 (diff) | |
download | qemu-69ef1f36b0f882fc5ba9491fb272fa5f83ac1d3d.zip qemu-69ef1f36b0f882fc5ba9491fb272fa5f83ac1d3d.tar.gz qemu-69ef1f36b0f882fc5ba9491fb272fa5f83ac1d3d.tar.bz2 |
migration: define 'tls-creds' and 'tls-hostname' migration parameters
Define two new migration parameters to be used with TLS encryption.
The 'tls-creds' parameter provides the ID of an instance of the
'tls-creds' object type, or rather a subclass such as 'tls-creds-x509'.
Providing these credentials will enable use of TLS on the migration
data stream.
If using x509 certificates, together with a migration URI that does
not include a hostname, the 'tls-hostname' parameter provides the
hostname to use when verifying the server's x509 certificate. This
allows TLS to be used in combination with fd: and exec: protocols
where a TCP connection is established by a 3rd party outside of
QEMU.
NB, this requires changing the migrate_set_parameter method in the
HMP to accept a 's' (string) value instead of 'i' (integer). This
is backwards compatible, because the parsing of strings allows the
quotes to be optional, thus any integer is also a valid string.
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1461751518-12128-26-git-send-email-berrange@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Diffstat (limited to 'qapi-schema.json')
-rw-r--r-- | qapi-schema.json | 58 |
1 files changed, 55 insertions, 3 deletions
diff --git a/qapi-schema.json b/qapi-schema.json index e8c0353..8483bdf 100644 --- a/qapi-schema.json +++ b/qapi-schema.json @@ -617,11 +617,28 @@ # @cpu-throttle-increment: throttle percentage increase each time # auto-converge detects that migration is not making # progress. The default value is 10. (Since 2.7) +# +# @tls-creds: ID of the 'tls-creds' object that provides credentials for +# establishing a TLS connection over the migration data channel. +# On the outgoing side of the migration, the credentials must +# be for a 'client' endpoint, while for the incoming side the +# credentials must be for a 'server' endpoint. Setting this +# will enable TLS for all migrations. The default is unset, +# resulting in unsecured migration at the QEMU level. (Since 2.7) +# +# @tls-hostname: hostname of the target host for the migration. This is +# required when using x509 based TLS credentials and the +# migration URI does not already include a hostname. For +# example if using fd: or exec: based migration, the +# hostname must be provided so that the server's x509 +# certificate identity canbe validated. (Since 2.7) +# # Since: 2.4 ## { 'enum': 'MigrationParameter', 'data': ['compress-level', 'compress-threads', 'decompress-threads', - 'cpu-throttle-initial', 'cpu-throttle-increment'] } + 'cpu-throttle-initial', 'cpu-throttle-increment', + 'tls-creds', 'tls-hostname'] } # # @migrate-set-parameters @@ -641,6 +658,22 @@ # @cpu-throttle-increment: throttle percentage increase each time # auto-converge detects that migration is not making # progress. The default value is 10. (Since 2.7) +# +# @tls-creds: ID of the 'tls-creds' object that provides credentials for +# establishing a TLS connection over the migration data channel. +# On the outgoing side of the migration, the credentials must +# be for a 'client' endpoint, while for the incoming side the +# credentials must be for a 'server' endpoint. Setting this +# will enable TLS for all migrations. The default is unset, +# resulting in unsecured migration at the QEMU level. (Since 2.7) +# +# @tls-hostname: hostname of the target host for the migration. This is +# required when using x509 based TLS credentials and the +# migration URI does not already include a hostname. For +# example if using fd: or exec: based migration, the +# hostname must be provided so that the server's x509 +# certificate identity canbe validated. (Since 2.7) +# # Since: 2.4 ## { 'command': 'migrate-set-parameters', @@ -648,7 +681,9 @@ '*compress-threads': 'int', '*decompress-threads': 'int', '*cpu-throttle-initial': 'int', - '*cpu-throttle-increment': 'int'} } + '*cpu-throttle-increment': 'int', + '*tls-creds': 'str', + '*tls-hostname': 'str'} } # # @MigrationParameters @@ -667,6 +702,21 @@ # auto-converge detects that migration is not making # progress. The default value is 10. (Since 2.7) # +# @tls-creds: ID of the 'tls-creds' object that provides credentials for +# establishing a TLS connection over the migration data channel. +# On the outgoing side of the migration, the credentials must +# be for a 'client' endpoint, while for the incoming side the +# credentials must be for a 'server' endpoint. Setting this +# will enable TLS for all migrations. The default is unset, +# resulting in unsecured migration at the QEMU level. (Since 2.6) +# +# @tls-hostname: hostname of the target host for the migration. This is +# required when using x509 based TLS credentials and the +# migration URI does not already include a hostname. For +# example if using fd: or exec: based migration, the +# hostname must be provided so that the server's x509 +# certificate identity canbe validated. (Since 2.6) +# # Since: 2.4 ## { 'struct': 'MigrationParameters', @@ -674,7 +724,9 @@ 'compress-threads': 'int', 'decompress-threads': 'int', 'cpu-throttle-initial': 'int', - 'cpu-throttle-increment': 'int'} } + 'cpu-throttle-increment': 'int', + 'tls-creds': 'str', + 'tls-hostname': 'str'} } ## # @query-migrate-parameters # |