[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-block] [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate
From: |
Daniel P . Berrangé |
Subject: |
Re: [Qemu-block] [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in. |
Date: |
Thu, 1 Mar 2018 15:34:38 +0000 |
User-agent: |
Mutt/1.9.2 (2017-12-15) |
On Thu, Mar 01, 2018 at 01:58:56PM +0000, Richard W.M. Jones wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates. For example this allows you to access a disk on an
> oVirt node:
>
> qemu-img create -f qcow2 \
> -b 'json:{ "file.driver": "https",
> "file.url": "https://ovirt-node:54322/images/<disk-id>",
> "file.header": ["Authorization: <ticket>"] }' \
> "file.cainfo": "/tmp/ca.pem" }' \
> test.qcow2
I think we ought to be using the TLS creds object to provide this data
qemu-img create \
--object
tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
-b 'json:{ "file.driver": "https",
"file.url": "https://ovirt-node:54322/images/<disk-id>",
"file.header": ["Authorization: <ticket>"] }' \
"file.tls-creds": "tls0" }' \
test.qcow2
The /path/to/certs dir would contain ca-cert.pem, and optionally also a
client-key.pem & client-cert.pem, which would let curl provide client
certs to servers that mandate that. The 'verify-peer' option lets you
control whether to ignore or enforce CA validation errors too.
Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-block] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt., Richard W.M. Jones, 2018/03/01
- [Qemu-block] [PATCH 1/2] block: curl: Allow arbitrary HTTP request headers to be set., Richard W.M. Jones, 2018/03/01
- [Qemu-block] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in., Richard W.M. Jones, 2018/03/01
- Re: [Qemu-block] [Qemu-devel] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt., no-reply, 2018/03/01
- Re: [Qemu-block] [Qemu-devel] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt., no-reply, 2018/03/01
- Re: [Qemu-block] [Qemu-devel] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt., no-reply, 2018/03/01
- Re: [Qemu-block] [Qemu-devel] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt., no-reply, 2018/03/01