domain: Add optional 'tls' attribute for TCP chardev

Add an optional "tls='yes|no'" attribute for a TCP chardev. For QEMU, this will allow for disabling the host config setting of the 'chardev_tls' for a domain chardev channel by setting the value to "no" or to attempt to use a host TLS environment when setting the value to "yes" when the host config 'chardev_tls' setting is disabled, but a TLS environment is configured via either the host config 'chardev_tls_x509_cert_dir' or 'default_tls_x509_cert_dir' Signed-off-by: John Ferlan <jferlan@redhat.com> Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2025-02-25 18:55:26 -06:00 · 2016-10-24 14:05:54 +02:00
parent e4501244a0
commit 0298531b29
14 changed files with 227 additions and 4 deletions
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6202,6 +6202,34 @@ qemu-kvm -net nic,model=? /dev/null
      &lt;target port="1"/&gt;
    &lt;/serial&gt;
  &lt;/devices&gt;
+  ...</pre>
+
+    <p>
+      <span class="since">Since 2.4.0,</span> the optional attribute
+      <code>tls</code> can be used to control whether a chardev
+      TCP communication channel would utilize a hypervisor configured
+      TLS X.509 certificate environment in order to encrypt the data
+      channel. For the QEMU hypervisor, usage of a TLS environment can
+      be controlled on the host by the <code>chardev_tls</code> and
+      <code>chardev_tls_x509_cert_dir</code> or
+      <code>default_tls_x509_cert_dir</code> settings in the file
+      /etc/libvirt/qemu.conf. If <code>chardev_tls</code> is enabled,
+      then unless the <code>tls</code> attribute is set to "no", libvirt
+      will use the host configured TLS environment.
+      If <code>chardev_tls</code> is disabled, but the <code>tls</code>
+      attribute is set to "yes", then libvirt will attempt to use the
+      host TLS environment if either the <code>chardev_tls_x509_cert_dir</code>
+      or <code>default_tls_x509_cert_dir</code> TLS directory structure exists.
+    </p>
+<pre>
+  ...
+  &lt;devices&gt;
+    &lt;serial type="tcp"&gt;
+      &lt;source mode='connect' host="127.0.0.1" service="5555" tls="yes"/&gt;
+      &lt;protocol type="raw"/&gt;
+      &lt;target port="0"/&gt;
+    &lt;/serial&gt;
+  &lt;/devices&gt;
  ...</pre>

    <h6><a name="elementsCharUDP">UDP network console</a></h6>
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3453,6 +3453,11 @@
            <ref name="virOnOff"/>
          </attribute>
        </optional>
+        <optional>
+          <attribute name="tls">
+            <ref name="virYesNo"/>
+          </attribute>
+        </optional>
        <zeroOrMore>
          <ref name='devSeclabel'/>
        </zeroOrMore>