necessary to set up an NBD server that exposes the content of each disk at
the time the backup is started.
+ Note that for the QEMU hypervisor the TLS environment in controlled using
+ ``backup_tls_x509_cert_dir``, ``backup_tls_x509_verify``, and
+ ``backup_tls_x509_secret_uuid`` properties in ``/etc/libvirt/qemu.conf``.
+
``disks``
An optional listing of instructions for disks participating in the backup (if
omitted, all disks participate and libvirt attempts to generate filenames by
| bool_entry "migrate_tls_x509_verify"
| str_entry "migrate_tls_x509_secret_uuid"
+ let backup_entry = str_entry "backup_tls_x509_cert_dir"
+ | bool_entry "backup_tls_x509_verify"
+ | str_entry "backup_tls_x509_secret_uuid"
+
let vxhs_entry = bool_entry "vxhs_tls"
| str_entry "vxhs_tls_x509_cert_dir"
| str_entry "vxhs_tls_x509_secret_uuid"
| spice_entry
| chardev_entry
| migrate_entry
+ | backup_entry
| nogfx_entry
| remote_display_entry
| security_entry
#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# In order to override the default TLS certificate location for backup NBD
+# server certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but TLS-encrypted backup is requested, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the backup_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#backup_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
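Review bot: The description of `backup_tls_x509_verify` at the "Enabling this option will reject any client that does not have a ca-cert.pem certificate signed by the CA" line is misleading: what the NBD server checks is the client's own certificate (the client-*.pem files), which must be signed by the CA whose ca-cert.pem lives in `backup_tls_x509_cert_dir` (or `default_tls_x509_cert_dir`). This wording appears to be carried over from the existing migrate block, so the same fix applies there if it is touched. Suggested replacement for that sentence: `# Enabling this option will reject any client that does not present a client-*.pem certificate signed by the CA whose ca-cert.pem is in backup_tls_x509_cert_dir (or default_tls_x509_cert_dir); see default_tls_x509_cert_dir for the expected files.`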
# By default, if no graphical front end is configured, libvirt will disable
# QEMU audio output since directly talking to alsa/pulseaudio may not work
# with various security settings. If you know what you're doing, enable
VIR_FREE(cfg->migrateTLSx509certdir);
VIR_FREE(cfg->migrateTLSx509secretUUID);
+ VIR_FREE(cfg->backupTLSx509certdir);
+ VIR_FREE(cfg->backupTLSx509secretUUID);
+
while (cfg->nhugetlbfs) {
cfg->nhugetlbfs--;
VIR_FREE(cfg->hugetlbfs[cfg->nhugetlbfs].mnt_dir);
GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
GET_CONFIG_TLS_CERTINFO_SERVER(migrate);
+ GET_CONFIG_TLS_CERTINFO_COMMON(backup);
+ GET_CONFIG_TLS_CERTINFO_SERVER(backup);
+
GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);
GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
return -1;
}
+ if (cfg->backupTLSx509certdir &&
+ !virFileExists(cfg->backupTLSx509certdir)) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("backup_tls_x509_cert_dir directory '%s' does not exist"),
+ cfg->backupTLSx509certdir);
+ return -1;
+ }
+
if (cfg->vxhsTLSx509certdir &&
!virFileExists(cfg->vxhsTLSx509certdir)) {
virReportError(VIR_ERR_CONF_SYNTAX,
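Review bot: The new check on `cfg->backupTLSx509certdir` uses `virFileExists()`, which accepts any path entry (including a regular file), while the error text and the qemu.conf comment both speak of a directory; a misconfiguration pointing at a file would pass daemon startup and only fail later when the backup NBD server loads its certificates. This mirrors the existing vxhs check that follows and the migrate one presumably above, so tightening only the backup case would be inconsistent; if tightened, all of them should use the same predicate, e.g. `!virFileIsDir(cfg->backupTLSx509certdir)`. The enclosing function continues outside the hunk.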
SET_TLS_SECRET_UUID_DEFAULT(vnc);
SET_TLS_SECRET_UUID_DEFAULT(chardev);
SET_TLS_SECRET_UUID_DEFAULT(migrate);
+ SET_TLS_SECRET_UUID_DEFAULT(backup);
SET_TLS_SECRET_UUID_DEFAULT(vxhs);
SET_TLS_SECRET_UUID_DEFAULT(nbd);
SET_TLS_X509_CERT_DEFAULT(spice);
SET_TLS_X509_CERT_DEFAULT(chardev);
SET_TLS_X509_CERT_DEFAULT(migrate);
+ SET_TLS_X509_CERT_DEFAULT(backup);
SET_TLS_X509_CERT_DEFAULT(vxhs);
SET_TLS_X509_CERT_DEFAULT(nbd);
SET_TLS_VERIFY_DEFAULT(vnc);
SET_TLS_VERIFY_DEFAULT(chardev);
SET_TLS_VERIFY_DEFAULT(migrate);
+ SET_TLS_VERIFY_DEFAULT(backup);
#undef SET_TLS_VERIFY_DEFAULT
bool migrateTLSx509verifyPresent;
char *migrateTLSx509secretUUID;
+ char *backupTLSx509certdir;
+ bool backupTLSx509verify;
+ bool backupTLSx509verifyPresent;
+ char *backupTLSx509secretUUID;
+
bool vxhsTLS;
char *vxhsTLSx509certdir;
char *vxhsTLSx509secretUUID;
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" }
+{ "backup_tls_x509_verify" = "1" }
+{ "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "nographics_allow_host_audio" = "1" }
{ "remote_display_port_min" = "5900" }
{ "remote_display_port_max" = "65535" }