diff options
| author | Daniel P. Berrange <berrange@redhat.com> | 2016-02-10 18:41:13 +0000 |
|---|---|---|
| committer | Timothy Pearson <tpearson@raptorengineering.com> | 2019-11-29 19:45:29 -0600 |
| commit | f5723e52572cfc467acc9160782ed4f643e1e496 (patch) | |
| tree | 02d202a6be0927b47d9ca7e0878c7de1b9041d39 /qemu-nbd.texi | |
| parent | 5a0c0d845e78adb9d14644b5cd9380b48df29cce (diff) | |
| download | hqemu-f5723e52572cfc467acc9160782ed4f643e1e496.zip hqemu-f5723e52572cfc467acc9160782ed4f643e1e496.tar.gz | |
nbd: enable use of TLS with qemu-nbd server
This modifies the qemu-nbd program so that it is possible to
request the use of TLS with the server. It simply adds a new
command line option --tls-creds which is used to provide the
ID of a QCryptoTLSCreds object previously created via the
--object command line option.
For example
qemu-nbd --object tls-creds-x509,id=tls0,endpoint=server,\
dir=/home/berrange/security/qemutls \
--tls-creds tls0 \
--exportname default
TLS requires the new style NBD protocol, so if no export name
is set (via --export-name), then we use the default NBD protocol
export name ""
TLS is only supported when using an IPv4/IPv6 socket listener.
It is not possible to use with UNIX sockets, which includes
when connecting the NBD server to a host device.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1455129674-17255-16-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'qemu-nbd.texi')
| -rw-r--r-- | qemu-nbd.texi | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 874481d..227a73c 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -21,9 +21,10 @@ Export a QEMU disk image using the NBD protocol. @item --object type,id=@var{id},...props... Define a new instance of the @var{type} object class identified by @var{id}. See the @code{qemu(1)} manual page for full details of the properties -supported. The common object type that it makes sense to define is the +supported. The common object types that it makes sense to define are the @code{secret} object, which is used to supply passwords and/or encryption -keys. +keys, and the @code{tls-creds} object, which is used to supply TLS +credentials for the qemu-nbd server. @item -p, --port=@var{port} The TCP port to listen on (default @samp{10809}) @item -o, --offset=@var{offset} @@ -76,6 +77,10 @@ Don't exit on the last connection @item -x NAME, --export-name=NAME Set the NBD volume export name. This switches the server to use the new style NBD protocol negotiation +@item --tls-creds=ID +Enable mandatory TLS encryption for the server by setting the ID +of the TLS credentials object previously created with the --object +option. @item -v, --verbose Display extra debugging information @item -h, --help |
