From 145614a112a8e67d6c84b26faaf2b2002e17d9be Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Wed, 10 Feb 2016 18:41:13 +0000 Subject: nbd: enable use of TLS with qemu-nbd server This modifies the qemu-nbd program so that it is possible to request the use of TLS with the server. It simply adds a new command line option --tls-creds which is used to provide the ID of a QCryptoTLSCreds object previously created via the --object command line option. For example qemu-nbd --object tls-creds-x509,id=tls0,endpoint=server,\ dir=/home/berrange/security/qemutls \ --tls-creds tls0 \ --exportname default TLS requires the new style NBD protocol, so if no export name is set (via --export-name), then we use the default NBD protocol export name "" TLS is only supported when using an IPv4/IPv6 socket listener. It is not possible to use with UNIX sockets, which includes when connecting the NBD server to a host device. Signed-off-by: Daniel P. Berrange Message-Id: <1455129674-17255-16-git-send-email-berrange@redhat.com> Signed-off-by: Paolo Bonzini --- qemu-nbd.texi | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'qemu-nbd.texi') diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 874481dacf..227a73ca36 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -21,9 +21,10 @@ Export a QEMU disk image using the NBD protocol. @item --object type,id=@var{id},...props... Define a new instance of the @var{type} object class identified by @var{id}. See the @code{qemu(1)} manual page for full details of the properties -supported. The common object type that it makes sense to define is the +supported. The common object types that it makes sense to define are the @code{secret} object, which is used to supply passwords and/or encryption -keys. +keys, and the @code{tls-creds} object, which is used to supply TLS +credentials for the qemu-nbd server. @item -p, --port=@var{port} The TCP port to listen on (default @samp{10809}) @item -o, --offset=@var{offset} 
@@ -76,6 +77,10 @@ Don't exit on the last connection @item -x NAME, --export-name=NAME Set the NBD volume export name. This switches the server to use the new style NBD protocol negotiation +@item --tls-creds=ID +Enable mandatory TLS encryption for the server by setting the ID +of the TLS credentials object previously created with the --object +option. @item -v, --verbose Display extra debugging information @item -h, --help -- cgit v1.2.1
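Review bot: In the first hunk (the @code{--object} paragraph), the new text names the object as "the @code{tls-creds} object", but the commit message's own example creates it as @code{tls-creds-x509,id=tls0,endpoint=server,dir=...}; the manual should name the concrete type (@code{tls-creds-x509}) and say that @code{endpoint=server} is required for qemu-nbd, otherwise a reader following this page has no way to construct a credentials object that the server will accept. A short addition such as "and the @code{tls-creds-x509} object (with @code{endpoint=server}), which is used to supply TLS credentials for the qemu-nbd server" would make the paragraph self-sufficient.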
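Review bot: The second hunk (the new @code{--tls-creds=ID} item) leaves out two restrictions that the commit message states and that an administrator needs when deciding whether the server is actually protected: TLS requires the new-style protocol negotiation, so the server falls back to the default export name "" when @code{--export-name} is not given, and TLS is only honoured on IPv4/IPv6 listeners, not on UNIX sockets (including the host-device connection path). Since the option is described as "mandatory TLS encryption", also stating that non-TLS clients are refused would make the security guarantee explicit; suggest appending to the item: "TLS is only supported with TCP listeners and implies the new style protocol negotiation; clients that do not negotiate TLS are rejected."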