I pushed some preliminary patches for this series already since they
were all neutral refactorings. These three patches are the guts of
it. They pass tests, I would push them ... but is this secure?
I can't imagine a way that it's not secure, but maybe there's
something about copying file locations from the nbdkit command line
into the --run script which is problematic.
Anyway ...
The first patch modifies $uri in the --run script to add
&tls-certificates=... or &tls-psk-file=... so that TLS connections
work (with libnbd anyway, I didn't check qemu).
The second patch adds these as variables as well.
The third patch updates a test to use this.
A final point is that this doesn't work well with PSK. PSK has an
implicit username (passed in the URI as nbds://user@...). The same
username has to appear in the PSK file. We don't set a username at
all right now, so libnbd uses the LOGNAME, which may or may not be
what you want. The way to fix this would be to add a --tls-username
parameter to nbdkit, but it would only be useful for URIs and might
confuse things otherwise (eg. it could be used with --tls-psk but
would have no apparent effect, thus confusing users).
Rich.