schema: add configuration for host verification of ssh disks

In order to make ssh disks usable, we need to be able to validate a
remote host. To do this, add a <knownHosts> xml element for ssh disks to
allow the user to specify a location for a file that contains known host
keys. Implementation to follow.

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>

docs/formatdomain.rst

@@ -3036,6 +3036,14 @@ paravirtualized driver is specified via the ``disk`` element.
          paused and will be rerun after a successful reconnect. After that time, any
          delayed requests and all future requests before a successful reconnect
          will immediately fail. If not set the default QEMU value is 0.
+   ``knownHosts``
+      For storage accessed via the ``ssh`` protocol, this element configures a
+      path to a file that will be used to verify the remote host. This file
+      must contain the expected host key for the remote host or the connection
+      will fail. The location of the file is specified via the ``path``
+      attribute.
+      :since:`Since 9.8.0`
+
 
    For a "file" or "volume" disk type which represents a cdrom or floppy (the
    ``device`` attribute), it is possible to define policy what to do with the

src/conf/schemas/domaincommon.rng

@@ -2173,6 +2173,14 @@
     </element>
   </define>
 
+  <define name="diskSourceNetworkProtocolSSHHostVerify">
+    <element name="knownHosts">
+      <attribute name="path">
+        <ref name="absFilePath"/>
+      </attribute>
+    </element>
+  </define>
+
   <define name="diskSourceNetworkProtocolSSH">
     <element name="source">
       <interleave>
@@ -2188,6 +2196,9 @@
           <ref name="encryption"/>
         </optional>
         <ref name="diskSourceNetworkProtocolPropsCommon"/>
+        <optional>
+          <ref name="diskSourceNetworkProtocolSSHHostVerify"/>
+        </optional>
         <optional>
           <ref name="diskAuth"/>
         </optional>