On 11/25/15 12:10, Daniel P. Berrange wrote: > On Wed, Nov 25, 2015 at 12:07:00PM +0100, Laszlo Ersek wrote: >> On 11/25/15 12:00, Daniel P. Berrange wrote: >>> On Wed, Nov 25, 2015 at 11:52:21AM +0100, Laszlo Ersek wrote: >>>> I recently upgraded my laptop from RHEL-7.1 to RHEL-7.2. >>>> >>>> I always pay attention to *.rpmnew config files, and I manually diff and >>>> merge them with the ones I have in place. >>>> >>>> I did the same with "/etc/libvirt/qemu.conf" this time. >>>> >>>> Now libvirtd doesn't start for me. Systemd doesn't actually notice the >>>> startup failure (insert bitter joke about systemd being so much better >>>> than startup scripts); it only reports the service inactive/dead (= >>>> unstarted), rather than failed. >>>> >>>> But, the libvirtd log file gives the reason: >>>> >>>> migration_address must not be the address of the local machine: >>>> 127.0.0.1 >>>> >>>> The error is easy to fix up in the config file, but my question is: >>>> >>>> Why must migration_address not be the address of the local machine? >>> >>> The migration address for incoming migration over TCP needs to be >>> a public facing IP address, otherwise the remote machine won't be >>> able to connect to it. If you configure migration_address on the >>> target machine to be 127.0.0.1, then obviously no migration client >>> connection will ever succeed, hence we consider 127.0.0.1 as an >>> invalid configuration. >>> >>>> BTW, my purpose is not in-host migration (perhaps that's indeed >>>> unsupported, I don't know); I just want to lock down the incoming >>>> migration port (and not just with firewall rules). >>> >>> What's wrong with using firewall rules ? IMHO you are describing >>> exactly the scenario that are intended to deal with. >> >> I certainly use firewall rules. >> >> But, I like to disable listeners, especially public listeners, on the >> individual application level too, if I don't have a good use for the >> service. > > NB, nothing will ever listen on the migration_address unless you > actually trigger a migration to the host in question. Ah, great. Jirka said the same. Thank you both. Cheers Laszlo > So if you > have authentication required to connect to libvirt you'll be > fine unless the person using libvirt asks to migrate a VM to > that host. An authenticated connection to libvirt should be > considered equivalent to having root access regardless, so from > that POV having migrate_address point to a public IP is not > opening you up to any attack vector that doesn't also exist > when you have it set to 127.0.0.1. So I still think restricting > the address to 127.0.0.1 is not adding you any actual security > benefit. > > Regards, > Daniel > -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list