Re: [PATCH v2 00/14] Add TLS support for migration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Mar 01, 2017 at 01:39:18PM +0100, Jiri Denemark wrote:
> On Wed, Mar 01, 2017 at 12:18:23 +0000, Daniel P. Berrange wrote:
> > Hmm, I see this is a limitation of the migrate-set-parameters method. You
> > can set new parameters for tls_creds / tls_hostname, but you can't fully
> > delete the old parameters.
> > 
> > The tls_hostname is only set on the source host of the migration and that
> > VM will be killed off upon successful migration. The problem only arises
> > if you have a migration that fails, and you then try to migrate that same
> > VM again later, *and* you don't have tls_hostname set. I don't think that'd
> > hit libvirt, since libvirt will always need to set tls-hostname as it uses
> > fd: migrate method. IOW, I don't see any need to be able to clear
> > tls-hostname when used with libvirt.
> 
> But we will only set it if TLS is turned on. We certainly don't want to
> use this parameter when saving a domain to a file, making a snapshot, or
> migrating without TLS.

If you don't have TLS enabled, then whether tls-hostname is set or not
is irrelevant - it'll never be used. So the fact that tls-hostname may
be still mistakenly set, when you later save to a file is harmless, as
long as tls-creds is unset.

> > For TLS creds it would be a problem if we do a TLS migration and then need
> > to migrate the target QEMU again later, but don't want TLS used, as that
> > would require us to fully clear the tls_creds parameter. At best we can
> > set it to empty string, which is not good enough. So seems we need a QEMU
> > fix here.
> 
> Another problem (I mentioned in another email in this series) is
> query-migrate-parameters does not show the tls parameters unless they
> are set. So it looks like we need to invent a special value which can be
> reported when they are unset and we could use the same special value to
> reset them. An empty string sounds like an obvious candidate.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux