On Mon, Apr 30, 2018 at 10:42:24AM +0200, Peter Krempa wrote: > On Fri, Apr 27, 2018 at 10:55:56 +0100, Daniel Berrange wrote: > > On Thu, Apr 26, 2018 at 04:51:49PM +0200, Peter Krempa wrote: > > > Since libvirt is currently not able to setup the NBD migration stream > > > secured by TLS we should not allow such migration since data would be > > > transferred unencrypted. > > > > > > This will break compatibility of TLS migration if non-shared storage is > > > requested but the security implications are more severe. > > > > > > Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx> > > > --- > > > src/qemu/qemu_migration.c | 9 +++++++++ > > > 1 file changed, 9 insertions(+) > > > > Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> > > Pushed now, thanks. > > > IIUC, this doesn't actually require the 3 previous patches and can be > > pushed on its own - we should push for this immediate release. > > The idea behind the other 3 patches was to actually implement the > destination side, so that we have both sides covered. If you enable TLS > for the NBD server it will not connect unless TLS is used. By using > this patch only, an older source libvirtd will be able to migrate > even with newer destination libvirtd, since that will not require TLS > until those 3 patches will be pushed. Oh i see, nice trick. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
