Re: [RFC PATCH 4/4] qemu: migration: Forbid 'nbd' migration of non-shared storage if TLS is requested

On Mon, Apr 30, 2018 at 10:08:05 +0100, Daniel Berrange wrote:
> On Mon, Apr 30, 2018 at 10:42:24AM +0200, Peter Krempa wrote:
> > On Fri, Apr 27, 2018 at 10:55:56 +0100, Daniel Berrange wrote:
> > > On Thu, Apr 26, 2018 at 04:51:49PM +0200, Peter Krempa wrote:
> > > > Since libvirt is currently not able to set up the NBD migration stream
> > > > secured by TLS we should not allow such migration since data would be
> > > > transferred unencrypted.
> > > > 
> > > > This will break compatibility of TLS migration if non-shared storage is
> > > > requested but the security implications are more severe.
> > > > 
> > > > Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
> > > > ---
> > > >  src/qemu/qemu_migration.c | 9 +++++++++
> > > >  1 file changed, 9 insertions(+)
> > > 
> > > Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> > 
> > Pushed now, thanks.
> > 
> > > IIUC, this doesn't actually require the 3 previous patches and can be
> > > pushed on its own - we should push for this immediate release.
> > 
> > The idea behind the other 3 patches was to actually implement the
> > destination side, so that we have both sides covered. If you enable TLS
> > for the NBD server it will not connect unless TLS is used. By using
> > this patch only, an older source libvirtd will be able to migrate
> > even with newer destination libvirtd, since that will not require TLS
> > until those 3 patches will be pushed.
> 
> Oh I see, nice trick.

I've verified that everything works fine without TLS and with TLS if we
implement the transport properly and pushed these. This means that TLS
migration should for now behave sanely.


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
