Re: [libvirt PATCH 8/9] qemu: Allow migration over UNIX socket

Daniel P. Berrangé <berrange@xxxxxxxxxx> · Tue, 25 Aug 2020 17:35:52 +0100

On Tue, Aug 25, 2020 at 06:34:05PM +0200, Jiri Denemark wrote:
> On Tue, Aug 25, 2020 at 17:12:59 +0100, Daniel P. Berrangé wrote:
> > On Tue, Aug 25, 2020 at 05:53:32PM +0200, Jiri Denemark wrote:
> > > On Tue, Aug 25, 2020 at 07:47:14 +0200, Martin Kletzander wrote:
> > > > -    /* RDMA and multi-fd migration requires QEMU to connect to the destination
> > > > -     * itself.
> > > > -     */
> > > > -    if (STREQ(uribits->scheme, "rdma") || (flags & VIR_MIGRATE_PARALLEL))
> > > > -        spec.destType = MIGRATION_DEST_HOST;
> > > > -    else
> > > > -        spec.destType = MIGRATION_DEST_CONNECT_HOST;
> > > > -    spec.dest.host.protocol = uribits->scheme;
> > > > -    spec.dest.host.name = uribits->server;
> > > > -    spec.dest.host.port = uribits->port;
> > > > +    if (STREQ(uribits->scheme, "unix")) {
> > > > +        if (flags & VIR_MIGRATE_TLS) {
> > > > +            virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
> > > > +                           _("Migration over UNIX socket with TLS is not supported"));
> > > > +            return -1;
> > > > +        }
> > > > +        if (flags & VIR_MIGRATE_PARALLEL) {
> > > > +            virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
> > > > +                           _("Parallel migration over UNIX socket is not supported"));
> > > > +            return -1;
> > > > +        }
> > > 
> > > Is there a reason for not supporting TLS and multi-fd with unix sockets?
> > > >From libvirt's POV this should be fairly trivial (can be a follow-up
> > > patch, though): introduce MIGRATION_DEST_SOCKET in addition to
> > > MIGRATION_DEST_CONNECT_SOCKET and use it to instruct QEMU to connect
> > > using unix: URI (unless this support was removed from QEMU).
> > 
> > multi-fd is certainly desirable to support and I don't see any reason
> > to block that.
> > 
> > TLS is more problematic, at least if you are using x509 credentials then
> > you need to tell QEMU what hostname to use for validation. This would
> > require us to accept a hostname parameter in the URI giving the UNIX
> > socket.
> 
> We already support this generally regardless on the transport via
> VIR_MIGRATE_PARAM_TLS_DESTINATION parameter.

Ah yes, I forgot. In that case, I don't see a obvious reason to block
TLS.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|