On Mon, Aug 17, 2020 at 3:44 AM Peter Krempa <pkrempa@xxxxxxxxxx> wrote: > > On Sun, Aug 16, 2020 at 22:43:30 -0700, Vjaceslavs Klimovs wrote: > > Hey folks, > > I've been experimenting with native NBD live migration w/ TLS and have > > a couple of questions. > > > > 1) It appears that in some cases modified default_tls_x509_cert_dir > > from qemu.conf is not respected, seems like virsh always expects a > > default location and does not check default_tls_x509_cert_dir: > > > > virsh # migrate vm1 qemu+tls://ratchet.lan/system --live --persistent > > --undefinesource --copy-storage-all --verbose --tls > > error: internal error: unable to execute QEMU command 'object-add': > > Unable to access credentials /etc/pki/qemu/ca-cert.pem: No such file > > or directory > > > > It's checking /etc/pki and not the location specified in > > default_tls_x509_cert_dir. Is this a bug or am I missing something? > > It would be a bug. Please note that if you modify /etc/libvirt/qemu.conf > the settings are actually loaded at startup of the libvirt daemon, thus > changing the file will not be applied unless you restart libvirtd. > > If you manage to consistently reproduce it, please file an issue and > attach debug logs [1] so that we can see what is happening. > > [1] https://libvirt.org/kbase/debuglogs.html It appears that that was indeed the problem, one of the libvirtds instances was not restarted. > > > 2) QEMU has -object tls-cipher-suites, but there does not seem to be a > > way to specify TLS priority in libvirt's qemu conf. Solvable via > > compile time --tls-priority flag, but that's not very convenient. Is > > there a way to set TLS priority for QEMU TLS connections from libvirt > > configs? This would be equivalent to libvirtd.conf's tls_priority > > setting, but for QEMU, not for libvirt's own connections. > > Hmm, this might be useful. Please file a feature request. Thank you for the explanation, I've filed https://gitlab.com/libvirt/libvirt/-/issues/66. > > > 3) After setting up default_tls_x509_cert_dir and > > default_tls_x509_verify = 1 (and directories as required see 1), > > virsh initiated migrations with --tls flag succeed and captures show > > that it's using TLS. However, they equally succeed without the flag. > > Once you specify '--tls' both the connection for migration of the qemu > state and the NBD connection for migrating the disk storage uses TLS. > Without the --tls flag, neither of them uses it. If your tls environment > is setup properly there isn't any user visible difference, but the > traffic is encrypted only when --tls is used. > > > > Is there a way to ensure that only TLS communication is permitted > > between QEMUs? I tried nbd_tls, but that did not seem to have any > > effect. > > Unfortunately the 'nbd_tls' field is named a bit misleadingly. The > setting refers to forcing TLS for NBD connections corresponding to > <disk> device which is accessed via NBD. > > The NBD connection used for the non-shared-storage migration is > controlled by the settings for the 'migration' TLS environment. I don't > think we have a setting to always force migration using TLS and it might > not fit well with the design of the --tls flag (as it would be > impossible to disable it then). > > You can file an feature request for it though. As it is a security > focued setting and defaulting to encryption may be worthwhile in many > scenarios. Indeed. Filed https://gitlab.com/libvirt/libvirt/-/issues/67. > > Note that in somewhat old libvirt versions there was a bug that that the > NBD connection used for the disk migration was not encrypted. This is > now addressed and newer libvirt will not allow migration from/to such > libvirt: > > https://libvirt.org/news.html#v4-2-0-2018-04-01 > I've also went ahead and filed https://gitlab.com/libvirt/libvirt/-/issues/68 Issue should be self explanatory - there should be no cleartext on the network during migration, there are issues associated with doing that.
