[libvirt] [RFC PATCH 0/4] qemu: Forbid NBD migration with TLS

Peter Krempa pkrempa at redhat.com
Thu Apr 26 14:51:45 UTC 2018


Currently we can't use TLS for NBD so allowing it if TLS is requested
creates a security problem. Reject it by refusing to migrate disks and
setup TLS on destination since that is easy enough.

Note: That I've did not test this yet since my TLS setup was broken.
I'll fix it later today and reprot the findings.

Peter Krempa (4):
  qemu: caps: Add capability for TLS transport in the NBD server
  qemu: monitor: Add 'tls-creds' parameter to 'nbd-server-start' command
  qemu: migration: Use TLS environment for NBD server if requested
  qemu: migration: Forbid 'nbd' migration of non-shared storage if TLS
    is requested

 src/qemu/qemu_capabilities.c                       |  2 ++
 src/qemu/qemu_capabilities.h                       |  1 +
 src/qemu/qemu_migration.c                          | 28 +++++++++++++++++++---
 src/qemu/qemu_monitor.c                            |  7 +++---
 src/qemu/qemu_monitor.h                            |  3 ++-
 src/qemu/qemu_monitor_json.c                       |  4 +++-
 src/qemu/qemu_monitor_json.h                       |  3 ++-
 tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml |  1 +
 tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml  |  1 +
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |  1 +
 tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml  |  1 +
 tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml    |  1 +
 tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml    |  1 +
 tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml    |  1 +
 tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml    |  1 +
 tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml    |  1 +
 tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml   |  1 +
 tests/qemumonitorjsontest.c                        |  2 +-
 27 files changed, 59 insertions(+), 10 deletions(-)

-- 
2.16.2




More information about the libvir-list mailing list