[libvirt] [RFC PATCH 4/4] qemu: migration: Forbid 'nbd' migration of non-shared storage if TLS is requested

Daniel P. Berrangé berrange at redhat.com
Mon Apr 30 09:08:05 UTC 2018


On Mon, Apr 30, 2018 at 10:42:24AM +0200, Peter Krempa wrote:
> On Fri, Apr 27, 2018 at 10:55:56 +0100, Daniel Berrange wrote:
> > On Thu, Apr 26, 2018 at 04:51:49PM +0200, Peter Krempa wrote:
> > > Since libvirt is currently not able to set up the NBD migration stream
> > > secured by TLS we should not allow such migration since data would be
> > > transferred unencrypted.
> > > 
> > > This will break compatibility of TLS migration if non-shared storage is
> > > requested but the security implications are more severe.
> > > 
> > > Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> > > ---
> > >  src/qemu/qemu_migration.c | 9 +++++++++
> > >  1 file changed, 9 insertions(+)
> > 
> > Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
> 
> Pushed now, thanks.
> 
> > IIUC, this doesn't actually require the 3 previous patches and can be
> > pushed on its own - we should push for this immediate release.
> 
> The idea behind the other 3 patches was to actually implement the
> destination side, so that we have both sides covered. If you enable TLS
> for the NBD server it will not connect unless TLS is used. By using
> this patch only, an older source libvirtd will be able to migrate
> even with newer destination libvirtd, since that will not require TLS
> until those 3 patches are pushed.

Oh I see, nice trick.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



