qemu: Forbid NBD migration with TLS

[libvirt] [RFC PATCH 3/4] qemu: migration: Use TLS environment for NBD server if requested

Posted by Peter Krempa 7 years ago

Use the TLS env for migration when starting the NBD server if TLS is
enabled for migration.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_migration.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 743ae77dbb..3b5ba4f0a1 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -369,7 +369,8 @@ qemuMigrationDstStartNBDServer(virQEMUDriverPtr driver,
                                const char *listenAddr,
                                size_t nmigrate_disks,
                                const char **migrate_disks,
-                               int nbdPort)
+                               int nbdPort,
+                               const char *tls_alias)
 {
     int ret = -1;
     qemuDomainObjPrivatePtr priv = vm->privateData;
@@ -411,7 +412,7 @@ qemuMigrationDstStartNBDServer(virQEMUDriverPtr driver,
             else if (virPortAllocatorAcquire(driver->migrationPorts, &port) < 0)
                 goto exit_monitor;

-            if (qemuMonitorNBDServerStart(priv->mon, listenAddr, port, NULL) < 0)
+            if (qemuMonitorNBDServerStart(priv->mon, listenAddr, port, tls_alias) < 0)
                 goto exit_monitor;
         }

@@ -2401,9 +2402,21 @@ qemuMigrationDstPrepareAny(virQEMUDriverPtr driver,
     if (mig->nbd &&
         flags & (VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_INC) &&
         virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_NBD_SERVER)) {
+        const char *nbdTLSAlias = NULL;
+
+        if (flags & VIR_MIGRATE_TLS) {
+            if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_NBD_TLS)) {
+                virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+                               _("QEMU NBD server does not support TLS transport"));
+                goto stopjob;
+            }
+
+            nbdTLSAlias = tlsAlias;
+        }
+
         if (qemuMigrationDstStartNBDServer(driver, vm, incoming->address,
                                            nmigrate_disks, migrate_disks,
-                                           nbdPort) < 0) {
+                                           nbdPort, nbdTLSAlias) < 0) {
             goto stopjob;
         }
         cookieFlags |= QEMU_MIGRATION_COOKIE_NBD;
-- 
2.16.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [RFC PATCH 3/4] qemu: migration: Use TLS environment for NBD server if requested

Posted by Daniel P. Berrangé 7 years ago

On Thu, Apr 26, 2018 at 04:51:48PM +0200, Peter Krempa wrote:
> Use the TLS env for migration when starting the NBD server if TLS is
> enabled for migration.
> 
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  src/qemu/qemu_migration.c | 19 ++++++++++++++++---
>  1 file changed, 16 insertions(+), 3 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [RFC PATCH 1/4] qemu: caps: Add capability for TLS transport in the NBD server
[libvirt] [RFC PATCH 2/4] qemu: monitor: Add 'tls-creds' parameter to 'nbd-server-start' command
[libvirt] [RFC PATCH 3/4] qemu: migration: Use TLS environment for NBD server if requested
[libvirt] [RFC PATCH 4/4] qemu: migration: Forbid 'nbd' migration of non-shared storage if TLS is requested