[libvirt] "migration_address must not be the address of the local machine:"

Laszlo Ersek lersek at redhat.com
Wed Nov 25 11:29:03 UTC 2015

On 11/25/15 12:10, Daniel P. Berrange wrote:
> On Wed, Nov 25, 2015 at 12:07:00PM +0100, Laszlo Ersek wrote:
>> On 11/25/15 12:00, Daniel P. Berrange wrote:
>>> On Wed, Nov 25, 2015 at 11:52:21AM +0100, Laszlo Ersek wrote:
>>>> I recently upgraded my laptop from RHEL-7.1 to RHEL-7.2.
>>>> I always pay attention to *.rpmnew config files, and I manually diff and
>>>> merge them with the ones I have in place.
>>>> I did the same with "/etc/libvirt/qemu.conf" this time.
>>>> Now libvirtd doesn't start for me. Systemd doesn't actually notice the
>>>> startup failure (insert bitter joke about systemd being so much better
>>>> than startup scripts); it only reports the service inactive/dead (=
>>>> unstarted), rather than failed.
>>>> But, the libvirtd log file gives the reason:
>>>>     migration_address must not be the address of the local machine:
>>>> The error is easy to fix up in the config file, but my question is:
>>>> Why must migration_address not be the address of the local machine?
>>> The migration address for incoming migration over TCP needs to be
>>> a public facing IP address, otherwise the remote machine won't be
>>> able to connect to it. If you configure migration_address on the
>>> target machine to be, then obviously no migration client
>>> connection will ever succeed, hence we consider as an
>>> invalid configuration.
>>>> BTW, my purpose is not in-host migration (perhaps that's indeed
>>>> unsupported, I don't know); I just want to lock down the incoming
>>>> migration port (and not just with firewall rules).
>>> What's wrong with using firewall rules ? IMHO you are describing
>>> exactly the scenario that are intended to deal with.
>> I certainly use firewall rules.
>> But, I like to disable listeners, especially public listeners, on the
>> individual application level too, if I don't have a good use for the
>> service.
> NB, nothing will ever listen on the migration_address unless you
> actually trigger a migration to the host in question.

Ah, great. Jirka said the same. Thank you both.


> So if you
> have authentication required to connect to libvirt you'll be
> fine unless the person using libvirt asks to migrate a VM to
> that host. An authenticated connection to libvirt should be
> considered equivalent to having root access regardless, so from
> that POV having migrate_address point to a public IP is not
> opening you up to any attack vector that doesn't also exist
> when you have it set to So I still think restricting
> the address to is not adding you any actual security
> benefit.
> Regards,
> Daniel

More information about the libvir-list mailing list