[libvirt] [PATCH v2 00/14] Add TLS support for migration
Daniel P. Berrange
berrange at redhat.com
Tue Feb 28 13:53:59 UTC 2017
On Tue, Feb 28, 2017 at 02:48:19PM +0100, Jiri Denemark wrote:
> On Thu, Feb 23, 2017 at 13:42:02 -0500, John Ferlan wrote:
> > AFAIU - removal of the objects would remove the migration tls-creds,
> > tls-hostname settings.
>
> This would be a very strange behavior.
>
> > I left the cfg->migrateTLS in for now - it's very simple to remove, but
> > there would still need to be a key on something to ensure the migrateTLS
> > environment has been properly configured since that would mean the default
> > environment would need to be used/configured. Setting up the default
> > environment is keyed off having the migrateTLS defined. That's all part
> > of the qemu_conf reading logic.
>
> I still don't see the value in keeping migrate_tls option in qemu.conf.
> If we want to check the environment is setup correctly we should check
> the certificates are in place rather than relying on the option. The
> error reported when migrate_tls is set, but the environment is not
> prepared is:
>
> internal error: unable to execute QEMU command 'object-add': Unable
> to access credentials /etc/pki/qemu/ca-cert.pem: No such file or
> directory
>
> Not ideal but at least it names the file which is missing.
>
> > John Ferlan (14):
> > qemu: Introduce qemuDomainSecretInfoNew
> > qemu: Introduce qemuDomainSecretMigratePrepare
> > qemu: Move exit monitor calls in failure paths
> > qemu: Refactor hotplug to introduce qemuDomain{Add|Del}TLSObjects
> > qemu: Refactor qemuDomainGetChardevTLSObjects to converge code
> > qemu: Move qemuDomainSecretChardevPrepare call
> > qemu: Move qemuDomainPrepareChardevSourceTLS call
> > qemu: Introduce qemuDomainGetTLSObjects
>
> The eight patches above are mostly OK except for some small issues.
>
> But the rest of the series needs more work...
>
> > qemu: Add TLS params to _qemuMonitorMigrationParams
> > Add new migration flag VIR_MIGRATE_TLS
> > qemu: Create #define for TLS configuration setup.
> > conf: Introduce migrate_tls_x509_cert_dir
> > qemu: Set up the migrate TLS objects for target
> > qemu: Set up the migration TLS objects for source
>
> The code should check whether QEMU actually supports TLS migration,
> otherwise you will get
>
> internal error: unable to execute QEMU command
> 'migrate-set-parameters': Invalid parameter 'tls-creds'
>
> As I mentioned in my v1 review, we should always set the parameters if
> QEMU supports them to make sure they don't contain any leftovers from a
> previous migration. I also said we should properly clean the TLS stuff
> somewhere inside qemuProcessRecoverMigration*. And if we do it in
> addition to properly cleaning up everything in the Finish and Confirm
> phases, we should not need to store migrateTLS in the status XML. We can
> just always do the cleanup if QEMU supports TLS migration.
>
>
> Anyway, TLS migration doesn't work even if it is properly configured:
>
> operation failed: migration job: unexpectedly failed
>
> And the destination QEMU log contains:
>
> qemu-system-x86_64: No TLS credentials with id 'objmigrate_tls0'
>
> The reason is an interesting flow of QMP commands issued by libvirt
> during the Prepare phase:
>
> {
> "execute": "object-add",
> "arguments": {
> "qom-type": "tls-creds-x509",
> "id": "objmigrate_tls0",
> "props": {
> "dir": "/etc/pki/libvirt",
> "endpoint": "server",
> "verify-peer": false
> }
> },
> "id": "libvirt-21"
> }
>
> {
> "execute": "migrate-set-parameters",
> "arguments": {
> "tls-creds": "objmigrate_tls0"
> },
> "id": "libvirt-26"
> }
>
> {
> "execute": "migrate-incoming",
> "arguments": {
> "uri": "tcp:[::]:49152"
> },
> "id": "libvirt-27"
> }
>
> {
> "execute": "object-del",
> "arguments": {
> "id": "objmigrate_tls0"
> },
> "id": "libvirt-28"
> }
>
> The error reported after you deleted the objmigrate_tls0 object doesn't
> seem to confirm your idea about migration parameters begin unset when
> the object is removed.
The problem here is that 'migrate-incoming' merely sets up a TCP
listener, it doesn't actually initiate a connection or TLS handshake.
The object-del thus deletes the TLS creds before the src QEMU has had
a chance to even connect.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
More information about the libvir-list
mailing list