[libvirt] [PATCH v3 7/7] qemu: Set up the migration TLS objects for source
John Ferlan
jferlan at redhat.com
Thu Mar 23 01:42:49 UTC 2017
On 03/22/2017 12:26 PM, Jiri Denemark wrote:
> On Fri, Mar 17, 2017 at 14:39:01 -0400, John Ferlan wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1300769
>>
>> If the migration flags indicate this migration will be using TLS,
>> then while we have connection in the Begin phase check and setup the
>> TLS environment that will be used by virMigrationRun during the Perform
>> phase for the source to configure TLS.
>>
>> This creates at least an "-object tls-creds-x509,endpoint=client,..."
>> and potentially an "-object secret,..." to handle the passphrase response
>> to access the TLS credentials. The alias/id used for the TLS objects
>> will contain "libvirt_migrate" as a mechanism to signify that libvirt
>> started the migration on the source (reaping benefits possibly).
>>
>> Once the objects are created, the code will set the "tls-creds" and
>> "tls-hostname" migration parameters to signify usage of TLS.
>
> Looks like a copy&paste from the previous patch. Is it necessary?
>
I can reword
>>
>> Since qemuProcessRecoverMigrationOut will cancel outgoing migrations
>> that are still in the QEMU_MIGRATION_PHASE_PERFORM{2|3} stages, there's
>> no need to do anything special as the Perform cleanup and Cancel phases
>> will reset the environment.
>
> Sure, TLS will be reset because you added a call to
> qemuMigrationResetTLS() in qemuMigrationCancel(). Just drop this
> paragraph which contradicts what you actually did.
>
OK - so as I figured out things the RecoverMigrationOut only mattered
when certain migration phase requirements were met - that wouldn't
happen because the setting and clearing of the parameters is done in the
PrepareAny and Run phases as well as Cancel.
>>
>> Signed-off-by: John Ferlan <jferlan at redhat.com>
>> ---
>> src/qemu/qemu_migration.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 53 insertions(+)
>>
>> diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
>> index 42074f0..5acae6e 100644
>> --- a/src/qemu/qemu_migration.c
>> +++ b/src/qemu/qemu_migration.c
> ...
>> @@ -5075,6 +5086,38 @@ qemuMigrationRun(virQEMUDriverPtr driver,
>> if (qemuDomainMigrateGraphicsRelocate(driver, vm, mig, graphicsuri) < 0)
>> VIR_WARN("unable to provide data for graphics client relocation");
>>
>> + if (flags & VIR_MIGRATE_TLS) {
>> + cfg = virQEMUDriverGetConfig(driver);
>> +
>> + /* Begin/CheckSetupTLS already set up migTLSAlias, the following
>> + * assumes that and adds the TLS objects to the domain. */
>> + if (qemuMigrationAddTLSObjects(driver, vm, cfg, false,
>> + QEMU_ASYNC_JOB_MIGRATION_OUT,
>> + &tlsAlias, &secAlias, migParams) < 0)
>> + goto cleanup;
>> +
>> + /* We need to add the tls-hostname only for special circumstances,
>> + * e.g. for a fd: or exec: based migration. As it turns out the
>> + * CONNECT_HOST turns into an FD migration (see below). */
>
> Specifically, we need to add tls-hostname whenever QEMU itself does not
> connect directly to the destination, which means
> MIGRATION_DEST_CONNECT_HOST and MIGRATION_DEST_FD.
>
Sure - something that wasn't obvious on my first pass through the code.
In fact having CONNECT_HOST change into FD later on wasn't as obvious to
me until I dug through the code.
I can change the comment to:
/* We need to add tls-hostname whenever QEMU itself does not
* connect directly to the destination. NB: The CONNECT_HOST
* turns into a FD migration below in qemuMigrationConnect */
>> + if (spec->destType == MIGRATION_DEST_CONNECT_HOST ||
>> + spec->destType == MIGRATION_DEST_FD) {
>> + if (VIR_STRDUP(migParams->migrateTLSHostname,
>> + spec->dest.host.name) < 0)
>> + goto cleanup;
>> + } else {
>> + /* Be sure there's nothing from a previous migration */
>> + if (VIR_STRDUP(migParams->migrateTLSHostname, "") < 0)
>> + goto cleanup;
>> + }
>> + } else {
>> + /* If we support setting the tls-creds, be sure to always reset
>> + * the migration parameters when this migration isn't using TLS */
>> + if ((qemuMigrationCheckTLSCreds(driver, vm,
>> + QEMU_ASYNC_JOB_MIGRATION_OUT) < 0) ||
>> + (qemuMigrationSetEmptyTLSParams(priv, migParams) < 0))
and I've fixed the extra () here as well
John
>> + goto cleanup;
>> + }
>> +
>> if (migrate_flags & (QEMU_MONITOR_MIGRATE_NON_SHARED_DISK |
>> QEMU_MONITOR_MIGRATE_NON_SHARED_INC)) {
>> if (mig->nbd) {
>
> Jirka
>
More information about the libvir-list
mailing list