[libvirt] [RFC PATCH 4/4] qemu: migration: Forbid 'nbd' migration of non-shared storage if TLS is requested
Peter Krempa
pkrempa at redhat.com
Mon Apr 30 08:42:24 UTC 2018
On Fri, Apr 27, 2018 at 10:55:56 +0100, Daniel Berrange wrote:
> On Thu, Apr 26, 2018 at 04:51:49PM +0200, Peter Krempa wrote:
> > Since libvirt is currently not able to set up the NBD migration stream
> > secured by TLS we should not allow such migration since data would be
> > transferred unencrypted.
> >
> > This will break compatibility of TLS migration if non-shared storage is
> > requested but the security implications are more severe.
> >
> > Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> > ---
> > src/qemu/qemu_migration.c | 9 +++++++++
> > 1 file changed, 9 insertions(+)
>
> Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>

Pushed now, thanks.

> IIUC, this doesn't actually require the 3 previous patches and can be
> pushed on its own - we should push for this immediate release.

The idea behind the other 3 patches was to actually implement the
destination side, so that we have both sides covered. If you enable TLS
for the NBD server it will not connect unless TLS is used. By using
this patch only, an older source libvirtd will be able to migrate
even with a newer destination libvirtd, since that will not require TLS
until those 3 patches are pushed.