[libvirt-users] nova-compute, libvirt and authentication

Daniel P. Berrange berrange at redhat.com
Tue Jul 2 09:40:06 UTC 2013


On Mon, Jul 01, 2013 at 01:27:24PM +0200, Maciej Gałkiewicz wrote:
> Hello
> 
> I have a question about live migration when libvirt requires sasl
> authentication. I have managed to configure remote access for user nova
> with sasl enabled (credentials stored in auth.conf -
> https://review.openstack.org/#/c/12706/). It looks like live migration does
> not use these credentials at all. What is more, it thinks that sasl is
> not configured:
> 
> 2013-07-01 09:49:09.317+0000: 17997: error :
> virNetSASLSessionClientStart:484 : authentication failed: Failed to start
> SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs
> found)
> 2013-07-01 09:49:09.317+0000: 17997: error : doPeer2PeerMigrate:2527 :
> operation failed: Failed to connect to remote libvirt URI
> qemu+tcp://n12c1/system
> 
> I execute migration like this:
> nova live-migration  c923af69-4cb3-46dd-8bd2-871812d7d223 n12c1
> 
> Nova.conf:
> live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE
> 
> Could you please let me know whether nova/libvirt support p2p live
> migration with sasl and if so point out what might be misconfigured?
> Disabling sasl solves all my problems but I have to configure some
> authentication.

Hmm, so Nova uses migrateToURI, which means that the source
libvirtd connects directly to the destination libvirtd. Looking
at the code though, it seems to be using virConnectOpen(), which
means that all the authentication callbacks are disabled. Since
no auth callback is present, SASL doesn't find any mechanisms,
and thus auth fails.

So I think this is a flaw in the QEMU migration code, which
should instead use virConnectOpenAuth().

The only workaround you have in the short term is to configure
libvirtd to use TLS + x509 certificates for security and then
set up a whitelist of TLS cert distinguished names in libvirtd.conf
to control which servers can connect to each other.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
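To illustrate the distinction Daniel draws between virConnectOpen() and virConnectOpenAuth(), the following is an added example (not nova's or libvirt's own code). It parses a client credentials file in libvirt's documented auth.conf layout, builds the credential callback that openAuth() needs, and shows where the SASL "No worthy mechs found" failure comes from: open() supplies no callback, so the client has nothing to offer the server. The auth.conf content, the host name n12c1, the password and the function names are constructed for this example; the credential-type numbers are libvirt's own virConnectCredentialType values.

```python
"""Added example: credential callback plumbing for a SASL-protected libvirtd.

Not code from nova or libvirt. Shows why opening a peer with open() fails
under SASL while openAuth() with a callback succeeds.
"""
import configparser
from urllib.parse import urlparse

try:
    import libvirt  # real bindings; only needed for open_destination()
except ImportError:
    libvirt = None

# libvirt's virConnectCredentialType values (same as libvirt.VIR_CRED_*)
VIR_CRED_AUTHNAME = 2
VIR_CRED_PASSPHRASE = 5

# Constructed sample in libvirt's client auth.conf format; the host and
# password are placeholders, not real values.
SAMPLE_AUTH_CONF = """
[credentials-nova]
authname=nova
password=example-only-secret

[auth-libvirt-n12c1]
credentials=nova
"""


def load_credentials(auth_conf_text, uri):
    """Return {'authname': ..., 'password': ...} for the host in uri, or None.

    auth.conf maps an [auth-libvirt-HOST] section to a named
    [credentials-NAME] section holding the SASL user name and password.
    """
    host = urlparse(uri).hostname
    cp = configparser.ConfigParser()
    cp.read_string(auth_conf_text)
    section = f"auth-libvirt-{host}"
    if not cp.has_section(section):
        return None
    cred_section = f"credentials-{cp.get(section, 'credentials')}"
    if not cp.has_section(cred_section):
        return None
    return dict(cp.items(cred_section))


def make_auth_callback(creds):
    """Build the callback openAuth() invokes with a list of credential requests.

    Each request is [type, prompt, challenge, default, result]; the callback
    fills result (index 4) and returns 0, or -1 to abort the handshake.
    """
    def callback(credentials, _user_data):
        for cred in credentials:
            if cred[0] == VIR_CRED_AUTHNAME:
                cred[4] = creds["authname"]
            elif cred[0] == VIR_CRED_PASSPHRASE:
                cred[4] = creds["password"]
            else:
                return -1  # unsupported credential type: refuse, don't guess
        return 0
    return callback


def build_auth_arg(auth_conf_text, uri):
    """The [types, callback, user_data] triple that openAuth() expects."""
    creds = load_credentials(auth_conf_text, uri)
    if creds is None:
        raise LookupError(f"no credentials configured for {uri}")
    return [[VIR_CRED_AUTHNAME, VIR_CRED_PASSPHRASE],
            make_auth_callback(creds), None]


def open_destination(uri, auth_conf_text=SAMPLE_AUTH_CONF):
    """Open a SASL-protected peer the way it must be opened: openAuth, not open.

    libvirt.open(uri) registers no callback, so SASL has no credentials to
    negotiate with and fails with "No worthy mechs found".
    """
    if libvirt is None:
        raise RuntimeError("libvirt python bindings are not installed")
    return libvirt.openAuth(uri, build_auth_arg(auth_conf_text, uri), 0)
```

Only open_destination() needs the real libvirt bindings; the parsing and callback logic runs offline. The point for a deployment is that the credentials must reach the side that actually opens the connection: in a peer-to-peer migration that is the source libvirtd, not the nova-compute process, which is why a working auth.conf for the nova user does not help until the migration code passes a callback. Until then, the TLS route Daniel describes keeps authentication out of the SASL callback entirely: enable listen_tls in libvirtd.conf and restrict peers with tls_allowed_dn_list.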
