couple of questions

Mon Aug 24 05:46:17 UTC 2020

On Mon, Aug 17, 2020 at 3:44 AM Peter Krempa <pkrempa at redhat.com> wrote:
>
> On Sun, Aug 16, 2020 at 22:43:30 -0700, Vjaceslavs Klimovs wrote:
> > Hey folks,
> > I've been experimenting with native NBD live migration w/ TLS and have
> > a couple of questions.
> >
> > 1) It appears that in some cases modified default_tls_x509_cert_dir
> > from qemu.conf is not respected, seems like virsh always expects a
> > default location and does not check default_tls_x509_cert_dir:
> >
> > virsh # migrate vm1 qemu+tls://ratchet.lan/system --live --persistent
> > --undefinesource --copy-storage-all --verbose --tls
> > error: internal error: unable to execute QEMU command 'object-add':
> > Unable to access credentials /etc/pki/qemu/ca-cert.pem: No such file
> > or directory
> >
> > It's checking /etc/pki and not the location specified in
> > default_tls_x509_cert_dir. Is this a bug or am I missing something?
>
> It would be a bug. Please note that if you modify /etc/libvirt/qemu.conf
> the settings are actually loaded at startup of the libvirt daemon, thus
> changing the file will not be applied unless you restart libvirtd.
>
> If you manage to consistently reproduce it, please file an issue and
> attach debug logs [1] so that we can see what is happening.
>
> [1] https://libvirt.org/kbase/debuglogs.html

It appears that that was indeed the problem, one of the libvirtds
instances was not restarted.

>
> > 2) QEMU has -object tls-cipher-suites, but there does not seem to be a
> > way to specify TLS priority in libvirt's qemu conf. Solvable via
> > compile time --tls-priority flag, but that's not very convenient. Is
> > there a way to set TLS priority for QEMU TLS connections from libvirt
> > configs? This would be equivalent to libvirtd.conf's tls_priority
> > setting, but for QEMU, not for libvirt's own connections.
>
> Hmm, this might be useful. Please file a feature request.

Thank you for the explanation, I've filed
https://gitlab.com/libvirt/libvirt/-/issues/66.

>
> > 3) After setting up default_tls_x509_cert_dir and
> > default_tls_x509_verify =  1 (and directories as required see 1),
> > virsh initiated migrations with --tls flag succeed and captures show
> > that it's using TLS. However, they equally succeed without the flag.
>
> Once you specify '--tls' both the connection for migration of the qemu
> state and the NBD connection for migrating the disk storage uses TLS.
> Without the --tls flag, neither of them uses it. If your tls environment
> is setup properly there isn't any user visible difference, but the
> traffic is encrypted only when --tls is used.
>
>
> > Is there a way to ensure that only TLS communication is permitted
> > between QEMUs? I tried nbd_tls, but that did not seem to have any
> > effect.
>
> Unfortunately the 'nbd_tls' field is named a bit misleadingly. The
> setting refers to forcing TLS for NBD connections corresponding to
> <disk> device which is accessed via NBD.
>
> The NBD connection used for the non-shared-storage migration is
> controlled by the settings for the 'migration' TLS environment. I don't
> think we have a setting to always force migration using TLS and it might
> not fit well with the design of the --tls flag (as it would be
> impossible to disable it then).
>
> You can file an feature request for it though. As it is a security
> focued setting and defaulting to encryption may be worthwhile in many
> scenarios.

Indeed. Filed https://gitlab.com/libvirt/libvirt/-/issues/67.

>
> Note that in somewhat old libvirt versions there was a bug that that the
> NBD connection used for the disk migration was not encrypted. This is
> now addressed and newer libvirt will not allow migration from/to such
> libvirt:
>
> https://libvirt.org/news.html#v4-2-0-2018-04-01
>

I've also went ahead and filed
https://gitlab.com/libvirt/libvirt/-/issues/68

Issue should be self explanatory - there should be no cleartext on the
network during migration, there are issues associated with doing that.