From: Martin Kletzander
To: libvir-list@redhat.com
Subject: [libvirt PATCH 1/2] qemu: Disable NBD TLS migration over UNIX socket
Date: Wed, 18 Nov 2020 21:10:02 +0100
Message-Id: <78cac966d4763e44b63f2f58f618af0ec178dde6.1605730200.git.mkletzan@redhat.com>

Even though it is technically possible, when running the migrations QEMU's
nbd-server-start errors out with:

  "TLS is only supported with IPv4/IPv6"

We can always enable it when QEMU adds this feature, but for now it is safer
to show our error message rather than rely on QEMU to error out properly.

Signed-off-by: Martin Kletzander
Reviewed-by: Jiri Denemark
---
 src/qemu/qemu_migration.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index fef0be63a1a7..dd44849b1a87 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1100,6 +1100,12 @@ qemuMigrationSrcNBDStorageCopy(virQEMUDriverPtr driv= er, if (uri->port) port =3D uri->port; } else if (STREQ(uri->scheme, "unix")) { + if (flags & VIR_MIGRATE_TLS) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("NBD migration with TLS is not supported = over UNIX socket")); + return -1; + } + if (!uri->path) { virReportError(VIR_ERR_INVALID_ARG, "%s", _("UNIX disks URI does not include path")); 
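Review bot: the new VIR_MIGRATE_TLS rejection in qemuMigrationSrcNBDStorageCopy only guards the source side of the storage copy, while the commit message says the failure comes from QEMU's nbd-server-start, the command that starts the NBD server, which is the destination side of a storage-copy migration. If that server-side setup lives in a function this diff does not touch, it needs the same `if (flags & VIR_MIGRATE_TLS)` check for the `unix` scheme, otherwise the destination still fails with QEMU's "TLS is only supported with IPv4/IPv6" before this message is ever reached and the user keeps seeing the error the patch set out to replace. Placing the check ahead of the `!uri->path` test is right, since the limitation applies regardless of the path, and VIR_ERR_OPERATION_UNSUPPORTED is the appropriate code here: it lets callers tell a known limitation apart from a malformed URI, which the neighbouring check reports as VIR_ERR_INVALID_ARG.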
@@ -4330,12 +4336,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriverPtr = driver, =20 VIR_DEBUG("driver=3D%p, sconn=3D%p, dconn=3D%p, dconnuri=3D%s, vm=3D%p= , xmlin=3D%s, " "dname=3D%s, uri=3D%s, graphicsuri=3D%s, listenAddress=3D%s,= " - "nmigrate_disks=3D%zu, migrate_disks=3D%p, nbdPort=3D%d, " + "nmigrate_disks=3D%zu, migrate_disks=3D%p, nbdPort=3D%d, nbd= URI=3D%s, " "bandwidth=3D%llu, useParams=3D%d, flags=3D0x%lx", driver, sconn, dconn, NULLSTR(dconnuri), vm, NULLSTR(xmlin), NULLSTR(dname), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), nmigrate_disks, migrate_disks, nbdPo= rt, - bandwidth, useParams, flags); + NULLSTR(nbdURI), bandwidth, useParams, flags); =20 /* Unlike the virDomainMigrateVersion3 counterpart, we don't need * to worry about auto-setting the VIR_MIGRATE_CHANGE_PROTECTION --=20 2.29.2
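Review bot: the VIR_DEBUG change in qemuMigrationSrcPerformPeer2Peer3 keeps the format string and the argument list in step (the added `nbdURI=%s` is fed by `NULLSTR(nbdURI)`, so a NULL URI cannot reach a `%s`), but it is unrelated to the TLS rejection named in the subject and the commit message does not mention it. Either split it into its own commit or add a sentence to the message saying that the peer-to-peer debug output now includes the NBD URI.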
From: Martin Kletzander
To: libvir-list@redhat.com
Subject: [libvirt PATCH 2/2] docs: Document SELinux caveats when migrating over UNIX sockets
Date: Wed, 18 Nov 2020 21:10:03 +0100
Message-Id: <476e4216a00d8959441e4a616b8d51549af00870.1605730200.git.mkletzan@redhat.com>

The information about sockets having a different label than the one on the file
and the way it needs to be set is very difficult to find for those who did not
come across it before. Let's describe what needs to happen in order for the
migration to go through rather than rely on general knowledge of others.

Signed-off-by: Martin Kletzander
Reviewed-by: Jiri Denemark
---
 docs/manpages/virsh.rst | 9 ++++++++-
 docs/migration.html.in  | 9 +++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index 1ae6d1a0d450..f0836b14defa 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -3340,7 +3340,14 @@ migrating disks. This can be *tcp://address:port* t= o specify a listen address UNIX socket with that specified path. In this case you need to make sure = the same socket path is accessible to both source and destination hypervisors = and connecting to the socket on the source (after hypervisor creates it on the -destination) will actually connect to the destination. +destination) will actually connect to the destination. If you are using S= ELinux +(at least on the source host) you need to make sure the socket on the sour= ce is +accessible to libvirtd/QEMU for connection. That is because libvirt cannot +change the context of the socket because it is different from the file +representation of the socket and because the context is chosen by its crea= tor +(usually by using *setsockcreatecon{,_raw}()* functions). Generally +*system_r:system_u:svirt_socket_t:s0* should do the trick, but check the S= ELinux +rules and settings of your system. =20 =20 migrate-compcache diff --git a/docs/migration.html.in b/docs/migration.html.in index 77731eeb373e..79ceed62747f 100644 --- a/docs/migration.html.in +++ b/docs/migration.html.in @@ -658,6 +658,15 @@ virsh migrate --p2p --tunnelled web1 qemu+ssh://destho= st/system qemu+ssh://10.0. virsh migrate web1 [--p2p] --copy-storage-all 'qemu+unix:///system?socket= =3D/tmp/migdir/test-sock-driver' 'unix:///tmp/migdir/test-sock-qemu' --disk= s-uri unix:///tmp/migdir/test-sock-nbd =20 +

+ One caveat is that on SELinux-enabled systems all the sockets that t= he + hypervisor is going to connect to needs to have the proper context a= nd + that is chosen before its creation by the process that creates it. = That + is usually done by using setsockcreatecon{,raw}() funct= ions. + Generally *system_r:system_u:svirt_socket_t:s0* should do the trick,= but + check the SELinux rules and settings of your system. +

+

Supported by QEMU driver
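Review bot: the migration.html.in hunk repeats the reversed context string `system_r:system_u:svirt_socket_t:s0` from the virsh.rst hunk; an SELinux context is written user:role:type:level, so with the system user and role it should read `system_u:system_r:svirt_socket_t:s0`. Two smaller points in the same paragraph: `setsockcreatecon{,raw}()` drops the underscore that the virsh.rst text keeps (the libselinux functions are setsockcreatecon() and setsockcreatecon_raw()), and "all the sockets ... needs to have the proper context" should be "need to have". The `*...*` emphasis around the context is reStructuredText syntax copied from the manpage and will render as literal asterisks in HTML; mark the context up as code the way the surrounding HTML does.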

--=20 2.29.2
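Review bot: in the virsh.rst hunk the example context `system_r:system_u:svirt_socket_t:s0` has the user and role fields swapped; the field order is user:role:type:level, so it should be `system_u:system_r:svirt_socket_t:s0`. The sentence "libvirt cannot change the context of the socket because it is different from the file representation of the socket and because the context is chosen by its creator" stacks two "because" clauses; something like "libvirt cannot relabel the socket: its label is not the label of the socket file on disk, it is chosen by the creating process, usually via setsockcreatecon{,_raw}(), before the socket is created" says the same thing in one breath. It would also help to name which process that is in this setup: the text just above says the hypervisor creates the socket on the destination while the source connects to a socket of the same path on the source, so the source-side socket is created by whatever forwards it, and that forwarder is the process that has to set the socket-creation context.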