Bug 1300772
Field | Value
---|---
Summary | RFE: add support for native TLS encryption on NBD for disk migration
Product | Red Hat Enterprise Linux 7
Reporter | Daniel Berrangé <berrange>
Component | libvirt
Assignee | Peter Krempa <pkrempa>
Status | CLOSED ERRATA
QA Contact | Han Han <hhan>
Severity | medium
Priority | high
Version | 7.3
CC | dyuan, fduthill, fjin, jsuchane, kchamart, lmen, mtessun, mzhan, owalsh, rjones, virt-bugs, virt-maint, xuzhang, yafu
Target Milestone | rc
Keywords | FutureFeature
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Fixed In Version | libvirt-4.4.0-1.el7
Doc Type | Enhancement
Story Points | ---
Clone Of | 1300770
 | 1544869
Last Closed | 2018-10-30 09:49:43 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Depends On | 1300770
Bug Blocks | 1301025, 1414999, 1415007, 1544869, 1625597, 1664790, 1665042
Description
Daniel Berrangé
2016-01-21 16:51:46 UTC
Moving to 7.4

Reassigning to Peter as it relates to his blockdev-add work and has patches ready.

The feature was added upstream with the following commits (and a bunch of prequel refactors):

    a8dc146a4d qemu: migration: Add support for transporting NBD over TLS
    89ed82646c qemu: migration: Extract code responsible for calling drive-mirror
    8bad8e7bf0 qemu: migration: Rename NBD migration functions
    99223c8cca test: Add status XML test for NBD tls storage migration
    93a3f9844f qemu: domain: Add private data for NBD migration storage source definition
    35a8487ad9 qemu: domain: Extract parsing of NBD status XML
    0d6ec712d3 qemu: domain: Extract NBD disk migration private data formatting
    ceb151b24b qemu: block: Add helpers for hot-adding virStorageSource via blockdev
    d30fd1fc54 qemu: monitor: Introduce support for blockdev-mirror
    c7b66f2a59 qemu: monitor: Add implementation for blockdev-add and blockdev-del
    a6178a6610 qemu: monitor: Factor out and document code to format QMP command
    e969af4cec qemu: caps: Add capability for blockdev-add/blockdev-del
    d4e57c6f04 qemu: migration: Don't access disk members without lock
    082266bf27 conf: domain: Export virDomainStorageSourceParse
    b8240fe704 qemu: block: Don't nest storage layer properties into format layer

Verified on libvirt-4.5.0-1.el7.x86_64 qemu-kvm-rhev-2.12.0-6.el7.x86_64:

Preparation:

I. Create TLS certs on the server (target host)

1. Set up a Certificate Authority (CA)

1.1

    # certtool --generate-privkey > ca-key.pem

1.2 Self-sign ca-key.pem by creating a file with the signature details called ca.info containing:

    cn = $host1
    ca
    cert_signing_key

1.3

    # certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem

2. Create server certificates

2.1

    # certtool --generate-privkey > server-key.pem

2.2 Sign that key with the CA's private key by first creating a template file called server.info:

    organization = Red Hat
    cn = $host1
    tls_www_server
    encryption_key
    signing_key

2.3

    # certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem \
        --load-ca-privkey ca-key.pem --template server.info --outfile server-cert.pem

3. Copy the CA key and server key to the correct directory

    3.1 # mkdir -p /etc/pki/qemu
    3.2 # cp ca-key.pem ca-cert.pem /etc/pki/qemu
    3.3 # cp server-key.pem /etc/pki/qemu
    3.4 # cp server-cert.pem /etc/pki/qemu

II. Create client certs and keys

1. Copy the CA cert to the client (source host)

2. Create client certificates

2.1

    # certtool --generate-privkey > client-key.pem

2.2 Act as CA and sign the certificate. Create client.info containing:

    country = GB
    state = London
    locality = London
    organization = Red Hat
    cn = $host2
    tls_www_client
    encryption_key
    signing_key

2.3

    # certtool --generate-certificate --load-privkey client-key.pem --load-ca-certificate /etc/pki/qemu/ca-cert.pem \
        --load-ca-privkey /etc/pki/qemu/ca-key.pem --template client.info --outfile client-cert.pem

3. Copy the client key to the NBD TLS directory

    3.1 # cp client-key.pem /etc/pki/libvirt-nbd
    3.2 # cp client-cert.pem /etc/pki/libvirt-nbd

Test NBD with TLS:

1. Set qemu.conf:

    nbd_tls = 1
    nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"

2. Restart libvirtd

3. On the server, start qemu-nbd:

    # qemu-nbd --object tls-creds-x509,id=tls0,endpoint=server,dir=/root/server-keys --tls-creds=tls0 -p 10000 -t /tmp/c

4. On the client host, prepare a VM with an NBD disk:

    # virsh dumpxml nbd-tls|grep disk -A 8
    <disk type='network' device='disk'>
      <driver name='qemu' type='raw'/>
      <source protocol='nbd'>
        <host name='lab.test.me' port='10000'/>
      </source>
      <target dev='sda' bus='scsi'/>
      <alias name='ua-TLS'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

Start the VM and check the qemu cmdline; there is a tls object like the following:

    # ps aux|grep qemu|grep nbd
    -object tls-creds-x509,id=objua-TLS_tls0,dir=/etc/pki/libvirt-nbd,endpoint=client,verify-peer=yes -drive file.driver=nbd,file.server.type=inet,file.server.host=lab.test.me,file.server.port=10000,file.tls-creds=objua-TLS_tls0,format=raw,if=none,id=drive-ua-TLS -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-ua-TLS,id=ua-TLS

Detach the NBD disk:

    # virsh detach-disk nbd-tls sda
    Disk detached successfully

Verified on libvirt-4.5.0-6.el7.x86_64 qemu-kvm-rhev-2.12.0-10.el7.x86_64:

Preparation:

1. Prepare two named hosts with libvirt and qemu-kvm-rhev installed
2. Open ports 49152-49215/tcp in the firewalls of the hosts
3. Prepare shareable storage, like a glusterfs server
4. Prepare a VM.
5. Set up the TLS env referring to https://bugzilla.redhat.com/show_bug.cgi?id=1300772#c6

Test steps

SC1: Test migration cancel with --copy-storage-inc and --tls

1. Create the backing file on the src host and dst host:

    # qemu-img create -f qcow2 -b 'json:{"file.driver":"gluster","file.volume":"gv0","file.path":"A.qcow2","file.server":[{"type":"inet","host":"XX.XX.XX.XX","port":"24007"}]}' /var/lib/libvirt/images/fuse.qcow2
    Formatting '/var/lib/libvirt/images/fuse.qcow2', fmt=qcow2 size=10737418240 backing_file=json:{"file.driver":"gluster",,"file.volume":"gv0",,"file.path":"A.qcow2",,"file.server":[{"type":" inet",,"host":"XX.XX.XX.XX",,"port":"24007"}]} cluster_size=65536 lazy_refcounts=off refcount_bits=16

2. Start the VM with the backing file on disk and write some data in the VM:

    # virsh dumpxml fuse
    ...
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/fuse.qcow2'/>
      <backingStore type='network' index='1'>
        <format type='raw'/>
        <source protocol='gluster' name='gv0/A.qcow2'>
          <host name='XX.XX.XX.XX' port='24007'/>
        </source>
        <backingStore/>
      </backingStore>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0d' function='0x0'/>
    </disk>
    ...

    (in VM)
    # dd if=/dev/urandom of=file bs=1G count=1
    0+1 records in
    0+1 records out
    33554431 bytes (34 MB, 32 MiB) copied, 0.155817 s, 215 MB/s

3. Migrate with --tls --copy-storage-inc and cancel it before it finishes:

    # virsh migrate fuse qemu+ssh://root/system --tls --copy-storage-inc --verbose
    Migration: [ 32 %]^Cerror: operation aborted: migration out: canceled by client

SC2: Test migration finish with --copy-storage-inc and --tls

1. Do steps 1~2 of SC1

2. Migrate with --tls --copy-storage-inc:

    # virsh migrate fuse qemu+ssh://root/system --tls --copy-storage-inc --verbose
    Migration: [100 %]

SC3: Test migration cancel with --copy-storage-all and --tls

1. Prepare a local disk and a VM using it:

    # qemu-img info /var/lib/libvirt/images/fuse.qcow2 -U
    image: /var/lib/libvirt/images/fuse.qcow2
    file format: qcow2
    virtual size: 10G (10737418240 bytes)
    disk size: 1.4G
    cluster_size: 65536
    Format specific information:
        compat: 1.1
        lazy refcounts: false
        refcount bits: 16
        corrupt: false

    # virsh dumpxml fuse
    ...
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/fuse.qcow2'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0d' function='0x0'/>
    </disk>
    ...

2. Migrate with --copy-storage-all --tls, then cancel it:

    # virsh migrate fuse qemu+ssh://root/system --tls --copy-storage-all --verbose
    Migration: [ 9 %]^Cerror: operation aborted: migration out: canceled by client

SC4: Test migration finish with --copy-storage-all and --tls

1. Do step 1 of SC3

2. Migrate with --copy-storage-all --tls:

    # virsh migrate fuse qemu+ssh://root/system --tls --copy-storage-all --verbose
    Migration: [100 %]

3. Do some writes in the VM:

    (in VM)
    # dd if=/dev/urandom of=file bs=100M count=2
    dd: warning: partial read (33554431 bytes); suggest iflag=fullblock
    0+2 records in
    0+2 records out
    67108862 bytes (67 MB) copied, 10.8148 s, 6.2 MB/s

All works well. Verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113
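The verification comments above check by eye that, once `nbd_tls = 1` is set in qemu.conf, the qemu process carries a `tls-creds-x509` object with `endpoint=client,verify-peer=yes` and that the NBD `-drive` references it through `file.tls-creds`. The following is an added example (not libvirt or QEMU code, and not part of this bug) that automates that check over a captured `ps` command line and over the two qemu.conf keys the steps set; the command lines and the qemu.conf excerpt are constructed samples modelled on the output shown in the bug, and the `-drive` syntax handled is the one the bug shows, not the newer `-blockdev` form.

```python
"""Audit a QEMU command line for NBD drives that are not wrapped in a
client-side tls-creds-x509 object with verify-peer=yes, and check the
qemu.conf keys that make libvirt emit such objects.

Added example, not libvirt/QEMU code. All sample inputs are constructed.
"""
import shlex

# Constructed sample: the -object/-drive/-device triple for an NBD disk as
# libvirt emits it with nbd_tls = 1 (shape taken from the bug's ps output).
SAMPLE_CMDLINE_TLS = (
    "/usr/libexec/qemu-kvm -name guest=nbd-tls "
    "-object tls-creds-x509,id=objua-TLS_tls0,dir=/etc/pki/libvirt-nbd,"
    "endpoint=client,verify-peer=yes "
    "-drive file.driver=nbd,file.server.type=inet,file.server.host=lab.test.me,"
    "file.server.port=10000,file.tls-creds=objua-TLS_tls0,format=raw,if=none,"
    "id=drive-ua-TLS "
    "-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-ua-TLS,id=ua-TLS"
)

# Constructed sample: the same disk with nbd_tls left at 0, i.e. plaintext NBD.
SAMPLE_CMDLINE_PLAIN = (
    "/usr/libexec/qemu-kvm -name guest=nbd-plain "
    "-drive file.driver=nbd,file.server.type=inet,file.server.host=lab.test.me,"
    "file.server.port=10000,format=raw,if=none,id=drive-ua-PLAIN "
    "-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-ua-PLAIN,id=ua-PLAIN"
)

# Constructed qemu.conf excerpt with the two keys the verification steps set.
SAMPLE_QEMU_CONF = """\
# constructed qemu.conf excerpt
nbd_tls = 1
nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
"""


def parse_qemu_opts(arg):
    """Parse one QEMU option string ('a=b,c=d') into a dict.

    QEMU writes a literal comma as ',,' (see the json: backing file in the
    qemu-img output above), so those are protected before splitting.
    A leading bare token such as 'tls-creds-x509' is stored under 'kind'.
    """
    opts = {}
    for part in arg.replace(",,", "\x00").split(","):
        part = part.replace("\x00", ",")
        if "=" in part:
            key, value = part.split("=", 1)
            opts[key] = value
        elif part and "kind" not in opts:
            opts["kind"] = part
    return opts


def audit_nbd_tls(cmdline):
    """Return one finding per NBD -drive that lacks a tls-creds-x509 client
    object with verify-peer=yes. An empty list means every NBD drive is TLS
    protected and validates the server certificate against the CA."""
    argv = shlex.split(cmdline)
    objects, drives = {}, []
    i = 0
    while i < len(argv) - 1:
        if argv[i] == "-object":
            obj = parse_qemu_opts(argv[i + 1])
            objects[obj.get("id")] = obj
            i += 2
        elif argv[i] == "-drive":
            drives.append(parse_qemu_opts(argv[i + 1]))
            i += 2
        else:
            i += 1

    findings = []
    for drive in drives:
        if drive.get("file.driver") != "nbd":
            continue
        drive_id = drive.get("id", "<no id>")
        creds_id = drive.get("file.tls-creds")
        if creds_id is None:
            findings.append(f"{drive_id}: no file.tls-creds, NBD traffic is plaintext")
            continue
        creds = objects.get(creds_id)
        if creds is None or creds.get("kind") != "tls-creds-x509":
            findings.append(f"{drive_id}: file.tls-creds={creds_id} does not name a tls-creds-x509 object")
            continue
        if creds.get("endpoint") != "client":
            findings.append(f"{drive_id}: {creds_id} has endpoint={creds.get('endpoint')}, expected client")
        if creds.get("verify-peer") != "yes":
            findings.append(f"{drive_id}: {creds_id} has verify-peer={creds.get('verify-peer', 'unset')}, "
                            "server certificate is not validated against the CA")
    return findings


def check_qemu_conf(text):
    """Return findings for the qemu.conf keys used in the verification steps."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value.strip('"')
    findings = []
    if settings.get("nbd_tls") != "1":
        findings.append("nbd_tls is not 1: libvirt will not attach TLS creds to NBD disks")
    if not settings.get("nbd_tls_x509_cert_dir"):
        findings.append("nbd_tls_x509_cert_dir is unset: the NBD client cert directory is not pinned")
    return findings


if __name__ == "__main__":
    for name, cmd in (("tls", SAMPLE_CMDLINE_TLS), ("plain", SAMPLE_CMDLINE_PLAIN)):
        print(name, audit_nbd_tls(cmd) or "OK")
    print("qemu.conf", check_qemu_conf(SAMPLE_QEMU_CONF) or "OK")
```

In practice the command line comes from `ps -o args= -p <pid>` or `/proc/<pid>/cmdline` on the source host after the domain starts; the `verify-peer` check matters because a client object without it would still encrypt the NBD stream but would accept any server certificate.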