Bug 1430620
| Summary: | TLS encryption migration via exec failed with "TLS handshake failed: The TLS connection was non-properly terminated" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | xianwang <xianwang> |
| Component: | qemu-kvm-rhev | Assignee: | Daniel Berrangé <berrange> |
| Status: | CLOSED ERRATA | QA Contact: | xianwang <xianwang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | berrange, chayang, juzhang, knoel, michen, mrezanin, qzhang, virt-maint |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | qemu-kvm-rhev-2.9.0-6.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-02 03:39:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
xianwang
2017-03-09 06:56:28 UTC
I have communicated and confirmed with Daniel in E-mail, he suggested to report this bug and assign it to him to track this problem, so, I assigned it to Daniel and QA contact is myself. Patch posted upstream https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg03623.html Patch is now merged in upstream GIT master as
commit 062d81f0e968fe1597474735f3ea038065027372
Author: Daniel P. Berrange <berrange>
Date: Fri Apr 21 12:12:20 2017 +0100
migration: setup bi-directional I/O channel for exec: protocol
Historically the migration data channel has only needed to be
unidirectional. Thus the 'exec:' protocol was requesting an
I/O channel with O_RDONLY on incoming side, and O_WRONLY on
the outgoing side.
This is fine for classic migration, but if you then try to run
TLS over it, this fails because the TLS handshake requires a
bi-directional channel.
Signed-off-by: Daniel P. Berrange <berrange>
Reviewed-by: Juan Quintela <quintela>
Signed-off-by: Juan Quintela <quintela>
Fix included in qemu-kvm-rhev-2.9.0-6.el7 I have test two scenarios for "exec": local migration and two hosts migration, the result is that local migraion completed and the two hosts migration failed. test results are as following:
version info:
3.10.0-671.el7.ppc64le
qemu-kvm-rhev-2.9.0-6.el7.ppc64le
SLOF-20170303-4.git66d250e.el7.noarch
I.local migration
TLS server end:
# /usr/libexec/qemu-kvm -object tls-creds-x509,id=tls0,endpoint=server,dir=/root -monitor stdio -vnc :1 -incoming defer
TLS client end:
# /usr/libexec/qemu-kvm -object tls-creds-x509,id=tls0,endpoint=client,dir=/root -monitor stdio -vnc :2
server end:
(qemu) migrate_set_parameter tls-creds tls0
(qemu) migrate_set_parameter tls-hostname ibm-p8-rhevm-02
(qemu) migrate_incoming "exec:socat TCP4-LISTEN:9002 -"
client end:
(qemu) migrate_set_parameter tls-creds tls0
(qemu) migrate_set_parameter tls-hostname ibm-p8-rhevm-02
(qemu) migrate "exec:socat - TCP4:ibm-p8-rhevm-02:9002"
check the status of migration:
server end:
(qemu) info status
VM status: running
client end:
(qemu) info migrate
capabilities: xbzrle: off rdma-pin-all: off auto-converge: off zero-blocks: off compress: off events: off postcopy-ram: off x-colo: off release-ram: off
Migration status: completed
so, this scenario is pass.
II)Two hosts migration
server end:
# /usr/libexec/qemu-kvm -object tls-creds-x509,id=tls0,endpoint=server,dir=/root -monitor stdio -vnc :1 -incoming defer
client end:
# /usr/libexec/qemu-kvm -object tls-creds-x509,id=tls0,endpoint=client,dir=/root/mount_point -monitor stdio -vnc :1
server end:
(qemu) migrate_set_parameter tls-creds tls0
(qemu) migrate_set_parameter tls-hostname ibm-p8-rhevm-02
(qemu) migrate_incoming "exec:socat TCP4-LISTEN:9002 -"
client end:
(qemu) migrate_set_parameter tls-creds tls0
(qemu) migrate_set_parameter tls-hostname ibm-p8-rhevm-02
(qemu) migrate "exec:socat - TCP4:ibm-p8-rhevm-02:9002"
2017/06/01 00:50:56 socat[3264] E getaddrinfo("ibm-p8-rhevm-02", "NULL", {1,2,1,6}, {}): Name or service not known
qemu-kvm: TLS handshake failed: The TLS connection was non-properly terminated.
(qemu) info migrate
capabilities: xbzrle: off rdma-pin-all: off auto-converge: off zero-blocks: off compress: off events: off postcopy-ram: off x-colo: off release-ram: off
Migration status: failed (TLS handshake failed: The TLS connection was non-properly terminated.)
total time: 0 milliseconds
so, this scenario is failed.
In summary, this bug may still has some problem.
Daniel, could you please help to check this problem?
The 'socat' you are telling QEMU to run is failing with an error:
2017/06/01 00:50:56 socat[3264] E getaddrinfo("ibm-p8-rhevm-02", "NULL", {1,2,1,6}, {}): Name or service not known
so it is expected that QEMU migration then fails.
(In reply to Daniel Berrange from comment #10) > The 'socat' you are telling QEMU to run is failing with an error: > > 2017/06/01 00:50:56 socat[3264] E getaddrinfo("ibm-p8-rhevm-02", "NULL", > {1,2,1,6}, {}): Name or service not known > > so it is expected that QEMU migration then fails. yes, I have detected this error message, but I wonder this means my step is wrong? or, there is still some problem with this issue ? if my step is wrong, could you help to give the right steps to verify this bug? thanks (In reply to xianwang from comment #11) > (In reply to Daniel Berrange from comment #10) > > The 'socat' you are telling QEMU to run is failing with an error: > > > > 2017/06/01 00:50:56 socat[3264] E getaddrinfo("ibm-p8-rhevm-02", "NULL", > > {1,2,1,6}, {}): Name or service not known > > > > so it is expected that QEMU migration then fails. > > yes, I have detected this error message, but I wonder this means my step is > wrong? or, there is still some problem with this issue ? The hostname 'ibm-p8-rhevm-02' can't be resolved - that's either a wrong hostname or your DNS is broken. (In reply to Daniel Berrange from comment #12) > (In reply to xianwang from comment #11) > > (In reply to Daniel Berrange from comment #10) > > > The 'socat' you are telling QEMU to run is failing with an error: > > > > > > 2017/06/01 00:50:56 socat[3264] E getaddrinfo("ibm-p8-rhevm-02", "NULL", > > > {1,2,1,6}, {}): Name or service not known > > > > > > so it is expected that QEMU migration then fails. > > > > yes, I have detected this error message, but I wonder this means my step is > > wrong? or, there is still some problem with this issue ? > > The hostname 'ibm-p8-rhevm-02' can't be resolved - that's either a wrong > hostname or your DNS is broken. Yes, Daniel is right, I have test this issue on other ppc host, the test result is pass, so, maybe there is something wrong for the src host in #comment9. I have re-test this issue both on x86_64 and power pc, the result are both passedfor x86_64 and ppc,The steps are as following: I)x86_64 3.10.0-671.el7.x86_64 qemu-kvm-rhev-2.9.0-6.el7.x86_64 test steps are same as bug description. the result: migration completed, and vm works well. II)ppc64le host: 3.10.0-675.el7.ppc64le qemu-kvm-rhev-2.9.0-7.el7.ppc64le SLOF-20170303-4.git66d250e.el7.noarch test steps are same as bug description. the result: migration completed, and vm works well. So, this bug is fixed. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:2392 |