Bug 1544869

Summary: RFE: add support for native TLS encryption for NBD disk access
Product: Red Hat Enterprise Linux 7
Reporter: Peter Krempa <pkrempa>
Component: libvirt
Assignee: Peter Krempa <pkrempa>
Status: CLOSED ERRATA
QA Contact: Han Han <hhan>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: berrange, dyuan, jdenemar, jsuchane, lmen, mtessun, mzhan, rjones, virt-bugs, virt-maint, xuzhang, yafu
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: libvirt-4.5.0-1.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1300772
Environment:
Last Closed: 2018-10-30 09:52:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1300770, 1300772
Bug Blocks: 1301025, 1414999, 1625597, 1664790, 1665042

Description Peter Krempa 2018-02-13 16:29:33 UTC
Clone of QEMU bug to track libvirt enablement tasks for native TLS encryption with NBD channel used for disk access.

+++ This bug was initially created as a clone of Bug #1300772 +++
+++ This bug was initially created as a clone of Bug #1300770 +++

Description of problem:
The NBD protocol currently runs in clear text, offering no security protection for the data transferred, unless it is tunnelled over some external transport like SSH. Such tunnelling is inefficient and inconvenient to manage, so there is a desire to add explicit support for TLS to the NBD clients & servers provided by QEMU.

A particular focus is on the need to have encryption of NBD channels used for disk copy during migration.

Latest patch series implementing TLS for NBD is

https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03440.html

Comment 2 Peter Krempa 2018-06-05 08:17:18 UTC
Added upstream by:

commit 2be3732dfb1edad9acfcaad376c9b09c80d469f5
Author: Peter Krempa <pkrempa>
Date:   Tue May 29 13:57:17 2018 +0200

    qemu: domain: Add support for TLS for NBD
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1544869
    
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

commit bd0694bfd3c172ff907a6778d8d4ce405cecaf2c
Author: Peter Krempa <pkrempa>
Date:   Thu May 31 20:21:48 2018 +0200

    qemu: conf: Add qemu.conf knobs for setting up TLS for NBD
    
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

Comment 3 Peter Krempa 2018-06-05 09:02:26 UTC
Oops, I've posted commit IDs from a private branch. The upstream commit IDs are:

commit 8ac9db0e5497aa0d374865c7f849bfa27e73c98b
Author: Peter Krempa <pkrempa>
Date:   Tue May 29 13:57:17 2018 +0200

    qemu: domain: Add support for TLS for NBD

commit ca108ab78949152dbc325d6874959049ad7d2acc
Author: Peter Krempa <pkrempa>
Date:   Thu May 31 20:21:48 2018 +0200

    qemu: conf: Add qemu.conf knobs for setting up TLS for NBD

Comment 5 Han Han 2018-07-09 05:48:10 UTC
Verified as: https://bugzilla.redhat.com/show_bug.cgi?id=1300772#c6

Comment 7 errata-xmlrpc 2018-10-30 09:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113