Bug 1901448

Summary: nbd+tls: Allow override of name used for verification of TLS certificate
Product: Red Hat Enterprise Linux 9 Reporter: Peter Krempa <pkrempa>
Component: qemu-kvmAssignee: Eric Blake <eblake>
qemu-kvm sub component: NBD QA Contact: aihua liang <aliang>
Status: CLOSED CURRENTRELEASE Docs Contact:
Severity: medium    
Priority: medium CC: coli, eblake, fjin, hhan, jinzhao, juzhang, kkiwi, lmen, ngu, smitterl, virt-bugs, virt-maint, xiaohli, yafu
Version: unspecifiedKeywords: Triaged
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1901394 Environment:
Last Closed: 2022-05-13 06:29:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1901394    

Description Peter Krempa 2020-11-25 09:26:30 UTC 
For regular migration libvirt uses the 'tls-hostname' field of 'MigrateSetParameters' QAPI struct to override the name which is used to validate the TLS certificate of the server against if the client wihes so.

For non-shared-storage migration libvirt exports the disks on the destination side via the builtin NBD server. The source part then blockdev-adds the NBD exports and uses the 'mirror' job to copy over the storage. Unfortunately the NBD client used by the block code doesn't allow us to do the same override as the migration code, which breaks migration in the cases where the name can't be matched without the override.

+++ This bug was initially created as a clone of Bug #1901394 +++

Description of problem:
When do vm migration with copy storage and tls enabled, --tls-destination doesn't take effect for disk migration

Version-Release number of selected component (if applicable):
libvirt-6.6.0-8

How reproducible:
100%

Steps to Reproduce:
1.Do vm migration with copy storage and tls enabled, specify the migrateuri, disksuri and tls destination:
# virsh migrate avocado-vt-vm1 qemu+unix://<dest host>/system --live --p2p --migrateuri tcp://10.16.218.252:49156 --tls --tls-destination <dest hostname> --copy-storage-all --disks-uri tcp://192.168.100.6:49156
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname 192.168.100.6

2.Do vm migration with copy storage and tls enabled, specify the migrateuri, tls destination
# virsh migrate avocado-vt-vm1 qemu+unix://<dest host>/system --live ---p2p  --migrateuri tcp://10.16.218.252:49156 --tls --tls-destination <dest hostname> --copy-storage-all 
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname 10.16.218.252
Comment 1 Fangge Jin 2020-11-25 09:39:11 UTC 
Version: qemu-kvm-5.1.0-15
Comment 2 Eric Blake 2020-11-25 21:07:25 UTC 
Fixing this may also be a good time to get TLS working over Unix sockets in qemu. See the following thread for the last time it was discussed:

https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01334.html
https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01581.html
Comment 3 Klaus Heinrich Kiwi 2021-07-13 17:15:15 UTC 
I'm having a hard-time thinking in how to prioritize this...

(In reply to Eric Blake from comment #2)
> Fixing this may also be a good time to get TLS working over Unix sockets in
> qemu. See the following thread for the last time it was discussed:
> 
> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01334.html
> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01581.html

Are you suggesting that this may be a dependency for this work? Are you still the right person for this to be assigned to?
Comment 4 John Ferlan 2021-09-09 11:47:34 UTC 
Bulk update: Move RHEL-AV bugs to RHEL9. If necessary to resolve in RHEL8, then clone to the current RHEL8 release.
Comment 5 Eric Blake 2022-03-09 20:15:46 UTC 
Dan landed the following patches into upstream 7.0, plus accompanying testsuite improvements, that should address this:

Daniel P. Berrangé (5):
      crypto: mandate a hostname when checking x509 creds on a client
      block: pass desired TLS hostname through from block driver client
      block/nbd: support override of hostname for TLS certificate validation
      qemu-nbd: add --tls-hostname option for TLS certificate validation
      block/nbd: don't restrict TLS usage to IP sockets

https://lists.gnu.org/archive/html/qemu-devel/2022-03/msg02398.html, commit fdee2c96923dfd38aa7a264abb7de6d403f81c4d
Comment 6 aihua liang 2022-03-18 03:46:48 UTC 
Test on qemu-kvm-6.2.0-11.el9, can reproduce this issue.

#cat server.info
organization = Red Hat
cn = $dst_hostname
tls_www_server
encryption_key
signing_key

#virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://$dst_hostip:49156 --tls-destination $dst_hostname
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname $dst_hostip
Comment 8 aihua liang 2022-05-13 02:35:44 UTC 
Test with qemu-kvm-7.0.0-1.el9 and without --disks-uri, don't hit this issue any more.
In src:
 #virsh start rhel9
Domain 'rhel9' started

 # virsh list
 Id   Name    State
-----------------------
 1    rhel9   running

  # virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://10.73.114.14:49156 --tls-destination dell-per440-09.lab.eng.pek2.redhat.com
Migration: [100 %]

In dst:
 # virsh list
 Id   Name    State
-----------------------
 1    rhel9   running
Comment 10 aihua liang 2022-05-13 03:06:39 UTC 
Test with qemu-kvm-7.0.0-1.el9/libvirt-8.3.0-1.el9.x86_64 and --disks-uri, don't hit this issue any more.
In src:
 # virsh start rhel9
Domain 'rhel9' started

 # virsh list
 Id   Name    State
-----------------------
 1    rhel9   running

  # virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://10.73.114.14:49156 --tls-destination dell-per440-09.lab.eng.pek2.redhat.com --disks-uri tcp://10.73.114.14:49157
Migration: [100 %]

In dst:
 # virsh list
 Id   Name    State
-----------------------
 1    rhel9   running