Bug 1544869 - RFE: add support for native TLS encryption for NBD disk access
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Peter Krempa
QA Contact: Han Han
URL:
Whiteboard:
Depends On: 1300770 1300772
Blocks: 1301025 1414999 1664790 1665042 1625597
 
Reported: 2018-02-13 16:29 UTC by Peter Krempa
Modified: 2019-01-10 11:34 UTC

Fixed In Version: libvirt-4.5.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of: 1300772
Environment:
Last Closed: 2018-10-30 09:52:39 UTC




Links
System: Red Hat Product Errata; ID: RHSA-2018:3113; Priority: None; Status: None; Summary: None; Last Updated: 2018-10-30 09:54:42 UTC

Description Peter Krempa 2018-02-13 16:29:33 UTC
Clone of QEMU bug to track libvirt enablement tasks for native TLS encryption with NBD channel used for disk access.

+++ This bug was initially created as a clone of Bug #1300772 +++
+++ This bug was initially created as a clone of Bug #1300770 +++

Description of problem:
The NBD protocol currently runs in clear text, offering no security protection for the data transferred, unless it is tunnelled over some external transport like SSH. Such tunnelling is inefficient and inconvenient to manage, so there is a desire to add explicit support for TLS to the NBD clients & servers provided by QEMU.

A particular focus is on the need to have encryption of NBD channels used for disk copy during migration.

Latest patch series implementing TLS for NBD is

https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03440.html

Comment 2 Peter Krempa 2018-06-05 08:17:18 UTC
Added upstream by:

commit 2be3732dfb1edad9acfcaad376c9b09c80d469f5
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Tue May 29 13:57:17 2018 +0200

    qemu: domain: Add support for TLS for NBD
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1544869
    
    Signed-off-by: Peter Krempa <pkrempa@redhat.com>
    Reviewed-by: Ján Tomko <jtomko@redhat.com>

commit bd0694bfd3c172ff907a6778d8d4ce405cecaf2c
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Thu May 31 20:21:48 2018 +0200

    qemu: conf: Add qemu.conf knobs for setting up TLS for NBD
    
    Signed-off-by: Peter Krempa <pkrempa@redhat.com>
    Reviewed-by: Ján Tomko <jtomko@redhat.com>

Comment 3 Peter Krempa 2018-06-05 09:02:26 UTC
Oops, I've posted commit IDs from a private branch. The upstream commit IDs are:

commit 8ac9db0e5497aa0d374865c7f849bfa27e73c98b
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Tue May 29 13:57:17 2018 +0200

    qemu: domain: Add support for TLS for NBD

commit ca108ab78949152dbc325d6874959049ad7d2acc
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Thu May 31 20:21:48 2018 +0200

    qemu: conf: Add qemu.conf knobs for setting up TLS for NBD

Comment 5 Han Han 2018-07-09 05:48:10 UTC
Verified as: https://bugzilla.redhat.com/show_bug.cgi?id=1300772#c6

Comment 7 errata-xmlrpc 2018-10-30 09:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113

