Bug 1544869 - RFE: add support for native TLS encryption for NBD disk access
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Peter Krempa
QA Contact: Han Han
Depends On: 1300770 1300772
Blocks: 1301025 1414999 1625597 1664790 1665042
Reported: 2018-02-13 16:29 UTC by Peter Krempa
Modified: 2019-01-10 11:34 UTC (History)

Fixed In Version: libvirt-4.5.0-1.el7
Doc Type: Enhancement
Clone Of: 1300772
Last Closed: 2018-10-30 09:52:39 UTC

Links
System: Red Hat Product Errata
ID: RHSA-2018:3113
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2018-10-30 09:54:42 UTC

Description Peter Krempa 2018-02-13 16:29:33 UTC
Clone of QEMU bug to track libvirt enablement tasks for native TLS encryption with NBD channel used for disk access.

+++ This bug was initially created as a clone of Bug #1300772 +++
+++ This bug was initially created as a clone of Bug #1300770 +++

Description of problem:
The NBD protocol currently runs in clear text, offering no security protection for the data transferred, unless it is tunnelled over some external transport like SSH. Such tunnelling is inefficient and inconvenient to manage, so there is a desire to add explicit support for TLS to the NBD clients & servers provided by QEMU.

A particular focus is on the need to have encryption of NBD channels used for disk copy during migration.

Latest patch series implementing TLS for NBD is

https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03440.html

Comment 2 Peter Krempa 2018-06-05 08:17:18 UTC
Added upstream by:

commit 2be3732dfb1edad9acfcaad376c9b09c80d469f5
Author: Peter Krempa <pkrempa>
Date:   Tue May 29 13:57:17 2018 +0200

    qemu: domain: Add support for TLS for NBD
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1544869
    
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

commit bd0694bfd3c172ff907a6778d8d4ce405cecaf2c
Author: Peter Krempa <pkrempa>
Date:   Thu May 31 20:21:48 2018 +0200

    qemu: conf: Add qemu.conf knobs for setting up TLS for NBD
    
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

Comment 3 Peter Krempa 2018-06-05 09:02:26 UTC
Oops, I've posted commit IDs from a private branch. The upstream commit IDs are:

commit 8ac9db0e5497aa0d374865c7f849bfa27e73c98b
Author: Peter Krempa <pkrempa>
Date:   Tue May 29 13:57:17 2018 +0200

    qemu: domain: Add support for TLS for NBD

commit ca108ab78949152dbc325d6874959049ad7d2acc
Author: Peter Krempa <pkrempa>
Date:   Thu May 31 20:21:48 2018 +0200

    qemu: conf: Add qemu.conf knobs for setting up TLS for NBD

Comment 5 Han Han 2018-07-09 05:48:10 UTC
Verified as: https://bugzilla.redhat.com/show_bug.cgi?id=1300772#c6

Comment 7 errata-xmlrpc 2018-10-30 09:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113

