Clone of QEMU bug to track libvirt enablement tasks for native TLS encryption with NBD channel used for disk access.

+++ This bug was initially created as a clone of Bug #1300772 +++

+++ This bug was initially created as a clone of Bug #1300770 +++

Description of problem:

The NBD protocol currently runs in clear text, offering no security protection for the data transferred, unless it is tunnelled over some external transport like SSH. Such tunnelling is inefficient and inconvenient to manage, so there is a desire to add explicit support for TLS to the NBD clients & servers provided by QEMU.

A particular focus is on the need to have encryption of NBD channels used for disk copy during migration.

Latest patch series implementing TLS for NBD is https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03440.html
Added upstream by:

commit 2be3732dfb1edad9acfcaad376c9b09c80d469f5
Author: Peter Krempa <pkrempa>
Date:   Tue May 29 13:57:17 2018 +0200

    qemu: domain: Add support for TLS for NBD

    https://bugzilla.redhat.com/show_bug.cgi?id=1544869

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

commit bd0694bfd3c172ff907a6778d8d4ce405cecaf2c
Author: Peter Krempa <pkrempa>
Date:   Thu May 31 20:21:48 2018 +0200

    qemu: conf: Add qemu.conf knobs for setting up TLS for NBD

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>
Oops, I've posted commit IDs from a private branch. The upstream commit IDs are:

commit 8ac9db0e5497aa0d374865c7f849bfa27e73c98b
Author: Peter Krempa <pkrempa>
Date:   Tue May 29 13:57:17 2018 +0200

    qemu: domain: Add support for TLS for NBD

commit ca108ab78949152dbc325d6874959049ad7d2acc
Author: Peter Krempa <pkrempa>
Date:   Thu May 31 20:21:48 2018 +0200

    qemu: conf: Add qemu.conf knobs for setting up TLS for NBD
Verified as: https://bugzilla.redhat.com/show_bug.cgi?id=1300772#c6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3113