When a TLS migration is requested, the destination host certificate is checked for the destination host name or IP address given in the migration URI. This works well in simple cases but not in more complex networking environments. Hosts can have multiple networks and the networks may be added, removed or their corresponding IP addresses may get changed. An IP address, rather than a host name, is used in the migration URI to specify the network to use for the given migration. It's complicated to infeasible to make sure the right IP addresses are present in the right certificates and to update host/migration certificates on each related network change. A similar problem exists with SPICE connections. The solution provided by remote-viewer is `host-subject' connection option that specifies the subject to match on certificate verification. A similar solution could be provided by libvirt. A migration parameter specifying the host name to expect in the destination certificate verification would allow to specify just the host name in the certificate, regardless of the currently used IP addresses, to check we are connecting to the right host. Please define a new migration parameter that can be used for this purpose in virDomainMigrateToURI3. See https://www.redhat.com/archives/libvirt-users/2019-September/msg00004.html for related discussion.
Patches sent upstream for review: https://www.redhat.com/archives/libvir-list/2019-December/msg00116.html
This feature is now implemented upstream by commit cc023b33bb3d06a55aec84b071c31ee096e281c0 Refs: v5.10.0-83-gcc023b33bb Author: Jiri Denemark <jdenemar> AuthorDate: Tue Dec 3 14:58:32 2019 +0100 Commit: Jiri Denemark <jdenemar> CommitDate: Mon Dec 9 10:11:58 2019 +0100 qemu: Add support for setting string migration params The functions for converting migration typed parameters to QEMU migration parameters and back were only implemented for integer types. This patch adds support for string parameters. Signed-off-by: Jiri Denemark <jdenemar> Reviewed-by: Pavel Hrdina <phrdina> commit 1b8af37213ebdb3d12c6c8ac9c7aff0621941d89 Refs: v5.10.0-84-g1b8af37213 Author: Jiri Denemark <jdenemar> AuthorDate: Tue Dec 3 16:12:41 2019 +0100 Commit: Jiri Denemark <jdenemar> CommitDate: Mon Dec 9 10:11:58 2019 +0100 Introduce VIR_MIGRATE_PARAM_TLS_DESTINATION migration param Normally the TLS certificate from the destination host must match the host's name for TLS verification to succeed. When the certificate does not match the destination hostname and the expected cetificate's hostname is known, this parameter can be used to pass this expected hostname when starting the migration. Signed-off-by: Jiri Denemark <jdenemar> Reviewed-by: Pavel Hrdina <phrdina> commit c11706cc25f33648c64b7b1b7d435a9f1283e6b5 Refs: v5.10.0-85-gc11706cc25 Author: Jiri Denemark <jdenemar> AuthorDate: Tue Dec 3 16:20:35 2019 +0100 Commit: Jiri Denemark <jdenemar> CommitDate: Mon Dec 9 10:11:58 2019 +0100 qemu: Implement VIR_MIGRATE_PARAM_TLS_DESTINATION Signed-off-by: Jiri Denemark <jdenemar> Reviewed-by: Pavel Hrdina <phrdina> commit 5c7cd74a520693a4f1cf49ad4a6d4730a5c5d76a Refs: v5.10.0-86-g5c7cd74a52 Author: Jiri Denemark <jdenemar> AuthorDate: Tue Dec 3 16:20:57 2019 +0100 Commit: Jiri Denemark <jdenemar> CommitDate: Mon Dec 9 10:11:58 2019 +0100 virsh: Add --tls-destination option for migrate command This option can be used to override the destination host name used for TLS verification. Signed-off-by: Jiri Denemark <jdenemar> Reviewed-by: Pavel Hrdina <phrdina>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0404