Bug 1901394 - --tls-destination doesn't take effect for disk migration

Summary: --tls-destination doesn't take effect for disk migration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Peter Krempa
QA Contact: Han Han
URL:
Whiteboard:
Depends On: 1901448
Blocks:

Reported: 2020-11-25 02:09 UTC by Fangge Jin
Modified: 2023-01-12 08:32 UTC
CC List: 16 users

Fixed In Version: libvirt-8.2.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1901448
Environment:
Last Closed: 2022-11-15 10:03:03 UTC
Type: Bug
Target Upstream Version: 8.2.0
Embargoed:

Attachments: none

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | LIBVIRTAT-13392 | 0 | None | None | None | 2022-10-31 16:55:11 UTC
Red Hat Product Errata | RHSA-2022:8003 | 0 | None | None | None | 2022-11-15 10:03:48 UTC

Internal Links: 1845919
Description Fangge Jin 2020-11-25 02:09:13 UTC
Description of problem:
When doing VM migration with storage copy and TLS enabled, --tls-destination doesn't take effect for disk migration.

Version-Release number of selected component (if applicable):
libvirt-6.6.0-8

How reproducible:
100%

Steps to Reproduce:
1. Do VM migration with storage copy and TLS enabled, specifying the migrate URI, disks URI and TLS destination:
# virsh migrate avocado-vt-vm1 qemu+unix://<dest host>/system --live --p2p --migrateuri tcp://10.16.218.252:49156 --tls --tls-destination <dest hostname> --copy-storage-all --disks-uri tcp://192.168.100.6:49156
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname 192.168.100.6

2. Do VM migration with storage copy and TLS enabled, specifying the migrate URI and TLS destination:
# virsh migrate avocado-vt-vm1 qemu+unix://<dest host>/system --live --p2p --migrateuri tcp://10.16.218.252:49156 --tls --tls-destination <dest hostname> --copy-storage-all
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname 10.16.218.252


Actual results:


Expected results:


Additional info:

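The failure in the report comes from ordinary TLS peer-name validation: the NBD client for the disk stream connects to whatever host the disks URI (or migrate URI) names, here an IP address, and checks the destination's certificate against that string, while the certificate only carries the destination's DNS name. The following is an added illustrative model of that check, written for this page; it is not libvirt or QEMU code (QEMU validates through GnuTLS), and the certificate contents and the `dest.example.com` name are constructed. It shows why an IP literal never satisfies a DNS-only certificate, and how an override name (what `--tls-destination` carries after the fix) changes the outcome.

```python
"""Model of the TLS peer-name check behind
"Certificate does not match the hostname <host>".
Added example; not libvirt/QEMU code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for an X.509 server certificate: only the
    subjectAltName entries matter for peer-name validation."""
    dns_names: List[str] = field(default_factory=list)
    ip_addrs: List[str] = field(default_factory=list)


def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125-style match: case-insensitive; a single '*' is allowed
    only as the whole left-most label and must leave at least two
    literal labels (so '*.com' never matches)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def cert_matches(cert: Cert, name: str) -> bool:
    """True if `name` (DNS name or IP literal) is covered by the SANs.
    An IP literal is only compared against IP SANs, never DNS SANs,
    which is exactly why '192.168.100.6' fails against a DNS-only cert."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return any(_dns_match(p, name) for p in cert.dns_names)
    return any(ipaddress.ip_address(a) == ip for a in cert.ip_addrs)


def nbd_client_check(cert: Cert, connect_host: str,
                     tls_hostname: Optional[str] = None) -> str:
    """Model of the NBD client's decision: validate against the override
    name when one is supplied (post-fix behaviour, fed from
    --tls-destination), otherwise against the host it connected to
    (pre-fix behaviour, which is the bug)."""
    verify_name = tls_hostname or connect_host
    if cert_matches(cert, verify_name):
        return "ok"
    return f"Certificate does not match the hostname {verify_name}"


# Constructed destination certificate: SAN only for the host's DNS name,
# which is the common deployment (no IP SAN for the migration subnet).
DEST_CERT = Cert(dns_names=["dest.example.com"])

if __name__ == "__main__":
    # Pre-fix: --disks-uri names the IP, so verification uses the IP.
    print(nbd_client_check(DEST_CERT, "192.168.100.6"))
    # Post-fix: the override name is what gets verified.
    print(nbd_client_check(DEST_CERT, "192.168.100.6", "dest.example.com"))
```

Note that the override only changes which name is compared; it does not relax validation. A wrong override (for example a name belonging to some other host) still fails, so `--tls-destination` must be the exact name the destination's certificate was issued for.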
Comment 1 Peter Krempa 2020-11-25 09:28:14 UTC
This will require additional work from qemu. I've filed https://bugzilla.redhat.com/show_bug.cgi?id=1901448 to track it. Since the qemu version used here was not mentioned, please update the qemu bug with the qemu version you've used.

Comment 2 Fangge Jin 2020-11-25 09:39:34 UTC
(In reply to Peter Krempa from comment #1)
> This will require additional work from qemu. I've filed
> https://bugzilla.redhat.com/show_bug.cgi?id=1901448 to track it. Since the
> qemu version used here was not mentioned, please update the qemu bug with
> the qemu version you've used.

Updated qemu bug 1901448

Comment 3 John Ferlan 2021-09-08 13:31:03 UTC
Bulk update: Move RHEL-AV bugs to RHEL9. If necessary to resolve in RHEL8, then clone to the current RHEL8 release.

Comment 4 Peter Krempa 2022-03-10 08:41:24 UTC
Qemu implemented this feature upstream as of:

commit a0cd6d297283bedffafce939dce38f3d06f3e2cd
Author: Daniel P. Berrangé <berrange>
Date:   Fri Mar 4 19:36:01 2022 +0000

    block/nbd: support override of hostname for TLS certificate validation
    
    When connecting to an NBD server with TLS and x509 credentials,
    the client must validate the hostname it uses for the connection,
    against that published in the server's certificate. If the client
    is tunnelling its connection over some other channel, however, the
    hostname it uses may not match the info reported in the server's
    certificate. In such a case, the user needs to explicitly set an
    override for the hostname to use for certificate validation.
    
    This is achieved by adding a 'tls-hostname' property to the NBD
    block driver.
    
    Reviewed-by: Eric Blake <eblake>
    Signed-off-by: Daniel P. Berrangé <berrange>
    Message-Id: <20220304193610.3293146-4-berrange>
    Signed-off-by: Eric Blake <eblake>

Comment 5 Peter Krempa 2022-03-11 14:25:19 UTC
Libvirt added support for the 'tls-hostname' when migrating by:

commit e8fa09d66bcb95a3f23fe5957dd203f1f341f4b5
Author: Peter Krempa <pkrempa>
Date:   Thu Mar 10 12:59:30 2022 +0100

    qemu: migration: Use 'VIR_MIGRATE_PARAM_TLS_DESTINATION' for the NBD connection
    
    The NBD connection for non-shared storage migration can have the same
    issue regarding TLS certificate name match as the migration connection
    itself.
    
    Propagate the configured name also for the NBD connections.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1901394
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Ján Tomko <jtomko>

v8.1.0-135-ge8fa09d66b

Comment 6 Han Han 2022-03-28 03:21:48 UTC
It depends on QEMU 7.0. Waiting for a QEMU 7.0 build for RHEL or Fedora.

Comment 7 Han Han 2022-04-13 08:55:16 UTC
Tested on libvirt-8.2.0-1.el9.x86_64 qemu-kvm-7.0.0-0.rc3.el9.preview.x86_64
1. Prepare QEMU TLS certs for src and dst hosts
2. Migrate with --tls --tls-destination --disks-uri
➜  ~ virsh migrate rhel qemu+ssh://root@hhan-rhel9--1/system --live --p2p --tls --tls-destination hhan-rhel9--1 --copy-storage-all --disks-uri tcp://hhan-rhel9--1:49156

Migration finishes.

From the qemu-monitor log of the src host, the 'tls-hostname' property is used:
  8.599 > 0x7f8e6c084740 {"execute":"blockdev-add","arguments":{"driver":"nbd","server":{"type":"inet","host":"hhan-rhel9--1","port":"49156"},"export":"drive-virtio-disk0","tls-creds":"objlibvirt_migrate_tls0","tls-hostname":"hhan-rhel9--1","node-name":"migration-vda-storage","read-only":false,"discard":"unmap"},"id":"libvirt-429"}

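The verification in comment 7 is the right one to automate: the qemu-monitor log on the source host records every `blockdev-add` libvirt issues for the NBD disk streams, so it can be audited after a migration to confirm that each stream used TLS and that `tls-hostname` carried the expected destination name. The following is an added example written for this page, not libvirt or QEMU tooling. It assumes the log line layout shown above (`<seconds> > <monitor pointer> <JSON>` for outbound commands, `<` for replies); the first sample line is the real one from comment 7, the remaining sample lines are constructed to show a pre-fix command (no `tls-hostname`, certificate checked against the IP) and an NBD stream opened without TLS at all.

```python
"""Audit a libvirt qemu-monitor (QMP) log for the NBD blockdev-add
commands used by non-shared-storage migration and report which name the
TLS client will validate the destination certificate against.
Added example; not libvirt/QEMU code."""
import json
import re
from typing import Dict, Iterable, List

# Assumed log layout (matches the line quoted in comment 7): outbound
# commands are "<seconds> > <monitor ptr> <JSON>", replies use "<".
_LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<dir>[<>])\s+0x[0-9a-f]+\s+(?P<json>\{.*\})\s*$"
)


def parse_qmp_log(lines: Iterable[str]) -> List[Dict]:
    """Return the decoded outbound QMP commands, skipping replies,
    events and lines that are not QMP traffic."""
    cmds = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m or m.group("dir") != ">":
            continue
        try:
            cmds.append(json.loads(m.group("json")))
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON debug lines
    return cmds


def audit_nbd_tls(lines: Iterable[str], expected_tls_hostname: str) -> List[Dict]:
    """One finding per NBD blockdev-add. The name the client verifies is
    'tls-hostname' when present, else the 'server.host' it connects to."""
    findings = []
    for cmd in parse_qmp_log(lines):
        if cmd.get("execute") != "blockdev-add":
            continue
        args = cmd.get("arguments", {})
        if args.get("driver") != "nbd":
            continue
        server = args.get("server", {})
        verify_name = args.get("tls-hostname") or server.get("host")
        f = {"node": args.get("node-name"), "host": server.get("host"),
             "tls": "tls-creds" in args, "verify_name": verify_name}
        if not f["tls"]:
            f["status"] = "FAIL: NBD disk stream without TLS"
        elif "tls-hostname" not in args:
            f["status"] = f"FAIL: no tls-hostname, cert checked against {verify_name}"
        elif verify_name != expected_tls_hostname:
            f["status"] = f"FAIL: tls-hostname {verify_name!r} != expected"
        else:
            f["status"] = "OK"
        findings.append(f)
    return findings


# Sample log. Line 1 is the real command from comment 7; the rest are
# constructed for this example (pre-fix command, plaintext NBD, a reply
# and an unrelated command).
SAMPLE_LOG = [
    '  8.599 > 0x7f8e6c084740 {"execute":"blockdev-add","arguments":{"driver":"nbd","server":{"type":"inet","host":"hhan-rhel9--1","port":"49156"},"export":"drive-virtio-disk0","tls-creds":"objlibvirt_migrate_tls0","tls-hostname":"hhan-rhel9--1","node-name":"migration-vda-storage","read-only":false,"discard":"unmap"},"id":"libvirt-429"}',
    '  8.600 < 0x7f8e6c084740 {"return": {}, "id": "libvirt-429"}',
    '  9.100 > 0x7f8e6c084740 {"execute":"blockdev-add","arguments":{"driver":"nbd","server":{"type":"inet","host":"192.168.100.6","port":"49156"},"export":"drive-virtio-disk0","tls-creds":"objlibvirt_migrate_tls0","node-name":"migration-vda-storage","read-only":false,"discard":"unmap"},"id":"libvirt-101"}',
    '  9.200 > 0x7f8e6c084740 {"execute":"blockdev-add","arguments":{"driver":"nbd","server":{"type":"inet","host":"192.168.100.6","port":"49156"},"export":"drive-virtio-disk1","node-name":"migration-vdb-storage","read-only":false,"discard":"unmap"},"id":"libvirt-102"}',
    '  9.300 > 0x7f8e6c084740 {"execute":"query-migrate","id":"libvirt-103"}',
]

if __name__ == "__main__":
    for finding in audit_nbd_tls(SAMPLE_LOG, "hhan-rhel9--1"):
        print(f"{finding['node']}: {finding['status']}")
```

Run it against `/var/log/libvirt/qemu/<domain>.log` on the source host with the name you passed to `--tls-destination`; anything other than `OK` means a disk stream was either sent in the clear or validated against a name you did not intend.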
Comment 10 Han Han 2022-05-06 06:44:58 UTC
Tested on libvirt-8.2.0-1.el9.x86_64 libvirt-8.2.0-1.el9.x86_64 as in comment 7. PASS

Comment 13 errata-xmlrpc 2022-11-15 10:03:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: libvirt security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8003

