Bug 1901448 - nbd+tls: Allow override of name used for verification of TLS certificate
Summary: nbd+tls: Allow override of name used for verification of TLS certificate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: qemu-kvm
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Eric Blake
QA Contact: aihua liang
URL:
Whiteboard:
Depends On:
Blocks: 1901394
Reported: 2020-11-25 09:26 UTC by Peter Krempa
Modified: 2022-11-30 01:24 UTC (History)
CC List: 14 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1901394
Environment:
Last Closed: 2022-05-13 06:29:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Description Peter Krempa 2020-11-25 09:26:30 UTC
For regular migration libvirt uses the 'tls-hostname' field of 'MigrateSetParameters' QAPI struct to override the name which is used to validate the TLS certificate of the server against if the client wishes so.

For non-shared-storage migration libvirt exports the disks on the destination side via the builtin NBD server. The source part then blockdev-adds the NBD exports and uses the 'mirror' job to copy over the storage. Unfortunately the NBD client used by the block code doesn't allow us to do the same override as the migration code, which breaks migration in the cases where the name can't be matched without the override.

+++ This bug was initially created as a clone of Bug #1901394 +++

Description of problem:
When do vm migration with copy storage and tls enabled, --tls-destination doesn't take effect for disk migration

Version-Release number of selected component (if applicable):
libvirt-6.6.0-8

How reproducible:
100%

Steps to Reproduce:
1. Do vm migration with copy storage and tls enabled, specify the migrateuri, disksuri and tls destination:
# virsh migrate avocado-vt-vm1 qemu+unix://<dest host>/system --live --p2p --migrateuri tcp://10.16.218.252:49156 --tls --tls-destination <dest hostname> --copy-storage-all --disks-uri tcp://192.168.100.6:49156
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname 192.168.100.6

2. Do vm migration with copy storage and tls enabled, specify the migrateuri, tls destination
# virsh migrate avocado-vt-vm1 qemu+unix://<dest host>/system --live ---p2p  --migrateuri tcp://10.16.218.252:49156 --tls --tls-destination <dest hostname> --copy-storage-all 
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname 10.16.218.252

Comment 1 Fangge Jin 2020-11-25 09:39:11 UTC
Version: qemu-kvm-5.1.0-15

Comment 2 Eric Blake 2020-11-25 21:07:25 UTC
Fixing this may also be a good time to get TLS working over Unix sockets in qemu. See the following thread for the last time it was discussed:

https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01334.html
https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01581.html

Comment 3 Klaus Heinrich Kiwi 2021-07-13 17:15:15 UTC
I'm having a hard-time thinking in how to prioritize this...

(In reply to Eric Blake from comment #2)
> Fixing this may also be a good time to get TLS working over Unix sockets in
> qemu. See the following thread for the last time it was discussed:
> 
> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01334.html
> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01581.html

Are you suggesting that this may be a dependency for this work? Are you still the right person for this to be assigned to?

Comment 4 John Ferlan 2021-09-09 11:47:34 UTC
Bulk update: Move RHEL-AV bugs to RHEL9. If necessary to resolve in RHEL8, then clone to the current RHEL8 release.

Comment 5 Eric Blake 2022-03-09 20:15:46 UTC
Dan landed the following patches into upstream 7.0, plus accompanying testsuite improvements, that should address this:

Daniel P. Berrangé (5):
      crypto: mandate a hostname when checking x509 creds on a client
      block: pass desired TLS hostname through from block driver client
      block/nbd: support override of hostname for TLS certificate validation
      qemu-nbd: add --tls-hostname option for TLS certificate validation
      block/nbd: don't restrict TLS usage to IP sockets

https://lists.gnu.org/archive/html/qemu-devel/2022-03/msg02398.html, commit fdee2c96923dfd38aa7a264abb7de6d403f81c4d
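
The override that the description and the patch series in comment 5 are about, as an added illustration that is not part of this bug report and not qemu or libvirt code: the client dials one address (the `--migrateuri` / `--disks-uri` endpoint) but compares the server certificate against a separately supplied name (`--tls-destination`, qemu's `tls-hostname`), and, matching the first patch in the series, refuses to verify at all when it has no name to compare against instead of silently skipping the name check. The certificate dictionary, the hostname `dst.example.test` and the address `192.0.2.10` are constructed; `open_tls_connection` relies on the `server_hostname` parameter of Python's `ssl` module for the same purpose and is not exercised offline.

```python
"""Added example (not from the bug or from qemu/libvirt): check a server
certificate against an explicit override name rather than the address we
dialled, mirroring libvirt's --tls-destination / qemu's tls-hostname."""
import ipaddress
import socket
import ssl


class CertificateNameMismatch(Exception):
    """Raised when no name in the certificate covers the expected name."""


def _dns_match(pattern, hostname):
    """RFC 6125-style DNS-ID match. Both args lowercased, no trailing dot.
    A wildcard is accepted only as the whole leftmost label and must not
    swallow a registered domain such as 'example.test'."""
    if pattern.startswith("*."):
        plabels = pattern.split(".")
        hlabels = hostname.split(".")
        return (len(plabels) == len(hlabels) and len(hlabels) > 2
                and plabels[1:] == hlabels[1:])
    return pattern == hostname


def match_hostname(cert, hostname):
    """Verify `cert` (dict shaped like ssl.SSLSocket.getpeercert()) against
    `hostname`, which may be a DNS name or an IP address literal.
    Returns True on success, raises CertificateNameMismatch otherwise."""
    if not hostname:
        # The name check is part of verification: with nothing to compare
        # against, fail closed instead of quietly skipping it.
        raise CertificateNameMismatch(
            "no expected hostname given; refusing to skip the name check")
    hostname = hostname.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    dns_ids = [v.lower().rstrip(".") for k, v in sans if k == "DNS"]
    ip_ids = [v for k, v in sans if k == "IP Address"]
    if ip is not None:
        # An IP literal only matches an iPAddress SAN, never a DNS name or CN.
        if any(ipaddress.ip_address(v) == ip for v in ip_ids):
            return True
    elif dns_ids:
        if any(_dns_match(p, hostname) for p in dns_ids):
            return True
    else:
        # Legacy fallback: consult the subject CN only when no DNS SAN exists.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_match(value.lower().rstrip("."), hostname):
                    return True
    raise CertificateNameMismatch(f"Certificate does not match the hostname {hostname}")


def verification_name(connect_addr, tls_hostname=None):
    """The name a client must compare the certificate against: the override
    (--tls-destination / tls-hostname) when supplied, else the dialled address."""
    return tls_hostname or connect_addr


def open_tls_connection(addr, port, cafile, tls_hostname=None):
    """Connect to addr:port but verify the certificate against the override name.
    Python's ssl checks the certificate against server_hostname (and uses it for
    SNI when it is a DNS name), so the whole override is this one argument."""
    ctx = ssl.create_default_context(cafile=cafile)
    sock = socket.create_connection((addr, port))
    return ctx.wrap_socket(sock, server_hostname=verification_name(addr, tls_hostname))


# Constructed certificate, in getpeercert() form, for a destination host whose
# cert carries its hostname but not the IP address the disks-uri points at.
DST_HOSTNAME = "dst.example.test"
DST_IP = "192.0.2.10"
SERVER_CERT = {
    "subject": ((("organizationName", "Red Hat"),), (("commonName", DST_HOSTNAME),)),
    "subjectAltName": (("DNS", DST_HOSTNAME),),
}


def check_with_and_without_override():
    """Reproduce the bug's failure mode on the constructed data: verifying
    against the dialled IP fails, verifying against the override name passes."""
    results = {}
    for override in (None, DST_HOSTNAME):
        name = verification_name(DST_IP, override)
        try:
            match_hostname(SERVER_CERT, name)
            results[name] = "ok"
        except CertificateNameMismatch as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in check_with_and_without_override().items():
        print(f"verify against {name!r}: {outcome}")
```

Without the override, the only name the client has is the address it dialled, so a certificate issued to the destination's hostname can never match and the mirror job fails exactly as the reporter's `blockdev-add` error shows; with the override the same certificate passes, and nothing about the CA check or the transport address has to be weakened to get there.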

Comment 6 aihua liang 2022-03-18 03:46:48 UTC
Test on qemu-kvm-6.2.0-11.el9, can reproduce this issue.

#cat server.info
organization = Red Hat
cn = $dst_hostname
tls_www_server
encryption_key
signing_key

#virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://$dst_hostip:49156 --tls-destination $dst_hostname
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname $dst_hostip

Comment 8 aihua liang 2022-05-13 02:35:44 UTC
Test with qemu-kvm-7.0.0-1.el9 and without --disks-uri, don't hit this issue any more.
In src:
 #virsh start rhel9
Domain 'rhel9' started

 # virsh list
 Id   Name    State
-----------------------
 1    rhel9   running

  # virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://10.73.114.14:49156 --tls-destination dell-per440-09.lab.eng.pek2.redhat.com
Migration: [100 %]

In dst:
 # virsh list
 Id   Name    State
-----------------------
 1    rhel9   running

Comment 10 aihua liang 2022-05-13 03:06:39 UTC
Test with qemu-kvm-7.0.0-1.el9/libvirt-8.3.0-1.el9.x86_64 and --disks-uri, don't hit this issue any more.
In src:
 # virsh start rhel9
Domain 'rhel9' started

 # virsh list
 Id   Name    State
-----------------------
 1    rhel9   running

  # virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://10.73.114.14:49156 --tls-destination dell-per440-09.lab.eng.pek2.redhat.com --disks-uri tcp://10.73.114.14:49157
Migration: [100 %]

In dst:
 # virsh list
 Id   Name    State
-----------------------
 1    rhel9   running

