For regular migration libvirt uses the 'tls-hostname' field of the 'MigrateSetParameters' QAPI struct to override the name which is used to validate the TLS certificate of the server against, if the client wishes so. For non-shared-storage migration libvirt exports the disks on the destination side via the builtin NBD server. The source part then blockdev-adds the NBD exports and uses the 'mirror' job to copy over the storage. Unfortunately the NBD client used by the block code doesn't allow us to do the same override as the migration code, which breaks migration in the cases where the name can't be matched without the override.

+++ This bug was initially created as a clone of Bug #1901394 +++

Description of problem:
When doing VM migration with copy storage and TLS enabled, --tls-destination doesn't take effect for disk migration.

Version-Release number of selected component (if applicable):
libvirt-6.6.0-8

How reproducible:
100%

Steps to Reproduce:
1. Do VM migration with copy storage and TLS enabled, specifying the migrateuri, disksuri and tls destination:

    # virsh migrate avocado-vt-vm1 qemu+unix://<dest host>/system --live --p2p --migrateuri tcp://10.16.218.252:49156 --tls --tls-destination <dest hostname> --copy-storage-all --disks-uri tcp://192.168.100.6:49156
    error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname 192.168.100.6

2. Do VM migration with copy storage and TLS enabled, specifying the migrateuri and tls destination:

    # virsh migrate avocado-vt-vm1 qemu+unix://<dest host>/system --live ---p2p --migrateuri tcp://10.16.218.252:49156 --tls --tls-destination <dest hostname> --copy-storage-all
    error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname 10.16.218.252
Version: qemu-kvm-5.1.0-15
Fixing this may also be a good time to get TLS working over Unix sockets in qemu. See the following thread for the last time it was discussed:

https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01334.html
https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01581.html
I'm having a hard time thinking of how to prioritize this...

(In reply to Eric Blake from comment #2)
> Fixing this may also be a good time to get TLS working over Unix sockets in
> qemu. See the following thread for the last time it was discussed:
>
> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01334.html
> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01581.html

Are you suggesting that this may be a dependency for this work? Are you still the right person for this to be assigned to?
Bulk update: Move RHEL-AV bugs to RHEL9. If necessary to resolve in RHEL8, then clone to the current RHEL8 release.
Dan landed the following patches into upstream 7.0, plus accompanying testsuite improvements, that should address this:

Daniel P. Berrangé (5):
  crypto: mandate a hostname when checking x509 creds on a client
  block: pass desired TLS hostname through from block driver client
  block/nbd: support override of hostname for TLS certificate validation
  qemu-nbd: add --tls-hostname option for TLS certificate validation
  block/nbd: don't restrict TLS usage to IP sockets

https://lists.gnu.org/archive/html/qemu-devel/2022-03/msg02398.html, commit fdee2c96923dfd38aa7a264abb7de6d403f81c4d
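To illustrate the failure in the description and what the NBD hostname override from the patch series above changes, here is an added Python example (not libvirt's or QEMU's code). It emulates the client-side certificate name check against a constructed SAN list and builds the QMP 'blockdev-add' an NBD client would receive, with and without the 'tls-hostname' key that QEMU 7.0 added to the NBD block driver options; the node name, export name and certificate names are assumptions.

```python
import ipaddress

# Constructed for this example: the destination's server certificate names only
# its DNS name, not the IP the migration/NBD connection is made to.
DEST_CERT_SANS = [("DNS", "dest.example.internal")]


def san_matches(sans, name):
    """Emulate the x509 client name check: an IP literal must equal an
    iPAddress SAN; a DNS name must equal a dNSName SAN, with a single
    leading '*.' wildcard allowed for the leftmost label only."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            if value.lower() == name.lower():
                return True
            if value.startswith("*.") and "." in name:
                if name.split(".", 1)[1].lower() == value[2:].lower():
                    return True
    return False


def nbd_blockdev_add(node, host, port, export, tls_creds, tls_hostname=None):
    """Build the QMP 'blockdev-add' for an NBD client over TCP. Without
    'tls-hostname' the certificate is validated against the connection
    address (host), which is exactly what fails in the bug report."""
    opts = {"driver": "nbd", "node-name": node, "export": export,
            "server": {"type": "inet", "host": host, "port": str(port)},
            "tls-creds": tls_creds}
    if tls_hostname:
        opts["tls-hostname"] = tls_hostname   # override added in QEMU 7.0
    return {"execute": "blockdev-add", "arguments": opts}


def tls_check(cmd, sans):
    """Return (name the client validates against, whether the check passes)."""
    args = cmd["arguments"]
    name = args.get("tls-hostname") or args["server"]["host"]
    return name, san_matches(sans, name)


if __name__ == "__main__":
    for override in (None, "dest.example.internal"):
        cmd = nbd_blockdev_add("disk0", "10.16.218.252", 49156, "disk0", "tls0", override)
        print(tls_check(cmd, DEST_CERT_SANS))
```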
Test on qemu-kvm-6.2.0-11.el9, can reproduce this issue.

# cat server.info
organization = Red Hat
cn = $dst_hostname
tls_www_server
encryption_key
signing_key

# virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://$dst_hostip:49156 --tls-destination $dst_hostname
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname $dst_hostip
Test with qemu-kvm-7.0.0-1.el9 and without --disks-uri, don't hit this issue any more.

In src:
# virsh start rhel9
Domain 'rhel9' started

# virsh list
 Id   Name    State
-----------------------
 1    rhel9   running

# virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://10.73.114.14:49156 --tls-destination dell-per440-09.lab.eng.pek2.redhat.com
Migration: [100 %]

In dst:
# virsh list
 Id   Name    State
-----------------------
 1    rhel9   running
Test with qemu-kvm-7.0.0-1.el9/libvirt-8.3.0-1.el9.x86_64 and --disks-uri, don't hit this issue any more.

In src:
# virsh start rhel9
Domain 'rhel9' started

# virsh list
 Id   Name    State
-----------------------
 1    rhel9   running

# virsh migrate rhel9 --desturi qemu+unix:///system?socket=/tmp/test.sock --live --verbose --copy-storage-all --tls --p2p --migrateuri tcp://10.73.114.14:49156 --tls-destination dell-per440-09.lab.eng.pek2.redhat.com --disks-uri tcp://10.73.114.14:49157
Migration: [100 %]

In dst:
# virsh list
 Id   Name    State
-----------------------
 1    rhel9   running