On Mon, Apr 30, 2018 at 10:42:24AM +0200, Peter Krempa wrote:
> On Fri, Apr 27, 2018 at 10:55:56 +0100, Daniel Berrange wrote:
> > On Thu, Apr 26, 2018 at 04:51:49PM +0200, Peter Krempa wrote:
> > > Since libvirt is currently not able to set up the NBD migration stream
> > > secured by TLS we should not allow such migration since data would be
> > > transferred unencrypted.
> > >
> > > This will break compatibility of TLS migration if non-shared storage is
> > > requested but the security implications are more severe.
> > >
> > > Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
> > > ---
> > > src/qemu/qemu_migration.c | 9 +++++++++
> > > 1 file changed, 9 insertions(+)
> >
> > Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
>
> Pushed now, thanks.
>
> > IIUC, this doesn't actually require the 3 previous patches and can be
> > pushed on its own - we should push for this immediate release.
>
> The idea behind the other 3 patches was to actually implement the
> destination side, so that we have both sides covered. If you enable TLS
> for the NBD server it will not connect unless TLS is used. By using
> this patch only, an older source libvirtd will be able to migrate
> even with newer destination libvirtd, since that will not require TLS
> until those 3 patches are pushed.

Oh I see, nice trick.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|