On Wed, Nov 25, 2015 at 11:52:21AM +0100, Laszlo Ersek wrote:
> I recently upgraded my laptop from RHEL-7.1 to RHEL-7.2.
> I always pay attention to *.rpmnew config files, and I manually diff and
> merge them with the ones I have in place.
> I did the same with "/etc/libvirt/qemu.conf" this time.
> Now libvirtd doesn't start for me. Systemd doesn't actually notice the
> startup failure (insert bitter joke about systemd being so much better
> than startup scripts); it only reports the service inactive/dead (=
> unstarted), rather than failed.
> But, the libvirtd log file gives the reason:
>
>   migration_address must not be the address of the local machine: 127.0.0.1
>
> The error is easy to fix up in the config file, but my question is:
> Why must migration_address not be the address of the local machine?
The migration address for incoming migration over TCP needs to be
a public facing IP address, otherwise the remote machine won't be
able to connect to it. If you configure migration_address on the
target machine to be 127.0.0.1, then obviously no migration client
connection will ever succeed, hence we consider 127.0.0.1 as an
invalid configuration.
> BTW, my purpose is not in-host migration (perhaps that's indeed
> unsupported, I don't know); I just want to lock down the incoming
> migration port (and not just with firewall rules).
What's wrong with using firewall rules? IMHO you are describing
exactly the scenario that they are intended to deal with.
> If there's a way to disable incoming migration in libvirtd, I'd be
> interested in that.
You could setup libvirt's API access control rules to deny the
"migrate" privilege to all users. Using firewall rules is a
more secure solution though IMHO
Regards,
Daniel
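The startup check Laszlo hit, reconstructed as an added Python example that is not libvirt's own code: it parses the key = value lines of a qemu.conf fragment and rejects a loopback migration_address with the same message libvirtd logged. Treating IPv6 ::1 the same way, and stripping "#" comments, are assumptions of this example rather than facts from the thread.

```python
import ipaddress
import re

# Constructed qemu.conf fragment reproducing the broken setting from the thread;
# not a real file from the poster's machine.
SAMPLE_QEMU_CONF = '''
# Override the listen address for incoming migration.
migration_address = "127.0.0.1"
migration_port_min = 49152
'''

# libvirt conf files are "key = value" lines; values are quoted strings or numbers.
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_qemu_conf(text):
    """Return a dict of key -> unquoted value; a later assignment overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        # Assumption: '#' starts a comment and never appears inside a quoted value.
        line = line.split('#', 1)[0]
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in '"\'':
            raw = raw[1:-1]
        values[key] = raw
    return values


def check_migration_address(text):
    """Return None if migration_address is acceptable, else the reason it is rejected."""
    value = parse_qemu_conf(text).get('migration_address')
    if value is None:
        return None  # unset: libvirtd falls back to its default listen address
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return f'migration_address is not an IP address: {value}'
    if addr.is_loopback:
        # A remote migration client can never reach a loopback listener,
        # so the daemon refuses to start with this configuration.
        return f'migration_address must not be the address of the local machine: {value}'
    return None


if __name__ == '__main__':
    print(check_migration_address(SAMPLE_QEMU_CONF))
```

Run it before restarting libvirtd after merging a .rpmnew file; a None result means the setting would not trigger this particular refusal.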