[libvirt PATCH 0/2] Add more documentation for migrations over UNIX sockets

A few words about SELinux that might not be very clear to some.

Martin Kletzander (2):
  qemu: Disable NBD TLS migration over UNIX socket
  docs: Document SELinux caveats when migrating over UNIX sockets

 docs/manpages/virsh.rst   |  9 ++++++++-
 docs/migration.html.in    |  9 +++++++++
 src/qemu/qemu_migration.c | 10 ++++++++--
 3 files changed, 25 insertions(+), 3 deletions(-)

-- 
2.29.2

Even though it is technically possible, when running the migrations QEMU's nbd-server-start errors out with: "TLS is only supported with IPv4/IPv6" We can always enable it when QEMU adds this feature, but for now it is safer to show our error message rather than rely on QEMU to error out properly. Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- src/qemu/qemu_migration.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index fef0be63a1a7..dd44849b1a87 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1100,6 +1100,12 @@ qemuMigrationSrcNBDStorageCopy(virQEMUDriverPtr driver, if (uri->port) port = uri->port; } else if (STREQ(uri->scheme, "unix")) { + if (flags & VIR_MIGRATE_TLS) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("NBD migration with TLS is not supported over UNIX socket")); + return -1; + } + if (!uri->path) { virReportError(VIR_ERR_INVALID_ARG, "%s", _("UNIX disks URI does not include path")); @@ -4330,12 +4336,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriverPtr driver, VIR_DEBUG("driver=%p, sconn=%p, dconn=%p, dconnuri=%s, vm=%p, xmlin=%s, " "dname=%s, uri=%s, graphicsuri=%s, listenAddress=%s, " - "nmigrate_disks=%zu, migrate_disks=%p, nbdPort=%d, " + "nmigrate_disks=%zu, migrate_disks=%p, nbdPort=%d, nbdURI=%s, " "bandwidth=%llu, useParams=%d, flags=0x%lx", driver, sconn, dconn, NULLSTR(dconnuri), vm, NULLSTR(xmlin), NULLSTR(dname), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), nmigrate_disks, migrate_disks, nbdPort, - bandwidth, useParams, flags); + NULLSTR(nbdURI), bandwidth, useParams, flags); /* Unlike the virDomainMigrateVersion3 counterpart, we don't need * to worry about auto-setting the VIR_MIGRATE_CHANGE_PROTECTION -- 2.29.2
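Review bot: The new `if (flags & VIR_MIGRATE_TLS)` rejection in the `unix` branch of qemuMigrationSrcNBDStorageCopy runs on the source side, yet the commit message says the failure comes from QEMU's nbd-server-start, which is issued where the NBD server is started; please confirm the destination cannot already have tried to start a TLS NBD server on the UNIX socket before the source reaches this check, or add the same check on that path so the clearer libvirt error is reported first in both directions. Since this is now a libvirt-side limitation rather than a QEMU quirk, a sentence next to the `--disks-uri unix://` description in docs/manpages/virsh.rst (which the second patch already touches) would save users from hitting VIR_ERR_OPERATION_UNSUPPORTED without knowing why.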
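Review bot: The VIR_DEBUG hunk in qemuMigrationSrcPerformPeer2Peer3 (adding `nbdURI=%s, ` to the format string and `NULLSTR(nbdURI)` in the matching argument position) is a correct fix for a debug line that was missing the new parameter, but it has nothing to do with the TLS-over-UNIX check the subject and commit message describe; split it into its own commit so the history stays bisectable and the subject matches the change.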

On Wed, Nov 18, 2020 at 21:10:02 +0100, Martin Kletzander wrote:
Even though it is technically possible, when running the migrations QEMU's nbd-server-start errors out with:
"TLS is only supported with IPv4/IPv6"
We can always enable it when QEMU adds this feature, but for now it is safer to show our error message rather than rely on QEMU to error out properly.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- src/qemu/qemu_migration.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index fef0be63a1a7..dd44849b1a87 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1100,6 +1100,12 @@ qemuMigrationSrcNBDStorageCopy(virQEMUDriverPtr driver, if (uri->port) port = uri->port; } else if (STREQ(uri->scheme, "unix")) { + if (flags & VIR_MIGRATE_TLS) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("NBD migration with TLS is not supported over UNIX socket")); + return -1; + } + if (!uri->path) { virReportError(VIR_ERR_INVALID_ARG, "%s", _("UNIX disks URI does not include path"));
For this patch with just the hunk above: Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
@@ -4330,12 +4336,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriverPtr driver,
VIR_DEBUG("driver=%p, sconn=%p, dconn=%p, dconnuri=%s, vm=%p, xmlin=%s, " "dname=%s, uri=%s, graphicsuri=%s, listenAddress=%s, " - "nmigrate_disks=%zu, migrate_disks=%p, nbdPort=%d, " + "nmigrate_disks=%zu, migrate_disks=%p, nbdPort=%d, nbdURI=%s, " "bandwidth=%llu, useParams=%d, flags=0x%lx", driver, sconn, dconn, NULLSTR(dconnuri), vm, NULLSTR(xmlin), NULLSTR(dname), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), nmigrate_disks, migrate_disks, nbdPort, - bandwidth, useParams, flags); + NULLSTR(nbdURI), bandwidth, useParams, flags);
/* Unlike the virDomainMigrateVersion3 counterpart, we don't need * to worry about auto-setting the VIR_MIGRATE_CHANGE_PROTECTION
This hunk is clearly unrelated and should not be part of this patch. Jirka

The information about sockets having different label than the one on the file and the way it needs to be set is very difficult to find for those who did not come across it before. Let's describe what needs to happen in order for the migration to go through rather than rely on general knowledge of others. Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- docs/manpages/virsh.rst | 9 ++++++++- docs/migration.html.in | 9 +++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst index 1ae6d1a0d450..f0836b14defa 100644 --- a/docs/manpages/virsh.rst +++ b/docs/manpages/virsh.rst @@ -3340,7 +3340,14 @@ migrating disks. This can be *tcp://address:port* to specify a listen address UNIX socket with that specified path. In this case you need to make sure the same socket path is accessible to both source and destination hypervisors and connecting to the socket on the source (after hypervisor creates it on the -destination) will actually connect to the destination. +destination) will actually connect to the destination. If you are using SELinux +(at least on the source host) you need to make sure the socket on the source is +accessible to libvirtd/QEMU for connection. That is because libvirt cannot +change the context of the socket because it is different from the file +representation of the socket and because the context is chosen by its creator +(usually by using *setsockcreatecon{,_raw}()* functions). Generally +*system_r:system_u:svirt_socket_t:s0* should do the trick, but check the SELinux +rules and settings of your system. migrate-compcache diff --git a/docs/migration.html.in b/docs/migration.html.in index 77731eeb373e..79ceed62747f 100644 --- a/docs/migration.html.in +++ b/docs/migration.html.in 
@@ -658,6 +658,15 @@ virsh migrate --p2p --tunnelled web1 qemu+ssh://desthost/system qemu+ssh://10.0. virsh migrate web1 [--p2p] --copy-storage-all 'qemu+unix:///system?socket=/tmp/migdir/test-sock-driver' 'unix:///tmp/migdir/test-sock-qemu' --disks-uri unix:///tmp/migdir/test-sock-nbd </pre> + <p> + One caveat is that on SELinux-enabled systems all the sockets that the + hypervisor is going to connect to needs to have the proper context and + that is chosen before its creation by the process that creates it. That + is usually done by using <code>setsockcreatecon{,raw}()</code> functions. + Generally *system_r:system_u:svirt_socket_t:s0* should do the trick, but + check the SELinux rules and settings of your system. + </p> + <p> Supported by QEMU driver </p> -- 2.29.2
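Review bot: In the docs/manpages/virsh.rst hunk the suggested context `*system_r:system_u:svirt_socket_t:s0*` has the SELinux user and role fields swapped; a security context is written user:role:type:level, so it should read `system_u:system_r:svirt_socket_t:s0`, otherwise anyone copying it into a setsockcreatecon() call gets an invalid context string. The added sentence "That is because libvirt cannot change the context of the socket because it is different from the file representation of the socket and because the context is chosen by its creator" also chains three "because"s; two sentences (libvirt cannot relabel the existing socket since its context is independent of the path's file label; the creating process picks it via setsockcreatecon()) would read more easily.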
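Review bot: The docs/migration.html.in hunk is inconsistent with the virsh.rst wording in three places: `<code>setsockcreatecon{,raw}()</code>` drops the underscore (the raw variant is setsockcreatecon_raw(), and the rst hunk correctly spells it `{,_raw}`); `*system_r:system_u:svirt_socket_t:s0*` uses RST-style asterisks that will render literally in HTML, so wrap it in `<code>` like the function name, and its fields are in the wrong order (user:role:type:level gives `system_u:system_r:svirt_socket_t:s0`); and "all the sockets that the hypervisor is going to connect to needs to have" should be "need to have" to agree with the plural subject.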

On Wed, Nov 18, 2020 at 21:10:03 +0100, Martin Kletzander wrote:
The information about sockets having different label than the one on the file and the way it needs to be set is very difficult to find for those who did not come across it before. Let's describe what needs to happen in order for the migration to go through rather than rely on general knowledge of others.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- docs/manpages/virsh.rst | 9 ++++++++- docs/migration.html.in | 9 +++++++++ 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst index 1ae6d1a0d450..f0836b14defa 100644 --- a/docs/manpages/virsh.rst +++ b/docs/manpages/virsh.rst @@ -3340,7 +3340,14 @@ migrating disks. This can be *tcp://address:port* to specify a listen address UNIX socket with that specified path. In this case you need to make sure the same socket path is accessible to both source and destination hypervisors and connecting to the socket on the source (after hypervisor creates it on the -destination) will actually connect to the destination. +destination) will actually connect to the destination. If you are using SELinux +(at least on the source host) you need to make sure the socket on the source is +accessible to libvirtd/QEMU for connection. That is because libvirt cannot +change the context of the socket because it is different from the file +representation of the socket and because the context is chosen by its creator +(usually by using *setsockcreatecon{,_raw}()* functions). Generally +*system_r:system_u:svirt_socket_t:s0* should do the trick, but check the SELinux +rules and settings of your system.
ETOOMANYBECAUSE ;-) How about:

... If you are using SELinux (at least on the source host) you need to make sure the socket on the source is accessible to libvirtd/QEMU for connection. Libvirt cannot change the context of the existing socket because it is different from the file representation of the socket and the context is chosen by its creator (usually by using *setsockcreatecon{,_raw}()* functions). ...

... Even what you have is a lot better than nothing, so

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

but it would be nice if you could make it a little bit easier to read before pushing.