2:10 p.m.
Few words about SELinux that might not be very clear to some.
Martin Kletzander (2):
qemu: Disable NBD TLS migration over UNIX socket
docs: Document SELinux caveats when migrating over UNIX sockets
docs/manpages/virsh.rst | 9 ++++++++-
docs/migration.html.in | 9 +++++++++
src/qemu/qemu_migration.c | 10 ++++++++--
3 files changed, 25 insertions(+), 3 deletions(-)
--
2.29.2
2:10 p.m.
New subject: [libvirt PATCH 1/2] qemu: Disable NBD TLS migration over UNIX socket
Even though it is technically possible, when running the migrations QEMU's
nbd-server-start errors out with:
"TLS is only supported with IPv4/IPv6"
We can always enable it when QEMU adds this feature, but for now it is safer to
show our error message rather than rely on QEMU to error out properly.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/qemu/qemu_migration.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index fef0be63a1a7..dd44849b1a87 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1100,6 +1100,12 @@ qemuMigrationSrcNBDStorageCopy(virQEMUDriverPtr driver,
if (uri->port)
port = uri->port;
} else if (STREQ(uri->scheme, "unix")) {
+ if (flags & VIR_MIGRATE_TLS) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("NBD migration with TLS is not supported over UNIX
socket"));
+ return -1;
+ }
+
if (!uri->path) {
virReportError(VIR_ERR_INVALID_ARG, "%s",
_("UNIX disks URI does not include path"));
@@ -4330,12 +4336,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriverPtr driver,
VIR_DEBUG("driver=%p, sconn=%p, dconn=%p, dconnuri=%s, vm=%p, xmlin=%s, "
"dname=%s, uri=%s, graphicsuri=%s, listenAddress=%s, "
- "nmigrate_disks=%zu, migrate_disks=%p, nbdPort=%d, "
+ "nmigrate_disks=%zu, migrate_disks=%p, nbdPort=%d, nbdURI=%s, "
"bandwidth=%llu, useParams=%d, flags=0x%lx",
driver, sconn, dconn, NULLSTR(dconnuri), vm, NULLSTR(xmlin),
NULLSTR(dname), NULLSTR(uri), NULLSTR(graphicsuri),
NULLSTR(listenAddress), nmigrate_disks, migrate_disks, nbdPort,
- bandwidth, useParams, flags);
+ NULLSTR(nbdURI), bandwidth, useParams, flags);
/* Unlike the virDomainMigrateVersion3 counterpart, we don't need
* to worry about auto-setting the VIR_MIGRATE_CHANGE_PROTECTION
--
2.29.2
4:28 p.m.
New subject: [libvirt PATCH 1/2] qemu: Disable NBD TLS migration over UNIX socket
On Wed, Nov 18, 2020 at 21:10:02 +0100, Martin Kletzander wrote:
Even though it is technically possible, when running the migrations
QEMU's
nbd-server-start errors out with:
"TLS is only supported with IPv4/IPv6"
We can always enable it when QEMU adds this feature, but for now it is safer to
show our error message rather than rely on QEMU to error out properly.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/qemu/qemu_migration.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index fef0be63a1a7..dd44849b1a87 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1100,6 +1100,12 @@ qemuMigrationSrcNBDStorageCopy(virQEMUDriverPtr driver,
if (uri->port)
port = uri->port;
} else if (STREQ(uri->scheme, "unix")) {
+ if (flags & VIR_MIGRATE_TLS) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("NBD migration with TLS is not supported over UNIX
socket"));
+ return -1;
+ }
+
if (!uri->path) {
virReportError(VIR_ERR_INVALID_ARG, "%s",
_("UNIX disks URI does not include path"));
For this patch with just the hunk above:
Reviewed-by: Jiri Denemark <jdenemar(a)redhat.com>
@@ -4330,12 +4336,12 @@
qemuMigrationSrcPerformPeer2Peer3(virQEMUDriverPtr driver,
VIR_DEBUG("driver=%p, sconn=%p, dconn=%p, dconnuri=%s, vm=%p, xmlin=%s, "
"dname=%s, uri=%s, graphicsuri=%s, listenAddress=%s, "
- "nmigrate_disks=%zu, migrate_disks=%p, nbdPort=%d, "
+ "nmigrate_disks=%zu, migrate_disks=%p, nbdPort=%d, nbdURI=%s, "
"bandwidth=%llu, useParams=%d, flags=0x%lx",
driver, sconn, dconn, NULLSTR(dconnuri), vm, NULLSTR(xmlin),
NULLSTR(dname), NULLSTR(uri), NULLSTR(graphicsuri),
NULLSTR(listenAddress), nmigrate_disks, migrate_disks, nbdPort,
- bandwidth, useParams, flags);
+ NULLSTR(nbdURI), bandwidth, useParams, flags);
/* Unlike the virDomainMigrateVersion3 counterpart, we don't need
* to worry about auto-setting the VIR_MIGRATE_CHANGE_PROTECTION
This hunk is clearly unrelated and should not be part of this patch.
Jirka
2:10 p.m.
New subject: [libvirt PATCH 2/2] docs: Document SELinux caveats when migrating over UNIX sockets
The information about sockets having different label than the one on the file
and the way it needs to be set is very difficult to find for those who did not
come across it before. Let's describe what needs to happen in order for the
migration to go through rather than rely on general knowledge of others.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
docs/manpages/virsh.rst | 9 ++++++++-
docs/migration.html.in | 9 +++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index 1ae6d1a0d450..f0836b14defa 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -3340,7 +3340,14 @@ migrating disks. This can be *tcp://address:port* to specify a
listen address
UNIX socket with that specified path. In this case you need to make sure the
same socket path is accessible to both source and destination hypervisors and
connecting to the socket on the source (after hypervisor creates it on the
-destination) will actually connect to the destination.
+destination) will actually connect to the destination. If you are using SELinux
+(at least on the source host) you need to make sure the socket on the source is
+accessible to libvirtd/QEMU for connection. That is because libvirt cannot
+change the context of the socket because it is different from the file
+representation of the socket and because the context is chosen by its creator
+(usually by using *setsockcreatecon{,_raw}()* functions). Generally
+*system_r:system_u:svirt_socket_t:s0* should do the trick, but check the SELinux
+rules and settings of your system.
migrate-compcache
diff --git a/docs/migration.html.in b/docs/migration.html.in
index 77731eeb373e..79ceed62747f 100644
--- a/docs/migration.html.in
+++ b/docs/migration.html.in
@@ -658,6 +658,15 @@ virsh migrate --p2p --tunnelled web1 qemu+ssh://desthost/system
qemu+ssh://10.0.
virsh migrate web1 [--p2p] --copy-storage-all
'qemu+unix:///system?socket=/tmp/migdir/test-sock-driver'
'unix:///tmp/migdir/test-sock-qemu' --disks-uri unix:///tmp/migdir/test-sock-nbd
</pre>
+ <p>
+ One caveat is that on SELinux-enabled systems all the sockets that the
+ hypervisor is going to connect to needs to have the proper context and
+ that is chosen before its creation by the process that creates it. That
+ is usually done by using <code>setsockcreatecon{,raw}()</code>
functions.
+ Generally *system_r:system_u:svirt_socket_t:s0* should do the trick, but
+ check the SELinux rules and settings of your system.
+ </p>
+
<p>
Supported by QEMU driver
</p>
--
2.29.2
4:40 p.m.
New subject: [libvirt PATCH 2/2] docs: Document SELinux caveats when migrating over UNIX sockets
On Wed, Nov 18, 2020 at 21:10:03 +0100, Martin Kletzander wrote:
The information about sockets having different label than the one on
the file
and the way it needs to be set is very difficult to find for those who did not
come across it before. Let's describe what needs to happen in order for the
migration to go through rather than rely on general knowledge of others.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
docs/manpages/virsh.rst | 9 ++++++++-
docs/migration.html.in | 9 +++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index 1ae6d1a0d450..f0836b14defa 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -3340,7 +3340,14 @@ migrating disks. This can be *tcp://address:port* to specify a
listen address
UNIX socket with that specified path. In this case you need to make sure the
same socket path is accessible to both source and destination hypervisors and
connecting to the socket on the source (after hypervisor creates it on the
-destination) will actually connect to the destination.
+destination) will actually connect to the destination. If you are using SELinux
+(at least on the source host) you need to make sure the socket on the source is
+accessible to libvirtd/QEMU for connection. That is because libvirt cannot
+change the context of the socket because it is different from the file
+representation of the socket and because the context is chosen by its creator
+(usually by using *setsockcreatecon{,_raw}()* functions). Generally
+*system_r:system_u:svirt_socket_t:s0* should do the trick, but check the SELinux
+rules and settings of your system.
ETOOMANYBECAUSE ;-)
How about:
... If you are using SELinux (at least on the source host) you need to
make sure the socket on the source is accessible to libvirtd/QEMU for
connection. Libvirt cannot change the context of the existing socket
because it is different from the file representation of the socket and
the context is chosen by its creator (usually by using
*setsockcreatecon{,_raw}()* functions). ...
...
Even what you have is a lot better than nothing, so
Reviewed-by: Jiri Denemark <jdenemar(a)redhat.com>
but it would be nice if you could make it a little bit easier to read
before pushing.
1440
days inactive
1446
days old
4 comments
2 participants
participants (2)
-
Jiri Denemark -
Martin Kletzander