On 01/04/2021 16:13, Peter Krempa wrote:
> On Thu, Apr 01, 2021 at 15:13:02 +0100, lejeczek wrote:
>> Hi guys.
>>
>> I have KVM guests stored on glusterFS volume and I recently added TLS
>> encryption to Gluster.
>> What changes, tweaks are required at libvirtd/qemu's end?
>
> Looking at the definition of the gluster backend object in qemu:
>
> <cite>
> ##
> # @BlockdevOptionsGluster:
> #
> # Driver specific block device options for Gluster
> #
> # @volume: name of gluster volume where VM image resides
> #
> # @path: absolute path to image file in gluster volume
> #
> # @server: gluster servers description
> #
> # @debug: libgfapi log level (default '4' which is Error)
> #         (Since 2.8)
> #
> # @logfile: libgfapi log file (default /dev/stderr) (Since 2.8)
> #
> # Since: 2.9
> ##
> { 'struct': 'BlockdevOptionsGluster',
>   'data': { 'volume': 'str',
>             'path': 'str',
>             'server': ['SocketAddress'],
>             '*debug': 'int',
>             '*logfile': 'str' } }
> </cite>
>
> it doesn't seem to yet support TLS encryption of the transport or a way
> to set it in a non-implicit way (it still might be possible to trick
> libgfapi to support it via a config file or such).
>
> That means you'll probably need to submit qemu patches implementing the
> support for configuring TLS for gluster to qemu first, and then do the
> same for libvirt.
>
> Libvirt already has some infrastructure for that for NBD and VXHS disks,
> so you can then take inspiration there when implementing it in libvirt.

Ah, not me, no chance, I wish I could help but being a
regular admin I'd have to change profession.
I think, looking at it now, I should rephrase the issue to -
'GlusterFS with TLS & libvirt/qemu with libgfapi'
I'll keep my fingers crossed devel will give this part of
security higher priority and needed improvements,
enhancements will land soon.

many thanks, L.