Hey folks,
I've been experimenting with native NBD live migration w/ TLS and have
a couple of questions.
1) It appears that in some cases a modified default_tls_x509_cert_dir
from qemu.conf is not respected; it seems like virsh always expects the
default location and does not check default_tls_x509_cert_dir:
virsh # migrate vm1 qemu+tls://ratchet.lan/system --live --persistent
--undefinesource --copy-storage-all --verbose --tls
error: internal error: unable to execute QEMU command 'object-add':
Unable to access credentials /etc/pki/qemu/ca-cert.pem: No such file
or directory
It's checking /etc/pki and not the location specified in
default_tls_x509_cert_dir. Is this a bug or am I missing something?
2) QEMU has -object tls-cipher-suites, but there does not seem to be a
way to specify TLS priority in libvirt's qemu conf. Solvable via the
compile-time --tls-priority flag, but that's not very convenient. Is
there a way to set TLS priority for QEMU TLS connections from libvirt
configs? This would be equivalent to libvirtd.conf's tls_priority
setting, but for QEMU, not for libvirt's own connections.
3) After setting up default_tls_x509_cert_dir and
default_tls_x509_verify = 1 (and directories as required, see 1),
virsh initiated migrations with --tls flag succeed and captures show
that it's using TLS. However, they equally succeed without the flag.
Is there a way to ensure that only TLS communication is permitted
between QEMUs? I tried nbd_tls, but that did not seem to have any
effect.
Thanks a lot for your help!
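Added example, not part of the original post: a small shell check for the directory that default_tls_x509_cert_dir points at, so the "Unable to access credentials .../ca-cert.pem" failure from question 1 is caught before a migration is started. It assumes the file layout QEMU's tls-creds-x509 object loads (ca-cert.pem plus server-*.pem or client-*.pem); the function name and message wording are my own.

```shell
# check_qemu_tls_dir DIR ROLE   (ROLE is "server" or "client")
# Prints each problem found; returns 0 if DIR is usable for ROLE, 1 otherwise.
# Assumption: QEMU's tls-creds-x509 loads ca-cert.pem, <role>-cert.pem and
# <role>-key.pem from the directory named in default_tls_x509_cert_dir.
check_qemu_tls_dir() {
    dir=$1
    role=$2
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    # Every file the credentials object opens must exist, or object-add fails.
    for f in ca-cert.pem "$role-cert.pem" "$role-key.pem"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing file: $dir/$f"
            rc=1
        fi
    done
    # A private key readable by every local user undermines the TLS setup;
    # POSIX find's -perm -004 matches files with the "other read" bit set.
    key="$dir/$role-key.pem"
    if [ -f "$key" ] && [ -n "$(find "$dir" -name "$role-key.pem" -perm -004 -print)" ]; then
        echo "world-readable private key: $key"
        rc=1
    fi
    return $rc
}
```

Run it on both hosts (server role on the destination, client role on the source) before retrying the migration.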