qemu: migration: Forbid 'nbd' migration of non-shared storage if TLS is requested

Since libvirt is currently not able to setup the NBD migration stream secured by TLS we should not allow such migration since data would be transferred unencrypted. This will break compatibility of TLS migration if non-shared storage is requested but the security implications are more severe. Signed-off-by: N Peter Krempa <pkrempa@redhat.com>

qemu: migration: Forbid 'nbd' migration of non-shared storage if TLS is requested
Since libvirt is currently not able to setup the NBD migration stream secured by TLS we should not allow such migration since data would be transferred unencrypted. This will break compatibility of TLS migration if non-shared storage is requested but the security implications are more severe. Signed-off-by: N Peter Krempa <pkrempa@redhat.com>
b2b2998a · Peter Krempa · ce5aebea · b2b2998a
隐藏空白更改
内联并排

Showing with 10 addition and 0 deletion

src/qemu/qemu_migration.c src/qemu/qemu_migration.c +10 -0

未找到文件。
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -3339,6 +3339,16 @@ qemuMigrationSrcRun(virQEMUDriverPtr driver,
    if (migrate_flags & (QEMU_MONITOR_MIGRATE_NON_SHARED_DISK |
                         QEMU_MONITOR_MIGRATE_NON_SHARED_INC)) {
        if (mig->nbd) {
+            /* Currently libvirt does not support setting up of the NBD
+             * non-shared storage migration with TLS. As we need to honour the
+             * VIR_MIGRATE_TLS flag, we need to reject such migration until
+             * we implement TLS for NBD. */
+            if (flags & VIR_MIGRATE_TLS) {
+                virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+                               _("NBD migration with TLS is not supported"));
+                goto error;
+            }
            /* This will update migrate_flags on success */
            if (qemuMigrationSrcDriveMirror(driver, vm, mig,
                                            spec->dest.host.name,