Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets

From:	Daniel P . Berrangé
Subject:	Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets
Date:	Thu, 27 Jun 2019 15:58:50 +0100
User-agent:	Mutt/1.11.4 (2019-03-13)

On Thu, Jun 27, 2019 at 09:49:13AM -0500, Eric Blake wrote:
> On 6/26/19 3:22 AM, Daniel P. Berrangé wrote:
> > On Tue, Jun 25, 2019 at 09:49:42PM -0500, Eric Blake wrote:
> >> Although you generally won't use encryption with a Unix socket (after
> >> all, everything is local, so why waste the CPU power), there are
> >> situations in testsuites where Unix sockets are much nicer than TCP
> >> sockets.  Since nbdkit allows encryption over both types of sockets,
> >> it makes sense for qemu-nbd to do likewise.
> >>
> >> Signed-off-by: Eric Blake <address@hidden>
> >> ---
> >>  qemu-nbd.c | 4 ----
> >>  1 file changed, 4 deletions(-)
> > 
> > Reviewed-by: Daniel P. Berrangé <address@hidden>
> > 
> > 
> > Do you need something on the client side too ?
> 
> The proposal that Rich is working on for standardized NBD URIs [1] says
> that we need a patch to support nbds://host/export and
> nbds+unix://export?socket=/path as ways to request an encrypted client
> connection with default encryption parameters. For anything more
> complex, we have to use --imageopts and request an encrypted connection
> by parts - but the QAPI schema already permits us to pass in an
> 'tls-creds' parameter for both TCP and Unix sockets, so no, I don't
> think we need any client side changes at this point.

The QAPI schema isn't what I was thinking about....  in block/nbd.c
we have the same restriction you lifted here

        tlscreds = nbd_get_tls_creds(s->tlscredsid, errp);
        if (!tlscreds) {
            goto error;
        }

        /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */
        if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) {
            error_setg(errp, "TLS only supported over IP sockets");
            goto error;
        }

For client side we would also need to allow a 'tls-hostname' parameter
in BlockdevOptionsNbd, so that the client can pass a hostname to use
for validating the x509 certificate, the same way we allow for live
migration.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets, Eric Blake, 2019/06/25
- Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets, Daniel P . Berrangé, 2019/06/26
  - Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets, Eric Blake, 2019/06/27
    - Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets, Daniel P . Berrangé <=
    - Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets, Eric Blake, 2019/06/27
- Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets, Richard W.M. Jones, 2019/06/26

Prev by Date: Re: [Qemu-devel] [PATCH v4 04/13] vfio: Add migration region initialization and finalize function
Next by Date: Re: [Qemu-devel] [PATCH v2 10/14] target/arm/kvm64: Add kvm_arch_get/put_sve
Previous by thread: Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets
Next by thread: Re: [Qemu-devel] [PATCH] qemu-nbd: Permit TLS with Unix sockets
Index(es):
- Date
- Thread