- qemu: migration: Don't use empty string for 'tls-hostname'

NBD blockdev
2024-06-13 13:11:58 +03:00 · 2024-06-13 13:11:58 +03:00 · 4d7ffe9988
commit 4d7ffe9988
parent 53ed6e9641
2 changed files with 88 additions and 3 deletions
--- a/SOURCES/libvirt-qemu-migration-Don-t-use-empty-string-for-tls-hostname-NBD-blockdev.patch
+++ b/SOURCES/libvirt-qemu-migration-Don-t-use-empty-string-for-tls-hostname-NBD-blockdev.patch
@ -0,0 +1,80 @@
 From 5d48c5d215071526383b8fc50d81ecde62e4111b Mon Sep 17 00:00:00 2001
 From: Peter Krempa <pkrempa@redhat.com>
 Date: Fri, 19 Apr 2024 15:51:35 +0200
 Subject: [PATCH] qemu: migration: Don't use empty string for 'tls-hostname'
 NBD blockdev
 While QEMU accepts and interprets an empty string in the tls-hostname
 field in migration parametes as if it's unset, the same does not apply
 for the 'tls-hostname' field when 'blockdev-add'-ing a NBD backend for
 non-shared storage migration.
 When libvirt sets up migation with TLS in 'qemuMigrationParamsEnableTLS'
 the QEMU_MIGRATION_PARAM_TLS_HOSTNAME migration parameter will be set to
 empty string in case when the 'hostname' argument is passed as NULL.
 Later on when setting up the NBD connections for non-shared storage
 migration 'qemuMigrationParamsGetTLSHostname', which fetches the value
 of the aforementioned TLS parameter.
 This bug was mostly latent until recently as libvirt used
 MIGRATION_DEST_CONNECT_HOST mode in most cases which required the
 hostname to be passed, thus the parameter was set properly.
 This changed with 8d693d79c40 for post-copy migration, where libvirt now
 instructs qemu to connect and thus passes NULL hostname to
 qemuMigrationParamsEnableTLS, which in turn causes libvirt to try to
 add NBD connection with empty string as tls-hostname resulting in:
  error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname
 To address this modify 'qemuMigrationParamsGetTLSHostname' to undo the
 weird semantics the migration code uses to handle TLS hostname and make
 it return NULL if the hostname is an empty string.
 Fixes: e8fa09d66bc
 Resolves: https://issues.redhat.com/browse/RHEL-32880
 Signed-off-by: Peter Krempa <pkrempa@redhat.com>
 Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
 ---
 src/qemu/qemu_migration_params.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
 diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
 index e955822f68f..48f8657f716 100644
 --- a/src/qemu/qemu_migration_params.c
 +++ b/src/qemu/qemu_migration_params.c
@@ -1158,6 +1158,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver,
                                      *tlsAlias) < 0)
         return -1;
 +    /* QEMU interprets an empty string for hostname as if it is not populated */
     if (!migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].set &&
         qemuMigrationParamsSetString(migParams,
                                      QEMU_MIGRATION_PARAM_TLS_HOSTNAME,
@@ -1659,13 +1660,23 @@ qemuMigrationCapsGet(virDomainObj *vm,
  * @migParams: Migration params object
  *
  * Fetches the value of the QEMU_MIGRATION_PARAM_TLS_HOSTNAME parameter which is
 - * passed from the user as VIR_MIGRATE_PARAM_TLS_DESTINATION
 + * passed from the user as VIR_MIGRATE_PARAM_TLS_DESTINATION.
 + *
 + * In contrast with the migration parameter semantics, where an empty string
 + * is considered as if the hostname was not provided, this function will return
 + * NULL instead of an empty string as other parts of QEMU expect that the
 + * hostname is not provided at all.
  */
 const char *
 qemuMigrationParamsGetTLSHostname(qemuMigrationParams *migParams)
 {
 +    const char *hostname = migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].value.s;
 +
     if (!migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].set)
         return NULL;
 -    return migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].value.s;
 +    if (STREQ(hostname, ""))
 +        return NULL;
 +
 +    return hostname;
 }
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@ -270,7 +270,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 10.0.0
-Release: 6.2%{?dist}%{?extra_release}.alma.1
+Release: 6.3%{?dist}%{?extra_release}.alma.1
 License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
 URL: https://libvirt.org/
@ -388,9 +388,10 @@ Patch81: qemu-virtiofs-set-correct-label-when-creating-the-socket.patch
 Patch82: qemu-virtiofs-error-out-if-getting-the-group-or-user-namefails.patch
 # https://gitlab.com/redhat/centos-stream/rpms/libvirt/-/commit/89e6bcfe8fba470f675af3d3da0d85b78abc0214
 Patch83: libvirt-Fix-off-by-one-error-in-udevListInterfacesByStatus.patch
 Patch85: libvirt-remote-check-for-negative-array-lengths-before-allocation.patch
 Patch84: libvirt-qemu-Fix-migration-with-custom-XML.patch
-
+Patch85: libvirt-remote-check-for-negative-array-lengths-before-allocation.patch
 # https://github.com/libvirt/libvirt/commit/5d48c5d215071526383b8fc50d81ecde62e4111b
 Patch86: libvirt-qemu-migration-Don-t-use-empty-string-for-tls-hostname-NBD-blockdev.patch
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -2693,6 +2694,10 @@ exit 0
 %endif
 %changelog
 * Thu Jun 13 2024 Eduard Abdullin <eabdullin@almalinu.org> - 10.0.0-6.3.el9_4.alma.1
 - qemu: migration: Don't use empty string for 'tls-hostname'
 NBD blockdev
 * Tue Apr 30 2024 Eduard Abdullin <eabdullin@almalinu.org> - 10.0.0-6.2.el9_4.alma.1
 - Fix off-by-one error in udevListInterfacesByStatus
 - remote: check for negative array lengths before allocation