From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Laurent Vivier <lvivier@redhat.com>,
Thomas Huth <thuth@redhat.com>,
Juan Quintela <quintela@redhat.com>,
"open list:All patches CC here" <qemu-devel@nongnu.org>,
Markus Armbruster <armbru@redhat.com>,
Yury Kotov <yury-kotov@yandex-team.ru>,
yc-core@yandex-team.ru, Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/3] UUID validation during migration
Date: Tue, 3 Sep 2019 12:45:32 +0100 [thread overview]
Message-ID: <20190903114532.GC15960@redhat.com> (raw)
In-Reply-To: <20190903112140.GE2744@work-vm>
On Tue, Sep 03, 2019 at 12:21:40PM +0100, Dr. David Alan Gilbert wrote:
> * Yury Kotov (yury-kotov@yandex-team.ru) wrote:
> > Hi,
> >
> > This series adds an UUID validation at the start of the migration
> > on the target side. The idea is to identify the source of migration.
> >
> > Possible case of problem:
> > 1. There are 3 servers: A, B and C
> > 2. Server A has a VM 1, server B has a VM 2
> > 3. VM 1 and VM 2 want to migrate to the server C
> > 4. Target of VM 1 starts on the server C and dies too quickly for some reason
> > 5. Target of VM 2 starts just after that and listen the same tcp port X, which
> > the target of VM 1 wanted to use
> > 6. Source of VM 1 connects to the tcp port X, and migrates to VM 2 source
>
> That shouldn't be possible in practice; you specify the destination tcp
> port when you start the destination qemu; so unless the management code
> that starts the migration is very broken it should know which port it's
> migrating to.
> However, if it is very broken then this is a good check.
In some, but not all, cases allowing the wrong source QEMU to connect to
a target QEMU could be considered a serious security flaw.
Historically live migration security was pretty minimal, to non-existant,
but we do now have the ability todo much better with TLS.
With the way libvirt currently uses TLS for migration, we're just protecting
against a rogue host connecting, as any host with a valid cert gets allowed.
We could do better by using the new ACLs feature to whitelist just the
particular virt host that we know the source VM is on.
This still allows for an accident if libvirt is migrating 2 VMs on the
same source host at the same time.
What's needed is a unique identity for each individual migration operation.
The use of the UUID here is aiming to serve that role.
Assuming libvirt has protected its TLS certificates on the source host,
then this solution is secure. An attacker would need to become root on
the source host to access libvirt's TLS certs, at which point no other
strategy libvirt used instead of UUID would be secure either.
So I think from a security POV, the use of UUID is acceptable.
An alternative would be to not use TLS certificates, and instead use the
TLS pre-shared keys credential type, generating a new set of PSK creds
for each migration operation. In this case, UUID would not be required
at all. I don't see this as a reason to reject the UUID check though.
It is reasonable for mgmt apps to have a choice in which approach they
pick.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
prev parent reply other threads:[~2019-09-03 11:47 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-27 12:02 [Qemu-devel] [PATCH 0/3] UUID validation during migration Yury Kotov
2019-08-27 12:02 ` [Qemu-devel] [PATCH 1/3] migration: Add x-validate-uuid capability Yury Kotov
2019-08-27 14:01 ` Eric Blake
2019-08-27 15:36 ` Yury Kotov
2019-08-27 16:18 ` Eric Blake
2019-09-03 11:25 ` Dr. David Alan Gilbert
2019-09-03 16:39 ` Yury Kotov
2019-09-03 17:13 ` Dr. David Alan Gilbert
2019-09-03 11:34 ` Dr. David Alan Gilbert
2019-08-27 12:02 ` [Qemu-devel] [PATCH 2/3] tests/libqtest: Allow to set expected exit status Yury Kotov
2019-08-27 13:52 ` Marc-André Lureau
2019-08-27 15:23 ` Yury Kotov
2019-08-27 14:03 ` Eric Blake
2019-08-27 15:27 ` Yury Kotov
2019-08-27 12:02 ` [Qemu-devel] [PATCH 3/3] tests/migration: Add a test for x-validate-uuid capability Yury Kotov
2019-09-03 11:21 ` [Qemu-devel] [PATCH 0/3] UUID validation during migration Dr. David Alan Gilbert
2019-09-03 11:45 ` Daniel P. Berrangé [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190903114532.GC15960@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=dgilbert@redhat.com \
--cc=lvivier@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
--cc=thuth@redhat.com \
--cc=yc-core@yandex-team.ru \
--cc=yury-kotov@yandex-team.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).