- Bug
- Resolution: Unresolved
- rhel-10.0
- Moderate
- rhel-sst-virt-arm
- ssg_virtualization
- Red Hat Enterprise Linux
- Virt ARM 25-2
- aarch64
What were you trying to do that didn't work?
When the destination server certificate is signed with the wrong hostname, a failed p2p TLS live migration shows a meaningless error message
Please provide the package NVR for which the bug is seen:
# rpm -q libvirt qemu-kvm
libvirt-10.10.0-4.el10.aarch64
qemu-kvm-9.1.0-11.el10.aarch64
How reproducible is this bug?: 100%
Steps to reproduce
1. Setup live migration environment
1.1 Prepare live migration environment with shared disk by nfs
1.2 Enable the SELinux boolean virt_use_nfs on both source and dest host
# setsebool virt_use_nfs 1 -P
1.3 On source host set default_tls_x509_verify and migrate_tls_x509_verify to 0 in /etc/libvirt/qemu.conf
1.4 Restart virtqemud daemon on source host
# systemctl restart virtqemud
1.5 On dest host set auth_tcp="none" in config file /etc/libvirt/virtproxyd.conf
1.6 On source host prepare certificates for tls migration: ca-cert.pem, client-cert.pem and client-key.pem
1.7 On dest host prepare certificates for tls migration: ca-cert.pem, server-cert.pem and server-key.pem, but set wrong hostname in server.info when generating server-cert.pem
1.8 Restart virtproxyd and related socket
# systemctl restart virtproxyd-tcp.socket
# systemctl restart virtproxyd
1.9 Open tcp listen port in firewalld
# firewall-cmd --add-port=16509/tcp
success
2. Start the guest
# virsh start vm1
Domain 'vm1' started
3. Do p2p tls live migration
# virsh migrate vm1 qemu+tcp://{dest hostname}/system --live --p2p --tls --undefinesource --persistent --verbose
error: internal error: QEMU unexpectedly closed the monitor (vm='vm1'): 2025-01-23T10:52:29.626610Z qemu-kvm: Not a migration stream
2025-01-23T10:52:29.626736Z qemu-kvm: load of migration failed: Invalid argument
Expected results
Give a meaningful error message like:
error: operation failed: job 'migration out' failed: Certificate does not match the hostname {dest hostname}
Actual results
A meaningless error message is shown to the end user.
Additional info:
1. If non-p2p migration is used, we get an error message like the one below:
# virsh migrate vm1 qemu+tcp://{dest hostname}/system --live --tls --undefinesource --persistent --verbose
error: operation failed: job 'migration out' failed: Certificate does not match the hostname {dest hostname}
2. Tested on x86_64: both p2p and non-p2p migration get an error message like the one below:
error: operation failed: job 'migration out' failed: Certificate does not match the hostname {dest hostname}
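
Added example, not part of the original report or of libvirt/QEMU: a preflight check that compares the destination's server-cert.pem (step 1.7) with the hostname used in the migration URI, so a mismatch is visible before a p2p migration fails with the "Not a migration stream" error shown above. The function names and the .example.test hostnames are constructed for illustration; the check relies on openssl x509 -checkhost.

```shell
#!/bin/sh
# check_cert_host CERT HOST: return 0 only when CERT is valid for HOST.
check_cert_host() {
    cert=$1
    host=$2
    # openssl reports the verdict as text ("does match" / "does NOT match"),
    # so parse the output instead of trusting the exit status.
    result=$(openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null)
    case $result in
        *"does match certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_test_cert DIR NAME: constructed self-signed certificate (CN and SAN = NAME),
# standing in for a server-cert.pem generated with the wrong hostname.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server-key.pem" -out "$1/server-cert.pem" 2>/dev/null
}

# selftest: 0 when the mismatch is detected and the correct name is accepted.
selftest() {
    dir=$(mktemp -d) || return 2
    rc=0
    make_test_cert "$dir" "wrong-name.example.test" || rc=2
    if [ "$rc" -eq 0 ]; then
        # Hostname from the migration URI differs from the certificate: reject.
        check_cert_host "$dir/server-cert.pem" "dest.example.test" && rc=1
        # Hostname the certificate was issued for: accept.
        check_cert_host "$dir/server-cert.pem" "wrong-name.example.test" || rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

# Usage: sh check.sh /path/to/server-cert.pem dest-hostname
if [ "$#" -eq 2 ]; then
    if check_cert_host "$1" "$2"; then
        echo "OK: $1 is valid for $2"
    else
        echo "MISMATCH: $1 is not valid for $2" >&2
        exit 1
    fi
fi
```

Run it on the destination host against the certificate that was generated in step 1.7, passing the same hostname that appears in the qemu+tcp:// URI.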