RHEL-98669

post-copy migration with TLS often breaks when TLS 1.3 is negotiated


    • Bug
    • Resolution: Obsolete
    • CentOS Stream 9
    • rhel-virt-core

      What were you trying to do that didn't work?

      When running a live migration with the data channel protected by TLS, if the pre-copy phase lasts long enough that a TLS re-key is performed, then after switching to post-copy mode the TLS session will often fail.

       

      What is the impact of this issue to you?

      The live migration will fail due to TLS errors.

      Please provide the package NVR for which the bug is seen:

      qemu-kvm-9.1.0-23.el9.x86_64
      gnutls-3.8.3-6.el9.x86_64

      How reproducible is this bug?:

      Non-deterministic; it relies on a TLS 1.3 rekey operation taking place while in pre-copy mode, which will sometimes corrupt gnutls state, leading to errors when switching to post-copy.

      Steps to reproduce

      Launch the target QEMU

      $ /usr/libexec/qemu-kvm  -display none -m 6000 -smp 8 -accel kvm  -qmp stdio -cdrom ~/memtest.iso -incoming defer

       

      { "execute": "qmp_capabilities" }
      { "execute": "object-add", "arguments": { "id": "tls0", "qom-type": "tls-creds-x509", "dir": "/home/berrange/tls", "endpoint": "server" } }
      { "execute": "migrate-set-capabilities", "arguments": { "capabilities": [ { "capability": "postcopy-ram", "state": true } ] } }
      { "execute": "migrate-set-parameters", "arguments": { "tls-creds": "tls0" } }
      { "execute": "migrate-incoming", "arguments": { "uri": "tcp:localhost:9000" } }
      { "execute": "query-migrate" }
       


      Expected results

      Actual results

              virt-maint virt-maint
              rhn-engineering-berrange Daniel Berrangé
              virt-maint virt-maint
              virt-bugs virt-bugs