RFC for NBD protocol extension: extended headers
by Eric Blake
In response to this mail, I will be cross-posting a series of patches
to multiple projects as a proof-of-concept implementation and request
for comments on a new NBD protocol extension, called
NBD_OPT_EXTENDED_HEADERS. With this in place, it will be possible for
clients to request 64-bit zero, trim, cache, and block status
operations when supported by the server.
Not yet complete: an implementation of this in nbdkit. I also plan to
tweak libnbd's 'nbdinfo --map' and 'nbdcopy' to take advantage of the
larger block status results. Also, with 64-bit commands, we may want
to also make it easier to let servers advertise an actual maximum size
they are willing to accept for the commands in question (for example,
a server may be happy with a full 64-bit block status, but still want
to limit non-fast zero and cache to a smaller limit to avoid denial of
service).
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
[v2v PATCH] input-xen: cover RHEL9 OpenSSL crypto settings
by Laszlo Ersek
In commit af4a0454cdd2 ("input-xen: replace "enable LEGACY crypto" advice
with targeted ssh options", 2022-07-11), we documented how the libssh /
openssh crypto settings needed to be relaxed, for connecting to RHEL5
sshd.
It turns out that in RHEL9, the non-LEGACY crypto policies disable SHA1 in
signature algorithms even at the OpenSSL level. Explain how the user can
re-enable that separately, for individual virt-v2v invocations.
The method depends on Rich's libvirt commit 45912ac399ab ("rpc: Pass
OPENSSL_CONF through to ssh invocations", 2022-07-25), which is going
to be released in upstream libvirt v8.6.0.
Thanks: Dmitry Belyavskiy & Rich Jones
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
docs/virt-v2v-input-xen.pod | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod
index 789853b4d194..4a0544f8d16a 100644
--- a/docs/virt-v2v-input-xen.pod
+++ b/docs/virt-v2v-input-xen.pod
@@ -54,6 +54,26 @@ new one. Virt-v2v uses both C<libssh> and C<ssh> when converting a guest
from Xen, and on some operating systems, C<libssh> and C<ssh> may not
both accept the same option variant.)
+When connecting to RHEL 5 sshd from RHEL 9, the SHA1 algorithm's use in
+signatures has to be re-enabled at the OpenSSL level, in addition to the
+above SSH configuration. Create a file called F<$HOME/openssl-sha1.cnf>
+with the following contents:
+
+ .include /etc/ssl/openssl.cnf
+ [openssl_init]
+ alg_section = evp_properties
+ [evp_properties]
+ rh-allow-sha1-signatures = yes
+
+and export the following variable into the environment of the
+C<virt-v2v> process:
+
+ OPENSSL_CONF=$HOME/openssl-sha1.cnf
+
+Note that the C<OPENSSL_CONF> environment variable will only take effect
+if the libvirt client library used by virt-v2v is at least version
+8.6.0.
+
=head2 Test libvirt connection to remote Xen host
Use the L<virsh(1)> command to list the guests on the remote Xen host:
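Review bot: the relaxed SHA1 policy is process-wide for every OpenSSL consumer running under virt-v2v, and once exported from an interactive shell it also reaches every later command in that shell, while the commit message targets individual virt-v2v invocations; suggest showing the variable as a one-shot prefix, `OPENSSL_CONF=$HOME/openssl-sha1.cnf virt-v2v ...`, instead of asking the reader to "export" it, and adding a sentence that it must not go into a login profile. It is also worth stating that `rh-allow-sha1-signatures` is a property understood only by Red Hat's downstream OpenSSL build, so the file is a silent no-op with upstream OpenSSL 3 and the section only applies to RHEL 9 and its rebuilds.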
--
2.19.1.3.g30247aa5d201
[PATCH libnbd 1/2] lib/crypto: Use GNUTLS_NO_SIGNAL if available
by Richard W.M. Jones
libnbd has long used MSG_NOSIGNAL to avoid receiving SIGPIPE if we
accidentally write on a closed socket, which is a nice alternative to
using a SIGPIPE signal handler. However with TLS connections, gnutls
did not use this flag and so programs using libnbd + TLS would receive
SIGPIPE in some situations, notably if the server closed the
connection abruptly while we were trying to write something.
GnuTLS 3.4.2 introduces GNUTLS_NO_SIGNAL which does the same thing.
Use this flag if available.
RHEL 7 has an older gnutls which lacks this flag. To avoid qemu-nbd
interop tests failing (rarely, but more often with a forthcoming
change to TLS shutdown behaviour), register a SIGPIPE signal handler
in the test if the flag is missing.
---
configure.ac | 15 +++++++++++++++
interop/interop.c | 10 ++++++++++
lib/crypto.c | 7 ++++++-
3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 86c3a08690..b5bae4f1b2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -182,6 +182,21 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
gnutls_session_set_verify_cert \
gnutls_transport_is_ktls_enabled \
])
+ AC_MSG_CHECKING([if gnutls has GNUTLS_NO_SIGNAL])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([
+ #include <gnutls/gnutls.h>
+ gnutls_session_t session;
+ ], [
+ gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_NO_SIGNAL);
+ ])
+ ], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([HAVE_GNUTLS_NO_SIGNAL], [1],
+ [GNUTLS_NO_SIGNAL found at compile time])
+ ], [
+ AC_MSG_RESULT([no])
+ ])
LIBS="$old_LIBS"
])
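Review bot: any compile failure in this test, not only an undefined GNUTLS_NO_SIGNAL, produces "no" and silently drops the flag; the visible context only saves and restores LIBS, so if GNUTLS_CFLAGS is not already in CFLAGS/CPPFLAGS at this point, `#include <gnutls/gnutls.h>` fails on hosts with headers outside the default include path and every such build quietly loses the SIGPIPE protection. Suggest running the check with the same CFLAGS handling as the function checks above, or at least emitting an AC_MSG_WARN when GnuTLS is otherwise usable but the answer is "no", so the degraded case is visible in the configure log.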
diff --git a/interop/interop.c b/interop/interop.c
index b41f3ca887..036545bd82 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -84,6 +84,16 @@ main (int argc, char *argv[])
REQUIRES
#endif
+ /* Ignore SIGPIPE. We only need this for GnuTLS < 3.4.2, since
+ * newer GnuTLS has the GNUTLS_NO_SIGNAL flag which adds
+ * MSG_NOSIGNAL to each write call.
+ */
+#if !HAVE_GNUTLS_NO_SIGNAL
+#if TLS
+ signal (SIGPIPE, SIG_IGN);
+#endif
+#endif
+
/* Create a large sparse temporary file. */
#ifdef NEEDS_TMPFILE
int fd = mkstemp (TMPFILE);
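Review bot: the diffstat credits interop.c with exactly the 10 lines of this hunk, so no `#include <signal.h>` is added; unless interop.c already includes it, `signal (SIGPIPE, SIG_IGN);` compiles only where the block is preprocessed away, i.e. it would break precisely on the RHEL 7 builds it is meant for and pass unnoticed on newer hosts. Please confirm the include, and consider collapsing the two levels to `#if TLS && !HAVE_GNUTLS_NO_SIGNAL` (an undefined HAVE_GNUTLS_NO_SIGNAL evaluates to 0 in `#if` as intended, but trips -Wundef; `#ifndef` is the usual spelling for an AC_DEFINE'd macro).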
diff --git a/lib/crypto.c b/lib/crypto.c
index ffc2b4ab5f..ffba4bda9b 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -590,7 +590,12 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
gnutls_psk_client_credentials_t pskcreds = NULL;
gnutls_certificate_credentials_t xcreds = NULL;
- err = gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_NONBLOCK);
+ err = gnutls_init (&session,
+ GNUTLS_CLIENT | GNUTLS_NONBLOCK
+#if HAVE_GNUTLS_NO_SIGNAL
+ | GNUTLS_NO_SIGNAL
+#endif
+ );
if (err < 0) {
set_error (errno, "gnutls_init: %s", gnutls_strerror (err));
return NULL;
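Review bot: GNUTLS_NO_SIGNAL only adds MSG_NOSIGNAL inside gnutls's built-in push (send) function; if this session installs its own transport push callback through gnutls_transport_set_push_function elsewhere in crypto.c, the flag changes nothing and that callback has to pass MSG_NOSIGNAL itself, so please double-check which transport path the session actually uses. Readability nit: a preprocessor conditional inside an argument list is easy to misread; consider `unsigned flags = GNUTLS_CLIENT | GNUTLS_NONBLOCK;` followed by `#if HAVE_GNUTLS_NO_SIGNAL` / `flags |= GNUTLS_NO_SIGNAL;` / `#endif` and then `gnutls_init (&session, flags)`. Pre-existing, but worth a follow-up: the error path passes errno to set_error although gnutls_init reports failures through its return value, not errno.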
--
2.37.0.rc2
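The failure mode Rich's commit message describes, a write to a socket whose peer has already gone away, is easy to reproduce outside libnbd. The C program below is an added example for this page, not libnbd or GnuTLS code; it assumes Linux/BSD send(2) semantics on an AF_UNIX socketpair, and the names probe_sigpipe and probe_errno are its own. It counts SIGPIPE deliveries for a plain send() and for send() with MSG_NOSIGNAL, the flag that GNUTLS_NO_SIGNAL makes GnuTLS add to its own writes, and shows that both variants report EPIPE, so nothing is lost by asking for the error return instead of the signal.

```c
/* Added example: why MSG_NOSIGNAL (and hence GNUTLS_NO_SIGNAL) matters.
 * Not libnbd or GnuTLS code.  Assumes Linux/BSD send(2) semantics. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static volatile sig_atomic_t sigpipe_count;

static void
count_sigpipe (int sig)
{
  (void) sig;
  sigpipe_count++;
}

/* Write one byte to a stream socket whose peer is already closed, using
 * 'flags' for send(2).  Stores the number of SIGPIPEs delivered during the
 * write in *sigpipes and the errno send() reported in *err.  Returns 0 if
 * the probe ran, -1 if it could not be set up. */
static int
do_probe (int flags, int *sigpipes, int *err)
{
  int sv[2];
  struct sigaction sa, old;
  sigset_t unblock, oldmask;
  ssize_t r;

  if (socketpair (AF_UNIX, SOCK_STREAM, 0, sv) == -1)
    return -1;

  /* The peer vanishes, like a server closing the connection abruptly. */
  close (sv[1]);

  /* Count SIGPIPE instead of dying from it, only for the duration of the
   * probe; libnbd avoids needing a handler at all by using MSG_NOSIGNAL. */
  memset (&sa, 0, sizeof sa);
  sa.sa_handler = count_sigpipe;
  sigemptyset (&sa.sa_mask);
  if (sigaction (SIGPIPE, &sa, &old) == -1) {
    close (sv[0]);
    return -1;
  }
  /* Make sure the signal can actually be delivered, not left pending. */
  sigemptyset (&unblock);
  sigaddset (&unblock, SIGPIPE);
  sigprocmask (SIG_UNBLOCK, &unblock, &oldmask);

  sigpipe_count = 0;
  errno = 0;
  r = send (sv[0], "x", 1, flags);
  *err = (r == -1) ? errno : 0;
  /* The signal is generated synchronously by the failed send(), so the
   * handler has already run by the time send() returns. */
  *sigpipes = sigpipe_count;

  sigprocmask (SIG_SETMASK, &oldmask, NULL);
  sigaction (SIGPIPE, &old, NULL);
  close (sv[0]);
  return 0;
}

/* Number of SIGPIPEs a write to a dead peer raises with these flags
 * (0 or 1), or -1 if the probe could not run. */
int
probe_sigpipe (int flags)
{
  int sigpipes, err;
  if (do_probe (flags, &sigpipes, &err) == -1)
    return -1;
  return sigpipes;
}

/* errno that send() reports for the same write: EPIPE with or without
 * MSG_NOSIGNAL, which is why the flag costs nothing in error reporting. */
int
probe_errno (int flags)
{
  int sigpipes, err;
  if (do_probe (flags, &sigpipes, &err) == -1)
    return -1;
  return err;
}

int
main (void)
{
  printf ("send():              SIGPIPE=%d errno=%s\n",
          probe_sigpipe (0), strerror (probe_errno (0)));
  printf ("send(MSG_NOSIGNAL):  SIGPIPE=%d errno=%s\n",
          probe_sigpipe (MSG_NOSIGNAL), strerror (probe_errno (MSG_NOSIGNAL)));
  return 0;
}
```

The plain send() is the situation the patch fixes for TLS sessions: without a handler the process simply dies, which is why the interop test installs SIG_IGN on GnuTLS builds that lack the flag. With MSG_NOSIGNAL the same write fails cleanly with EPIPE and the caller decides what to do.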