This is a workaround for existing running QEMU processes which
are susceptible to a GNUTLS crasher bug with non-multifd live
migration:

   https://gitlab.com/qemu-project/qemu/-/issues/1937

which in turn is caused by a gnutls regression

   https://gitlab.com/gnutls/gnutls/-/issues/1717

Even if gnutls is fixed, running QEMU processes are still at
risk until restarted, and that can't be done without live
migrating workloads off, which triggers the bug we're trying
to avoid. The only way to avoid this for running QEMU
processes is to change the crypto priority string. On Fedora
/ RHEL distros we can do this on the target QEMU using
/etc/crypto-policies configs, but many other distros have
now adopted this - hint: this is a very useful thing to adopt.

This series gives a more targeted workaround that is compatible
with all distros and can be configured on either the source or
dst hosts and whose impact is limited just to live migration.

Daniel P. Berrangé (3):
  qemu: fix order of VNC TLS config entries
  qemu: sanitize blank lines in config file
  qemu: add ability to set TLS priority string with QEMU

 src/conf/storage_source_conf.c                |  2 +
 src/conf/storage_source_conf.h                |  1 +
 src/qemu/libvirtd_qemu.aug                    |  8 +-
 src/qemu/qemu.conf.in                         | 99 +++++++++++++++++--
 src/qemu/qemu_backup.c                        |  5 +-
 src/qemu/qemu_blockjob.c                      |  1 +
 src/qemu/qemu_command.c                       | 15 ++-
 src/qemu/qemu_command.h                       |  1 +
 src/qemu/qemu_conf.c                          | 22 +++++
 src/qemu/qemu_conf.h                          |  6 ++
 src/qemu/qemu_domain.c                        |  3 +
 src/qemu/qemu_domain.h                        |  1 +
 src/qemu/qemu_hotplug.c                       |  4 +-
 src/qemu/qemu_hotplug.h                       |  1 +
 src/qemu/qemu_migration_params.c              |  1 +
 src/qemu/test_libvirtd_qemu.aug.in            |  8 +-
 ...rk-tlsx509-nbd-hostname.x86_64-latest.args |  2 +-
 ...graphics-vnc-tls-secret.x86_64-latest.args |  2 +-
 ...-tlsx509-secret-chardev.x86_64-latest.args |  2 +-
 tests/qemuxmlconftest.c                       |  6 ++
 20 files changed, 170 insertions(+), 20 deletions(-)

-- 
2.50.1
