This is a workaround for existing running QEMU processes which are susceptible to a GNUTLS crasher bug with non-multifd live migration:
https://gitlab.com/qemu-project/qemu/-/issues/1937

which in turn is caused by a gnutls regression:

https://gitlab.com/gnutls/gnutls/-/issues/1717

Even if gnutls is fixed, running QEMU processes are still at risk until restarted, and that can't be done without live migrating workloads off, which triggers the bug we're trying to avoid.

The only way to avoid this for running QEMU processes is to change the crypto priority string. On Fedora / RHEL distros we can do this on the target QEMU using /etc/crypto-policies configs, but many other distros have now adopted this - hint: this is a very useful thing to adopt.

This series gives a more targeted workaround that is compatible with all distros and can be configured on either the source or dst hosts and whose impact is limited just to live migration.

Daniel P. Berrangé (3):
  qemu: fix order of VNC TLS config entries
  qemu: sanitize blank lines in config file
  qemu: add ability to set TLS priority string with QEMU

 src/conf/storage_source_conf.c                |  2 +
 src/conf/storage_source_conf.h                |  1 +
 src/qemu/libvirtd_qemu.aug                    |  8 +-
 src/qemu/qemu.conf.in                         | 99 +++++++++++++++++--
 src/qemu/qemu_backup.c                        |  5 +-
 src/qemu/qemu_blockjob.c                      |  1 +
 src/qemu/qemu_command.c                       | 15 ++-
 src/qemu/qemu_command.h                       |  1 +
 src/qemu/qemu_conf.c                          | 22 +++++
 src/qemu/qemu_conf.h                          |  6 ++
 src/qemu/qemu_domain.c                        |  3 +
 src/qemu/qemu_domain.h                        |  1 +
 src/qemu/qemu_hotplug.c                       |  4 +-
 src/qemu/qemu_hotplug.h                       |  1 +
 src/qemu/qemu_migration_params.c              |  1 +
 src/qemu/test_libvirtd_qemu.aug.in            |  8 +-
 ...rk-tlsx509-nbd-hostname.x86_64-latest.args |  2 +-
 ...graphics-vnc-tls-secret.x86_64-latest.args |  2 +-
 ...-tlsx509-secret-chardev.x86_64-latest.args |  2 +-
 tests/qemuxmlconftest.c                       |  6 ++
 20 files changed, 170 insertions(+), 20 deletions(-)

-- 
2.50.1