qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v7 RFC] block/vxhs: Initial commit to add Verita

From: Ketan Nilangekar
Subject: Re: [Qemu-devel] [PATCH v7 RFC] block/vxhs: Initial commit to add Veritas HyperScale VxHS block device support
Date: Thu, 2 Feb 2017 20:53:02 +0000
User-agent: Microsoft-MacOutlook/f.1c.1.161117 

On 2/2/17, 2:07 AM, "Stefan Hajnoczi" <address@hidden> wrote:

    On Wed, Feb 01, 2017 at 11:59:53PM +0000, Ketan Nilangekar wrote:
    > Patch for secure implementation in libqnio is available for review here:
    > 
    > https://github.com/VeritasHyperScale/libqnio/pull/12
    > 
    > libqnio client initialization now has an option to use X.509 certificates 
to authenticate itself to the vxhs server.  
    > Also each client IO request now includes an instance id that is used by 
the vxhs server to authorize the request.
    > A test client has also been added.
    > Libqnio.so so is renamed to libvxhs.so. We will rename the repository 
once the latest patches are merged.
    > QEMU patch to use the new secure interface will follow shortly.
    
    I have left comments on specific lines of code on GitHub.
    
[Ketan] 
I have replied to your comments and will be uploading a patch shortly to cover 
some fixes.

    The server should do something based on the client X.509 certificate.
    Is the code actually verifying certificates on the client side?

    Right now the code is just going through the motions of SSL but not
    protecting against man-in-the-middle attacks.

[Ketan]
The VxHS server implementation will be verifying the client certificates.
The libqnio server implementation is just a sample to verify the client 
functionality.
VxHS does not use the libqnio server implementation.
    
    I noticed that the code uses OpenSSL.  QEMU uses GnuTLS instead of
    OpenSSL.  In practice it's hard to avoid duplication of SSL libraries:
    GlusterFS and Ceph use OpenSSL and NSS.  That means QEMU KVM may drag in
    GnuTLS, OpenSSL, and NSS!  But from a QEMU point of view it would be
    nicest to use GnuTLS to keep extra library dependencies minimal.

[Ketan]
If GlusterFS is already using OpenSSL then libqnio is not introducing anything 
new here.
From a licensing perspective there seems to be a way of adding a “GPL linking 
exception” in this case.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]