qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] nbd/client: Add hint when TLS is missing

From: Daniel P . Berrangé
Subject: Re: [Qemu-devel] [PATCH] nbd/client: Add hint when TLS is missing
Date: Mon, 9 Sep 2019 10:13:22 +0100
User-agent: Mutt/1.12.1 (2019-06-15) 
On Sat, Sep 07, 2019 at 12:20:55PM -0500, Eric Blake wrote:
> I received an off-list report of failure to connect to an NBD server
> expecting an x509 certificate, when the client was attempting something
> similar to this command line:
> 
> $ ./x86_64-softmmu/qemu-system-x86_64 -name 'blah' -machine q35 -nodefaults \
>   -object tls-creds-x509,id=tls0,endpoint=client,dir=$path_to_certs \
>   -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie.0,addr=0x6 \
>   -drive 
> id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0
>  \
>   -device scsi-hd,id=image1,drive=drive_image1,bootindex=0
> qemu-system-x86_64: -drive 
> id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0:
>  TLS negotiation required before option 7 (go)
> server reported: Option 0x7 not permitted before TLS
> 
> The problem?  As specified, -drive is trying to pass tls-creds to the
> raw format driver instead of the nbd protocol driver, but before we
> get to the point where we can detect that raw doesn't know what to do
> with tls-creds, the nbd driver has already failed because the server
> complained.  The fix to the broken command line?  Pass
> '...,file.tls-creds=tls0' to ensure the tls-creds option is handed to
> nbd, not raw.  But since the error message was rather cryptic, I'm
> trying to improve the error message.
> 
> With this patch, the error message adds a line:
> 
> qemu-system-x86_64: -drive 
> id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0:
>  TLS negotiation required before option 7 (go)
> Did you forget a valid tls-creds?
> server reported: Option 0x7 not permitted before TLS
> 
> And with luck, someone grepping for that error message will find this
> commit message and figure out their command line mistake.  Sadly, the
> only mention of file.tls-creds in our docs relates to an --image-opts
> use of PSK encryption with qemu-img as the client, rather than x509
> certificate encryption with qemu-kvm as the client.
> 
> CC: Tingting Mao <address@hidden>
> CC: Daniel P. Berrangé <address@hidden>
> Signed-off-by: Eric Blake <address@hidden>
> ---
>  nbd/client.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/nbd/client.c b/nbd/client.c
> index b9dc829175f9..f6733962b49b 100644
> --- a/nbd/client.c
> +++ b/nbd/client.c
> @@ -204,6 +204,7 @@ static int nbd_handle_reply_err(QIOChannel *ioc, 
> NBDOptionReply *reply,
>      case NBD_REP_ERR_TLS_REQD:
>          error_setg(errp, "TLS negotiation required before option %" PRIu32
>                     " (%s)", reply->option, nbd_opt_lookup(reply->option));
> +        error_append_hint(errp, "Did you forget a valid tls-creds?\n");
>          break;
> 
>      case NBD_REP_ERR_UNKNOWN:

Reviewed-by: Daniel P. Berrangé <address@hidden>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
reply via email to
[Prev in Thread] Current Thread [Next in Thread]