)]}'
{"security-notes/OSSN-0089":[{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"8243604461556b3df69f08d5a911e5e0ffa0492e","unresolved":true,"context_lines":[{"line_number":16,"context_line":"In the OpenStack guide to setup secure live migration with QEMU-native tls"},{"line_number":17,"context_line":"there are a few configuration options given, which have to be applied to nova"},{"line_number":18,"context_line":"compute nodes. After following the instructions and setting up everything it"},{"line_number":19,"context_line":"seems to work as expected. But after checking, that libvirt is able to use tls"},{"line_number":20,"context_line":"using tcpdump to listen on the port for tls while manually executing libvirt"},{"line_number":21,"context_line":"commands, the same check for live migration of an instance through openstack"},{"line_number":22,"context_line":"fails. Listening on the port for unencrypted tcp-traffic shows, that OpenStack"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"b3cf6ff8_ade3817a","line":19,"range":{"start_line":19,"start_character":45,"end_line":19,"end_character":46},"updated":"2021-04-03 00:45:57.000000000","message":"nit: unnecessary comma","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"506f682696c7ac89944a1cf5e165b1f2b105d66c","unresolved":false,"context_lines":[{"line_number":16,"context_line":"In the OpenStack guide to setup secure live migration with QEMU-native tls"},{"line_number":17,"context_line":"there are a few configuration options given, which have to be applied to nova"},{"line_number":18,"context_line":"compute nodes. After following the instructions and setting up everything it"},{"line_number":19,"context_line":"seems to work as expected. But after checking, that libvirt is able to use tls"},{"line_number":20,"context_line":"using tcpdump to listen on the port for tls while manually executing libvirt"},{"line_number":21,"context_line":"commands, the same check for live migration of an instance through openstack"},{"line_number":22,"context_line":"fails. Listening on the port for unencrypted tcp-traffic shows, that OpenStack"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"ab3d04a2_e56a6de4","line":19,"range":{"start_line":19,"start_character":45,"end_line":19,"end_character":46},"in_reply_to":"b3cf6ff8_ade3817a","updated":"2021-04-12 07:52:48.000000000","message":"Done","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"8243604461556b3df69f08d5a911e5e0ffa0492e","unresolved":true,"context_lines":[{"line_number":19,"context_line":"seems to work as expected. But after checking, that libvirt is able to use tls"},{"line_number":20,"context_line":"using tcpdump to listen on the port for tls while manually executing libvirt"},{"line_number":21,"context_line":"commands, the same check for live migration of an instance through openstack"},{"line_number":22,"context_line":"fails. Listening on the port for unencrypted tcp-traffic shows, that OpenStack"},{"line_number":23,"context_line":"still uses the unencrypted TCP path instead of the TLS one for the migration."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The reson for this is a patch from Ocata which adds the calculation of the"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"9ba3babe_ca7aca3c","line":22,"range":{"start_line":22,"start_character":62,"end_line":22,"end_character":63},"updated":"2021-04-03 00:45:57.000000000","message":"ditto","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"506f682696c7ac89944a1cf5e165b1f2b105d66c","unresolved":false,"context_lines":[{"line_number":19,"context_line":"seems to work as expected. But after checking, that libvirt is able to use tls"},{"line_number":20,"context_line":"using tcpdump to listen on the port for tls while manually executing libvirt"},{"line_number":21,"context_line":"commands, the same check for live migration of an instance through openstack"},{"line_number":22,"context_line":"fails. Listening on the port for unencrypted tcp-traffic shows, that OpenStack"},{"line_number":23,"context_line":"still uses the unencrypted TCP path instead of the TLS one for the migration."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The reson for this is a patch from Ocata which adds the calculation of the"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"01df52ad_51b9dda5","line":22,"range":{"start_line":22,"start_character":62,"end_line":22,"end_character":63},"in_reply_to":"9ba3babe_ca7aca3c","updated":"2021-04-12 07:52:48.000000000","message":"Done","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"8243604461556b3df69f08d5a911e5e0ffa0492e","unresolved":true,"context_lines":[{"line_number":22,"context_line":"fails. Listening on the port for unencrypted tcp-traffic shows, that OpenStack"},{"line_number":23,"context_line":"still uses the unencrypted TCP path instead of the TLS one for the migration."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The reson for this is a patch from Ocata which adds the calculation of the"},{"line_number":26,"context_line":"live-migration-uri in code:"},{"line_number":27,"context_line":"https://review.opendev.org/c/openstack/nova/+/410817/"},{"line_number":28,"context_line":"The config parameter ``live_migration_uri`` was deprecated in favor of"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"a06da8d0_e24962eb","line":25,"range":{"start_line":25,"start_character":4,"end_line":25,"end_character":9},"updated":"2021-04-03 00:45:57.000000000","message":"reason*","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"506f682696c7ac89944a1cf5e165b1f2b105d66c","unresolved":false,"context_lines":[{"line_number":22,"context_line":"fails. Listening on the port for unencrypted tcp-traffic shows, that OpenStack"},{"line_number":23,"context_line":"still uses the unencrypted TCP path instead of the TLS one for the migration."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The reson for this is a patch from Ocata which adds the calculation of the"},{"line_number":26,"context_line":"live-migration-uri in code:"},{"line_number":27,"context_line":"https://review.opendev.org/c/openstack/nova/+/410817/"},{"line_number":28,"context_line":"The config parameter ``live_migration_uri`` was deprecated in favor of"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"cbba7e98_e2731886","line":25,"range":{"start_line":25,"start_character":4,"end_line":25,"end_character":9},"in_reply_to":"a06da8d0_e24962eb","updated":"2021-04-12 07:52:48.000000000","message":"Done","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"8243604461556b3df69f08d5a911e5e0ffa0492e","unresolved":true,"context_lines":[{"line_number":27,"context_line":"https://review.opendev.org/c/openstack/nova/+/410817/"},{"line_number":28,"context_line":"The config parameter ``live_migration_uri`` was deprecated in favor of"},{"line_number":29,"context_line":"``live_migration_scheme`` and the default set to tcp. This leads to the"},{"line_number":30,"context_line":"problem, that if none of these two config options are set, libvirt will"},{"line_number":31,"context_line":"always use the default tcp connection. To enable QEMU-native TLS to be used in"},{"line_number":32,"context_line":"nova one of them has to be set so that a TLS connection can be established."},{"line_number":33,"context_line":"Currently the guide does not show that this is necessary and there was no"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"d765104f_c2e699c7","line":30,"range":{"start_line":30,"start_character":7,"end_line":30,"end_character":8},"updated":"2021-04-03 00:45:57.000000000","message":"ditto","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"506f682696c7ac89944a1cf5e165b1f2b105d66c","unresolved":false,"context_lines":[{"line_number":27,"context_line":"https://review.opendev.org/c/openstack/nova/+/410817/"},{"line_number":28,"context_line":"The config parameter ``live_migration_uri`` was deprecated in favor of"},{"line_number":29,"context_line":"``live_migration_scheme`` and the default set to tcp. This leads to the"},{"line_number":30,"context_line":"problem, that if none of these two config options are set, libvirt will"},{"line_number":31,"context_line":"always use the default tcp connection. To enable QEMU-native TLS to be used in"},{"line_number":32,"context_line":"nova one of them has to be set so that a TLS connection can be established."},{"line_number":33,"context_line":"Currently the guide does not show that this is necessary and there was no"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"06627928_c0642253","line":30,"range":{"start_line":30,"start_character":7,"end_line":30,"end_character":8},"in_reply_to":"d765104f_c2e699c7","updated":"2021-04-12 07:52:48.000000000","message":"Done","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"8243604461556b3df69f08d5a911e5e0ffa0492e","unresolved":true,"context_lines":[{"line_number":31,"context_line":"always use the default tcp connection. To enable QEMU-native TLS to be used in"},{"line_number":32,"context_line":"nova one of them has to be set so that a TLS connection can be established."},{"line_number":33,"context_line":"Currently the guide does not show that this is necessary and there was no"},{"line_number":34,"context_line":"other documentation indicating that these config options are someway important"},{"line_number":35,"context_line":"for the usage of QEMU-native TLS."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"As there is no documentation which recognizes this and it is hard to find this"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"c373d809_225e5f7d","line":34,"range":{"start_line":34,"start_character":61,"end_line":34,"end_character":68},"updated":"2021-04-03 00:45:57.000000000","message":"not really someway important, but rather just important IMO","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"506f682696c7ac89944a1cf5e165b1f2b105d66c","unresolved":false,"context_lines":[{"line_number":31,"context_line":"always use the default tcp connection. To enable QEMU-native TLS to be used in"},{"line_number":32,"context_line":"nova one of them has to be set so that a TLS connection can be established."},{"line_number":33,"context_line":"Currently the guide does not show that this is necessary and there was no"},{"line_number":34,"context_line":"other documentation indicating that these config options are someway important"},{"line_number":35,"context_line":"for the usage of QEMU-native TLS."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"As there is no documentation which recognizes this and it is hard to find this"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"1eb42c43_0eecc0cc","line":34,"range":{"start_line":34,"start_character":61,"end_line":34,"end_character":68},"in_reply_to":"c373d809_225e5f7d","updated":"2021-04-12 07:52:48.000000000","message":"Done","commit_id":"18e745bb14537500a557fdd6f22413f695da7ca5"}]}