All,
Thanks to everyone who has reviewed the FS so far: Wido, Rafael, Marc-Aurèle. I'll summarize additional information on this feature:

- CloudStack's addHost API calls cloudstack-setup-agent on KVM hosts, which already injects configuration into the libvirtd.conf file.
- The crux of this feature is to use the new CA framework's provisioned certificates for the libvirtd+tls setup, based on a global setting (cluster scope), and to enable secure live VM migration across KVM hosts wherever applicable. The libvirtd tls setup in the conf file can be done by the existing cloudstack-setup-agent script infra.
- This feature will only use the qemu+tls:// scheme when both source and destination hosts have their libvirtd tls enabled.

Regards.

________________________________
From: Rohit Yadav <rohit.ya...@shapeblue.com>
Sent: Tuesday, November 21, 2017 11:39:34 AM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Hi Marc,

Thanks for your comments, I'll reply to them on the cwiki page. Briefly: CloudStack already supports live VM migration, and presently adding a KVM host using CloudStack's addHost runs cloudstack-setup-agent and configures libvirtd by adding suitable options to enable libvirtd on tcp. I'll have another look at your PR too.

Regards.

Get Outlook for Android<https://aka.ms/ghei36>

________________________________
From: Marc-Aurèle Brothier - Exoscale <ma...@exoscale.ch>
Sent: Friday, November 17, 2017 8:06:55 PM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Working, thanks!

rohit.ya...@shapeblue.com
www.shapeblue.com<http://www.shapeblue.com>
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue

On Fri, 2017-11-17 at 11:27 -0200, Rafael Weingärtner wrote:
> Marc I added permission to you; can you test if you can make comments
> now?
>
> On Fri, Nov 17, 2017 at 11:20 AM, Marc-Aurèle Brothier - Exoscale <
> ma...@exoscale.ch> wrote:
>
> > I'm not able to post comments on the wiki even when logged in, so I post
> > to the mailing list. I guess I'm not in any special wiki group to edit
> > CS pages.
> >
> > Good news that you made live migration work (right?) on master. Is all
> > this libvirt TLS setup really something we want to control under CS on
> > the agent installation? Maybe the installation could write the libvirtd
> > configuration file for TLS and non-TLS setup in the CS and/or libvirt /etc
> > directory, but without overriding the normal one. I have to admit I'm
> > not familiar with how things are usually done in CS for external
> > components.
> >
> > You can also add to the cloudstack configuration the libvirt flags used
> > for the live migration, which should be customizable in some way. On my
> > PR it's in agent.properties, but it could be sent along with the
> > migration command.
> >
> > I would welcome it if you could set up a wiki page that I could edit on
> > KVM live migration, so I could add my remarks on my experience and
> > things to config/consider.
> >
> > On your question: +1 on having the configuration value for TLS or plain
> > tcp.
> >
> > Marc-Aurèle
> >
> > On Thu, 2017-11-16 at 10:32 +0000, Rohit Yadav wrote:
> > > All,
> > >
> > > Kindly review and share your thoughts and comments for a new feature:
> > > Secure VM live migration for KVM. This feature builds on top of the
> > > previous feature that brought in a new CA framework [1] for CloudStack.
> > >
> > > Here is a rough first draft for your review:
> > >
> > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM+VM+Live+Migration
> > >
> > > [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Agent+Communications
> > >
> > > Regards.
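As an added example (not code from CloudStack or its cloudstack-setup-agent script), the following sketch shows the two mechanics described in the summary at the top of this thread: an agent-setup step that rewrites libvirtd.conf for either TLS-only or plain TCP listening, and the rule that the migration URI uses qemu+tls:// only when both the source and the destination host have libvirtd TLS enabled, falling back to qemu+tcp:// otherwise. The option names are genuine libvirtd.conf keys; the certificate paths, the `enable_tls` flag, the host names and the sample configuration are assumptions constructed for illustration, and in the real feature the certificate paths would be wherever the CA framework provisions the host certificates.

```python
"""Illustrative example, not CloudStack's own cloudstack-setup-agent code.

Shows (a) an idempotent rewrite of libvirtd.conf for TLS-only or TCP-only
listening and (b) choosing the migration transport from the two hosts' TLS
state. Certificate paths and the enable_tls flag are assumptions."""
import re

# Option names below are real libvirtd.conf keys; the certificate paths are
# assumed locations (the CA framework would supply the real ones).
TLS_SETTINGS = {
    "listen_tls": "1",
    "listen_tcp": "0",
    "tls_port": '"16514"',
    "auth_tls": '"none"',          # client identity is the TLS certificate
    "key_file": '"/etc/pki/libvirt/private/serverkey.pem"',
    "cert_file": '"/etc/pki/libvirt/servercert.pem"',
    "ca_file": '"/etc/pki/CA/cacert.pem"',
}
TCP_SETTINGS = {
    "listen_tls": "0",
    "listen_tcp": "1",
    "tcp_port": '"16509"',
    "auth_tcp": '"none"',
}

# Constructed sample of a stock libvirtd.conf fragment with commented defaults
# and one setting already injected by an earlier setup run.
SAMPLE_CONF = (
    '#listen_tls = 0\n'
    '#listen_tcp = 1\n'
    '#tcp_port = "16509"\n'
    'listen_tcp = 1\n'
    'auth_tcp = "none"\n'
)


def set_option(conf_text: str, key: str, value: str) -> str:
    """Return conf_text with exactly one uncommented `key = value` line.

    Every existing assignment of `key`, commented out or not, is removed first
    so repeated runs (and stale commented defaults) cannot leave a second,
    conflicting line behind."""
    pattern = re.compile(
        r'^[ \t]*#?[ \t]*' + re.escape(key) + r'[ \t]*=.*\n?', re.MULTILINE
    )
    stripped = pattern.sub("", conf_text)
    if stripped and not stripped.endswith("\n"):
        stripped += "\n"
    return stripped + f"{key} = {value}\n"


def configure_libvirtd(conf_text: str, enable_tls: bool) -> str:
    """Apply either the TLS-only or the TCP-only settings to the conf text."""
    settings = TLS_SETTINGS if enable_tls else TCP_SETTINGS
    for key, value in settings.items():
        conf_text = set_option(conf_text, key, value)
    return conf_text


def parse_options(conf_text: str) -> dict:
    """Parse the uncommented `key = value` lines back into a dict."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def migration_uri(dest_host: str, src_tls_enabled: bool, dst_tls_enabled: bool) -> str:
    """Use qemu+tls:// only when BOTH hosts have libvirtd TLS enabled;
    otherwise keep the existing qemu+tcp:// transport."""
    scheme = "qemu+tls" if (src_tls_enabled and dst_tls_enabled) else "qemu+tcp"
    return f"{scheme}://{dest_host}/system"


if __name__ == "__main__":
    print(configure_libvirtd(SAMPLE_CONF, enable_tls=True))
    print(migration_uri("kvm2.example.test", True, True))
    print(migration_uri("kvm2.example.test", True, False))
```

Running the script prints the rewritten conf fragment and the two URIs; note that with TLS enabled the rewrite also turns `listen_tcp` off, so a host switched to TLS no longer exposes the unauthenticated tcp listener that the existing setup enables.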