Thanks everyone again for your reviews, I'll finalize the FS now and work may potentially begin after next week. Till then, if you've any feedback please do share.
Regards.

rohit.ya...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue

________________________________
From: Rohit Yadav
Sent: Tuesday, November 21, 2017 1:07:50 PM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

All,

Thanks to everyone who've reviewed the FS so far - Wido, Rafael, Marc-Aurèle. I'll summarize additional information on this feature:

- CloudStack's addHost API calls cloudstack-setup-agent on KVM hosts that already do inject configuration in libvirtd.conf file.
- The crux of this feature is to use the new CA framework's provisioned certificates for libvirtd+tls setup based on a global setting (cluster scope) and enable secure live VM migration across KVM hosts wherever applicable. Libvirtd tls setup in the conf file can be done by the existing cloudstack-setup-agent script infra.
- This feature will only use the qemu+tls:// scheme when both source and destination hosts have their libvirtd tls enabled.

Regards.

________________________________
From: Rohit Yadav <rohit.ya...@shapeblue.com>
Sent: Tuesday, November 21, 2017 11:39:34 AM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Hi Marc,

Thanks for your comments, I'll reply to them on the cwiki page. Briefly - CloudStack does support live VM migration already and presently on adding a KVM host using CloudStack's addHost runs cloudstack-setup-agent and configures libvirtd by adding suitable options to enable libvirtd on tcp. I'll have another look at your PR too.

Regards.

________________________________
From: Marc-Aurèle Brothier - Exoscale <ma...@exoscale.ch>
Sent: Friday, November 17, 2017 8:06:55 PM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Working, thanks!

On Fri, 2017-11-17 at 11:27 -0200, Rafael Weingärtner wrote:
> Marc I added permission to you; can you test if you can make comments
> now?
>
> On Fri, Nov 17, 2017 at 11:20 AM, Marc-Aurèle Brothier - Exoscale <
> ma...@exoscale.ch> wrote:
>
> > I'm not able to post comments on the wiki even when logged in so I post
> > to the mailing list. I guess I'm not in any special wiki group to edit
> > CS pages.
> >
> > Good news you made the live migration working (right?) on master. Is it
> > really something we want to control under CS on the agent installation
> > all this libvirt TLS setup? Maybe the installation could write libvirtd
> > configuration file for TLS and non-TLS setup in CS and/or libvirt /etc
> > directory but without overriding the normal one. I have to admit I'm
> > not familiar with how things are usually done in CS for external
> > components.
> >
> > You can also add to cloudstack configuration the libvirt flags used for
> > the live migration, which should be customizable in some way. On my PR
> > it's in agent.properties, but it could be sent along with the migration
> > command.
> >
> > I would welcome if you could setup a wiki page that I could edit on the
> > KVM live migration so I could add my remark on my experience and things
> > to config/consider.
> >
> > On your question: +1 on having the configuration value for TLS or plain
> > tcp.
> >
> > Marc-Aurèle
> >
> > On Thu, 2017-11-16 at 10:32 +0000, Rohit Yadav wrote:
> > > All,
> > >
> > > Kindly review and share your thoughts and comments for a new feature
> > > - Secure VM live migration for KVM, this feature builds on top of the
> > > previous feature that brought in a new CA framework [1] for
> > > CloudStack.
> > >
> > > Here is a rough first draft for your review:
> > >
> > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM+VM+Live+Migration
> > >
> > > [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Agent+Communications
> > >
> > > Regards.
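
The rule from the 21 November summary above (qemu+tls:// only when both source and destination hosts have libvirtd TLS enabled), sketched as an added example that is not part of the thread or of CloudStack's code. The function names, the sample configuration text, the host name, the fallback to qemu+tcp:// and the "explicit listen_tls = 1" test are assumptions of this example.

```python
import re

# Constructed sample libvirtd.conf contents (not taken from a real host).
TLS_HOST_CONF = """\
# libvirtd.conf as a setup script might write it
listen_tls = 1
listen_tcp = 0
tls_port = "16514"
"""
TCP_HOST_CONF = """\
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
"""

# key = value, value optionally double-quoted, optional trailing comment
_SETTING = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_libvirtd_conf(text):
    """Return {key: value} for uncommented key = value lines; last one wins."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out settings do not count
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def tls_enabled(conf_text):
    # Assumption of this example: a host counts as TLS-enabled only when
    # listen_tls is explicitly set to 1 in its libvirtd.conf.
    return parse_libvirtd_conf(conf_text).get("listen_tls") == "1"


def migration_uri(src_conf, dst_conf, dst_host):
    """qemu+tls:// only when both ends have TLS on, otherwise qemu+tcp://."""
    both_tls = tls_enabled(src_conf) and tls_enabled(dst_conf)
    # Assumed fallback: the plain-TCP listener the thread says is set up today.
    scheme = "qemu+tls" if both_tls else "qemu+tcp"
    return f"{scheme}://{dst_host}/system"
```

A mixed pair resolves to qemu+tcp:// here, so in a cluster where encrypted migration is expected, any qemu+tcp:// result is worth logging or alerting on.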