On 03/21/2018 08:05 AM, Rohit Yadav wrote:
> All,
>
> With the introduction of a native CA framework in CloudStack, with 4.11+ it
> will be used to secure addition of KVM hosts and agents (cpvm, ssvm).
> However, the KVM host agent may be secured while it communicates to the
> management server, the live VM migration still happens on an insecure TCP
> connection.
>
> It is proposed to re-use the existing mechanism introduced in 4.11 and re-use
> host certificates that are used to secure a KVM host to secure libvirt for
> allowing secured TLS-enabled VM migration. Further, the UI may be enhanced to
> discover unsecured KVM hosts and allow securing (or renewal/provisioning of
> certificates) through a button. Please find the FS for the proposed
> enhancement:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM
>

Seems good! As long as we make sure that only cloudstack-setup-agent touches the libvirt config files I'm good with it.

Many people (like us) have the libvirt config files managed through a tool like Salt/Puppet/Chef and don't like it when daemons suddenly start changing configuration files.

But this looks good to me!

Wido

> - Rohit