Thanks Wido for your comments.

Yes, for any changes to libvirtd the proposal is to re-use 
cloudstack-setup-agent, which in fact reconfigures the libvirtd config at the time 
of the addition of a host and also configures the iptables rule. As part of upgrading 
a KVM agent, the post-install script (part of the deb/rpm pkg) can also run the 
same to secure the libvirt TLS configuration only on KVM hosts that have 
existing certificates/keystore.


- Rohit

<https://cloudstack.apache.org>



________________________________
From: Wido den Hollander <w...@widodh.nl>
Sent: Wednesday, March 21, 2018 1:38:19 PM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Enhancement: Use CA framework to enable secured live KVM 
VM migration



On 03/21/2018 08:05 AM, Rohit Yadav wrote:
> All,
>
>
> With the introduction of a native CA framework in CloudStack, with 4.11+ it 
> will be used to secure the addition of KVM hosts and agents (cpvm, ssvm). 
> However, while the KVM host agent may be secured when it communicates with the 
> management server, live VM migration still happens over an insecure TCP 
> connection.
>
>
> It is proposed to re-use the existing mechanism introduced in 4.11, i.e. the 
> host certificates that are used to secure a KVM host, to secure libvirt for 
> allowing secured TLS-enabled VM migration. Further, the UI may be enhanced to 
> discover unsecured KVM hosts and allow securing them (or renewal/provisioning of 
> certificates) through a button. Please find the FS for the proposed 
> enhancement:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM
>

Seems good! As long as we make sure that only cloudstack-setup-agent
touches the libvirt config files I'm good with it.

Many people (like us) have the libvirt config files managed through a
tool like Salt/Puppet/Chef and don't like it when daemons suddenly start
changing configuration files.

But this looks good to me!

Wido

>
> - Rohit
>
> <https://cloudstack.apache.org>
>
>
>
> rohit.ya...@shapeblue.com
> www.shapeblue.com<http://www.shapeblue.com>
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
>

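The thread describes a post-install step that flips libvirtd from plain TCP to TLS only on hosts that already hold CA-issued certificates, and Wido's condition that nothing but that one tool should touch the libvirt config files. The script below is an added example written for this page; it is not cloudstack-setup-agent or any other CloudStack code. It assumes a flat certificate layout (cacert.pem, servercert.pem, private/serverkey.pem under one directory) and the libvirtd.conf keys listen_tls, listen_tcp, tls_no_verify_certificate, ca_file, cert_file and key_file, which are real libvirt settings; the function names and the "refuse when no certificates" exit code are this example's own choices.

```shell
#!/bin/sh
# Added example, not CloudStack's cloudstack-setup-agent: an idempotent
# post-install style step that enables libvirt TLS only when the host
# already has its certificates, and a check that reports whether the
# resulting libvirtd.conf is secured. Paths below are assumptions.

# Return 0 when the CA cert, server cert and server key are all present.
# Flat layout under one directory is an assumption of this example;
# stock libvirt keeps the CA cert under /etc/pki/CA instead.
has_libvirt_certs() {
    dir="$1"
    [ -f "$dir/cacert.pem" ] && [ -f "$dir/servercert.pem" ] \
        && [ -f "$dir/private/serverkey.pem" ]
}

# Set "key = value" in a libvirtd.conf-style file. Any existing active or
# commented assignment of the key is dropped first, so running this twice
# leaves exactly one line for the key (the idempotency a package
# post-install script needs). Written without sed -i so it runs on both
# GNU and BSD userlands.
set_conf_key() {
    conf="$1"; key="$2"; value="$3"
    tmp="$conf.tmp.$$"
    grep -Ev "^[[:space:]]*#?[[:space:]]*$key[[:space:]]*=" "$conf" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# Switch libvirtd from the insecure listener to TLS, but only if the
# certificates exist. Returns 2 and leaves the file untouched otherwise,
# matching the thread's "only on KVM hosts that have existing
# certificates" rule.
secure_libvirtd_conf() {
    conf="$1"; certdir="$2"
    if ! has_libvirt_certs "$certdir"; then
        echo "no certificates under $certdir; leaving $conf untouched" >&2
        return 2
    fi
    set_conf_key "$conf" listen_tls 1
    set_conf_key "$conf" listen_tcp 0
    # 0 means clients must present a certificate chained to ca_file
    set_conf_key "$conf" tls_no_verify_certificate 0
    set_conf_key "$conf" ca_file "\"$certdir/cacert.pem\""
    set_conf_key "$conf" cert_file "\"$certdir/servercert.pem\""
    set_conf_key "$conf" key_file "\"$certdir/private/serverkey.pem\""
}

# Return 0 when the config listens on TLS, not on plain TCP, and verifies
# client certificates; this is what a UI "discover unsecured hosts" check
# would test on each host.
libvirtd_is_secured() {
    conf="$1"
    grep -Eq '^[[:space:]]*listen_tls[[:space:]]*=[[:space:]]*1' "$conf" &&
    grep -Eq '^[[:space:]]*listen_tcp[[:space:]]*=[[:space:]]*0' "$conf" &&
    ! grep -Eq '^[[:space:]]*tls_no_verify_certificate[[:space:]]*=[[:space:]]*1' "$conf"
}

# Walk-through on a constructed config in a temp directory: run `demo`.
demo() {
    d=$(mktemp -d)
    conf="$d/libvirtd.conf"
    # constructed "before" state: the plain-TCP listener used for migration
    printf 'listen_tls = 0\nlisten_tcp = 1\nauth_tcp = "none"\n' > "$conf"
    secure_libvirtd_conf "$conf" "$d/pki" || echo "refused: no certs yet"
    mkdir -p "$d/pki/private"
    touch "$d/pki/cacert.pem" "$d/pki/servercert.pem" "$d/pki/private/serverkey.pem"
    secure_libvirtd_conf "$conf" "$d/pki"
    libvirtd_is_secured "$conf" && echo "secured:" && cat "$conf"
    rm -rf "$d"
}
```

Two things the config edit alone does not cover, both part of what the thread expects the same tool to handle: libvirtd only honours listen_* keys when started with `--listen` (LIBVIRTD_ARGS on RPM systems), and the TLS listener uses port 16514 rather than 16509, so the iptables rule has to change with it. The example also leaves tls_allowed_dn_list unset, so any client certificate issued by the configured CA is accepted; with the CloudStack CA that is the set of hosts and the management server.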