On 03/21/2018 10:06 AM, Rohit Yadav wrote:
> Thanks Wido for your comments.
>
> Yes, for any changes to libvirtd the proposal is to re-use
> cloudstack-setup-agent, which in fact reconfigures the libvirtd config at the
> time of the addition of a host and also configures the iptables rules. As
> part of upgrading a KVM agent, the post-install script (part of the deb/rpm
> pkg) can also run the same to secure the libvirt TLS configuration, only on
> KVM hosts that have any existing certificates/keystore.
>

Hmm, we might want to be careful with a postinst. I'm not against it being
handled by a postinst, but we should watch out with overwriting config files
without the user knowing.

Wido

> - Rohit
>
> <https://cloudstack.apache.org>
>
> ________________________________
> From: Wido den Hollander <w...@widodh.nl>
> Sent: Wednesday, March 21, 2018 1:38:19 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Enhancement: Use CA framework to enable secured live KVM VM migration
>
> On 03/21/2018 08:05 AM, Rohit Yadav wrote:
>> All,
>>
>> With the introduction of a native CA framework in CloudStack, with 4.11+ it
>> will be used to secure the addition of KVM hosts and agents (cpvm, ssvm).
>> However, while the KVM host agent may be secured when it communicates with
>> the management server, the live VM migration still happens over an insecure
>> TCP connection.
>>
>> It is proposed to re-use the existing mechanism introduced in 4.11 and
>> re-use the host certificates that are used to secure a KVM host to secure
>> libvirt, allowing secured TLS-enabled VM migration. Further, the UI may be
>> enhanced to discover unsecured KVM hosts and allow securing them (or
>> renewal/provisioning of certificates) through a button. Please find the FS
>> for the proposed enhancement:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM
>>
>
> Seems good! As long as we make sure that only cloudstack-setup-agent
> touches the libvirt config files I'm good with it.
>
> Many people (like us) have the libvirt config files managed through a
> tool like Salt/Puppet/Chef and don't like it when daemons suddenly start
> changing configuration files.
>
> But this looks good to me!
>
> Wido
>
>> - Rohit
>>
>> <https://cloudstack.apache.org>
>>
>> rohit.ya...@shapeblue.com
>> www.shapeblue.com
>> 53 Chandos Place, Covent Garden, London WC2N 4HSUK
>> @shapeblue
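The guard rails the thread asks of a postinst (act only on hosts that already hold a certificate set, never silently rewrite a file that Salt/Puppet/Chef owns, leave a visible trace, and stay idempotent) can be put into a small shell routine. The script below is an added example and is not cloudstack-setup-agent, CloudStack's package scripts, or anything from the FS linked above. It assumes the certificates sit in one directory as cacert.pem, servercert.pem and serverkey.pem (libvirt's own defaults use separate paths), that tool-managed files carry a "managed by ..." header comment, and it uses the standard libvirtd.conf keys listen_tls, listen_tcp, ca_file, cert_file and key_file. The sample config it edits is constructed inline.

```shell
#!/bin/sh
# Added example, not CloudStack's cloudstack-setup-agent or its package postinst.
# Secures a libvirtd.conf-style file for TLS migration with the guard rails from
# the thread: certificates must already exist, tool-managed files are refused,
# a backup is written, and repeated runs leave the file unchanged.
# Assumption: a single CERT_DIR holding cacert.pem, servercert.pem, serverkey.pem.

# Return 0 if the file carries a marker left by Puppet/Salt/Chef/Ansible.
is_managed_config() {
    grep -qiE '^#.*(managed|generated) by.*(puppet|salt|chef|ansible)' "$1"
}

# Set "key = value": replace an existing line (commented-out or not) or append
# when the key is absent. Uses a temp file instead of the non-portable sed -i.
set_conf_key() {
    conf="$1"; key="$2"; value="$3"
    if grep -qE "^#?[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# Print the active (uncommented) value of KEY without surrounding quotes.
get_conf_key() {
    sed -nE "s/^${2}[[:space:]]*=[[:space:]]*\"?([^\"]*)\"?.*/\1/p" "$1"
}

# secure_libvirt_tls CONF CERT_DIR
# Status: 0 = secured (or already secured), 2 = skipped because this host has
# no certificate set, 3 = skipped because the file is owned by another tool.
secure_libvirt_tls() {
    conf="$1"; certdir="$2"
    for f in cacert.pem servercert.pem serverkey.pem; do
        [ -s "$certdir/$f" ] || return 2
    done
    if is_managed_config "$conf"; then
        return 3
    fi
    # Leave a timestamped copy so the operator can see what the package changed.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    set_conf_key "$conf" listen_tls 1
    set_conf_key "$conf" listen_tcp 0
    set_conf_key "$conf" ca_file   "\"$certdir/cacert.pem\""
    set_conf_key "$conf" cert_file "\"$certdir/servercert.pem\""
    set_conf_key "$conf" key_file  "\"$certdir/serverkey.pem\""
    return 0
}

# Constructed sample input (not a real host's file): TCP on, TLS commented out.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample libvirtd.conf
#listen_tls = 0
listen_tcp = 1
#ca_file = "/etc/pki/CA/cacert.pem"
EOF
}

# Stand-alone demonstration on a throwaway directory.
demo() {
    d=$(mktemp -d)
    write_sample_conf "$d/libvirtd.conf"
    # Constructed placeholder certificate files; only their presence matters here.
    for f in cacert.pem servercert.pem serverkey.pem; do echo placeholder > "$d/$f"; done
    rc=0; secure_libvirt_tls "$d/libvirtd.conf" "$d" || rc=$?
    echo "status $rc"; cat "$d/libvirtd.conf"
    rm -rf "$d"
}
demo
```

Run on a managed file the routine returns 3 and writes nothing, which is the behaviour Wido asks for; the management layer can then surface "unsecured host" in the UI rather than the package fighting the configuration tool for the file.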