[ https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16413442#comment-16413442 ]
ASF GitHub Bot commented on CLOUDSTACK-10333: --------------------------------------------- rhtyd commented on a change in pull request #2505: CLOUDSTACK-10333: Secure Live VM Migration for KVM URL: https://github.com/apache/cloudstack/pull/2505#discussion_r176992386 ########## File path: debian/cloudstack-agent.postinst ########## @@ -50,6 +50,13 @@ case "$1" in mkdir /etc/libvirt/hooks fi cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook /etc/libvirt/hooks/qemu + + # Enable TLS enabled VM migration for libvirtd + if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT" > /dev/null; then + iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT + iptables-save > /etc/iptables/rules.v4 + fi + Review comment: The `cloudstack-setup-agent` reconfigures libvirtd config and also adds iptables rules for several ports, the post-install script (both rpm+deb) does a test if expected iptables rules are in place and adds the ACCEPT rule only if needed. Given not all users may use a config mgmt system such as chef/puppet/ansible, running the commands as part of post-install script will save the additional work they may need to do themselves (manually or automated). @wido I'm okay to advise users via release/admin docs, but I don't see any negative/side-effects with the change. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Secure VM Live migration for KVM > -------------------------------- > > Key: CLOUDSTACK-10333 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10333 > Project: CloudStack > Issue Type: Improvement > Security Level: Public(Anyone can view this level - this is the > default.) > Reporter: Rohit Yadav > Assignee: Rohit Yadav > Priority: Major > Fix For: 4.12.0.0, 4.11.1.0 > > > With use of CA framework to secure hosts, the current mechanisms don't secure > libvirtd to use those certificates (used by agent to connect to mgmt server). > This causes insecure vm migration over tcp instead of tls. The aim is to use > the same framework and certificates to secure live VM migration. This could > be coupled with securing of a host and renewal/provisioning of certificates > to host. > > FS: > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM -- This message was sent by Atlassian JIRA (v7.6.3#76005)