Posted to commits@cloudstack.apache.org by da...@apache.org on 2023/01/25 08:29:41 UTC

[cloudstack-documentation] branch main updated: KVM: do not listen on TCP port when configure kvm host (#301)

This is an automated email from the ASF dual-hosted git repository.

dahn pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git


The following commit(s) were added to refs/heads/main by this push:
     new a2a45f0  KVM: do not listen on TCP port when configure kvm host (#301)
a2a45f0 is described below

commit a2a45f00adc6a5bf90449c46d127873d07360714
Author: Wei Zhou <we...@apache.org>
AuthorDate: Wed Jan 25 09:29:35 2023 +0100

    KVM: do not listen on TCP port when configure kvm host (#301)
---
 source/installguide/hypervisor/kvm.rst | 43 +++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/source/installguide/hypervisor/kvm.rst b/source/installguide/hypervisor/kvm.rst
index fedc959..eb8c2e6 100644
--- a/source/installguide/hypervisor/kvm.rst
+++ b/source/installguide/hypervisor/kvm.rst
@@ -299,8 +299,10 @@ cloudstack-agent and should already be installed.
    Please note that Cloudstack will automatically perform basic configuration of the agent and libvirt when the host is added. This is relevant if you are
    planning to automate the deployment and configuration of your KVM hosts.
 
-#. In order to have live migration working libvirt has to listen for
-   unsecured TCP connections. We also need to turn off libvirts attempt
+#. To avoid potential security attack to virtual machines, We need to turn
+   off libvirt to listen on unsecure TCP port. CloudStack will automatically
+   set up cloud keystore and certificates when the host is added to cloudstack.
+   We also need to turn off libvirts attempt
    to use Multicast DNS advertising. Both of these settings are in
    ``/etc/libvirt/libvirtd.conf``
 
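Review bot: the new wording at `+#. To avoid potential security attack to virtual machines, We need to turn` / `+   off libvirt to listen on unsecure TCP port.` is ungrammatical and never names the risk; suggest stating it concretely, e.g. "libvirt's plain TCP listener (port 16509) is unencrypted and unauthenticated, so anyone who can reach it can control the hypervisor and its guests. Leave it disabled and use the TLS listener (port 16514); CloudStack sets up the keystore and certificates for it when the host is added." The removed sentence also explained why a listener is needed at all (live migration); the replacement should keep that rationale and say that migration now uses the TLS listener, otherwise a reader may conclude libvirt no longer needs to listen on the network.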
@@ -312,7 +314,11 @@ cloudstack-agent and should already be installed.
 
    .. parsed-literal::
 
-      listen_tcp = 1
+      listen_tcp = 0
+
+   .. parsed-literal::
+
+      tls_port = "16514"
 
    .. parsed-literal::
 
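Review bot: `+      tls_port = "16514"` is added without anything that enables the TLS listener; `tls_port` only has an effect when `listen_tls` is on. libvirt defaults to `listen_tls = 1` and to port 16514, so as written this line documents defaults rather than changing behaviour. Suggest showing `listen_tls = 1` next to it so the reader sees the complete pair, or adding a sentence saying both are the defaults and are listed for clarity. Likewise `listen_tcp = 0` is the default; a note that this is the value to revert to on hosts configured from earlier versions of this guide (which set it to 1) would help upgraders.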
@@ -326,8 +332,7 @@ cloudstack-agent and should already be installed.
 
       mdns_adv = 0
 
-#. Turning on "listen\_tcp" in libvirtd.conf is not enough, we have to
-   change the parameters as well:
+#. We have to change the parameters as well:
 
    On RHEL or CentOS or SUSE modify ``/etc/sysconfig/libvirtd``:
 
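Review bot: `+#. We have to change the parameters as well:` has lost its referent; it no longer says which parameters or why the libvirtd.conf edits are not enough. The point of this step is that libvirtd honours the `listen_*` settings only when it is started with `--listen` (short form `-l`), so the daemon's startup options have to be changed too. Suggest: "Enabling the listener in libvirtd.conf is not enough: libvirtd only honours the listen_* settings when started with --listen, so the daemon's startup options must be changed as well:".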
@@ -344,33 +349,35 @@ cloudstack-agent and should already be installed.
       systemctl mask libvirtd.socket libvirtd-ro.socket libvirtd-admin.socket libvirtd-tls.socket libvirtd-tcp.socket
 
 
-   On Ubuntu modify ``/etc/default/libvirt-bin``
+   On Ubuntu 20.04 or older, modify ``/etc/default/libvirtd``
 
    Uncomment and change the following line
 
    .. parsed-literal::
 
-      #env libvirtd_opts=""
+      #libvirtd_opts=""
 
    so it looks like:
 
    .. parsed-literal::
 
-      env libvirtd_opts="-l"
+      libvirtd_opts="-l"
 
-#. Restart libvirt
+   On Ubuntu 22.04 or newer version, modify ``/etc/default/libvirtd``:
 
-   In RHEL or CentOS or SUSE :
+   Uncomment the following line:
 
    .. parsed-literal::
 
-        $ systemctl restart libvirtd
+      #LIBVIRTD_ARGS="--listen"
 
-   In Ubuntu:
+#. Restart libvirt
+
+   In RHEL or CentOS or SUSE or Ubuntu:
 
    .. parsed-literal::
 
-      $ systemctl restart libvirt-bin
+        $ systemctl restart libvirtd
 
 
 Configure the Security Policies
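Review bot: the Ubuntu 22.04 step shows only the commented line `+      #LIBVIRTD_ARGS="--listen"` and, unlike the 20.04 step, not the result; add the uncommented `LIBVIRTD_ARGS="--listen"` so both blocks follow the same "change this / so it looks like" pattern. More importantly, libvirtd refuses to start with `--listen` while its systemd socket units are active, and the `systemctl mask libvirtd.socket ...` step at the top of this hunk is presented only for RHEL/CentOS/SUSE; either state that it applies to Ubuntu 22.04 as well or `+        $ systemctl restart libvirtd` will fail there. Minor: that restart line is indented two spaces deeper than the other literal blocks in this section.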
@@ -1289,7 +1296,7 @@ using a firewall):
 
 #. 1798
 
-#. 16509, 16514 (libvirt)
+#. 16514 (libvirt)
 
 #. 5900 - 6100 (VNC consoles)
 
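Review bot: `+#. 16514 (libvirt)` would be clearer as `16514 (libvirt TLS)`, so a reader comparing against older versions of the guide sees that the plaintext 16509 listener was dropped deliberately rather than omitted by mistake.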
@@ -1313,10 +1320,6 @@ extra ports by executing the following iptable commands:
 
    $ iptables -I INPUT -p tcp -m tcp --dport 1798 -j ACCEPT
 
-.. parsed-literal::
-
-   $ iptables -I INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
-
 .. parsed-literal::
 
    $ iptables -I INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
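Review bot: removing the `--dport 16509` ACCEPT rule is consistent with `listen_tcp = 0` earlier in the patch, but hosts built from earlier versions of this page were told to add it and to enable the TCP listener; a sentence telling readers who upgrade an existing host to delete that rule and set `listen_tcp = 0` would stop the plaintext listener from remaining reachable after the documentation change.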
@@ -1361,10 +1364,6 @@ To open the required ports, execute the following commands:
 
    $ ufw allow proto tcp from any to any port 1798
 
-.. parsed-literal::
-
-   $ ufw allow proto tcp from any to any port 16509
-
 .. parsed-literal::
 
    $ ufw allow proto tcp from any to any port 16514