Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2017/11/16 10:32:14 UTC

[FS] Request for comments: Secure VM Live Migration for KVM

All,


Kindly review and share your thoughts and comments for a new feature, Secure VM live migration for KVM. This feature builds on top of the previous feature that brought in a new CA framework [1] for CloudStack.


Here is a rough first draft for your review:

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM+VM+Live+Migration


[1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Agent+Communications


Regards.

rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue
  
 


Re: [FS] Request for comments: Secure VM Live Migration for KVM

Posted by Rohit Yadav <ro...@shapeblue.com>.
Thanks everyone again for your reviews, I'll finalize the FS now and work may potentially begin after next week. Till then, if you've any feedback please do share.

Regards.

Get Outlook for Android<https://aka.ms/ghei36>

________________________________


From: Rohit Yadav
Sent: Tuesday, November 21, 2017 1:07:50 PM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM


All,


Thanks to everyone who've reviewed the FS so far - Wido, Rafael, Marc-Aurèle.


I'll summarize additional information on this feature:

- CloudStack's addHost API calls cloudstack-setup-agent on KVM hosts, which already injects configuration into the libvirtd.conf file.

- The crux of this feature is to use the new CA framework's provisioned certificates for the libvirtd+tls setup, based on a global setting (cluster scope), and to enable secure live VM migration across KVM hosts wherever applicable. The libvirtd TLS setup in the conf file can be done by the existing cloudstack-setup-agent script infra.

- This feature will only use the qemu+tls:// scheme when both source and destination hosts have their libvirtd tls enabled.


Regards.

________________________________
From: Rohit Yadav <ro...@shapeblue.com>
Sent: Tuesday, November 21, 2017 11:39:34 AM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Hi Marc,

Thanks for your comments, I'll reply to them on the cwiki page.

Briefly - CloudStack does support live VM migration already, and presently adding a KVM host using CloudStack's addHost runs cloudstack-setup-agent and configures libvirtd by adding suitable options to enable libvirtd on tcp. I'll have another look at your PR too.

Regards.


________________________________
From: Marc-Aurèle Brothier - Exoscale <ma...@exoscale.ch>
Sent: Friday, November 17, 2017 8:06:55 PM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Working, thanks!




On Fri, 2017-11-17 at 11:27 -0200, Rafael Weingärtner wrote:
> Marc I added permission to you; can you test if you can make comments
> now?
>
> On Fri, Nov 17, 2017 at 11:20 AM, Marc-Aurèle Brothier - Exoscale <
> marco@exoscale.ch> wrote:
>
> > I'm not able to post comments on the wiki even when logged in so I
> > post
> > to the mailing list. I guess I'm not in any special wiki group to
> > edit
> > CS pages.
> >
> > Good news you made the live migration working (right?) on master.
> > Is it
> > really something we want to control under CS on the agent
> > installation
> > all this libvirt TLS setup? Maybe the installation could write
> > libvirtd
> > configuration file for TLS and non-TLS setup in CS and/or libvirt
> > /etc
> > directory but without overriding the normal one. I have to admit
> > I'm
> > not familiar with how things are usually done in CS for external
> > components.
> >
> > You can also add to cloudstack configuration the libvirt flags used
> > for
> > the live migration, which should be customizable in some way. On my
> > PR
> > it's in agent.properties, but it could be sent along with the
> > migration
> > command.
> >
> > I would welcome if you could setup a wiki page that I could edit on
> > the
> > KVM live migration so I could add my remark on my experience and
> > things
> > to config/consider.
> >
> > On your question: +1 on having the configuration value for TLS or
> > plain
> > tcp.
> >
> > Marc-Aurèle
> >
> > On Thu, 2017-11-16 at 10:32 +0000, Rohit Yadav wrote:
> > > All,
> > >
> > >
> > > Kindly review and share your thoughts and comments for a new
> > > feature
> > > - Secure VM live migration for KVM, this feature builds on top of
> > > the
> > > previous feature that brought in a new CA framework [1] for
> > > CloudStack.
> > >
> > >
> > > Here is a rough first draft for your review:
> > >
> > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM
> > > +VM+
> > > Live+Migration
> > >
> > >
> > > [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure
> > > +Age
> > > nt+Communications
> > >
> > >
> > > Regards.
> > >
> > > rohit.yadav@shapeblue.com
> > > www.shapeblue.com<http://www.shapeblue.com>
> > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > > @shapeblue
> > >
> > >
> > >
>
>
>

Re: [FS] Request for comments: Secure VM Live Migration for KVM

Posted by Rohit Yadav <ro...@shapeblue.com>.
All,


Thanks to everyone who've reviewed the FS so far - Wido, Rafael, Marc-Aurèle.


I'll summarize additional information on this feature:

- CloudStack's addHost API calls cloudstack-setup-agent on KVM hosts, which already injects configuration into the libvirtd.conf file.

- The crux of this feature is to use the new CA framework's provisioned certificates for the libvirtd+tls setup, based on a global setting (cluster scope), and to enable secure live VM migration across KVM hosts wherever applicable. The libvirtd TLS setup in the conf file can be done by the existing cloudstack-setup-agent script infra.

- This feature will only use the qemu+tls:// scheme when both source and destination hosts have their libvirtd tls enabled.


Regards.

________________________________
From: Rohit Yadav <ro...@shapeblue.com>
Sent: Tuesday, November 21, 2017 11:39:34 AM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Hi Marc,

Thanks for your comments, I'll reply to them on the cwiki page.

Briefly - CloudStack does support live VM migration already, and presently adding a KVM host using CloudStack's addHost runs cloudstack-setup-agent and configures libvirtd by adding suitable options to enable libvirtd on tcp. I'll have another look at your PR too.

Regards.


________________________________
From: Marc-Aurèle Brothier - Exoscale <ma...@exoscale.ch>
Sent: Friday, November 17, 2017 8:06:55 PM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Working, thanks!




On Fri, 2017-11-17 at 11:27 -0200, Rafael Weingärtner wrote:
> Marc I added permission to you; can you test if you can make comments
> now?
>
> On Fri, Nov 17, 2017 at 11:20 AM, Marc-Aurèle Brothier - Exoscale <
> marco@exoscale.ch> wrote:
>
> > I'm not able to post comments on the wiki even when logged in so I
> > post
> > to the mailing list. I guess I'm not in any special wiki group to
> > edit
> > CS pages.
> >
> > Good news you made the live migration working (right?) on master.
> > Is it
> > really something we want to control under CS on the agent
> > installation
> > all this libvirt TLS setup? Maybe the installation could write
> > libvirtd
> > configuration file for TLS and non-TLS setup in CS and/or libvirt
> > /etc
> > directory but without overriding the normal one. I have to admit
> > I'm
> > not familiar with how things are usually done in CS for external
> > components.
> >
> > You can also add to cloudstack configuration the libvirt flags used
> > for
> > the live migration, which should be customizable in some way. On my
> > PR
> > it's in agent.properties, but it could be sent along with the
> > migration
> > command.
> >
> > I would welcome if you could setup a wiki page that I could edit on
> > the
> > KVM live migration so I could add my remark on my experience and
> > things
> > to config/consider.
> >
> > On your question: +1 on having the configuration value for TLS or
> > plain
> > tcp.
> >
> > Marc-Aurèle
> >
> > On Thu, 2017-11-16 at 10:32 +0000, Rohit Yadav wrote:
> > > All,
> > >
> > >
> > > Kindly review and share your thoughts and comments for a new
> > > feature
> > > - Secure VM live migration for KVM, this feature builds on top of
> > > the
> > > previous feature that brought in a new CA framework [1] for
> > > CloudStack.
> > >
> > >
> > > Here is a rough first draft for your review:
> > >
> > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM
> > > +VM+
> > > Live+Migration
> > >
> > >
> > > [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure
> > > +Age
> > > nt+Communications
> > >
> > >
> > > Regards.
> > >
> > > rohit.yadav@shapeblue.com
> > > www.shapeblue.com<http://www.shapeblue.com>
> > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > > @shapeblue
> > >
> > >
> > >
>
>
>
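
As an added example (not CloudStack's own code, and not from the wiki draft): the two mechanisms Rohit summarises above, the libvirtd.conf rewrite that a setup script would perform for the TLS-versus-plain-TCP setting, and the rule that qemu+tls:// is used only when both source and destination hosts have libvirtd TLS enabled, written in Python, the language of cloudstack-setup-agent. The option names are real libvirtd.conf keys; the certificate paths are libvirt's defaults standing in for the CA-framework-provisioned files, and the sample conf text, host flags, setting name and function names are constructed for the example. It also includes a defender's audit, which the thread does not spell out, that flags a host left with an unauthenticated plaintext listener after TLS was meant to be enabled.

```python
"""Added example, not CloudStack project code: libvirtd.conf mode rewrite,
migration-scheme selection and a post-setup audit for KVM live migration."""
import re

# Real libvirtd.conf keys; values are what each mode needs.  Paths are the
# libvirt defaults; a real deployment would point them at the files the CA
# framework provisioned (assumption: the agent knows those paths).
TCP_CONF = {
    "listen_tcp": "1",
    "listen_tls": "0",
    "auth_tcp": '"none"',
}
TLS_CONF = {
    "listen_tcp": "0",                  # drop the plaintext listener entirely
    "listen_tls": "1",
    "auth_tls": '"none"',               # the x509 client cert is the authentication
    "tls_no_verify_certificate": "0",   # clients must present a CA-signed cert
    "key_file": '"/etc/pki/libvirt/private/serverkey.pem"',
    "cert_file": '"/etc/pki/libvirt/servercert.pem"',
    "ca_file": '"/etc/pki/CA/cacert.pem"',
}

# Matches "key = value" whether or not the line is commented out.
_KEY_RE = re.compile(r'^\s*#?\s*([a-z_]+)\s*=\s*(.*?)\s*$')

# Constructed sample: what a host looks like after the current plain-TCP setup.
SAMPLE_TCP_CONF = """# constructed sample libvirtd.conf, not from a real host
#listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
#key_file = "/etc/pki/libvirt/private/serverkey.pem"
"""


def parse_conf(text):
    """Return {key: value} for active (uncommented) assignments only."""
    out = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = _KEY_RE.match(s)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def render_conf(existing, use_tls):
    """Rewrite libvirtd.conf text so exactly one mode is active.  Managed keys
    (commented or not) are replaced in place; keys for the other mode are
    commented out; anything still missing is appended under a marker."""
    wanted = dict(TLS_CONF if use_tls else TCP_CONF)
    managed = set(TCP_CONF) | set(TLS_CONF)
    out = []
    for line in existing.splitlines():
        m = _KEY_RE.match(line)
        if m and m.group(1) in managed:
            key = m.group(1)
            if key in wanted:
                out.append(f"{key} = {wanted.pop(key)}")
            else:
                out.append(f"#{key} = {m.group(2)}")   # neutralise the other mode's key
            continue
        out.append(line)
    if wanted:
        out.append("# managed by setup script (added example)")
        out.extend(f"{k} = {v}" for k, v in wanted.items())
    return "\n".join(out) + "\n"


def migration_uri(secure_setting, src_tls, dst_tls, dst_host):
    """Scheme rule from the thread: qemu+tls only when the cluster-scoped
    setting is on AND both hosts have libvirtd TLS enabled; else qemu+tcp."""
    if secure_setting and src_tls and dst_tls:
        return f"qemu+tls://{dst_host}/system"
    return f"qemu+tcp://{dst_host}/system"


def audit_conf(text):
    """Defender's check on a rendered conf: report listeners that accept
    connections without any authentication."""
    cfg = parse_conf(text)
    findings = []
    if cfg.get("listen_tcp") == "1" and cfg.get("auth_tcp") == '"none"':
        findings.append("unauthenticated plaintext TCP listener enabled")
    if cfg.get("listen_tls") == "1" and cfg.get("tls_no_verify_certificate") == "1":
        findings.append("TLS listener does not verify client certificates")
    return findings


if __name__ == "__main__":
    print("before:", audit_conf(SAMPLE_TCP_CONF))
    tls_text = render_conf(SAMPLE_TCP_CONF, use_tls=True)
    print(tls_text)
    print("after:", audit_conf(tls_text))
    print(migration_uri(True, True, True, "kvm-host-2"))
    print(migration_uri(True, True, False, "kvm-host-2"))
```

The point of `audit_conf` is the caveat a practitioner would want: enabling the TLS listener is only half the change, and a host that keeps `listen_tcp = 1` with `auth_tcp = "none"` still exposes an unauthenticated management socket, so the TCP mode must be switched off, not merely shadowed, when the cluster moves to TLS. Because `migration_uri` falls back to plain TCP whenever either side lacks TLS, a mixed cluster silently migrates in the clear until every host has been reconfigured, which is worth surfacing in logs or the host list rather than relying on the setting alone.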

Re: [FS] Request for comments: Secure VM Live Migration for KVM

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Marc,

Thanks for your comments, I'll reply to them on the cwiki page.

Briefly - CloudStack does support live VM migration already, and presently adding a KVM host using CloudStack's addHost runs cloudstack-setup-agent and configures libvirtd by adding suitable options to enable libvirtd on tcp. I'll have another look at your PR too.

Regards.


________________________________
From: Marc-Aurèle Brothier - Exoscale <ma...@exoscale.ch>
Sent: Friday, November 17, 2017 8:06:55 PM
To: dev@cloudstack.apache.org
Subject: Re: [FS] Request for comments: Secure VM Live Migration for KVM

Working, thanks!




On Fri, 2017-11-17 at 11:27 -0200, Rafael Weingärtner wrote:
> Marc I added permission to you; can you test if you can make comments
> now?
>
> On Fri, Nov 17, 2017 at 11:20 AM, Marc-Aurèle Brothier - Exoscale <
> marco@exoscale.ch> wrote:
>
> > I'm not able to post comments on the wiki even when logged in so I
> > post
> > to the mailing list. I guess I'm not in any special wiki group to
> > edit
> > CS pages.
> >
> > Good news you made the live migration working (right?) on master.
> > Is it
> > really something we want to control under CS on the agent
> > installation
> > all this libvirt TLS setup? Maybe the installation could write
> > libvirtd
> > configuration file for TLS and non-TLS setup in CS and/or libvirt
> > /etc
> > directory but without overriding the normal one. I have to admit
> > I'm
> > not familiar with how things are usually done in CS for external
> > components.
> >
> > You can also add to cloudstack configuration the libvirt flags used
> > for
> > the live migration, which should be customizable in some way. On my
> > PR
> > it's in agent.properties, but it could be sent along with the
> > migration
> > command.
> >
> > I would welcome if you could setup a wiki page that I could edit on
> > the
> > KVM live migration so I could add my remark on my experience and
> > things
> > to config/consider.
> >
> > On your question: +1 on having the configuration value for TLS or
> > plain
> > tcp.
> >
> > Marc-Aurèle
> >
> > On Thu, 2017-11-16 at 10:32 +0000, Rohit Yadav wrote:
> > > All,
> > >
> > >
> > > Kindly review and share your thoughts and comments for a new
> > > feature
> > > - Secure VM live migration for KVM, this feature builds on top of
> > > the
> > > previous feature that brought in a new CA framework [1] for
> > > CloudStack.
> > >
> > >
> > > Here is a rough first draft for your review:
> > >
> > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM
> > > +VM+
> > > Live+Migration
> > >
> > >
> > > [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure
> > > +Age
> > > nt+Communications
> > >
> > >
> > > Regards.
> > >
> > > rohit.yadav@shapeblue.com
> > > www.shapeblue.com<http://www.shapeblue.com>
> > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > > @shapeblue
> > >
> > >
> > >
>
>
>

Re: [FS] Request for comments: Secure VM Live Migration for KVM

Posted by Marc-Aurèle Brothier - Exoscale <ma...@exoscale.ch>.
Working, thanks!


On Fri, 2017-11-17 at 11:27 -0200, Rafael Weingärtner wrote:
> Marc I added permission to you; can you test if you can make comments
> now?
> 
> On Fri, Nov 17, 2017 at 11:20 AM, Marc-Aurèle Brothier - Exoscale <
> marco@exoscale.ch> wrote:
> 
> > I'm not able to post comments on the wiki even when logged in so I
> > post
> > to the mailing list. I guess I'm not in any special wiki group to
> > edit
> > CS pages.
> > 
> > Good news you made the live migration working (right?) on master.
> > Is it
> > really something we want to control under CS on the agent
> > installation
> > all this libvirt TLS setup? Maybe the installation could write
> > libvirtd
> > configuration file for TLS and non-TLS setup in CS and/or libvirt
> > /etc
> > directory but without overriding the normal one. I have to admit
> > I'm
> > not familiar with how things are usually done in CS for external
> > components.
> > 
> > You can also add to cloudstack configuration the libvirt flags used
> > for
> > the live migration, which should be customizable in some way. On my
> > PR
> > it's in agent.properties, but it could be sent along with the
> > migration
> > command.
> > 
> > I would welcome if you could setup a wiki page that I could edit on
> > the
> > KVM live migration so I could add my remark on my experience and
> > things
> > to config/consider.
> > 
> > On your question: +1 on having the configuration value for TLS or
> > plain
> > tcp.
> > 
> > Marc-Aurèle
> > 
> > On Thu, 2017-11-16 at 10:32 +0000, Rohit Yadav wrote:
> > > All,
> > > 
> > > 
> > > Kindly review and share your thoughts and comments for a new
> > > feature
> > > - Secure VM live migration for KVM, this feature builds on top of
> > > the
> > > previous feature that brought in a new CA framework [1] for
> > > CloudStack.
> > > 
> > > 
> > > Here is a rough first draft for your review:
> > > 
> > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM
> > > +VM+
> > > Live+Migration
> > > 
> > > 
> > > [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure
> > > +Age
> > > nt+Communications
> > > 
> > > 
> > > Regards.
> > > 
> > > rohit.yadav@shapeblue.com
> > > www.shapeblue.com
> > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > > @shapeblue
> > > 
> > > 
> > > 
> 
> 
> 

Re: [FS] Request for comments: Secure VM Live Migration for KVM

Posted by Rafael Weingärtner <ra...@gmail.com>.
Marc I added permission to you; can you test if you can make comments now?

On Fri, Nov 17, 2017 at 11:20 AM, Marc-Aurèle Brothier - Exoscale <
marco@exoscale.ch> wrote:

> I'm not able to post comments on the wiki even when logged in so I post
> to the mailing list. I guess I'm not in any special wiki group to edit
> CS pages.
>
> Good news you made the live migration working (right?) on master. Is it
> really something we want to control under CS on the agent installation
> all this libvirt TLS setup? Maybe the installation could write libvirtd
> configuration file for TLS and non-TLS setup in CS and/or libvirt /etc
> directory but without overriding the normal one. I have to admit I'm
> not familiar with how things are usually done in CS for external
> components.
>
> You can also add to cloudstack configuration the libvirt flags used for
> the live migration, which should be customizable in some way. On my PR
> it's in agent.properties, but it could be sent along with the migration
> command.
>
> I would welcome if you could setup a wiki page that I could edit on the
> KVM live migration so I could add my remark on my experience and things
> to config/consider.
>
> On your question: +1 on having the configuration value for TLS or plain
> tcp.
>
> Marc-Aurèle
>
> On Thu, 2017-11-16 at 10:32 +0000, Rohit Yadav wrote:
> > All,
> >
> >
> > Kindly review and share your thoughts and comments for a new feature
> > - Secure VM live migration for KVM, this feature builds on top of the
> > previous feature that brought in a new CA framework [1] for
> > CloudStack.
> >
> >
> > Here is a rough first draft for your review:
> >
> > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM+VM+
> > Live+Migration
> >
> >
> > [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Age
> > nt+Communications
> >
> >
> > Regards.
> >
> > rohit.yadav@shapeblue.com
> > www.shapeblue.com
> > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > @shapeblue
> >
> >
> >
>



-- 
Rafael Weingärtner

Re: [FS] Request for comments: Secure VM Live Migration for KVM

Posted by Marc-Aurèle Brothier - Exoscale <ma...@exoscale.ch>.
I'm not able to post comments on the wiki even when logged in so I post
to the mailing list. I guess I'm not in any special wiki group to edit
CS pages.

Good news you made the live migration working (right?) on master. Is it
really something we want to control under CS on the agent installation
all this libvirt TLS setup? Maybe the installation could write libvirtd
configuration file for TLS and non-TLS setup in CS and/or libvirt /etc
directory but without overriding the normal one. I have to admit I'm
not familiar with how things are usually done in CS for external
components.

You can also add to cloudstack configuration the libvirt flags used for
the live migration, which should be customizable in some way. On my PR
it's in agent.properties, but it could be sent along with the migration
command.

I would welcome if you could setup a wiki page that I could edit on the
KVM live migration so I could add my remark on my experience and things
to config/consider.

On your question: +1 on having the configuration value for TLS or plain
tcp.

Marc-Aurèle

On Thu, 2017-11-16 at 10:32 +0000, Rohit Yadav wrote:
> All,
> 
> 
> Kindly review and share your thoughts and comments for a new feature
> - Secure VM live migration for KVM, this feature builds on top of the
> previous feature that brought in a new CA framework [1] for
> CloudStack.
> 
> 
> Here is a rough first draft for your review:
> 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM+VM+
> Live+Migration
> 
> 
> [1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Age
> nt+Communications
> 
> 
> Regards.
> 
> rohit.yadav@shapeblue.com 
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>   
>  
>