Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2018/03/22 08:36:21 UTC

[GitHub] rhtyd opened a new pull request #2505: CLOUDSTACK-10333: Secure Live VM Migration for KVM

URL: https://github.com/apache/cloudstack/pull/2505
 
 
   ## Description
   
   This extends securing of KVM hosts to securing of libvirt on the KVM
   host as well, for TLS-enabled live VM migration. To simplify the implementation,
   securing a host implies that both the host and the libvirtd process are
   secured with certificates issued by the management server's CA plugin.
   
   FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM
   
   Based on whether the keystore and certificate files are available at
   /etc/cloudstack/agent, the KVM agent determines whether to use TLS- or
   TCP-based URIs for live VM migration. It is also enforced that a secured
   host will allow live VM migration to/from other secured hosts only, and an
   unsecured host will allow live VM migration to/from other unsecured
   hosts only.
   
   Post upgrade, the KVM agent on startup will expose its security state
   (the `secured` detail is sent as true or false) to the management server, where
   it gets saved in host_details for the host. This host detail can be accessed
   via the listHosts response, and in the UI unsecured KVM hosts will show
   up with the host state of ‘unsecured’. Further, a button has been added
   that allows admins to provision/renew certificates for KVM hosts and can
   be used to secure any unsecured KVM host.
   
   The `cloudstack-setup-agent` was modified to accept a new flag `-s`,
   which will reconfigure libvirtd with the following settings:
   
       listen_tcp=0
       listen_tls=1
       tcp_port="16509"
       tls_port="16514"
       auth_tcp="none"
       auth_tls="none"
       key_file = "/etc/pki/libvirt/private/serverkey.pem"
       cert_file = "/etc/pki/libvirt/servercert.pem"
       ca_file = "/etc/pki/CA/cacert.pem"
   
   For a connected KVM host agent, when the certificates are
   renewed/provisioned, a background task is scheduled that waits until all
   of the agent tasks finish, after which the libvirt process is restarted and
   finally the agent is restarted via AgentShell.
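   As an added example (not code from this PR or from the CloudStack code base), the following Python audits a libvirtd.conf against the settings `cloudstack-setup-agent -s` writes, decides whether a host counts as secured based on the presence of the keystore and certificate files under /etc/cloudstack/agent, builds the matching `qemu+tls://` or `qemu+tcp://` migration URI, and applies the secured-to-secured / unsecured-to-unsecured migration rule. The file names `cloud.jks`, `cloud.crt`, `cloud.key` and `cloud.ca.crt` are assumptions, as is the `exists` hook used so the check can run without touching the real file system; the two libvirtd.conf samples are constructed.

```python
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

# Settings that `cloudstack-setup-agent -s` writes, taken from the PR description.
# tcp_port/auth_tcp are left out of the audit because listen_tcp=0 disables TCP.
EXPECTED_LIBVIRTD_SETTINGS: Dict[str, str] = {
    "listen_tcp": "0",
    "listen_tls": "1",
    "tls_port": "16514",
    "auth_tls": "none",
    "key_file": "/etc/pki/libvirt/private/serverkey.pem",
    "cert_file": "/etc/pki/libvirt/servercert.pem",
    "ca_file": "/etc/pki/CA/cacert.pem",
}

# Assumed names of the files the agent looks for (not confirmed by the PR text).
AGENT_SECURITY_FILES = ("cloud.jks", "cloud.crt", "cloud.key", "cloud.ca.crt")

_KV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_libvirtd_conf(text: str) -> Dict[str, str]:
    """Parse `key = value` lines of a libvirtd.conf.

    Comments (including commented-out defaults such as `#listen_tls = 1`)
    are dropped and surrounding quotes are stripped from values.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        match = _KV_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def libvirtd_findings(settings: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (key, expected, actual) for every setting that deviates from the secured profile."""
    findings = []
    for key, expected in EXPECTED_LIBVIRTD_SETTINGS.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


def host_is_secured(agent_dir: str = "/etc/cloudstack/agent",
                    required: Tuple[str, ...] = AGENT_SECURITY_FILES,
                    exists: Callable[[str], bool] = os.path.isfile) -> bool:
    """Mirror the agent's rule: the host is secured only if every keystore/cert file is present."""
    return all(exists(os.path.join(agent_dir, name)) for name in required)


def migration_uri(dest_host: str, dest_secured: bool) -> str:
    """Pick the libvirt transport for live migration: TLS for secured hosts, TCP otherwise."""
    scheme = "qemu+tls" if dest_secured else "qemu+tcp"
    return f"{scheme}://{dest_host}/system"


def check_migration_allowed(src_secured: bool, dst_secured: bool) -> Tuple[bool, Optional[str]]:
    """Secured hosts may only migrate to/from secured hosts, unsecured only to/from unsecured."""
    if src_secured == dst_secured:
        return True, None
    return False, "Live VM migration between a secured and an unsecured host is not allowed"


# Constructed sample: libvirtd.conf after `cloudstack-setup-agent -s`.
SAMPLE_SECURED_CONF = """\
listen_tcp=0
listen_tls=1
tcp_port="16509"
tls_port="16514"
auth_tcp="none"
auth_tls="none"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
"""

# Constructed sample: a host still on plain, unauthenticated TCP.
SAMPLE_UNSECURED_CONF = """\
#listen_tls = 1
listen_tcp = 1
listen_tls = 0
auth_tcp = "none"   # unauthenticated TCP listener
"""


if __name__ == "__main__":
    for label, conf in (("secured", SAMPLE_SECURED_CONF), ("unsecured", SAMPLE_UNSECURED_CONF)):
        findings = libvirtd_findings(parse_libvirtd_conf(conf))
        print(f"{label}: {len(findings)} deviation(s) from the TLS profile")
        for key, expected, actual in findings:
            print(f"  {key}: expected {expected!r}, found {actual!r}")
    print(migration_uri("kvm2.example", dest_secured=True))
    print(check_migration_allowed(True, False))
```

   Run as a script it reports the deviations of each sample; the functions are what an operator would wire into a host health check or an agent-side self test.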
   
   There are no API or DB changes.
   
   ## Types of changes
   - [ ] Breaking change (fix or feature that would cause existing functionality to change)
   - [ ] New feature (non-breaking change which adds functionality)
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [ ] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ## Screenshots (if appropriate):
   
   Unsecured KVM hosts, when Up and connected, show up as:
   ![screenshot from 2018-03-20 19-18-42](https://user-images.githubusercontent.com/95203/37759459-b0f31564-2dd9-11e8-9fc2-9a16259c750e.png)
   
   Button to secure a host, or renew/provision its certificate using the configured CA plugin:
   ![screenshot from 2018-03-20 19-18-49](https://user-images.githubusercontent.com/95203/37759461-b1383ba8-2dd9-11e8-8770-d8a07a52e124.png)
   ![screenshot from 2018-03-20 19-19-00](https://user-images.githubusercontent.com/95203/37759462-b184777a-2dd9-11e8-958e-d06197a5bf69.png)
   
   Error message when VM migration is between secured and unsecured hosts:
   ![screenshot from 2018-03-20 19-20-48](https://user-images.githubusercontent.com/95203/37759463-b1ca3742-2dd9-11e8-8ec7-1f866ea5d87a.png)
   
   ## How Has This Been Tested?
   
   - Tested with a pre-upgrade secured KVM host (el7 based); post-upgrade it secures libvirtd using the same certificates.
   - Tested TLS-enabled live VM migration between two secured and two unsecured el7 KVM hosts.
   
   ## Checklist:
   - [ ] I have read the [CONTRIBUTING](https://github.com/apache/cloudstack/blob/master/CONTRIBUTING.md) document.
   - [ ] My code follows the code style of this project.
   - [ ] My change requires a change to the documentation.
   - [ ] I have updated the documentation accordingly.
   - [ ] I have added tests to cover my changes.
   - [ ] All new and existing tests passed.
   
   @blueorangutan package
   
