You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2018/03/22 08:36:21 UTC
[GitHub] rhtyd opened a new pull request #2505: CLOUDSTACK-10333: Secure Live VM Migration for KVM
rhtyd opened a new pull request #2505: CLOUDSTACK-10333: Secure Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505
## Description
This extends securing of KVM hosts to securing of libvirt on KVM
host as well for TLS enabled live VM migration. To simplify implementation
securing of host implies that both host and libvirtd processes are
secured with management server's CA plugin issued certificates.
FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM
Based on whether keystore and certificates files are available at
/etc/cloudstack/agent, the KVM agent determines whether to use TLS or
TCP based uris for live VM migration. It is also enforced that a secured
host will allow live VM migration to/from other secured host, and an
unsecured hosts will allow live VM migration to/from other unsecured
host only.
Post upgrade the KVM agent on startup will expose its security state
(secured detail is sent as true or false) to the managements server that
gets saved in host_details for the host. This host detail can be accesed
via the listHosts response, and in the UI unsecured KVM hosts will show
up with the host state of ‘unsecured’. Further, a button has been added
that allows admins to provision/renew certificates to KVM hosts and can
be used to secure any unsecured KVM host.
The `cloudstack-setup-agent` was modified to accept a new flag `-s`
which will reconfigure libvirtd with following settings:
listen_tcp=0
listen_tls=1
tcp_port="16509"
tls_port="16514"
auth_tcp="none"
auth_tls="none"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
For a connected KVM host agent, when the certificate are
renewed/provisioned a background task is scheduled that waits until all
of the agent tasks finish after which libvirt process is restarted and
finally the agent is restarted via AgentShell.
There are no API or DB changes.
## Types of changes
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
## Screenshots (if appropriate):
Unsecured KVM hosts when are Up and connected show up as:
![screenshot from 2018-03-20 19-18-42](https://user-images.githubusercontent.com/95203/37759459-b0f31564-2dd9-11e8-9fc2-9a16259c750e.png)
Button to secure host, or renew/provision certificate using configured CA plugin;
![screenshot from 2018-03-20 19-18-49](https://user-images.githubusercontent.com/95203/37759461-b1383ba8-2dd9-11e8-8770-d8a07a52e124.png)
![screenshot from 2018-03-20 19-19-00](https://user-images.githubusercontent.com/95203/37759462-b184777a-2dd9-11e8-958e-d06197a5bf69.png)
Error message when VM migration is between secured and unsecured hosts:
![screenshot from 2018-03-20 19-20-48](https://user-images.githubusercontent.com/95203/37759463-b1ca3742-2dd9-11e8-8ec7-1f866ea5d87a.png)
## How Has This Been Tested?
- Tested between a pre-upgraded secured KVM host (el7 based) and post-upgrade it secures libvirtd using same certificates.
- Tested tls enabled live vm migration between two secured and unsecured el7 kvm hosts.
## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [ ] I have read the [CONTRIBUTING](https://github.com/apache/cloudstack/blob/master/CONTRIBUTING.md) document.
- [ ] My code follows the code style of this project.
- [ ] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [ ] I have added tests to cover my changes.
- [ ] All new and existing tests passed.
<!-- The following will kick a packaging job, remove if as applicable -->
@blueorangutan package
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services