cloudstack-dev mailing list archives

From Wido den Hollander <w...@widodh.nl>
Subject Re: [DISCUSS] Enhancement: Use CA framework to enable secured live KVM VM migration
Date Wed, 21 Mar 2018 08:08:19 GMT


On 03/21/2018 08:05 AM, Rohit Yadav wrote:
> All,
> 
> With the introduction of a native CA framework in CloudStack, with 4.11+ it will be used
> to secure addition of KVM hosts and agents (cpvm, ssvm). However, the KVM host agent may be
> secured while it communicates to the management server, the live VM migration still happens
> on insecure tcp connection.
> 
> It is proposed to re-use the existing mechanism introduced in 4.11 and re-use host certificates
> that are used to secure a KVM host to secure libvirt for allowing secured TLS-enabled VM migration.
> Further, the UI may be enhanced to discover unsecured KVM hosts and allow securing (or renewal/provisioning
> of certificates) through a button. Please find the FS for the proposed enhancement:
> 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM
> 

Seems good! As long as we make sure that only cloudstack-setup-agent
touches the libvirt config files I'm good with it.

Many people (like us) have the libvirt config files managed through a
tool like Salt/Puppet/Chef and don't like it when daemons suddenly start
changing configuration files.

But this looks good to me!

Wido

> 
> - Rohit
> 
> <https://cloudstack.apache.org>
> 
> rohit.yadav@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London WC2N 4HS UK
> @shapeblue
> 
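
Added example, not part of either message above and not CloudStack's code: a read-only check of a host's libvirtd.conf text that reports whether libvirt would offer the plain TCP listener the proposal wants to move away from. It changes no files, which fits hosts whose config is owned by Salt/Puppet/Chef. The function names and sample files are constructed for illustration; `listen_tls`, `listen_tcp`, `auth_tcp`, `tcp_port` and `tls_port` are real libvirtd.conf keys.

```python
import re

# Effective libvirtd.conf values when a key is absent or commented out
# (the defaults documented in the stock libvirtd.conf).
DEFAULTS = {"listen_tls": 1, "listen_tcp": 0, "auth_tcp": "sasl"}
# Matches active `key = 123` or `key = "text"` lines, optional trailing comment.
LINE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*("([^"]*)"|-?\d+)\s*(?:#.*)?$')

def parse_libvirtd_conf(text):
    """Return effective settings: defaults overridden by active lines."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:  # comments, blanks and list-valued keys do not match
            key, val, quoted = m.groups()
            conf[key] = quoted if quoted is not None else int(val)
    return conf

def audit(text):
    """Return findings for a libvirtd listener config that is not TLS-only."""
    conf, findings = parse_libvirtd_conf(text), []
    if conf["listen_tcp"]:
        findings.append("listen_tcp=1: plain TCP listener enabled")
        if conf["auth_tcp"] == "none":
            findings.append('auth_tcp="none": TCP listener is unauthenticated')
    if not conf["listen_tls"]:
        findings.append("listen_tls=0: TLS listener disabled")
    return findings

# Constructed sample files, not taken from any real host.
INSECURE = '''
#listen_tls = 1
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
'''
TLS_ONLY = '''
listen_tls = 1
listen_tcp = 0   # plain TCP off
tls_port = "16514"
'''

if __name__ == "__main__":
    for name, sample in (("INSECURE", INSECURE), ("TLS_ONLY", TLS_ONLY)):
        print(name, audit(sample) or "TLS-only listener config")
```

The file alone does not prove a listener is up; it shows what libvirtd would offer once remote listening is enabled on the host.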
