
Re: [Xen-users] Xen 4.2 - Security on Live Migration



On Wed, 2013-02-27 at 12:58 +0000, Katerina Mparmpopoulou wrote:
> Hello Ian,
> 
> Thx again for your information, I'm quite unfamiliar with that and I
> still can't get it.
> 
> On 02/27/2013 11:40 AM, Ian Campbell wrote:
> > On Wed, 2013-02-27 at 09:29 +0000, Katerina Mparmpopoulou wrote:
> 
> >> If I want to place my own ssl key and my own certificate when
> >> I'm migrating a vm in another physical machine, how should I use
> >> the command??
> > 
> > You need to pass a command which will connect its stdin/stdout over
> > the communication channel of your choice to the stdin/stdout of
> > "xl migrate-receive" running on the target host. How you set up
> > that communication channel and arrange for that process on the
> > remote machine is up to you to arrange in that command.
> > 
> 
> You mean that everything needs to be done in:
> 
>  xl migrate -s <sshcommand> <guest_vm> <target_machine>
> 
> where sshcommand is the stdin/stdout of another command?

sshcommand *is* a command to be run, which has a stdin/stdout.

> > For example you could reasonably trivially build something out of
> > netcat and ssh which did secure authentication but insecure
> > data transfer.
> > 
> > If you want to do something with SSL certs then I expect you will
> > want to find an ssl capable netcat type thing, I think openssl has
> > such mechanisms in it. Or you could write your own client/server
> > pair, etc etc.
> 
> I have already created my client/server pairs, but I don't know in
> which file to place/save them. Namely, xl migrate-receive command from
> which file retrieves these keys? Where is the default pair (if there
> is any)?
> 
> In the previous version I could create client/server pairs and I used to
> save them in etc/xen/xend-config.sxp, like this:
> 
> (xend-relocation-server-ssl-key-file   my_server.key)
> (xend-relocation-server-ssl-cert-file  my_server.crt)

I'm afraid that xl doesn't have equivalent functionality. TBH I didn't
even know xend did. However you can construct equivalent functionality
with the sshcommand thing, by writing your own simple client and server,
which is what I am talking about.

> Now do I need to run the migrate command every time along with this
> pair? For example like this?
> 
> $xl migrate -s /etc/ssh/keys/my_server.key /etc/ssh/keys/my_server.crt
> <sshcommand> <guest_vm> <target_machine>

Your sshcommand would need to encode knowledge about my_server.key
and .crt, either directly or through its own configuration file.

Ian.


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
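
An added example, not part of the original thread and not Xen project code: one way to write the "sshcommand" discussed above as a wrapper that reads the key and certificate locations from its own configuration file and carries stdin/stdout over mutually authenticated TLS with socat. The wrapper name, the config path, the variable names and the port are hypothetical, and it assumes xl invokes the command as `<sshcommand> <target_machine> xl migrate-receive ...`, so that `$1` is the target host.

```shell
#!/bin/sh
# Hypothetical wrapper; use as:
#   xl migrate -s /usr/local/bin/xl-tls-wrapper <guest_vm> <target_machine>
# Assumed listener on the target host (same CA, its own key/cert):
#   socat OPENSSL-LISTEN:8003,reuseaddr,cert=...,key=...,cafile=...,verify=1 \
#         EXEC:"xl migrate-receive"
# The config file is sourced, so it must be writable by root only.
CONF=${XL_TLS_CONF:-/etc/xen/xl-tls-wrapper.conf}   # hypothetical path

# Succeeds only if $1 is a regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints the socat TLS address for host $1 using KEY, CERT, CAFILE and PORT
# from config file $2; fails on unsafe input instead of connecting.
tls_address() {
    host=$1
    KEY= CERT= CAFILE= PORT=
    [ -r "$2" ] || { echo "cannot read config $2" >&2; return 1; }
    . "$2"
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "bad host name" >&2; return 1 ;;
    esac
    case $PORT in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    for f in "$CERT" "$CAFILE"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    key_is_private "$KEY" || { echo "key missing or not private" >&2; return 1; }
    # verify=1 makes socat require a peer certificate that chains to CAFILE.
    printf 'OPENSSL:%s:%s,cert=%s,key=%s,cafile=%s,verify=1\n' \
        "$host" "$PORT" "$CERT" "$KEY" "$CAFILE"
}

# When called with arguments (as xl would), connect stdin/stdout to the
# TLS channel; with no arguments the file only defines the functions.
if [ "$#" -gt 0 ]; then
    addr=$(tls_address "$1" "$CONF") || exit 1
    exec socat STDIO "$addr"
fi
```

In this sketch the remote command arguments that xl passes after the host are ignored, because the listener on the target already runs `xl migrate-receive`.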


 

