Here's an interdiff describing the security implications better: diff --git a/NEWS b/NEWS index e3e25bc..39bdf49 100644 --- a/NEWS +++ b/NEWS @@ -15,8 +15,10 @@ Incompatible/important changes for the xl stack of Xen required SSH to be able to migrate the instance, leading to a situation where full movement of an instance around the cluster was not possible. This version fixes the issue by using socat to transfer - instance data. As a consequence, Xen instance migrations using xl cannot - occur between nodes running 2.13.0 and 2.13.1. + instance data. While socat is less secure than SSH, it is about as secure as + xm migrations, and occurs over the secondary network if present. As a + consequence of this change, Xen instance migrations using xl cannot occur + between nodes running 2.13.0 and 2.13.1.
Version 2.13.0 On Thu, Jun 11, 2015 at 2:11 PM, Klaus Aehlig <[email protected]> wrote: > On Wed, Jun 10, 2015 at 04:05:56PM +0200, 'Hrvoje Ribicic' via > ganeti-devel wrote: > > This patch adds information about the xl migration change to the NEWS > > file. > > > > Signed-off-by: Hrvoje Ribicic <[email protected]> > > --- > > NEWS | 17 +++++++++++++++++ > > 1 file changed, 17 insertions(+) > > > +Version 2.13.1 > > +-------------- > > + > > +*(unreleased)* > > + > > +Incompatible/important changes > > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > + > > +- The SSH security changes reduced the number of nodes which can SSH > into > > + other nodes. Unfortunately enough, the Ganeti implementation of > migration > > + for the xl stack of Xen required SSH to be able to migrate the > instance, > > + leading to a situation where full movement of an instance around the > cluster > > + was not possible. This version fixes the issue by using socat to > transfer > > + instance data. > > Should we mention that the transfer goes over the secondary network, so > that users > better assess the security implications of this change and know how to > secure the > transfer if needed. > > > + As a consequence, Xen instance migrations using xl cannot > > + occur between nodes running 2.13.0 and 2.13.1. > > In any case LGTM > > -- > Klaus Aehlig > Google Germany GmbH, Dienerstr. 12, 80331 Muenchen > Registergericht und -nummer: Hamburg, HRB 86891 > Sitz der Gesellschaft: Hamburg > Geschaeftsfuehrer: Graham Law, Christine Elizabeth Flores > Hrvoje Ribicic Ganeti Engineering Google Germany GmbH Dienerstr. 12, 80331, München Geschäftsführer: Graham Law, Christine Elizabeth Flores Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg
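Review bot: In the interdiff to NEWS, the added sentence "While socat is less secure than SSH, it is about as secure as xm migrations" names no concrete property that is lost, so an operator cannot judge the exposure from it. Suggest stating what the socat transfer lacks compared with SSH (for instance whether the instance data travels without encryption or peer authentication), and saying which network carries the transfer when no secondary network exists, since "if present" leaves that case open. The review comment also asked that users "know how to secure the transfer if needed"; a short pointer on that would close it. As a wording point, "it ... occurs over the secondary network" has socat as its subject; "the transfer occurs over the secondary network" reads correctly.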
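Review bot: In the quoted 2.13.1 NEWS entry, the closing sentence "Xen instance migrations using xl cannot occur between nodes running 2.13.0 and 2.13.1" states the incompatibility but not what an operator should do about it. Suggest adding the action, for example that all nodes should run the same version before xl migrations are attempted. The entry also opens with "The SSH security changes" without saying which release introduced them; naming the version would help readers who see only this entry, and "Unfortunately enough" can be shortened to "Unfortunately".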
