[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

Sun, 25 Mar 2018 23:50:52 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16413447#comment-16413447
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
---------------------------------------------

wido commented on a change in pull request #2505: CLOUDSTACK-10333: Secure Live 
VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r176992891
 
 

 ##########
 File path: debian/cloudstack-agent.postinst
 ##########
 @@ -50,6 +50,13 @@ case "$1" in
             mkdir /etc/libvirt/hooks
         fi
         cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook 
/etc/libvirt/hooks/qemu
+
+        # Enable TLS enabled VM migration for libvirtd
+        if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j 
ACCEPT" > /dev/null; then
+            iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+            iptables-save > /etc/iptables/rules.v4
+        fi
+
 
 Review comment:
   If users are using firewalld or ufw on their CentOS/Ubuntu system this may 
break things. And like I said, /etc/iptables does not exist on Ubuntu systems 
by default, you need the iptables-persistent package for that.
   
   I wouldn't touch the firewall in a postinst of a package. The package should 
not touch parts of the system it's not configuring.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Secure VM Live migration for KVM
> --------------------------------
>
>                 Key: CLOUDSTACK-10333
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10333
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>            Priority: Major
>             Fix For: 4.12.0.0, 4.11.1.0
>
>
> With use of CA framework to secure hosts, the current mechanisms don't secure 
> libvirtd to use those certificates (used by agent to connect to mgmt server). 
> This causes insecure vm migration over tcp instead of tls. The aim is to use 
> the same framework and certificates to secure live VM migration. This could 
> be coupled with securing of a host and renewal/provisioning of certificates 
> to host.
>  
> FS: 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to