On Sat, Dec 28, 2019 at 02:18:20AM +0000, Zhangbo (Oscar) wrote:
> This is an RFC request for supporting virt-admin to update cacrl without
> restarting libvirtd.
>
> When a client wants to establish a TLS connection with libvirtd, a CRL
> file is used by libvirtd to verify the client's certificate. Right now,
> if the CRL file is changed, you must restart libvirtd to make it take
> effect. The restart behavior of libvirtd will cause clients connecting
> with libvirtd to fail.
>
> In a server cluster, the CRL file may be updated quite frequently due to
> the large amount of certificates. If the new CRL does not take effect
> in time, there are security risks. So you may need to restart libvirtd
> frequently to make the CRL take effect in time. However, frequent restarts
> will affect the reliability of cluster virtual machine management (such as
> openstack) services.
>
> This RFC patch adds a virt-admin command to update the server's CRL *online*.
>
> This patch is not elegant enough; if this feature makes sense, I'd do more
> improvements.
I agree that not being able to update the CRL without restarts is a
significant problem that needs a fix.

I'd suggest it is just part of an even bigger problem - we can't update the
CA cert, server cert / key either. This is increasingly important as the
popularity of short-expiry server certs increases.

So I think we should make the command be able to update all these TLS
related PEM files. e.g. have a more general command "virt-admin
daemon-reload-tls" to update CA cert, CA crl, server cert+key.

The impl could check the timestamps on the individual PEM files, so it
avoids reloading the files which haven't changed since last time.

>
> ---
>  include/libvirt/libvirt-admin.h      |  4 ++
>  src/admin/admin_protocol.x           | 13 +++++-
>  src/admin/admin_server.c             | 13 ++++++
>  src/admin/admin_server.h             |  4 ++
>  src/admin/libvirt-admin.c            | 33 ++++++++++++++++
>  src/admin/libvirt_admin_private.syms |  1 +
>  src/admin/libvirt_admin_public.syms  |  1 +
>  src/rpc/virnetserver.c               | 58 +++++++++++++++++++++++++++
>  src/rpc/virnetserver.h               |  3 ++
>  src/rpc/virnettlscontext.c           | 33 ++++++++++++++++
>  src/rpc/virnettlscontext.h           |  3 ++
>  tools/virt-admin.c                   | 59 ++++++++++++++++++++++++++++

docs/manpages/virt-admin.rst will need an update too.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
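To make the "check the timestamps, reload only what changed" idea from the reply concrete, here is an added example in C. It is not libvirt code and not part of the RFC patch: the `pem_watch_*` functions, the `struct pem_file` fields and the four file names (taken from libvirt's documented defaults) are assumptions made for this illustration. It records stat() metadata (mtime, size and inode) for the CA cert, CA CRL, server cert and server key when they are loaded, computes the set of files that differ on the next reload request, hands that set to a caller-supplied reload callback in a single call, and only commits the new metadata after the callback succeeds. Refusing to reload at all when one of the files has disappeared, and keeping the old snapshot when the callback fails, are the edge cases a daemon needs so that a half-applied update can never leave it without a usable TLS context.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* PEM files a TLS daemon loads at startup (names assumed; libvirt's documented defaults). */
enum { PEM_CACERT, PEM_CACRL, PEM_SERVERCERT, PEM_SERVERKEY, PEM_COUNT };
static const char *const pem_names[PEM_COUNT] = {
    "cacert.pem", "cacrl.pem", "servercert.pem", "serverkey.pem" };

/* Metadata recorded when a file was last loaded into the TLS context. */
struct pem_file {
    char path[256];
    time_t mtime;   /* modification time in seconds */
    off_t size;
    ino_t inode;    /* differs after the usual write-new-file-then-rename() update */
};
struct pem_watch { struct pem_file files[PEM_COUNT]; };

/* Snapshot one file's metadata; -1 if it cannot be stat()ed. */
static int pem_snapshot(struct pem_file *f, const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    snprintf(f->path, sizeof(f->path), "%s", path);
    f->mtime = st.st_mtime; f->size = st.st_size; f->inode = st.st_ino;
    return 0;
}

/* Record the configured paths at daemon startup; all four files must exist. */
int pem_watch_init(struct pem_watch *w, const char *const paths[PEM_COUNT])
{
    for (int i = 0; i < PEM_COUNT; i++)
        if (pem_snapshot(&w->files[i], paths[i]) < 0) return -1;
    return 0;
}

/* Stat every file into 'fresh'; return a bitmask of those differing from the recorded
 * snapshot, 0 if none, or -1 if any file is now missing (then nothing may be reloaded). */
int pem_watch_changed(const struct pem_watch *w, struct pem_watch *fresh)
{
    int mask = 0;
    for (int i = 0; i < PEM_COUNT; i++) {
        const struct pem_file *old = &w->files[i], *cur = &fresh->files[i];
        if (pem_snapshot(&fresh->files[i], old->path) < 0) return -1;
        if (cur->mtime != old->mtime || cur->size != old->size || cur->inode != old->inode)
            mask |= 1 << i;
    }
    return mask;
}

/* Callback that rebuilds the TLS context from the files flagged in changed_mask (<0 = failed). */
typedef int (*pem_reload_fn)(int changed_mask, const struct pem_watch *w, void *opaque);
/* Reload step behind a "reload-tls" admin command: stat first, let the callback read the
 * files, then commit the snapshot, so a file modified between stat and read still differs
 * next time. Returns the reloaded mask, 0 if nothing changed, -1 (old snapshot kept) on failure. */
int pem_watch_reload(struct pem_watch *w, pem_reload_fn reload, void *opaque)
{
    struct pem_watch fresh;
    int mask = pem_watch_changed(w, &fresh);
    if (mask <= 0) return mask;
    if (reload(mask, w, opaque) < 0) return -1;
    *w = fresh;
    return mask;
}
/* Test doubles: a callback that only records the mask (a real one rebuilds the TLS context). */
static int record_mask(int mask, const struct pem_watch *w, void *opaque)
{ (void)w; *(int *)opaque = mask; return 0; }
static int write_text(const char *path, const char *text)
{ FILE *fp = fopen(path, "w"); return (!fp || fputs(text, fp) == EOF) ? -1 : fclose(fp); }
/* Constructed scenario: placeholder PEM files in a scratch directory, a CRL rotation done
 * as rotation tools do it (write new file, rename() over the old one), then a missing key.
 * Returns 0, or the number of the failing step. */
int pem_watch_selftest(void)
{
    char dir[64], p[PEM_COUNT][256], tmp[272];
    const char *paths[PEM_COUNT];
    struct pem_watch w, fresh; int seen = 0, rc = 0;
    snprintf(dir, sizeof(dir), "/tmp/pemwatch.%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0 && errno != EEXIST) return 1;
    for (int i = 0; i < PEM_COUNT; i++) {
        snprintf(p[i], sizeof(p[i]), "%s/%s", dir, pem_names[i]);
        paths[i] = p[i];
        if (write_text(p[i], "-----BEGIN PLACEHOLDER-----\n") < 0) rc = 2;
    }
    snprintf(tmp, sizeof(tmp), "%s.new", p[PEM_CACRL]);
    if (!rc && pem_watch_init(&w, paths) < 0) rc = 3;
    if (!rc && pem_watch_changed(&w, &fresh) != 0) rc = 4;   /* nothing changed yet */
    if (!rc && (write_text(tmp, "-----BEGIN PLACEHOLDER-----\nrotated\n") < 0 ||
                rename(tmp, p[PEM_CACRL]) < 0)) rc = 5;
    if (!rc && pem_watch_reload(&w, record_mask, &seen) != (1 << PEM_CACRL)) rc = 6;
    if (!rc && (seen != (1 << PEM_CACRL) || pem_watch_reload(&w, record_mask, &seen) != 0)) rc = 7;
    if (!rc && (unlink(p[PEM_SERVERKEY]) < 0 || pem_watch_changed(&w, &fresh) != -1)) rc = 8;
    for (int i = 0; i < PEM_COUNT; i++) unlink(p[i]);
    rmdir(dir);
    return rc;
}

int main(void) { return pem_watch_selftest(); }   /* exit status 0: every step passed */
```

Two design points worth keeping in a real implementation: the callback receives the whole change set in one call, so a rotated server cert and key are swapped in together rather than one at a time, and the metadata check only decides *whether* to read the files; the callback still has to parse and validate the new PEM contents and keep serving with the old context if that fails, which is why a failed callback leaves the recorded snapshot untouched and the next reload request simply tries again.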