Currently VM migration is performed over an unencrypted TCP connection using the URI scheme qemu+tcp://, which allows an adversary snooping on the network to read the VM's state (memory contents and device state) and metadata. With the acceptance of the new CA framework in CloudStack, we can use that framework and its sub-system to enable secured VM migration across KVM hosts.
After a KVM host is secured by the CA framework, the following files are created in its /etc/cloudstack/agent directory:
cloud.ca.crt: The CA certificate bundle
cloud.crt: The KVM host certificate
cloud.key: The KVM host private key
cloud.csr: The CSR file
cloud.jks: The Java keystore file (the passphrase of which is stored in agent.properties file)
These certificates can in turn be used to set up TLS for libvirtd:
ln -s /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem
mkdir -p /etc/pki/libvirt/private
ln -s /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem
ln -s /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem
ln -s /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem
ln -s /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem
For reference, the following is seen by default in libvirtd.conf:
#key_file = "/etc/pki/libvirt/private/serverkey.pem"
#cert_file = "/etc/pki/libvirt/servercert.pem"
#ca_file = "/etc/pki/CA/cacert.pem"
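The setup above is a set of symlinks, so nothing tells the operator whether the CA-framework material is actually consistent before libvirtd starts presenting it. The following POSIX shell script is an added example for this page; it is not part of CloudStack or of the cloudstack-setup-agent script. It uses openssl to verify that cloud.crt chains to cloud.ca.crt and that cloud.key is the matching private key, then creates the same symlinks as above. The AGENT_DIR and PKI_ROOT arguments, the function names and the return codes are this example's own choices; the defaults are the paths given on the page.

```shell
#!/bin/sh
# Added example for this page; it is not part of CloudStack or of the
# cloudstack-setup-agent script. It validates the material the CA framework
# leaves in the agent directory (cloud.ca.crt, cloud.crt, cloud.key) before
# libvirtd is pointed at it, then creates the symlinks listed on the page.
# AGENT_DIR / PKI_ROOT arguments, the function names and the return codes are
# this example's own choices; the defaults are the paths given on the page.

# check_cert_material [AGENT_DIR]
#   0 - cloud.crt chains to cloud.ca.crt and cloud.key is its private key
#   1 - openssl missing, or a file is missing/unreadable
#   2 - cloud.crt does not verify against the CA bundle
#   3 - cloud.key does not belong to cloud.crt
check_cert_material() {
    agent_dir="${1:-/etc/cloudstack/agent}"
    ca="$agent_dir/cloud.ca.crt"
    crt="$agent_dir/cloud.crt"
    key="$agent_dir/cloud.key"

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # The migrating (source) host's libvirt validates the destination's server
    # certificate against this same bundle, so the chain must verify locally.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "cloud.crt does not verify against cloud.ca.crt" >&2
        return 2
    fi

    # servercert.pem and serverkey.pem become symlinks to these two files, so
    # the certificate's SubjectPublicKeyInfo must equal the key's public half.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "cloud.key does not match cloud.crt" >&2
        return 3
    fi

    # The key also becomes private/serverkey.pem; group/world permission bits
    # are worth reporting even though they do not stop the handshake.
    case $(ls -l "$key" | cut -c5-10) in
        ------) ;;
        *) echo "warning: $key is readable by group or others" >&2 ;;
    esac
    return 0
}

# install_libvirt_tls_links [AGENT_DIR] [PKI_ROOT]
#   Creates the symlinks from the page under PKI_ROOT (default /etc/pki).
install_libvirt_tls_links() {
    agent_dir="${1:-/etc/cloudstack/agent}"
    pki="${2:-/etc/pki}"
    mkdir -p "$pki/CA" "$pki/libvirt/private" || return 1
    ln -sf "$agent_dir/cloud.ca.crt" "$pki/CA/cacert.pem" &&
    ln -sf "$agent_dir/cloud.crt" "$pki/libvirt/clientcert.pem" &&
    ln -sf "$agent_dir/cloud.crt" "$pki/libvirt/servercert.pem" &&
    ln -sf "$agent_dir/cloud.key" "$pki/libvirt/private/clientkey.pem" &&
    ln -sf "$agent_dir/cloud.key" "$pki/libvirt/private/serverkey.pem"
}

# setup_libvirt_tls [AGENT_DIR] [PKI_ROOT]
#   Refuses to create the links unless the material checks out.
setup_libvirt_tls() {
    check_cert_material "${1:-/etc/cloudstack/agent}" || return $?
    install_libvirt_tls_links "${1:-/etc/cloudstack/agent}" "${2:-/etc/pki}"
}
```

Source the script and call `setup_libvirt_tls` (with no arguments for the page's default paths) from the same place cloudstack-setup-agent would create the links. The point of running the check first is that a mismatched key and certificate, or a certificate the bundle cannot validate, does not fail at setup time; it fails at the next migration's TLS handshake, which is exactly the moment an unconditional qemu+tcp fallback would hide the problem.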
Changes in cloudstack-setup-agent:
Changes in CloudStack management server and Libvirt computing resource:
New CloudStack environments:
After an existing environment is upgraded:
- dconn = new Connect("qemu+tcp://" + cmd.getDestinationIp() + "/system");
+ try {
+ dconn = new Connect("qemu+tls://" + cmd.getDestinationIp() + "/system");
+ } catch (final LibvirtException e) {
+ s_logger.warn("Failed to perform VM migration over qemu+TLS, trying using qemu+TCP" + e.getMessage());
+ dconn = new Connect("qemu+tcp://" + cmd.getDestinationIp() + "/system");
+ }
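Review bot: the catch block turns any LibvirtException from the qemu+tls:// connect into a plaintext qemu+tcp:// migration, so a misconfigured or expired certificate on either host, or a handshake that fails for any other reason, silently reproduces the snooping exposure this change is meant to remove; consider making the fallback conditional (for instance only for destination hosts that are not CA-secured, or behind an explicit setting) and logging the downgrade at error rather than warn level so operators notice it. Also, `"... trying using qemu+TCP" + e.getMessage()` has no separator before the exception text, so the message runs together; add `": "` between them.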