Bug Reference

Jira (ASF JIRA): CLOUDSTACK-10143

Overview

VM migration is currently performed over an unencrypted TCP port using the URI scheme qemu+tcp://, which allows a snooping adversary to read the VM's state (memory and states) and metadata. With the acceptance of the new CA framework in CloudStack, we can use the framework and its sub-system to enable secured VM migration across KVM hosts.

Feature Specification

After a KVM host is secured by the CA framework, the following files are created in its /etc/cloudstack/agent directory:

cloud.ca.crt: The CA certificate bundle

cloud.crt: The KVM host certificate

cloud.key: The KVM host private key

cloud.csr: The CSR file

cloud.jks: The Java keystore file (its passphrase is stored in the agent.properties file)

These certificates can in turn be used to set up TLS for libvirtd:

  • In the /etc/libvirt/libvirtd.conf file, default paths to the CA, server/client certificate and key files are already assumed. To keep changes to the config file minimal, we can create symlinks at those paths:

ln -s /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem

mkdir -p /etc/pki/libvirt/private
ln -s /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem
ln -s /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem
ln -s /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem
ln -s /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem

For reference, the following is seen by default in libvirtd.conf:

#key_file = "/etc/pki/libvirt/private/serverkey.pem"

#cert_file = "/etc/pki/libvirt/servercert.pem"

#ca_file = "/etc/pki/CA/cacert.pem"

  • In addition to these changes, remove the "listen_tls=0" line set by cloudstack-setup-agent. Also configure no auth plugin for both TCP and TLS authentication by setting auth_tcp="none" and auth_tls="none" in libvirtd.conf.
  • Port 16514 needs to be allowed/enabled by firewall/iptables rules
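
The setup above can be checked on a host with a small audit script. This is an added example, not part of the CloudStack design or of cloudstack-setup-agent; the script name and the root-directory argument are assumptions, and it checks only the symlinks and libvirtd.conf settings listed on this page.

```sh
#!/bin/sh
# Added example: audit a KVM host against the libvirtd TLS setup described above.
# Usage: sh audit.sh /     (or a staged root directory; hypothetical script name)

# Print the last uncommented value of KEY ($2) in FILE ($1), without quotes.
conf_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# check_link ROOT LINK TARGET: LINK must be a symlink to TARGET, and TARGET readable.
check_link() {
    path="$1$2"; want="$1$3"
    if [ ! -L "$path" ]; then echo "FAIL: $path is not a symlink"; return 1; fi
    if [ "$(readlink "$path")" != "$want" ]; then
        echo "FAIL: $path does not point to $want"; return 1
    fi
    [ -r "$path" ] || { echo "FAIL: $want is missing or unreadable"; return 1; }
}

# Returns the number of failed checks (0 means the host matches the setup).
audit_libvirt_tls() {
    root="${1%/}"; conf="$root/etc/libvirt/libvirtd.conf"; fails=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    while read -r link file; do
        check_link "$root" "$link" "/etc/cloudstack/agent/$file" || fails=$((fails + 1))
    done <<EOF
/etc/pki/CA/cacert.pem cloud.ca.crt
/etc/pki/libvirt/clientcert.pem cloud.crt
/etc/pki/libvirt/servercert.pem cloud.crt
/etc/pki/libvirt/private/clientkey.pem cloud.key
/etc/pki/libvirt/private/serverkey.pem cloud.key
EOF
    # An active listen_tls=0 (as written by cloudstack-setup-agent) must be gone.
    if [ "$(conf_value "$conf" listen_tls)" = 0 ]; then
        echo "FAIL: listen_tls=0 is still set"; fails=$((fails + 1))
    fi
    for key in auth_tcp auth_tls; do
        if [ "$(conf_value "$conf" "$key")" != none ]; then
            echo "FAIL: $key is not \"none\""; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

if [ "$#" -gt 0 ]; then audit_libvirt_tls "$1"; fi
```

A commented-out `#listen_tls = 0` line is ignored, so only an active setting is reported.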

Changes in cloudstack-setup-agent:

  • Add a new flag such as "-s" that automates the symlinking and the additional setup of parameters in the libvirtd.conf file.

Changes in CloudStack management server and Libvirt computing resource:

  • Introduce a new global setting "kvm.host.tls.enabled" with Scope.Cluster to enable TLS for KVM hosts (for live migration etc.). This will be disabled by default. When this setting is enabled for a cluster or globally, new hosts will, when added, call cloudstack-setup-agent with the "-s" flag, which will enable TLS in libvirtd.
  • When a KVM agent connects to the management server, it will report whether its libvirtd has TLS enabled by using StartupRoutingCommand. This information will be persisted in host_details.
  • When a VM migration is requested, the MigrateCommand will contain information about whether the destination host is TLS enabled.
  • Between TLS-enabled KVM hosts, VM migration can use the 'qemu+tls://' URI scheme. However, this can fail (with errors such as CA.pem not found etc.) when one of the hosts is not TLS enabled.

New CloudStack environments:

  • New CloudStack environments will have kvm.host.tls.enabled set to true, to enforce usage of secured KVM hosts.

Compatibility

After an existing environment is upgraded

- dconn = new Connect("qemu+tcp://" + cmd.getDestinationIp() + "/system");
+ try {
+ dconn = new Connect("qemu+tls://" + cmd.getDestinationIp() + "/system");
+ } catch (final LibvirtException e) {
+ s_logger.warn("Failed to perform VM migration over qemu+TLS, trying using qemu+TCP" + e.getMessage());
+ dconn = new Connect("qemu+tcp://" + cmd.getDestinationIp() + "/system");
+ }
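
Review bot: the catch block at `} catch (final LibvirtException e) {` falls back to qemu+tcp:// on any LibvirtException, so a failed TLS connection for any reason silently sends the VM's memory and state over the unencrypted channel that this feature is meant to replace. Consider falling back only when the destination host is known not to be TLS enabled (the specification says MigrateCommand carries that information) and failing the migration otherwise. Separately, the warning string has no separator before `e.getMessage()`, so the exception text runs straight on from "qemu+TCP"; add one such as ": ".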

References

https://wiki.libvirt.org/page/TLSSetup

https://wiki.libvirt.org/page/VNCTLSSetup