[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444699#comment-16444699
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-382863093
 
 
   Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1962


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Secure VM Live migration for KVM
> 
>
> Key: CLOUDSTACK-10333
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10333
> Project: CloudStack
>  Issue Type: Improvement
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Rohit Yadav
>Assignee: Rohit Yadav
>Priority: Major
> Fix For: 4.12.0.0, 4.11.1.0
>
>
> With use of CA framework to secure hosts, the current mechanisms don't secure 
> libvirtd to use those certificates (used by agent to connect to mgmt server). 
> This causes insecure vm migration over tcp instead of tls. The aim is to use 
> the same framework and certificates to secure live VM migration. This could 
> be coupled with securing of a host and renewal/provisioning of certificates 
> to host.
>  
> FS: 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Live+VM+Migration+for+KVM



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444666#comment-16444666
 ] 

ASF subversion and git services commented on CLOUDSTACK-10333:
--

Commit 8da2462469db9656e9749ed5607635ce53e8581e in cloudstack's branch 
refs/heads/master from [~rohithsharma]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=8da2462 ]

CLOUDSTACK-10333: Secure Live VM Migration for KVM (#2505)

This extends securing of KVM hosts to securing of libvirt on KVM
host as well for TLS enabled live VM migration. To simplify implementation
securing of host implies that both host and libvirtd processes are
secured with management server's CA plugin issued certificates.

Based on whether keystore and certificate files are available at
/etc/cloudstack/agent, the KVM agent determines whether to use TLS or
TCP based URIs for live VM migration. It is also enforced that a secured
host will allow live VM migration to/from other secured hosts, and an
unsecured host will allow live VM migration to/from other unsecured
hosts only.

Post upgrade the KVM agent on startup will expose its security state
(secured detail is sent as true or false) to the management server that
gets saved in host_details for the host. This host detail can be accessed
via the listHosts response, and in the UI unsecured KVM hosts will show
up with the host state of ‘unsecured’. Further, a button has been added
that allows admins to provision/renew certificates to KVM hosts and can
be used to secure any unsecured KVM host.

The `cloudstack-setup-agent` was modified to accept a new flag `-s`
which will reconfigure libvirtd with the following settings:

listen_tcp=0
listen_tls=1
tcp_port="16509"
tls_port="16514"
auth_tcp="none"
auth_tls="none"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"

For a connected KVM host agent, when the certificates are
renewed/provisioned, a background task is scheduled that waits until all
of the agent tasks finish, after which the libvirt process is restarted and
finally the agent is restarted via AgentShell.

There are no API or DB changes.

Signed-off-by: Rohit Yadav 
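
A check of a host's libvirtd.conf against the settings listed in the commit message above, as an added example (not part of the commit or of the CloudStack code base). The parser, both sample files and the extra `tls_no_verify_certificate` check are assumptions of this example.

```python
import re

# Values the commit message lists for `cloudstack-setup-agent -s`.
EXPECTED = {
    "listen_tcp": "0",
    "listen_tls": "1",
    "tls_port": "16514",
    "key_file": "/etc/pki/libvirt/private/serverkey.pem",
    "cert_file": "/etc/pki/libvirt/servercert.pem",
    "ca_file": "/etc/pki/CA/cacert.pem",
}

# Assumption (not from the commit message): with auth_tls="none" the client
# certificate check is the only access control on the TLS port, so libvirtd's
# tls_no_verify_certificate option must not be switched on.
MUST_NOT_ENABLE = ("tls_no_verify_certificate",)

_ASSIGN = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')


def parse_libvirtd_conf(text):
    """Return {key: value} for active assignments; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out, so not in effect
        match = _ASSIGN.match(line)
        if not match:
            continue
        key, value = match.groups()
        if value.startswith('"'):
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split("#", 1)[0].strip()  # drop a trailing comment
        settings[key] = value
    return settings


def audit(text):
    """Return (key, expected, actual) for every setting that deviates."""
    settings = parse_libvirtd_conf(text)
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key)
        if have != want:
            findings.append((key, want, have))
    for key in MUST_NOT_ENABLE:
        if settings.get(key, "0") != "0":
            findings.append((key, "0", settings[key]))
    return findings


# Constructed sample: the settings exactly as the commit message gives them.
SECURED_CONF = '''
listen_tcp=0
listen_tls=1
tcp_port="16509"
tls_port="16514"
auth_tcp="none"
auth_tls="none"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
'''

# Constructed sample: a host left on plain TCP, with the TLS line commented out.
UNSECURED_CONF = '''
# listen_tls = 1
listen_tcp = 1  # plain TCP listener still on
tcp_port = "16509"
auth_tcp = "none"
tls_no_verify_certificate = 1
'''

if __name__ == "__main__":
    for name, conf in (("secured", SECURED_CONF), ("unsecured", UNSECURED_CONF)):
        problems = audit(conf)
        print(name, "OK" if not problems else "FINDINGS")
        for key, want, have in problems:
            print("  %s: expected %r, found %r" % (key, want, have))
```

On a KVM host the same `audit()` call can be given the contents of /etc/libvirt/libvirtd.conf.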



[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444649#comment-16444649
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-382847998
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444644#comment-16444644
 ] 

ASF subversion and git services commented on CLOUDSTACK-10333:
--

Commit 8da2462469db9656e9749ed5607635ce53e8581e in cloudstack's branch 
refs/heads/4.11 from [~rohithsharma]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=8da2462 ]

CLOUDSTACK-10333: Secure Live VM Migration for KVM (#2505)



[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444643#comment-16444643
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd closed pull request #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/agent/bindir/cloud-setup-agent.in 
b/agent/bindir/cloud-setup-agent.in
index 8d2b91961ae..3c6203c2d34 100755
--- a/agent/bindir/cloud-setup-agent.in
+++ b/agent/bindir/cloud-setup-agent.in
@@ -26,6 +26,7 @@ from cloudutils.configFileOps import  configFileOps
 from cloudutils.globalEnv import globalEnv
 from cloudutils.networkConfig import networkConfig
 from cloudutils.syscfg import sysConfigFactory
+from cloudutils.serviceConfig import configureLibvirtConfig
 
 from optparse import OptionParser
 
@@ -100,6 +101,7 @@ if __name__ == '__main__':
 parser.add_option("-c", "--cluster", dest="cluster", help="cluster id")
 parser.add_option("-t", "--hypervisor", default="kvm", dest="hypervisor", 
help="hypervisor type")
 parser.add_option("-g", "--guid", dest="guid", help="guid")
+parser.add_option("-s", action="store_true", default=False, dest="secure", 
help="Secure and enable TLS for libvirtd")
 parser.add_option("--pubNic", dest="pubNic", help="Public traffic 
interface")
 parser.add_option("--prvNic", dest="prvNic", help="Private traffic 
interface")
 parser.add_option("--guestNic", dest="guestNic", help="Guest traffic 
interface")
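Review bot: The new `-s` option has no long form, unlike `--cluster`, `--hypervisor` and `--guid` directly above it. Adding `--secure` alongside `-s` would keep the option set consistent and make scripted invocations self-describing.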
@@ -110,6 +112,12 @@ if __name__ == '__main__':
 glbEnv.bridgeType = bridgeType
 
 (options, args) = parser.parse_args()
+
+if not options.auto and options.secure:
+configureLibvirtConfig(True)
+print "Libvirtd with TLS configured"
+sys.exit(0)
+
 if options.auto is None:
 userInputs = getUserInputs()
 glbEnv.mgtSvr = userInputs[0]
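Review bot: In the new `if not options.auto and options.secure:` block the outcome of `configureLibvirtConfig(True)` is never checked, so "Libvirtd with TLS configured" is printed and the script exits 0 even when the reconfiguration did not succeed. Check the result (or catch the failure) and exit non-zero, since an operator will take the message as proof that the host no longer listens on plain TCP. The guard tests `not options.auto` while the line right after it tests `options.auto is None`; use the same test in both places. `sys.exit` is called here but no `import sys` is visible in this diff, so confirm the module is already imported.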
@@ -138,7 +146,9 @@ if __name__ == '__main__':
 glbEnv.nics.append(options.prvNic)
 glbEnv.nics.append(options.pubNic)
 glbEnv.nics.append(options.guestNic)
-
+
+glbEnv.secure = options.secure
+
 print "Starting to configure your system:"
 syscfg = sysConfigFactory.getSysConfigFactory(glbEnv)
 try:
diff --git a/agent/src/com/cloud/agent/Agent.java 
b/agent/src/com/cloud/agent/Agent.java
index 32112540c1c..90e37909434 100644
--- a/agent/src/com/cloud/agent/Agent.java
+++ b/agent/src/com/cloud/agent/Agent.java
@@ -42,6 +42,7 @@
 import 
org.apache.cloudstack.agent.directdownload.SetupDirectDownloadCertificate;
 import org.apache.cloudstack.agent.lb.SetupMSListAnswer;
 import org.apache.cloudstack.agent.lb.SetupMSListCommand;
+import org.apache.cloudstack.ca.PostCertificateRenewalCommand;
 import org.apache.cloudstack.ca.SetupCertificateAnswer;
 import org.apache.cloudstack.ca.SetupCertificateCommand;
 import org.apache.cloudstack.ca.SetupKeyStoreCommand;
@@ -68,6 +69,7 @@
 import com.cloud.agent.transport.Request;
 import com.cloud.agent.transport.Response;
 import com.cloud.exception.AgentControlChannelException;
+import com.cloud.host.Host;
 import com.cloud.resource.ServerResource;
 import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.StringUtils;
@@ -127,6 +129,7 @@ public int value() {
 Long _id;
 
 Timer _timer = new Timer("Agent Timer");
+Timer certTimer;
 Timer hostLBTimer;
 
 List _watchList = new ArrayList();
@@ -140,9 +143,11 @@ public int value() {
 long _startupWait = _startupWaitDefault;
 boolean _reconnectAllowed = true;
 //For time sentitive task, e.g. PingTask
-private final ThreadPoolExecutor _ugentTaskPool;
+ThreadPoolExecutor _ugentTaskPool;
 ExecutorService _executor;
 
+Thread _shutdownThread = new ShutdownThread(this);
+
 private String _keystoreSetupPath;
 private String _keystoreCertImportPath;
 
@@ -153,7 +158,7 @@ public Agent(final IAgentShell shell) {
 
 _connection = new NioClient("Agent", _shell.getNextHost(), 
_shell.getPort(), _shell.getWorkers(), this);
 
-Runtime.getRuntime().addShutdownHook(new ShutdownThread(this));
+Runtime.getRuntime().addShutdownHook(_shutdownThread);
 
 _ugentTaskPool =
 new ThreadPoolExecutor(shell.getPingRetries(), 2 * 
shell.getPingRetries(), 10, TimeUnit.MINUTES, new SynchronousQueue(), 
new NamedThreadFactory(
@@ -192,7 +197,7 @@ public Agent(final IAgentShell shell, final int 
localAgentId, final ServerResour
 // ((NioClient)_connection).setBindAddress(_shell.getPrivateIp());
 
 s_logger.debug("Adding shutdown hook");
-

[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444642#comment-16444642
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-382847325
 
 
   All looks good. I'll merge this based on code reviews and tests. Doc PRs 
have been merged as well.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444597#comment-16444597
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd closed pull request #36: CLOUDSTACK-10333: update docs to enable libvirtd 
tls port
URL: https://github.com/apache/cloudstack-docs-install/pull/36
 
 
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444592#comment-16444592
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd closed pull request #50: CLOUDSTACK-10333: Update docs per secure live VM 
migration
URL: https://github.com/apache/cloudstack-docs-admin/pull/50
 
 
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444585#comment-16444585
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM Migration 
for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-382838985
 
 
   Addressed code review comment, will merge this as soon as travis is green. Tests pass:
   ```
   Test secured VM migration ... === TestName: test_01_secured_vm_migration | Status : SUCCESS ===
   ok
   Test Non-secured VM Migration ... === TestName: test_02_not_secured_vm_migration | Status : SUCCESS ===
   ok
   Test destroy Virtual Machine ... === TestName: test_03_secured_to_nonsecured_vm_migration | Status : SUCCESS ===
   ok
   Test Non-secured VM Migration ... === TestName: test_04_nonsecured_to_secured_vm_migration | Status : SUCCESS ===
   ```




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444566#comment-16444566
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: WIP CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r182842376
 
 

 ##
 File path: packaging/centos7/cloud.spec
 ##
 @@ -437,6 +437,12 @@ if [ -f 
"%{_sysconfdir}/cloud.rpmsave/agent/agent.properties" ]; then
 mv %{_sysconfdir}/cloud.rpmsave/agent/agent.properties 
%{_sysconfdir}/cloud.rpmsave/agent/agent.properties.rpmsave
 fi
 
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT" 
> /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
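Review bot: The rule is persisted with `iptables-save > /etc/iptables/rules.v4`, but this is packaging/centos7/cloud.spec and `/etc/iptables/rules.v4` is the Debian iptables-persistent location. On CentOS the saved rules are read from `/etc/sysconfig/iptables`, so the rule would not survive a reboot, and the redirect fails outright if `/etc/iptables` does not exist. The rule also accepts port 16514 from any source; limiting it to the management or migration network would narrow exposure of the libvirtd TLS listener.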
 
 Review comment:
   We'll document in release notes and admin/install docs. Fixed.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444565#comment-16444565
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: WIP CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r182842350
 
 

 ##
 File path: packaging/centos63/cloud.spec
 ##
 @@ -493,6 +493,12 @@ if [ -f 
"%{_sysconfdir}/cloud.rpmsave/agent/agent.properties" ]; then
 mv %{_sysconfdir}/cloud.rpmsave/agent/agent.properties 
%{_sysconfdir}/cloud.rpmsave/agent/agent.properties.rpmsave
 fi
 
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT" 
> /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
+
 
 Review comment:
   We'll document in release notes and admin/install docs. Fixed.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444562#comment-16444562
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: WIP CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r182842046
 
 

 ##
 File path: debian/cloudstack-agent.postinst
 ##
 @@ -50,6 +50,13 @@ case "$1" in
 mkdir /etc/libvirt/hooks
 fi
 cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook 
/etc/libvirt/hooks/qemu
+
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j 
ACCEPT" > /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
+
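Review bot: `iptables -t filter -A INPUT` appends the ACCEPT rule to the end of the chain, so on a host whose INPUT chain already ends in a REJECT or DROP rule it never matches. Insert it ahead of the final reject (for example with `-I INPUT`) for it to take effect. The `grep` on the exact `iptables-save` text also misses an equivalent rule written with a source restriction or extra matches, in which case a second, broader rule is added on every install.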
 
 Review comment:
   Okay, removed this.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444560#comment-16444560
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: WIP CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r182841804
 
 

 ##
 File path: agent/src/com/cloud/agent/Agent.java
 ##
 @@ -274,6 +279,19 @@ public void start() {
 }
 }
 _shell.updateConnectedHost();
+
+// In case of software based restart, GC to remove old instances
+_executor.submit(new Runnable() {
 
 Review comment:
   Fixed.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16444558#comment-16444558
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: WIP CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r182841123
 
 

 ##
 File path: agent/src/com/cloud/agent/Agent.java
 ##
 @@ -140,9 +143,11 @@ public int value() {
 long _startupWait = _startupWaitDefault;
 boolean _reconnectAllowed = true;
 //For time sentitive task, e.g. PingTask
-private final ThreadPoolExecutor _ugentTaskPool;
+ThreadPoolExecutor _ugentTaskPool;
 ExecutorService _executor;
 
+Thread _shutdownThread = new ShutdownThread(this);
 
 Review comment:
   I'll post another PR to cleanup the name with `_`.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-18 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16442618#comment-16442618
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-382412378
 
 
   Trillian test result (tid-2514)
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 107105 seconds
   Marvin logs: 
https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2505-t2514-kvm-centos7.zip
   Intermitten failure detected: /marvin/tests/smoke/test_public_ip_range.py
   Intermitten failure detected: /marvin/tests/smoke/test_routers.py
   Intermitten failure detected: /marvin/tests/smoke/test_templates.py
   Intermitten failure detected: /marvin/tests/smoke/test_usage.py
   Intermitten failure detected: /marvin/tests/smoke/test_volumes.py
   Intermitten failure detected: /marvin/tests/smoke/test_hostha_kvm.py
   Smoke tests completed. 62 look OK, 5 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_04_restart_network_wo_cleanup | `Failure` | 2.96 | test_routers.py
   test_04_extract_template | `Failure` | 128.34 | test_templates.py
   ContextSuite context=TestISOUsage>:setup | `Error` | 0.00 | test_usage.py
   test_06_download_detached_volume | `Failure` | 137.61 | test_volumes.py
   test_hostha_enable_ha_when_host_in_maintenance | `Error` | 2.48 | test_hostha_kvm.py
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-17 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16440585#comment-16440585
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381894661
 
 
   @borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has 
been kicked to run smoke tests




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-17 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16440581#comment-16440581
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381894193
 
 
   @blueorangutan test




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-16 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16439065#comment-16439065
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381504553
 
 
   @borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has 
been kicked to run smoke tests




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-16 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16439063#comment-16439063
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381504294
 
 
   @blueorangutan test




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-14 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16438443#comment-16438443
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381347286
 
 
   Trillian test result (tid-2502)
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 112688 seconds
   Marvin logs: 
https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2505-t2502-kvm-centos7.zip
   Intermitten failure detected: 
/marvin/tests/smoke/test_outofbandmanagement_nestedplugin.py
   Intermitten failure detected: /marvin/tests/smoke/test_privategw_acl.py
   Intermitten failure detected: /marvin/tests/smoke/test_routers.py
   Intermitten failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
   Intermitten failure detected: /marvin/tests/smoke/test_vpc_redundant.py
   Intermitten failure detected: /marvin/tests/smoke/test_vpc_vpn.py
   Intermitten failure detected: /marvin/tests/smoke/test_hostha_kvm.py
   Smoke tests completed. 64 look OK, 3 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_04_restart_network_wo_cleanup | `Failure` | 4.25 | test_routers.py
   test_01_secured_vm_migration | `Error` | 23.83 | test_vm_life_cycle.py
   test_hostha_enable_ha_when_host_in_maintenance | `Error` | 2.63 | test_hostha_kvm.py
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437114#comment-16437114
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381089214
 
 
   @borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has 
been kicked to run smoke tests




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437111#comment-16437111
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-38107
 
 
   @blueorangutan test




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437098#comment-16437098
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381087052
 
 
   Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1918




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437046#comment-16437046
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381075071
 
 
   @borisstoyanov a Jenkins job has been kicked to build packages. I'll keep 
you posted as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437045#comment-16437045
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: WIP CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381074947
 
 
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437035#comment-16437035
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

DaanHoogland commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-381072342
 
 
   As you announced extra commits, I'm marking this WIP @rhtyd




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16435897#comment-16435897
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-380870819
 
 
   Trillian test result (tid-2494)
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 101305 seconds
   Marvin logs: 
https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2505-t2494-kvm-centos7.zip
   Intermitten failure detected: /marvin/tests/smoke/test_routers.py
   Intermitten failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
   Intermitten failure detected: /marvin/tests/smoke/test_vpc_redundant.py
   Intermitten failure detected: /marvin/tests/smoke/test_hostha_kvm.py
   Smoke tests completed. 63 look OK, 4 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_04_restart_network_wo_cleanup | `Failure` | 3.99 | test_routers.py
   test_01_secured_vm_migration | `Failure` | 1033.48 | test_vm_life_cycle.py
   test_02_not_secured_vm_migration | `Failure` | 193.32 | test_vm_life_cycle.py
   test_04_rvpc_network_garbage_collector_nics | `Failure` | 287.33 | test_vpc_redundant.py
   test_hostha_enable_ha_when_host_in_maintenance | `Error` | 1.39 | test_hostha_kvm.py
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-11 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16433802#comment-16433802
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-380428948
 
 
   @blueorangutan test




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-11 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16433803#comment-16433803
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-380429185
 
 
   @borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has 
been kicked to run smoke tests




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-11 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16433768#comment-16433768
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-380420402
 
 
   Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1902




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-11 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16433741#comment-16433741
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-380414753
 
 
   Okay @borisstoyanov 
   All - please hold merging this, I may include some keystore related changes 
reported in recent issues.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-11 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16433739#comment-16433739
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-380414312
 
 
   @borisstoyanov a Jenkins job has been kicked to build packages. I'll keep 
you posted as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-11 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16433738#comment-16433738
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-380414080
 
 
   I've resolved the conflict, let me run tests again @rhtyd 
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16428106#comment-16428106
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

DaanHoogland commented on a change in pull request #2505: CLOUDSTACK-10333: 
Secure Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r179692024
 
 

 ##
 File path: test/integration/smoke/test_vm_life_cycle.py
 ##
 @@ -21,9 +21,11 @@
 from marvin.cloudstackAPI import (recoverVirtualMachine,
   destroyVirtualMachine,
   attachIso,
-  detachIso)
-from marvin.lib.utils import (cleanup_resources,
-  validateList)
+  detachIso,
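Review bot: the visible part of this hunk removes the `from marvin.lib.utils import (cleanup_resources, validateList)` lines and ends at `detachIso,` with the import tuple still open, so it cannot be confirmed from here that both names are imported again further down. If the test module still uses either of them, the replacement import belongs in this same change; keep the entries added after `detachIso,` in the same column as the ones above them.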
 
 Review comment:
   Strange alignment is happening here and below. Not fatal, just a heads-up.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16428077#comment-16428077
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

DaanHoogland commented on a change in pull request #2505: CLOUDSTACK-10333: 
Secure Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r179684831
 
 

 ##
 File path: debian/cloudstack-agent.postinst
 ##
 @@ -50,6 +50,13 @@ case "$1" in
 mkdir /etc/libvirt/hooks
 fi
 cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook 
/etc/libvirt/hooks/qemu
+
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j 
ACCEPT" > /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
+
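Review bot: the added `iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT` accepts connections to the libvirtd TLS port from any source address, and because `-A` appends, the rule lands after any REJECT or DROP already in INPUT and may never match. Suggest inserting it ahead of those rules and adding a source match for the networks the other KVM hosts migrate from. The `iptables-save > /etc/iptables/rules.v4` line writes the whole running ruleset over the saved file, so any transient rules become persistent, and it assumes the /etc/iptables directory exists; if it is absent the redirect fails inside postinst, so guard it with a directory test. The existence check could use `iptables -C INPUT ...` instead of grepping `iptables-save` output, which depends on the exact text form of the saved rule.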
 
 Review comment:
   Is there an alternative that will work? I would not like to see a large 
divide between the amount of work to be done on rhel-like systems versus 
debian-likes.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-05 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16427279#comment-16427279
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-379009668
 
 
   Looks like there is an outstanding/related issue to CA management, I'll have 
a look next week (on holidays now).




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-05 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16427264#comment-16427264
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-379007673
 
 
   Trillian test result (tid-2459)
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 107420 seconds
   Marvin logs: 
https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2505-t2459-kvm-centos7.zip
   Intermittent failure detected: /marvin/tests/smoke/test_privategw_acl.py
   Intermittent failure detected: /marvin/tests/smoke/test_routers_network_ops.py
   Intermittent failure detected: /marvin/tests/smoke/test_routers.py
   Intermittent failure detected: /marvin/tests/smoke/test_ssvm.py
   Intermittent failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
   Smoke tests completed. 65 look OK, 2 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_04_restart_network_wo_cleanup | `Failure` | 4.14 | test_routers.py
   test_01_secured_vm_migration | `Failure` | 1069.92 | test_vm_life_cycle.py
   test_02_not_secured_vm_migration | `Failure` | 118.28 | test_vm_life_cycle.py
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16421986#comment-16421986
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377871531
 
 
   @borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has 
been kicked to run smoke tests




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16421984#comment-16421984
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377871391
 
 
   @blueorangutan test




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16421977#comment-16421977
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377869637
 
 
   Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1855




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16421966#comment-16421966
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377866123
 
 
   @borisstoyanov a Jenkins job has been kicked to build packages. I'll keep 
you posted as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-04-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16421965#comment-16421965
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377866082
 
 
   @blueorangutan package
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16419080#comment-16419080
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377251692
 
 
   Packaging result: ✖centos6 ✖centos7 ✖debian. JID-1851




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16419052#comment-16419052
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377246348
 
 
   @borisstoyanov a Jenkins job has been kicked to build packages. I'll keep 
you posted as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16419049#comment-16419049
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377246041
 
 
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16419031#comment-16419031
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377243724
 
 
   Packaging result: ✖centos6 ✖centos7 ✖debian. JID-1850




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16419008#comment-16419008
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377240132
 
 
   I'll kick new tests with the latest commit once the build comes out




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16419002#comment-16419002
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377238976
 
 
   @borisstoyanov a Jenkins job has been kicked to build packages. I'll keep 
you posted as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16419001#comment-16419001
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377238735
 
 
   @blueorangutan package
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418870#comment-16418870
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rafaelweingartner commented on a change in pull request #2505: 
CLOUDSTACK-10333: Secure Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r178034861
 
 

 ##
 File path: agent/src/com/cloud/agent/Agent.java
 ##
 @@ -140,9 +143,11 @@ public int value() {
 long _startupWait = _startupWaitDefault;
 boolean _reconnectAllowed = true;
 //For time sentitive task, e.g. PingTask
-private final ThreadPoolExecutor _ugentTaskPool;
+ThreadPoolExecutor _ugentTaskPool;
 ExecutorService _executor;
 
+Thread _shutdownThread = new ShutdownThread(this);
 
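Review bot: the replacement line for `_ugentTaskPool` drops both `private` and `final`, which makes the pool package-visible and reassignable from any thread. If the aim is only to let the pool be re-created, keep it `private` and either mark it `volatile` or assign it under the same lock its readers use. The new `_shutdownThread` field initializer also passes `this` to `ShutdownThread` before the Agent constructor body has run, so it is worth confirming that `ShutdownThread` only stores the reference and does not call back into the Agent at construction time.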
 Review comment:
   Awesome! Thanks!
   This is a cosmetic thing, but if we do not get rid of them, newcomers might 
think that we enforce them. I am trying to do the same in other PRs.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418867#comment-16418867
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rafaelweingartner commented on a change in pull request #2505: 
CLOUDSTACK-10333: Secure Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r178034614
 
 

 ##
 File path: agent/src/com/cloud/agent/Agent.java
 ##
 @@ -274,6 +279,19 @@ public void start() {
 }
 }
 _shell.updateConnectedHost();
+
+// In case of software based restart, GC to remove old instances
+_executor.submit(new Runnable() {
 
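Review bot: the `Future` returned by `_executor.submit(...)` is discarded, so any exception thrown inside the Runnable is held in that Future and never logged. Use `_executor.execute(...)` or catch and log inside `run()`. The code comment also reads as if the old instances are certain to be collected; an explicit GC request is only a hint to the JVM, so the comment should say that and the old instance should be stopped without relying on it.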
 Review comment:
   Got it. There is only one thing. We never know for sure that the GC has been 
executed. `System.gc` only suggests to the JVM that the GC can be executed, 
but there are no guarantees. Anyways, as long as the old objects are not used 
anymore we are safe to go.
   
   Would you mind extracting this block of code to a method and documenting it 
with this explanation? 




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418846#comment-16418846
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r178033244
 
 

 ##
 File path: agent/src/com/cloud/agent/Agent.java
 ##
 @@ -140,9 +143,11 @@ public int value() {
 long _startupWait = _startupWaitDefault;
 boolean _reconnectAllowed = true;
 //For time sentitive task, e.g. PingTask
-private final ThreadPoolExecutor _ugentTaskPool;
+ThreadPoolExecutor _ugentTaskPool;
 ExecutorService _executor;
 
+Thread _shutdownThread = new ShutdownThread(this);
 
 Review comment:
   I'm not a fan of them either, but added the name to keep the naming consistent 
in the Agent class. Sure, will fix this for all the variables in Agent then.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418844#comment-16418844
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r178033101
 
 

 ##
 File path: agent/src/com/cloud/agent/Agent.java
 ##
 @@ -274,6 +279,19 @@ public void start() {
 }
 }
 _shell.updateConnectedHost();
+
+// In case of software based restart, GC to remove old instances
+_executor.submit(new Runnable() {
 
 Review comment:
   Yes @rafaelweingartner, with the feature we've introduced a background 
thread that will perform software based restart of the agent. Look at the post 
renewal restart task. With this it will be easier to restart an agent without 
actually restarting the agent JVM process. This runnable is needed to GC old 
agent instance, we can remove this as well, but keeping it ensures that old 
agent is stopped+GC-ed.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418825#comment-16418825
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rafaelweingartner commented on a change in pull request #2505: 
CLOUDSTACK-10333: Secure Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r178028132
 
 

 ##
 File path: agent/src/com/cloud/agent/Agent.java
 ##
 @@ -274,6 +279,19 @@ public void start() {
 }
 }
 _shell.updateConnectedHost();
+
+// In case of software based restart, GC to remove old instances
+_executor.submit(new Runnable() {
 
 Review comment:
   Can you explain the goal of this code here?
   Remove old instances of Java objects? 
   
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418824#comment-16418824
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rafaelweingartner commented on a change in pull request #2505: 
CLOUDSTACK-10333: Secure Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r178027920
 
 

 ##
 File path: agent/src/com/cloud/agent/Agent.java
 ##
 @@ -140,9 +143,11 @@ public int value() {
 long _startupWait = _startupWaitDefault;
 boolean _reconnectAllowed = true;
 //For time sentitive task, e.g. PingTask
-private final ThreadPoolExecutor _ugentTaskPool;
+ThreadPoolExecutor _ugentTaskPool;
 ExecutorService _executor;
 
+Thread _shutdownThread = new ShutdownThread(this);
 
 Review comment:
   Would you mind not introducing `_` in the code anymore?
   They are meaningless in our code base.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418781#comment-16418781
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377203944
 
 
   @rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been 
kicked to run smoke tests




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418780#comment-16418780
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377203845
 
 
   @blueorangutan test




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418773#comment-16418773
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377201936
 
 
   Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1849




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418729#comment-16418729
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377195906
 
 
   @borisstoyanov as discovered in lab, the issue was related to traffic label 
and was env related. Please use the sed based unsecuring approach, and avoid 
cloudstack-setup-agent to speed up tests.
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418730#comment-16418730
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377195942
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16418105#comment-16418105
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-377036238
 
 
   Trillian test result (tid-2427)
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 126331 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2505-t2427-kvm-centos7.zip
   Intermitten failure detected: /marvin/tests/smoke/test_deploy_virtio_scsi_vm.py
   Intermitten failure detected: /marvin/tests/smoke/test_internal_lb.py
   Intermitten failure detected: /marvin/tests/smoke/test_public_ip_range.py
   Intermitten failure detected: /marvin/tests/smoke/test_routers.py
   Intermitten failure detected: /marvin/tests/smoke/test_templates.py
   Intermitten failure detected: /marvin/tests/smoke/test_usage.py
   Intermitten failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
   Intermitten failure detected: /marvin/tests/smoke/test_volumes.py
   Intermitten failure detected: /marvin/tests/smoke/test_vpc_redundant.py
   Intermitten failure detected: /marvin/tests/smoke/test_hostha_kvm.py
   Smoke tests completed. 60 look OK, 7 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_04_restart_network_wo_cleanup | `Failure` | 4.25 | test_routers.py
   test_04_extract_template | `Failure` | 128.35 | test_templates.py
   ContextSuite context=TestISOUsage>:setup | `Error` | 0.00 | test_usage.py
   test_01_secured_vm_migration | `Failure` | 934.74 | test_vm_life_cycle.py
   test_02_not_secured_vm_migration | `Error` | 0.22 | test_vm_life_cycle.py
   test_03_secured_to_nonsecured_vm_migration | `Error` | 1.26 | test_vm_life_cycle.py
   test_04_nonsecured_to_secured_vm_migration | `Error` | 1.26 | test_vm_life_cycle.py
   test_06_download_detached_volume | `Failure` | 143.42 | test_volumes.py
   test_04_rvpc_network_garbage_collector_nics | `Failure` | 505.57 | test_vpc_redundant.py
   test_hostha_enable_ha_when_host_in_maintenance | `Error` | 2.24 | test_hostha_kvm.py
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16417300#comment-16417300
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376878832
 
 
   Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1848




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16417282#comment-16417282
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376871848
 
 
   Maybe this ^^ needs further investigation since I've provisioned the 
certificates on both the hosts and still getting the same error. 




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16417276#comment-16417276
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376870877
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16417275#comment-16417275
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376870609
 
 
   @rhtyd I'm trying to migrate a VM between unsecured hosts and got the 
following exception: 
   ```
   2018-03-28 12:31:52,414 ERROR [c.c.v.VmWorkJobHandlerProxy] 
(Work-Job-Executor-6:ctx-bc927fcc job-38/job-39 ctx-441b0b18) (logid:d8b1d686) 
Invocation exception, caused by: 
com.cloud.utils.exception.CloudRuntimeException: org.libvirt.LibvirtException: 
Cannot get interface MTU on 'breth0-769': No such device
   2018-03-28 12:31:52,415 INFO  [c.c.v.VmWorkJobHandlerProxy] 
(Work-Job-Executor-6:ctx-bc927fcc job-38/job-39 ctx-441b0b18) (logid:d8b1d686) 
Rethrow exception com.cloud.utils.exception.CloudRuntimeException: 
org.libvirt.LibvirtException: Cannot get interface MTU on 'breth0-769': No such 
device
   2018-03-28 12:31:52,415 DEBUG [c.c.v.VmWorkJobDispatcher] 
(Work-Job-Executor-6:ctx-bc927fcc job-38/job-39) (logid:d8b1d686) Done with run 
of VM work job: com.cloud.vm.VmWorkMigrate for VM 3, job origin: 38
   2018-03-28 12:31:52,415 ERROR [c.c.v.VmWorkJobDispatcher] 
(Work-Job-Executor-6:ctx-bc927fcc job-38/job-39) (logid:d8b1d686) Unable to 
complete AsyncJobVO {id:39, userId: 2, accountId: 2, instanceType: null, 
instanceId: null, cmd: com.cloud.vm.VmWorkMigrate, cmdInfo: 
rO0ABXNyABpjb20uY2xvdWQudm0uVm1Xb3JrTWlncmF0ZRdxQXtPtzYqAgAGSgAJc3JjSG9zdElkTAAJY2x1c3RlcklkdAAQTGphdmEvbGFuZy9Mb25nO0wABmhvc3RJZHEAfgABTAAFcG9kSWRxAH4AAUwAB3N0b3JhZ2V0AA9MamF2YS91dGlsL01hcDtMAAZ6b25lSWRxAH4AAXhyABNjb20uY2xvdWQudm0uVm1Xb3Jrn5m2VvAlZ2sCAARKAAlhY2NvdW50SWRKAAZ1c2VySWRKAAR2bUlkTAALaGFuZGxlck5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cAACAAIAA3QAGVZpcnR1YWxNYWNoaW5lTWFuYWdlckltcGwAAXNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAXNxAH4ABwACcQB-AAlwcQB-AAk,
 cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: 
null, initMsid: 6653541943041, completeMsid: null, lastUpdated: null, 
lastPolled: null, created: Wed Mar 28 12:31:50 UTC 2018}, job origin:38
   com.cloud.utils.exception.CloudRuntimeException: 
org.libvirt.LibvirtException: Cannot get interface MTU on 'breth0-769': No such 
device
   ```
   I've made the hosts unsecured by deleting the executing the 
cloudstack-setup-agent script without the -s option. 






[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415430#comment-16415430
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

wido commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376488519
 
 
   @rhtyd Yes, that is correct. That tool is allowed to make such changes, but 
we should not just do this in a postinst of a package.
   
   The postinst of a package is to clean up old files related to the package, 
handle some things around the package, but it should not start touching 
firewalling on a host.
   
   That is just not done when it comes to packages.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415312#comment-16415312
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376457037
 
 
   @rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been 
kicked to run smoke tests




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415311#comment-16415311
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376456810
 
 
   @blueorangutan test




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415306#comment-16415306
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376456314
 
 
   Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1836




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415251#comment-16415251
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376447538
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415250#comment-16415250
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376447466
 
 
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415249#comment-16415249
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376447343
 
 
   @borisstoyanov yes there was an unused import.
   
   @wido bear in mind that `cloudstack-setup-agent` will reconfigure network, 
libvirtd, iptables configuration. It's a little known fact, and not well 
documented; the docs are redundant (they tell you to add stuff, that 
cloudstack-setup-agent already does, you may test it yourself). I've removed 
the post-install steps, now you can re-review. I've sent doc PRs instead:
   apache/cloudstack-docs-admin#50
   apache/cloudstack-docs-install#36
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415244#comment-16415244
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd opened a new pull request #36: CLOUDSTACK-10333: update docs to enable 
libvirtd tls port
URL: https://github.com/apache/cloudstack-docs-install/pull/36
 
 
   Enable port 16514


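
One way to audit the libvirtd listener settings this issue is about (plain TCP versus TLS on port 16514), as an added example that is not code from the pull request or from CloudStack. The function names and both sample configs are constructed; it assumes a classic libvirtd that reads `listen_tls`, `listen_tcp`, `tls_port`, `tcp_port` and `auth_tcp` from libvirtd.conf.

```python
import re

# Values a classic libvirtd uses when a key is absent from libvirtd.conf.
# Caveat: the listen_* keys only take effect when libvirtd runs with --listen.
DEFAULTS = {"listen_tls": "1", "listen_tcp": "0",
            "tls_port": "16514", "tcp_port": "16509"}

_ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$')

# Constructed sample: libvirtd exposed over unauthenticated plain TCP.
INSECURE_SAMPLE = '''\
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
'''

# Constructed sample: TLS listener only, on the port the docs PR opens.
SECURE_SAMPLE = '''\
listen_tls = 1
listen_tcp = 0
tls_port = "16514"   # libvirtd TLS
#tcp_port = "16509"
'''


def _strip_comment(line):
    """Drop a trailing '# ...' comment, ignoring '#' inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == '#' and not in_quotes:
            return line[:i]
    return line


def parse_libvirtd_conf(text):
    """Return {key: value} for 'key = value' lines; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        match = _ASSIGN.match(_strip_comment(raw).strip())
        if not match:
            continue  # blank line, comment, or something that is not an assignment
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # unquote string values such as "16514"
        settings[key] = value
    return settings


def audit(text):
    """Return a list of (code, message) findings for the listener settings."""
    s = {**DEFAULTS, **parse_libvirtd_conf(text)}
    findings = []
    if s["listen_tcp"] != "0":
        findings.append(("tcp-listener",
                         f"plain TCP listener enabled on port {s['tcp_port']}"))
        if s.get("auth_tcp") == "none":
            findings.append(("tcp-no-auth",
                             'auth_tcp = "none": TCP clients are not authenticated'))
    if s["listen_tls"] == "0":
        findings.append(("tls-disabled", "listen_tls = 0: no TLS listener"))
    elif s["tls_port"] != "16514":
        findings.append(("tls-port",
                         f"TLS listener on port {s['tls_port']}, not 16514"))
    return findings


if __name__ == "__main__":
    for name, sample in (("insecure", INSECURE_SAMPLE), ("secure", SECURE_SAMPLE)):
        print(name, audit(sample) or "no findings")
```
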


[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415238#comment-16415238
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd opened a new pull request #50: CLOUDSTACK-10333: Update docs per secure 
live VM migration
URL: https://github.com/apache/cloudstack-docs-admin/pull/50
 
 
   Update docs for changes in https://github.com/apache/cloudstack/pull/2505




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16415166#comment-16415166
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

borisstoyanov commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376429801
 
 
   @rhtyd there seem to be some build errors with the latest changes 




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413691#comment-16413691
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376131034
 
 
   Packaging result: ✖centos6 ✖centos7 ✖debian. JID-1830




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413679#comment-16413679
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376126542
 
 
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413681#comment-16413681
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376126719
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413697#comment-16413697
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

wido commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-376132182
 
 
   Although the iptables changes have been removed for Ubuntu/Debian I think we 
should also remove them from the RPM packages.
   
   In my opinion a package should never be allowed to touch firewalls without 
the operator knowing it.
   
   In the documentation we already tell users to open ports: 
http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/4.11/hypervisor/kvm.html#configuring-the-firewall
   
   If additional ports need to be opened we should put them in there, but not 
just open them in an RPM or DEB package.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413451#comment-16413451
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r176993902
 
 

 ##
 File path: debian/cloudstack-agent.postinst
 ##
 @@ -50,6 +50,13 @@ case "$1" in
 mkdir /etc/libvirt/hooks
 fi
 cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook 
/etc/libvirt/hooks/qemu
+
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j 
ACCEPT" > /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
+
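Review bot: the redirect in `iptables-save > /etc/iptables/rules.v4` assumes the `/etc/iptables` directory already exists, and nothing in the hunk creates or tests for it. Where it is missing the shell reports an error after the rule has already been added to the running table, so the live and saved state diverge and the postinst may fail. Guard the save with a `[ -d /etc/iptables ]` test, or drop the persistence step and leave it to the operator's firewall tooling.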
 
 Review comment:
   Alright @wido, perhaps we can remove this for Ubuntu (debian pkg). On both 
CentOS 6 and 7, iptables service is indeed available that is used to save 
existing rules, firewalld is not used here. It is likely that things may break 
for el6/7 users. I'm okay to document the change in release notes docs as well. 
Let's ask others for their thoughts - @DaanHoogland @rafaelweingartner @resmo 
@ustcweizhou @nvazquez @mlsorensen ?




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413447#comment-16413447
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

wido commented on a change in pull request #2505: CLOUDSTACK-10333: Secure Live 
VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r176992891
 
 

 ##
 File path: debian/cloudstack-agent.postinst
 ##
 @@ -50,6 +50,13 @@ case "$1" in
 mkdir /etc/libvirt/hooks
 fi
 cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook 
/etc/libvirt/hooks/qemu
+
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j 
ACCEPT" > /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
+
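Review bot: the existence test greps `iptables-save` output for one exact rule string, so an equivalent rule written differently (restricted with `-s`, using multiport, or placed in a chain owned by a firewall front end) is not recognised and a second, unrestricted ACCEPT is added. The `-A INPUT` form also appends at the end of the chain, where it has no effect if an earlier rule already rejects or drops the traffic. If the package keeps this logic, both the check and the insert position need to be made explicit; `grep -q` would also replace the `> /dev/null` redirect.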
 
 Review comment:
   If users are using firewalld or ufw on their CentOS/Ubuntu system this may 
break things. And like I said, /etc/iptables does not exist on Ubuntu systems 
by default, you need the iptables-persistent package for that.
   
   I wouldn't touch the firewall in a postinst of a package. The package should 
not touch parts of the system it's not configuring.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413442#comment-16413442
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on a change in pull request #2505: CLOUDSTACK-10333: Secure 
Live VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r176992386
 
 

 ##
 File path: debian/cloudstack-agent.postinst
 ##
 @@ -50,6 +50,13 @@ case "$1" in
 mkdir /etc/libvirt/hooks
 fi
 cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook 
/etc/libvirt/hooks/qemu
+
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j 
ACCEPT" > /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
+
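Review bot: the added rule `-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT` has no source or interface match, so port 16514 is accepted from every network the host is attached to. For a migration endpoint it would be tighter to limit the rule to the peer hosts' network, which the package cannot know at install time; that argues for documenting the port and letting the operator write the rule.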
 
 Review comment:
   The `cloudstack-setup-agent` reconfigures libvirtd config and also adds 
iptables rules for several ports, the post-install script (both rpm+deb) does a 
test if expected iptables rules are in place and adds the ACCEPT rule only if 
needed.
   
   Given not all users may use a config mgmt system such as 
chef/puppet/ansible, running the commands as part of post-install script will 
save the additional work they may need to do themselves (manually or 
automated). @wido I'm okay to advise users via release/admin docs, but I don't 
see any negative/side-effects with the change.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413420#comment-16413420
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

wido commented on a change in pull request #2505: CLOUDSTACK-10333: Secure Live 
VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r176988145
 
 

 ##
 File path: packaging/centos63/cloud.spec
 ##
 @@ -493,6 +493,12 @@ if [ -f 
"%{_sysconfdir}/cloud.rpmsave/agent/agent.properties" ]; then
 mv %{_sysconfdir}/cloud.rpmsave/agent/agent.properties 
%{_sysconfdir}/cloud.rpmsave/agent/agent.properties.rpmsave
 fi
 
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT" 
> /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
+
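Review bot: `/etc/iptables/rules.v4` is the path used by Debian's iptables-persistent; the iptables service on EL6/EL7 loads its rules from `/etc/sysconfig/iptables`, so in this spec file the saved rule would not be restored at boot, and the redirect fails outright if `/etc/iptables` does not exist. Use the distribution's own save path here, or remove the block.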
 
 Review comment:
   Same here as in the DEB package, I'm not in favor of this




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413419#comment-16413419
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

wido commented on a change in pull request #2505: CLOUDSTACK-10333: Secure Live 
VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r176988097
 
 

 ##
 File path: debian/cloudstack-agent.postinst
 ##
 @@ -50,6 +50,13 @@ case "$1" in
 mkdir /etc/libvirt/hooks
 fi
 cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook 
/etc/libvirt/hooks/qemu
+
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j 
ACCEPT" > /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
+
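Review bot: `iptables-save > /etc/iptables/rules.v4` writes the entire running ruleset, not just the new rule, and overwrites whatever the file held. Any rules added at runtime by other software become part of the persisted configuration, and any saved rules that are not currently loaded are lost. Persisting a single rule needs a narrower mechanism than a full dump.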
 
 Review comment:
   I am not too keen on this one. Do we really want our packages to start 
configuring a firewall on a host?
   
   This should be on the docs to tell people to open the port(s), not having 
packages doing it manually.
   
   In addition, the directory /etc/iptables does not exist by default on Ubuntu.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413421#comment-16413421
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

wido commented on a change in pull request #2505: CLOUDSTACK-10333: Secure Live 
VM Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#discussion_r176988178
 
 

 ##
 File path: packaging/centos7/cloud.spec
 ##
 @@ -437,6 +437,12 @@ if [ -f 
"%{_sysconfdir}/cloud.rpmsave/agent/agent.properties" ]; then
 mv %{_sysconfdir}/cloud.rpmsave/agent/agent.properties 
%{_sysconfdir}/cloud.rpmsave/agent/agent.properties.rpmsave
 fi
 
+# Enable TLS enabled VM migration for libvirtd
+if ! iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT" 
> /dev/null; then
+iptables -t filter -A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+fi
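Review bot: only the IPv4 table is handled in this block; there is no `ip6tables` counterpart, so hosts that reach each other over IPv6 get no matching rule for port 16514. The comment `# Enable TLS enabled VM migration for libvirtd` also overstates what the block does, since it only opens a port; something like "Allow libvirtd TLS port 16514" would describe it accurately.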
 
 Review comment:
   And here again




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411223#comment-16411223
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375623934
 
 
   Packaging result: ✖centos6 ✖centos7 ✖debian. JID-1821




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411189#comment-16411189
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375619006
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411187#comment-16411187
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375618792
 
 
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411184#comment-16411184
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375608035
 
 
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411182#comment-16411182
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375618627
 
 
   Packaging result: ✖centos6 ✖centos7 ✖debian. JID-1820




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411183#comment-16411183
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375608088
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411181#comment-16411181
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375618627
 
 
   Packaging result: ✖centos6 ✖centos7 ✖debian. JID-1820




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411161#comment-16411161
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375608088
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-23 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16411160#comment-16411160
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375608035
 
 
   @blueorangutan package




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-22 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16409938#comment-16409938
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375390869
 
 
   Trillian test result (tid-2401)
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 24349 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2505-t2401-kvm-centos7.zip
   Intermitten failure detected: /marvin/tests/smoke/test_deploy_virtio_scsi_vm.py
   Intermitten failure detected: /marvin/tests/smoke/test_privategw_acl.py
   Intermitten failure detected: /marvin/tests/smoke/test_vpc_redundant.py
   Intermitten failure detected: /marvin/tests/smoke/test_hostha_kvm.py
   Smoke tests completed. 65 look OK, 2 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_04_rvpc_network_garbage_collector_nics | `Failure` | 448.47 | test_vpc_redundant.py
   test_hostha_enable_ha_when_host_in_maintenance | `Error` | 2.09 | test_hostha_kvm.py
   




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-22 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16409330#comment-16409330
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375244965
 
 
   @rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been 
kicked to run smoke tests




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-22 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16409329#comment-16409329
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

rhtyd commented on issue #2505: CLOUDSTACK-10333: Secure Live VM Migration for 
KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375244794
 
 
   @blueorangutan test




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-22 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16409315#comment-16409315
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375242563
 
 
   Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1808




[jira] [Commented] (CLOUDSTACK-10333) Secure VM Live migration for KVM

2018-03-22 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16409292#comment-16409292
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10333:
-

blueorangutan commented on issue #2505: CLOUDSTACK-10333: Secure Live VM 
Migration for KVM
URL: https://github.com/apache/cloudstack/pull/2505#issuecomment-375234980
 
 
   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted 
as I make progress.



