From: Zhigang Wang <zhigang.x.wang@oracle.com>
To: Matt Wilson <msw@linux.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
Matt Wilson <msw@amazon.com>, xen-devel <xen-devel@lists.xen.org>
Subject: Re: Suggestion for merging xl save/restore/migrate/migrate-receive
Date: Thu, 03 Oct 2013 09:34:46 -0400 [thread overview]
Message-ID: <524D7276.6080701@oracle.com> (raw)
In-Reply-To: <20131003021948.GA29049@u109add4315675089e695.ant.amazon.com>
On 10/02/2013 10:19 PM, Matt Wilson wrote:
> On Wed, Sep 25, 2013 at 11:06:29AM +0100, George Dunlap wrote:
>> On Tue, Sep 24, 2013 at 5:46 PM, Konrad Rzeszutek Wilk
>> <konrad.wilk@oracle.com> wrote:
>>>>>>> * In order to migrate a VM without user interactive, we have to configure ssh
>>>>>>> keys for all Servers in a pool. Key management brings complexity.
>>>>>>
>>>>>> Surely your automated server deployment system can manage this ?
>>>>>
>>>>> Yes, we can.
>>>>>
>>>>> keys are states; we need to make sure they are always sync. Also after this,
>>>>> all Servers in a pool can login to each other. I don't know whether it's
>>>>> a security issue for our product.
>>>>>
>>>>> This is something we try to avoid at this time.
>>>>
>>>> ...so instead of allowing anyone on one of the hosts log in, you're
>>>> going to allow anyone with access to the network to create a VM
>>>> without any kind of authentication?
>>>>
>>>> From a security perspective, that doesn't really sound like an
>>>> improvement...
>>>>
>>>
>>> How did this work with 'xend' and its migration using SSL? Was it as
>>> simple as this ?
>>
>> I have no idea -- Matt, do you know / would you care to take a look
>> and find out (since you have expressed a willingness to maintain
>> xend)?
>
> It seems that you would just configure a ssl key file and cert file in
> xend-config.sxp
>
> http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=0f26d15c
>
> Zhigang: you wrote this code, correct?
Yes. That's only a very basic implementation.
The SSL relocation server will not do client cert verification and there's
no way to configure the client to use specific cert right now.
I think SSL cert verification could be a way for security. But you need distribute
the certs to all the servers in a pool and reload xend relocation server to
use the new certificate.
Thanks,
Zhigang
next prev parent reply other threads:[~2013-10-03 13:34 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-13 16:04 Suggestion for merging xl save/restore/migrate/migrate-receive Zhigang Wang
2013-09-16 10:04 ` George Dunlap
2013-09-16 15:51 ` Zhigang Wang
2013-09-16 16:05 ` George Dunlap
2013-09-16 16:07 ` George Dunlap
2013-09-16 16:20 ` Ian Jackson
2013-09-16 16:40 ` George Dunlap
2013-09-16 17:06 ` Ian Jackson
2013-09-16 17:21 ` Zhigang Wang
2013-09-16 17:41 ` Zhigang Wang
2013-09-16 20:42 ` Ian Campbell
2013-09-16 20:51 ` Zhigang Wang
2013-09-17 8:25 ` George Dunlap
2013-09-17 9:26 ` Ian Jackson
2013-09-17 10:07 ` George Dunlap
2013-09-17 13:44 ` Zhigang Wang
2013-09-24 16:46 ` Konrad Rzeszutek Wilk
2013-09-25 10:06 ` George Dunlap
2013-10-03 2:19 ` Matt Wilson
2013-10-03 13:34 ` Zhigang Wang [this message]
2013-09-17 10:28 ` George Dunlap
2013-09-17 10:45 ` Processed: " xen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=524D7276.6080701@oracle.com \
--to=zhigang.x.wang@oracle.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=msw@amazon.com \
--cc=msw@linux.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).