From mboxrd@z Thu Jan 1 00:00:00 1970 From: George Dunlap Subject: Re: Xen 4.4 development update: Feature freeze has started Date: Fri, 15 Nov 2013 16:11:35 +0000 Message-ID: <528647B7.6020102@eu.citrix.com> References: <1384254550.1883.53.camel@kazak.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1384254550.1883.53.camel@kazak.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Ian Campbell Cc: Wei Liu , Roger Pau Monne , Stefano Stabellini , Jaeyong Yoo , "xen-devel@lists.xen.org" List-Id: xen-devel@lists.xenproject.org On 12/11/13 11:09, Ian Campbell wrote: >> * xend still in tree (x) >> - xl list -l on a dom0-only system >> - xl list -l doesn't contain tty console port >> - xl Alternate transport support for migration > Are some of these (this one in particular) also covered separately > elsewhere in the list? Yes, this one is also here: * xl migrate transport improvements owner: None > See discussion here: http://bugs.xenproject.org/xen/bug/19 - Option to connect over a plain TCP socket rather than ssh - xl-migrate-recieve suitable for running in inetd - option for above to redirect log output somewhere useful - Documentation for setting up alternate transports However, after the discussion with Zhigang, I'm not sure this should really be a blocker for xend removal anymore. The putative reason for having ssl was because exchanging ssh keys was thought to be a security risk, allowing anyone on one host to log into any of the other hosts. However: 1) ssh keys can be limited so that they can only execute a specific command; so this can be dealt with by configuration 2) There are no permissions checks on resources for incoming domains; so given the ability to migrate to a host, you can get a shell on that host pretty handily anyway. -George