Hello all,

I've recently switched from Xen 4.1 to 4.2.1 and from the xm/xend to the xl/libxl toolstack as well. Although Xen 4.1 did not support Secure Live Migration by default, I could modify the /etc/xen/xend-config.sxp file, giving any level of security I wanted: either allow only specific hosts, or use SSL and adjust my private key and the certificate.

#### example ####
###### uncommented modules in /etc/xen/xend-config.sxp ######

(xend-relocation-ssl-server yes)
(xend-relocation-ssl-port 8003)
(xend-relocation-server-ssl-key-file server.key)
(xend-relocation-server-ssl-cert-file server.crt)
(xend-relocation-ssl yes)

Xen 4.2
- uses xl by default [By default xl relies on ssh as a transport mechanism between the two hosts.]
- and also the Xen daemon configuration file (xend-config.sxp) is officially deprecated

My question is: is there any way that I can control the level of security in Xen 4.2 considering Live Migration? Should I look in specific libxl files?

Katerina
On Tue, 2013-02-26 at 23:51 +0000, Katerina Mparmpopoulou wrote:
> Is there any way that I can control the level of
> security in Xen 4.2 considering Live Migration? Should I look in
> specific libxl files??

The migration protocol is specific to the toolstack (xl), not the lower layer library (libxl, which is intended to be shared by all toolstacks). Check out the xl manpage, in particular the -e option to xl migrate, which lets you specify any command you like to act as the transport.

Ian.
Hello Ian,

Thanks for the quick reply,

> Check out the xl manpage, in particular the -e option to xl
> migrate, which lets you specify any command you like to act as the
> transport.

I have already checked the xl manpage and also the migrate subcommand. I thought that the -s sshcommand was the most relevant for me, but I still don't know how I can use it efficiently. If I want to place my own SSL key and my own certificate when I'm migrating a VM to another physical machine, how should I use the command?

Regards,
Katerina
On Wed, 2013-02-27 at 09:29 +0000, Katerina Mparmpopoulou wrote:
> Hello Ian,
>
> Thanks for the quick reply,
>
> > Check out the xl manpage, in particular the -e option to xl
> > migrate, which lets you specify any command you like to act as the
> > transport.
>
> I have checked already the xl manpage and also the migrate subcommand.
>
> I thought that the -s sshcommand was the most relevant for me, but
> still I don't know how I can use it efficiently.

Sorry. I meant -s, I didn't have the manpage handy when I wrote -e.

> If I want to place my own SSL key and my own certificate when I'm
> migrating a VM to another physical machine, how should I use the command??

You need to pass a command which will connect its stdin/stdout over the communication channel of your choice to the stdin/stdout of "xl migrate-receive" running on the target host. How you set up that communication channel and arrange for that process on the remote machine is up to you to arrange in that command.

For example you could reasonably trivially build something out of netcat and ssh which did secure authentication but insecure data transfer.

If you want to do something with SSL certs then I expect you will want to find an SSL-capable netcat type thing; I think openssl has such mechanisms in it. Or you could write your own client/server pair, etc etc.

Ian.
Hello Ian,

Thanks again for your information; I'm quite unfamiliar with that and I still can't get it.

On 02/27/2013 11:40 AM, Ian Campbell wrote:
> On Wed, 2013-02-27 at 09:29 +0000, Katerina Mparmpopoulou wrote:
> > If I want to place my own SSL key and my own certificate when
> > I'm migrating a VM to another physical machine, how should I use
> > the command??
>
> You need to pass a command which will connect its stdin/stdout over
> the communication channel of your choice to the stdin/stdout of
> "xl migrate-receive" running on the target host. How you setup
> that communication channel and arrange for that process on the
> remote machine is up to you to arrange in that command.

You mean that everything needs to be done in:

xl migrate -s <sshcommand> <guest_vm> <target_machine>

where sshcommand is the stdin/stdout of another command?

> For example you could reasonably trivially build something out of
> netcat and ssh which did secure authentication and but insecure
> data transfer.
>
> If you want to do something with SSL certs then I expect you will
> wantto find an ssl capable netcat type thing, I think openssl has
> such mechanisms in it. Or you could write your own client/server
> pair, etc etc.

I have already created my client/server pairs, but I don't know in which file to place/save them. Namely, from which file does the xl migrate-receive command retrieve these keys? Where is the default pair (if there is any)?

In the previous version I could create client/server pairs and I used to save them in /etc/xen/xend-config.sxp, like this:

(xend-relocation-server-ssl-key-file my_server.key)
(xend-relocation-server-ssl-cert-file my_server.crt)

Now do I need to run the migrate command every time along with this pair? For example like this?

$ xl migrate -s /etc/ssh/keys/my_server.key /etc/ssh/keys/my_server.crt <sshcommand> <guest_vm> <target_machine>
On Wed, 2013-02-27 at 12:58 +0000, Katerina Mparmpopoulou wrote:
> Hello Ian,
>
> Thanks again for your information; I'm quite unfamiliar with that and I
> still can't get it.
>
> On 02/27/2013 11:40 AM, Ian Campbell wrote:
> > On Wed, 2013-02-27 at 09:29 +0000, Katerina Mparmpopoulou wrote:
> > > If I want to place my own SSL key and my own certificate when
> > > I'm migrating a VM to another physical machine, how should I use
> > > the command??
> >
> > You need to pass a command which will connect its stdin/stdout over
> > the communication channel of your choice to the stdin/stdout of
> > "xl migrate-receive" running on the target host. How you setup
> > that communication channel and arrange for that process on the
> > remote machine is up to you to arrange in that command.
>
> You mean that everything needs to be done in:
>
> xl migrate -s <sshcommand> <guest_vm> <target_machine>
>
> where sshcommand is the stdin/stdout of another command?

sshcommand *is* a command to be run, which has a stdin/stdout.

> > For example you could reasonably trivially build something out of
> > netcat and ssh which did secure authentication and but insecure
> > data transfer.
> >
> > If you want to do something with SSL certs then I expect you will
> > wantto find an ssl capable netcat type thing, I think openssl has
> > such mechanisms in it. Or you could write your own client/server
> > pair, etc etc.
>
> I have already created my client/server pairs, but I don't know in
> which file to place/save them. Namely, from which file does the xl
> migrate-receive command retrieve these keys? Where is the default pair
> (if there is any)?
>
> In the previous version I could create client/server pairs and I used to
> save them in /etc/xen/xend-config.sxp, like this:
>
> (xend-relocation-server-ssl-key-file my_server.key)
> (xend-relocation-server-ssl-cert-file my_server.crt)

I'm afraid that xl doesn't have equivalent functionality. TBH I didn't even know xend did.

However you can construct equivalent functionality with the sshcommand thing, by writing your own simple client and server, which is what I am talking about.

> Now do I need to run the migrate command every time along with this
> pair? For example like this?
>
> $ xl migrate -s /etc/ssh/keys/my_server.key /etc/ssh/keys/my_server.crt
> <sshcommand> <guest_vm> <target_machine>

Your sshcommand would need to encode knowledge about my_server.key and .crt, either directly or through its own configuration file.

Ian.
Hi,

> In the previous version I could create client/server pairs and I used to
> save them in /etc/xen/xend-config.sxp, like this:
>
> (xend-relocation-server-ssl-key-file my_server.key)
> (xend-relocation-server-ssl-cert-file my_server.crt)

Did you actually check the code to see what it does?

AFAICT, it just sets up an SSL server using those, but it does no validation whatsoever that the client that connects is using a valid cert, nor does the client check anything about the server certificate ...

Cheers,

Sylvain
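Ian's suggestion above (a transport command for `xl migrate -s` that wraps your own client/server pair and learns the key and cert from its own configuration file), written up here as an added POSIX sh example around socat; it is not Xen's code nor anything posted in this thread, and it also answers Sylvain's point by making both ends verify the peer's certificate against a private CA. It assumes xl invokes the -s command as `<sshcommand> <host> xl migrate-receive ...`; the config path, variable names and host allow-list are invented for the example, and the socat address options are those of socat's OPENSSL / OPENSSL-LISTEN addresses.

```shell
#!/bin/sh
# xl-migrate-tls: hypothetical "sshcommand" for `xl migrate -s` (added example, not Xen code).
# Assumed invocation by xl: <sshcommand> <host> xl migrate-receive [...]; key/cert/CA/port and
# allowed targets come from a config file, so the xl line stays: xl migrate -s <this> <guest> <host>
set -eu

CONF="${XL_MIGRATE_TLS_CONF:-/etc/xen/migrate-tls.conf}"   # hypothetical location

# load_conf: source a key=value file and insist on the four mandatory settings.
load_conf() {
    [ -r "$1" ] || { echo "config $1 not readable" >&2; return 1; }
    . "$1"
    for v in TLS_CERT TLS_KEY TLS_CA TLS_PORT; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v missing in $1" >&2; return 1; }
    done
}

# allowed_host: refuse targets not listed in TLS_ALLOWED_HOSTS (space separated),
# the xl-side equivalent of xend's "allow only specific hosts".
allowed_host() {
    for h in ${TLS_ALLOWED_HOSTS:-}; do [ "$h" = "$1" ] && return 0; done
    return 1
}

# client_cmd: relay our stdin/stdout (xl's migration stream) over mutually
# authenticated TLS. verify=1 + cafile checks the server cert against our CA and
# commonname pins it to the target host name, so a spoofed receiver is rejected.
client_cmd() {
    printf 'socat STDIO OPENSSL:%s:%s,cert=%s,key=%s,cafile=%s,verify=1,commonname=%s' \
        "$1" "$TLS_PORT" "$TLS_CERT" "$TLS_KEY" "$TLS_CA" "$1"
}

# server_cmd: what the target host runs (one migration at a time). verify=1 with
# cafile demands a client cert signed by our CA before xl migrate-receive is
# spawned, which is the check xend's relocation server never performed.
server_cmd() {
    printf "socat OPENSSL-LISTEN:%s,cert=%s,key=%s,cafile=%s,verify=1,reuseaddr EXEC:'xl migrate-receive'" \
        "$TLS_PORT" "$TLS_CERT" "$TLS_KEY" "$TLS_CA"
}

# When xl invokes us: validate, then exec the client side; the trailing
# "xl migrate-receive" arguments are ignored because the server runs it itself.
if [ "$#" -gt 0 ]; then
    load_conf "$CONF"
    allowed_host "$1" || { echo "refusing migration to unlisted host $1" >&2; exit 1; }
    exec sh -c "$(client_cmd "$1")"
fi
```

The receiving host must already be running the output of server_cmd (for example from a service unit) before the sender issues xl migrate, and a separate certificate per host keeps the allow-list and the CA-issued identities aligned.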
On 02/27/2013 08:41 PM, Sylvain Munaut wrote:
> Hi,
>
> > In the previous version I could create client/server pairs and I used
> > to save them in /etc/xen/xend-config.sxp, like this:
> >
> > (xend-relocation-server-ssl-key-file my_server.key)
> > (xend-relocation-server-ssl-cert-file my_server.crt)
>
> Did you actually check the code to see what it does?
>
> AFAICT, it just sets up an SSL server using those, but it does no
> validation whatsoever that the client that connects is using a
> valid cert, nor does the client check anything about the server
> certificate ...
>
> Cheers,
>
> Sylvain

Hi Sylvain, thanks for your reply!

Actually I didn't check any code, because it is mentioned in the man page of xend-config.sxp:

"Note that relocation is currently unsecured and is very dangerous if left enabled. No authentication is performed, and very little sanity checking takes place. Enable at your own risk."

http://xenbits.xen.org/docs/unstable/man/xend-config.sxp.5.html

Now that I have switched to Xen 4.2.1 I'm searching for where I could modify security options considering live migration, like allowing only specific hosts or using SSL.

Katerina