Hi all,

I use xen 4.2.1 and I'm trying to do live migration without ssh.

I read at the manual page of xl that if I place the option -s empty
the command is running as run <host>, instead of ssh <host>.

I've used the command with the following alternatives:

- sudo xl migrate VM3 root@ip -s

- sudo xl migrate VM3 root@ip -s ''

The problem is that in the same time I run tcpdump (filtering the
particular interface/port 22/and the target host) and I can see the
ssh packets, even the -s option is empty (no parameters).

My question is:

How can I disable ssh????
On Wed, Mar 13, 2013 at 5:50 AM, Katerina Mparmpopoulou <kate_mparmpop@hotmail.com> wrote:
> Hi all,
>
> I use xen 4.2.1 and I'm trying to do live migration without ssh.
>
> I read at the manual page of xl that if I place the option -s empty
> the command is running as run <host>, instead of ssh <host>.
>
> I've used the command with the following alternatives:
>
> - sudo xl migrate VM3 root@ip -s
>
> - sudo xl migrate VM3 root@ip -s ''
>
> The problem is that in the same time I run tcpdump (filtering the
> particular interface/port 22/and the target host) and I can see the
> ssh packets, even the -s option is empty (no parameters).
>
> My question is:
>
> How can I disable ssh????

I'm rather curious as to why you want to disable SSH. Since the
migration is passing raw memory blocks across the network, this is
certainly something that ought to be encrypted to prevent both
monkeying and sniffing.

Regardless, to migrate using some program other than SSH, you need
something akin to it (e.g. telnet, RSH, etc.). Xen does not create
a migration "socket" on its own, AFAIK the xl migrate scheme passes the
data to xl on the receiving side through stdin on the terminal.
--
--Zootboy

Sent from some sort of computing device.
On 03/14/2013 01:28 AM, Sean Greenslade wrote:
> On Wed, Mar 13, 2013 at 5:50 AM, Katerina Mparmpopoulou
> <kate_mparmpop@hotmail.com> wrote:
>> Hi all,
>>
>> I use xen 4.2.1 and I'm trying to do live migration without ssh.
>>
>> I read at the manual page of xl that if I place the option -s
>> empty the command is running as run <host>, instead of ssh <host>.
>>
>> I've used the command with the following alternatives:
>>
>> - sudo xl migrate VM3 root@ip -s
>>
>> - sudo xl migrate VM3 root@ip -s ''
>>
>> The problem is that in the same time I run tcpdump (filtering the
>> particular interface/port 22/and the target host) and I can see
>> the ssh packets, even the -s option is empty (no parameters).
>>
>> My question is:
>>
>> How can I disable ssh????
>
> I'm rather curious as to why you want to disable SSH. Since the
> migration is passing raw memory blocks across the network, this is
> certainly something that ought to be encrypted to prevent both
> monkeying and sniffing.

Also if the migration takes place in a private dedicated network for
example this is not the case. Disabling ssh decreases cpu load and
probably gives better performance. However my real intention is only
to monitor the difference in performance for purely research purposes. :)

> Regardless, to migrate using some program other than SSH, you need
> something akin to it (e.g. telnet, RSH, etc.). Xen does not create
> a migration "socket" on its own,

Yeah, I have understood that. I think that it uses the same certificate
as the target machine uses for the ssh login for example.

> AFAIK the xl migrate scheme passes the
> data to xl on the receiving side through stdin on the terminal.

I would be grateful if you can place me hints of how I can use that to
achieve my goal. :)

Thanks,

Katerina
>> I'm rather curious as to why you want to disable SSH. Since the
>> migration is passing raw memory blocks across the network, this is
>> certainly something that ought to be encrypted to prevent both
>> monkeying and sniffing.
>
> Also if the migration takes place in a private dedicated network for
> example this is not the case. Disabling ssh decreases cpu load and
> probably gives better performance. However my real intention is only
> to monitor the difference in performance for purely research purposes. :)

Wonderful! Just had to do my due diligence.

>> Regardless, to migrate using some program other than SSH, you need
>> something akin to it (e.g. telnet, RSH, etc.). Xen does not create
>> a migration "socket" on its own,
>
> Yeah, I have understood that. I think that it uses the same certificate
> as the target machine uses for the ssh login for example.

That's because it's just ssh. Nothing special or fancy, just run of
the mill ssh. It does the standard fingerprint checking that's done
with any ssh initiation, with the one slight gotcha of xl being run as
root, so the /root/.ssh/known_hosts file is used instead of your own.

>> AFAIK the xl migrate scheme passes the
>> data to xl on the receiving side through stdin on the terminal.
>
> I would be grateful if you can place me hints of how I can use that to
> achieve my goal. :)
>
> Thanks,
>
> Katerina

As I said, you'll first need to get some sort of remote shell working.
My suggestions are for RSH or Telnet, but anything that can get you a
shell will work. Unfortunately, I have absolutely no experience with
either, as I have been raised in an ssh world. In fact, I use sshfs
for remote file shares, and I've never had an issue with performance
bottlenecks even while saturating my gigabit link. So not that I'm
discouraging your academic exploration, but I would say that in all
likelihood, the performance loss of using ssh is negligible and the
security gained is substantial. Just my $0.02.

--
--Zootboy

Sent from some sort of computing device.
> As I said, you'll first need to get some sort of remote shell working.
> My suggestions are for RSH or Telnet, but anything that can get you a
> shell will work. Unfortunately, I have absolutely no experience with
> either, as I have been raised in an ssh world. In fact, I use sshfs
> for remote file shares, and I've never had an issue with performance
> bottlenecks even while saturating my gigabit link. So not that I'm
> discouraging your academic exploration, but I would say that in all
> likelihood, the performance loss of using ssh is negligible and the
> security gained is substantial. Just my $0.02.

And, of course, itchy send finger strikes again.

Once you have a remote shell, you simply need the command line string
necessary to open said remote shell. Then xl migrate will take over
from there. Check out "man xl" for info on that, especially the -s
flag. Essentially, you'll need to pass everything necessary for the
shell to open within that string. I haven't played around with it
enough to know if it can deal with a password prompt correctly, so
you'll have to test that out for yourself.

--
--Zootboy

Sent from some sort of computing device.
On Mar 13, 9:55pm, Sean Greenslade wrote:
} Subject: Re: [Xen-users] xl migrate command - disable ssh

Good morning, hope the end of the week is going well for everyone.

> As I said, you'll first need to get some sort of remote shell
> working. My suggestions are for RSH or Telnet, but anything that
> can get you a shell will work. Unfortunately, I have absolutely no
> experience with either, as I have been raised in an ssh world. In
> fact, I use sshfs for remote file shares, and I've never had an
> issue with performance bottlenecks even while saturating my gigabit
> link. So not that I'm discouraging your academic exploration, but I
> would say that in all likelihood, the performance loss of using ssh
> is negligible and the security gained is substantial. Just my $0.02.

Our group has just spent a fair amount of time working out issues with
VM migration on 4.2.1.

Using SSH as the transport framework has a number of advantages,
modulo the generic security concerns of having to have root access to
SSH enabled and having to have root credentials floating around to
authenticate the remote shell invocation.

We have a setuid wrapper program I should clean up and make available
which exec's the 'xl migrate-receive' command. It has all the obvious
issues of any setuid program but it does provide the ability to
implement a somewhat stronger security architecture.

The other issue is that depending on the configuration of the
migration target there may not be a path to the xl command. The
following wrapper script is useful for automating migration on the
send side:

    #! /bin/bash
    # Wrapper for "xl migrate -s": $1 is the target host supplied by xl.
    exec ssh -C "$1" /usr/sbin/xl migrate-receive

The following snippet should be saved in a file named 'xen-migrate'
and placed in a directory accessible to the PATH variable of the user
requesting migration.

Migration of a virtual machine can then be requested with the
following command:

    xl migrate -s xen-migrate DomainID TargetHost

Where:

    DomainID   = id of domain to migrate
    TargetHost = name of host to migrate VM to.

The -C switch to ssh requests compression of the data stream which
tends to positively impact the transfer rates of the VM image.

The other issue is that you have to have a method for making sure the
VM disk image is available to both the sender and receiver dom0
environments. NFS will work for a simple setup but if you are a bit
crafty and can set up an iSCSI target using a Linux target stack such
as SCST the following package allows domU instances to be implemented
as first class SAN guests:

    ftp://ftp.enjellic.com/pub/xen/Xen-SAN-0.1.0.tar.gz

The hotplug support implemented in that package will automatically
set up and tear down the iSCSI block connections for the guest as part
of the migration process. The functionality of this support has been
extensively tested with the 4.2.1 Xen release.

Hopefully the above is useful to others. VM migration is incredibly
useful but does have some generic usability barriers which one has to
putz with in order to get everything working.

Best wishes for a pleasant weekend to everyone.

Greg

}-- End of excerpt from Sean Greenslade

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg@enjellic.com
------------------------------------------------------------------------------
"More people are killed every year by pigs than by sharks, which shows
 you how good we are at evaluating risk."
                                -- Bruce Schneier
                                   Beyond Fear
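Added example, not part of the thread and not Xen's or the poster's code: one way to narrow the root SSH exposure raised in the last message is an sshd forced command on the receiving dom0, so that the migration key can only start 'xl migrate-receive'. The script name xl-migrate-gate, its install path and the accepted -d/-e flags are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical name: xl-migrate-gate.
# Install as an sshd forced command on the receiving dom0, for instance in
# /root/.ssh/authorized_keys (one line, key material elided):
#   command="/usr/local/sbin/xl-migrate-gate",no-pty,no-port-forwarding,
#     no-agent-forwarding,no-X11-forwarding ssh-ed25519 <migration key>
# and set "PermitRootLogin forced-commands-only" in sshd_config.

XL=/usr/sbin/xl    # absolute path, as in the wrapper posted in the thread

# Print the flags to pass to "xl migrate-receive" when the request is an
# acceptable invocation; return 1 for anything else.
# Assumption: the sender asks for "xl migrate-receive" plus optional -d/-e.
gate_flags() {
    # Only letters, digits, "/", space and "-" may appear: no quotes, ";",
    # "|", "$", glob characters or newlines reach the word splitting below.
    case "$1" in
        ""|*[!A-Za-z0-9/\ -]*) return 1 ;;
    esac
    set -- $1
    case "${1:-}" in
        xl|"$XL") ;;
        *) return 1 ;;
    esac
    [ "${2:-}" = "migrate-receive" ] || return 1
    shift 2
    gate_out=""
    for gate_word in "$@"; do
        case "$gate_word" in
            -d|-e) gate_out="$gate_out $gate_word" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "${gate_out# }"
}

# sshd puts the command the client requested in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if flags=$(gate_flags "$SSH_ORIGINAL_COMMAND"); then
        # The flags were validated word by word, so splitting is intended.
        exec "$XL" migrate-receive $flags
    fi
    logger -t xl-migrate-gate -p auth.warning "refused: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

The send-side wrapper from the message above works unchanged against this gate, because the command it requests is '/usr/sbin/xl migrate-receive'.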