hi, this patch adds ssl/tls support to relocation:

* SSL/TLS support is disabled by default, as other servers did.

* If "xend-relocation-server-ssl-key-file" and
  "xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
  automatically.

* "xend-relocation-tls" is used by relocation client only.

Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Carb, Brian A
2008-May-02 17:47 UTC
RE: [Xen-devel] [PATCH] add ssl/tls support to relocation
With this patch included, xend start errors:
# xend start
Traceback (most recent call last):
  File "/usr/sbin/xend", line 44, in ?
    from xen.xend.server import SrvDaemon
  File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/server/SrvDaemon.py", line 26, in ?
    import relocate
  File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/server/relocate.py", line 23, in ?
    from xen.web import protocol, tcp, unix
  File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/web/tcp.py", line 25, in ?
    from OpenSSL import SSL
ImportError: No module named OpenSSL
I guess this produces a dependency on python-openssl, but this rpm is
not included in the standard SLES10 distro.
brian carb
unisys corporation - malvern, pa
-----Original Message-----
From: xen-devel-bounces@lists.xensource.com
[mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Zhigang Wang
Sent: Sunday, April 27, 2008 10:50 PM
To: xen-devel
Subject: [Xen-devel] [PATCH] add ssl/tls support to relocation
hi, this patch add ssl/tls support to relocation:
* SSL/TLS support is disabled by default, as other server did.
* If "xend-relocation-server-ssl-key-file" and
"xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
automatically.
* "xend-relocation-tls" is used by relocation client only.
Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
Zhigang Wang
2008-May-02 18:11 UTC
Re: [Xen-devel] [PATCH] add ssl/tls support to relocation
Yes. I added a dependency.

Maybe we can separate SSLTCPListener into a new file like (tcp-ssl.py), and import it when needed, just like tools/python/xen/xend/server/SSLXMLRPCServer.py did.

Will try it later, or you can help.

thanks,

zhigang

Carb, Brian A wrote:
> With this patch included, xend start errors:
>
> # xend start
> Traceback (most recent call last):
>   File "/usr/sbin/xend", line 44, in ?
>     from xen.xend.server import SrvDaemon
>   File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/server/SrvDaemon.py", line 26, in ?
>     import relocate
>   File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/server/relocate.py", line 23, in ?
>     from xen.web import protocol, tcp, unix
>   File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/web/tcp.py", line 25, in ?
>     from OpenSSL import SSL
> ImportError: No module named OpenSSL
>
> I guess this produces a dependency on python-openssl, but this rpm is
> not included in the standard SLES10 distro.
>
> brian carb
> unisys corporation - malvern, pa
>
>
> -----Original Message-----
> From: xen-devel-bounces@lists.xensource.com
> [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Zhigang Wang
> Sent: Sunday, April 27, 2008 10:50 PM
> To: xen-devel
> Subject: [Xen-devel] [PATCH] add ssl/tls support to relocation
>
> hi, this patch add ssl/tls support to relocation:
>
> * SSL/TLS support is disabled by default, as other server did.
>
> * If "xend-relocation-server-ssl-key-file" and
>   "xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
>   automatically.
>
> * "xend-relocation-tls" is used by relocation client only.
>
> Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
Carb, Brian A
2008-May-05 15:43 UTC
RE: [Xen-devel] [PATCH] add ssl/tls support to relocation
This works on SLES10SP1 if we download a compatible python openssl rpm (python-openssl-0.6-17.x86_64.rpm) from opensuse.

brian carb
unisys corporation - malvern, pa

-----Original Message-----
From: Zhigang Wang [mailto:zhigang.x.wang@oracle.com]
Sent: Friday, May 02, 2008 2:11 PM
To: Carb, Brian A
Cc: xen-devel
Subject: Re: [Xen-devel] [PATCH] add ssl/tls support to relocation

Yes. I add a dependency.

maybe we can separate SSLTCPListener to a new file like (tcp-ssl.py), and import it when needed, just like tools/python/xen/xend/server/SSLXMLRPCServer.py did.

will try it later, or you can help.

thanks,

zhigang

Carb, Brian A wrote:
> With this patch included, xend start errors:
>
> # xend start
> Traceback (most recent call last):
>   File "/usr/sbin/xend", line 44, in ?
>     from xen.xend.server import SrvDaemon
>   File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/server/SrvDaemon.py", line 26, in ?
>     import relocate
>   File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/server/relocate.py", line 23, in ?
>     from xen.web import protocol, tcp, unix
>   File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/web/tcp.py", line 25, in ?
>     from OpenSSL import SSL
> ImportError: No module named OpenSSL
>
> I guess this produces a dependency on python-openssl, but this rpm is
> not included in the standard SLES10 distro.
>
> brian carb
> unisys corporation - malvern, pa
>
>
> -----Original Message-----
> From: xen-devel-bounces@lists.xensource.com
> [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Zhigang Wang
> Sent: Sunday, April 27, 2008 10:50 PM
> To: xen-devel
> Subject: [Xen-devel] [PATCH] add ssl/tls support to relocation
>
> hi, this patch add ssl/tls support to relocation:
>
> * SSL/TLS support is disabled by default, as other server did.
>
> * If "xend-relocation-server-ssl-key-file" and
>   "xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
>   automatically.
>
> * "xend-relocation-tls" is used by relocation client only.
>
> Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
Zhigang Wang
2008-May-08 12:55 UTC
Re: [Xen-devel] [PATCH] add ssl/tls support to relocation
After further investigation, I find that I didn't get relocation using
ssl/tls: the read/write to the pyOpenSSL socket.fileno() will communicate
without data encrypted.

I have added a wrapper to the read/write with the following patch.

This patch also makes pyOpenSSL an optional package.

Note on changing:
raise XendError("can't connect: %s" % err[1])
to:
raise XendError("can't connect: %s" % err)
in tools/python/xen/xend/XendDomain.py:
it will avoid the following error:

[2008-05-08 14:17:28 2678] ERROR (xmlrpclib2:178) Internal error handling xend.domain.migrate
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/xen/util/xmlrpclib2.py", line 131, in _marshaled_dispatch
    response = self._dispatch(method, params)
  File "/usr/lib/python2.4/SimpleXMLRPCServer.py", line 406, in _dispatch
    return func(*params)
  File "/usr/lib/python2.4/site-packages/xen/xend/XendDomain.py", line 1335, in domain_migrate
    raise XendError("can't connect: %s" % err[1])
IndexError: tuple index out of range

Implementation reference:
http://twistedmatrix.com/trac/browser/trunk/twisted/internet/tcp.py

Sorry for the carelessness.
thanks,
zhigang
Carb, Brian A wrote:
> This works on SLES10SP1 if we download a compatible python openssl rpm
> (python-openssl-0.6-17.x86_64.rpm) from opensuse.
>
> brian carb
> unisys corporation - malvern, pa
>
> -----Original Message-----
> From: Zhigang Wang [mailto:zhigang.x.wang@oracle.com]
> Sent: Friday, May 02, 2008 2:11 PM
> To: Carb, Brian A
> Cc: xen-devel
> Subject: Re: [Xen-devel] [PATCH] add ssl/tls support to relocation
>
> Yes. I add a dependency.
>
> maybe we can separate SSLTCPListener to a new file like (tcp-ssl.py),
> and import it when needed, just like
> tools/python/xen/xend/server/SSLXMLRPCServer.py did.
>
> will try it later, or you can help.
>
> thanks,
>
> zhigang
>
> Carb, Brian A wrote:
>> With this patch included, xend start errors:
>>
>> # xend start
>> Traceback (most recent call last):
>> File "/usr/sbin/xend", line 44, in ?
>> from xen.xend.server import SrvDaemon
>> File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/server/SrvDaemon.py", line 26, in ?
>> import relocate
>> File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/server/relocate.py", line 23, in ?
>> from xen.web import protocol, tcp, unix
>> File "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/web/tcp.py", line 25, in ?
>> from OpenSSL import SSL
>> ImportError: No module named OpenSSL
>>
>> I guess this produces a dependency on python-openssl, but this rpm is
>> not included in the standard SLES10 distro.
>>
>> brian carb
>> unisys corporation - malvern, pa
>>
>>
>> -----Original Message-----
>> From: xen-devel-bounces@lists.xensource.com
>> [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Zhigang
>> Wang
>> Sent: Sunday, April 27, 2008 10:50 PM
>> To: xen-devel
>> Subject: [Xen-devel] [PATCH] add ssl/tls support to relocation
>>
>> hi, this patch add ssl/tls support to relocation:
>>
>> * SSL/TLS support is disabled by default, as other server did.
>>
>> * If "xend-relocation-server-ssl-key-file" and
>> "xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
>> automatically.
>>
>> * "xend-relocation-tls" is used by relocation client only.
>>
>> Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
>>
>>
>
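The optional pyOpenSSL dependency and the "enable TLS when key and cert files exist" rule discussed in this thread, as an added example that is not part of the thread or of the xend patch. `choose_listener`, `have_pyopenssl` and `RelocationConfigError` are hypothetical names, and refusing to start instead of falling back to plain TCP when TLS is configured but unavailable is this example's assumption.

```python
import importlib.util
import os
import tempfile

KEY_OPT = "xend-relocation-server-ssl-key-file"    # option names from the thread
CERT_OPT = "xend-relocation-server-ssl-cert-file"

class RelocationConfigError(Exception):
    """TLS was requested in the config but cannot be provided."""

def have_pyopenssl():
    # find_spec() probes for the package without importing it, so a missing
    # pyOpenSSL cannot abort daemon start-up with an ImportError.
    return importlib.util.find_spec("OpenSSL") is not None

def choose_listener(config, ssl_available=None):
    """Return "tcp" or "ssl" for the relocation server (hypothetical helper)."""
    if ssl_available is None:
        ssl_available = have_pyopenssl()
    key, cert = config.get(KEY_OPT), config.get(CERT_OPT)
    if not key and not cert:
        return "tcp"  # TLS stays disabled unless it is configured
    if not (key and cert):
        raise RelocationConfigError("set both %s and %s" % (KEY_OPT, CERT_OPT))
    for path in (key, cert):
        if not os.path.isfile(path):
            raise RelocationConfigError("no such file: %s" % path)
    if not ssl_available:
        # Assumption of this example: fail closed, never serve cleartext here.
        raise RelocationConfigError("TLS configured but pyOpenSSL is missing")
    return "ssl"

def demo():
    """Run the decision over constructed configs and return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
        for p in (key, cert):
            open(p, "w").close()  # constructed empty placeholder files
        cfg = {KEY_OPT: key, CERT_OPT: cert}
        out = [choose_listener({}, ssl_available=False),
               choose_listener(cfg, ssl_available=True)]
        try:
            choose_listener(cfg, ssl_available=False)
        except RelocationConfigError as exc:
            out.append(str(exc))
    return out

if __name__ == "__main__":
    print(demo())
```
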
Keir Fraser
2008-May-08 13:29 UTC
Re: [Xen-devel] [PATCH] add ssl/tls support to relocation
On 8/5/08 13:55, "Zhigang Wang" <zhigang.x.wang@oracle.com> wrote:

> After further investigation, I find that I didn't get relocation using
> ssl/tls: the read/write to the pyOpenSSL socket.fileno() will communicate
> without data encrypted.

Needs to be merged with current unstable tip (which is at least changeset 17589). Note also that 17577 has already made OpenSSL optional, and with less code movement than your approach.

 -- Keir
Zhigang Wang
2008-May-13 07:56 UTC
Re: [Xen-devel] [PATCH] add ssl/tls support to relocation
Thanks Keir,

I reorganized the code and did a little more testing, it just works.

But maybe the best way is to patch pyOpenSSL, or use python built-in SSL support after python 2.5 in the future.

And maybe someone (me ;-)) can rewrite the migration protocol based on a more robust framework.

Someone already uses it to make papers:
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf

comments & testing are welcome.

thanks

zhigang

Keir Fraser wrote:
> On 8/5/08 13:55, "Zhigang Wang" <zhigang.x.wang@oracle.com> wrote:
>
>> After further investigation, I find that I didn't get relocation using
>> ssl/tls: the read/write to the pyOpenSSL socket.fileno() will communicate
>> without data encrypted.
>
> Need to be merged with current unstable tip (which is at least changeset
> 17589). Note also that 17577 has already made OpenSSL optional, and with
> less code movement than your approach.
>
> -- Keir
Zhigang Wang
2008-May-13 08:16 UTC
Re: [Xen-devel] [PATCH] add ssl/tls support to relocation
Found some typos in comments after posting. Fixed them and regenerated the patch. Use this one please.

thanks,

zhigang

Zhigang Wang wrote:
> Thanks Keir,
>
> I reorganized the code and did a little more test, it just works.
>
> But maybe the best way is to patch pyOpenSSL, or use python built-in
> SSL support after python 2.5 in the future.
>
> And maybe someone (me ;-)) can rewrite the migration protocol based on
> a more robust framework.
>
> Someone already uses it to make papers:
> http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
>
> comments & testing are welcome.
>
> thanks
>
> zhigang
>
> Keir Fraser wrote:
>> On 8/5/08 13:55, "Zhigang Wang" <zhigang.x.wang@oracle.com> wrote:
>>
>>> After further investigation, I find that I didn't get relocation using
>>> ssl/tls: the read/write to the pyOpenSSL socket.fileno() will communicate
>>> without data encrypted.
>> Need to be merged with current unstable tip (which is at least changeset
>> 17589). Note also that 17577 has already made OpenSSL optional, and with
>> less code movement than your approach.
>>
>> -- Keir