From: Zhigang Wang
Date: Thu, 03 Oct 2013 09:34:46 -0400
To: Matt Wilson
Cc: George Dunlap, Ian Jackson, Matt Wilson, xen-devel
Subject: Re: [Xen-devel] Suggestion for merging xl save/restore/migrate/migrate-receive
Message-ID: <524D7276.6080701@oracle.com>
In-Reply-To: <20131003021948.GA29049@u109add4315675089e695.ant.amazon.com>
References: <523337AA.5080103@oracle.com> <5237291C.9090100@oracle.com> <21047.12251.625579.745154@mariner.uk.xensource.com> <523742B3.5040204@oracle.com> <523811E8.6080304@eu.citrix.com> <20130924164652.GC13979@phenom.dumpdata.com> <20131003021948.GA29049@u109add4315675089e695.ant.amazon.com>

On 10/02/2013 10:19 PM, Matt Wilson wrote:
> On Wed, Sep 25, 2013 at 11:06:29AM +0100, George Dunlap wrote:
>> On Tue, Sep 24, 2013 at 5:46 PM, Konrad Rzeszutek Wilk
>> wrote:
>>>>>>> * In order to migrate a VM without user interaction, we have to configure ssh
>>>>>>> keys for all Servers in a pool. Key management brings complexity.
>>>>>>
>>>>>> Surely your automated server deployment system can manage this?
>>>>>
>>>>> Yes, we can.
>>>>>
>>>>> Keys are state; we need to make sure they are always in sync. Also after this,
>>>>> all Servers in a pool can log in to each other. I don't know whether it's
>>>>> a security issue for our product.
>>>>>
>>>>> This is something we try to avoid at this time.
>>>>
>>>> ...so instead of allowing anyone on one of the hosts to log in, you're
>>>> going to allow anyone with access to the network to create a VM
>>>> without any kind of authentication?
>>>>
>>>> From a security perspective, that doesn't really sound like an
>>>> improvement...
>>>>
>>>
>>> How did this work with 'xend' and its migration using SSL? Was it as
>>> simple as this?
>>
>> I have no idea -- Matt, do you know / would you care to take a look
>> and find out (since you have expressed a willingness to maintain
>> xend)?
>
> It seems that you would just configure an SSL key file and cert file in
> xend-config.sxp
>
> http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=0f26d15c
>
> Zhigang: you wrote this code, correct?

Yes. That's only a very basic implementation. The SSL relocation server will
not do client cert verification, and there's no way to configure the client to
use a specific cert right now.

I think SSL cert verification could be a way to get security. But you need to
distribute the certs to all the servers in a pool and reload the xend
relocation server to use the new certificate.

Thanks,
Zhigang

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
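The two relocation-channel settings contrasted in this reply (a TLS server that never verifies the client, beside one that requires a client certificate found in a bundle distributed to every host in the pool, with the client configured to present a specific cert), as an added example that is not xend or xl code. It assumes the `openssl` command is on PATH to mint throwaway self-signed certificates; the host names `host-a`/`host-b`, the file `pool-bundle.pem` and the `migration-ok` exchange are illustrative, and the pool bundle is simply the concatenation of each host's self-signed certificate (the "distribute the certs to all the servers in a pool" step).

```python
# Added example (not xend/xl code): the two relocation-channel settings from the
# thread side by side. Assumes the openssl CLI is on PATH for throwaway certs;
# host-a, host-b and pool-bundle.pem are illustrative names.
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

OPENSSL = shutil.which("openssl")


def make_server_context(certfile, keyfile, pool_bundle=None):
    """Relocation server. pool_bundle=None is the basic setup described in the
    thread: the server presents its own cert but never verifies the client, so
    anyone who can reach the port can push a VM. With a bundle, the client must
    present a certificate that is (or chains to) one in the pool bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    if pool_bundle is None:
        ctx.verify_mode = ssl.CERT_NONE        # weak: no client cert verification
    else:
        ctx.load_verify_locations(pool_bundle)
        ctx.verify_mode = ssl.CERT_REQUIRED    # corrected: pool members only
    return ctx


def make_client_context(pool_bundle, certfile=None, keyfile=None):
    """Migration client. Always verifies the server against the pool bundle
    (PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname check) and,
    when given one, presents a specific identity certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(pool_bundle)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def _selfsigned(d, name, cn):
    """Throwaway self-signed cert for one host (constructed test material)."""
    key, crt = os.path.join(d, name + ".key"), os.path.join(d, name + ".crt")
    subprocess.run([OPENSSL, "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + cn,
                    "-addext", "subjectAltName=DNS:" + cn,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt


def _serve_one(ctx, lsock, outcome):
    """Accept one connection; record whether handshake and exchange succeeded."""
    conn, _ = lsock.accept()
    conn.settimeout(5)
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"migration-ok " + tls.recv(64))
            outcome.append(True)
    except OSError:                 # ssl.SSLError is an OSError subclass
        outcome.append(False)
    finally:
        conn.close()


def _try_connect(ctx, port):
    """Client attempt; True only if the server completed the exchange with us."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"vm-1")
            return tls.recv(128).startswith(b"migration-ok")
    except OSError:
        return False


def _exchange(server_ctx, client_ctx):
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    outcome = []
    t = threading.Thread(target=_serve_one, args=(server_ctx, lsock, outcome), daemon=True)
    t.start()
    client_ok = _try_connect(client_ctx, lsock.getsockname()[1])
    t.join(5)
    lsock.close()
    return client_ok and outcome == [True]


def run_demo():
    """Run the three scenarios; returns None when openssl cannot mint certs."""
    if OPENSSL is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        try:
            a_key, a_crt = _selfsigned(d, "host-a", "localhost")  # receiving host
            b_key, b_crt = _selfsigned(d, "host-b", "host-b")     # sending host
        except (OSError, subprocess.CalledProcessError):
            return None
        # "Distribute the certs to all the servers in a pool": one bundle per host.
        bundle = os.path.join(d, "pool-bundle.pem")
        with open(bundle, "wb") as out:
            for crt in (a_crt, b_crt):
                with open(crt, "rb") as f:
                    out.write(f.read())
        scenarios = {
            "weak_server_anonymous_client": (make_server_context(a_crt, a_key), make_client_context(bundle)),
            "strict_server_anonymous_client": (make_server_context(a_crt, a_key, bundle), make_client_context(bundle)),
            "strict_server_pool_client": (make_server_context(a_crt, a_key, bundle), make_client_context(bundle, b_crt, b_key)),
        }
        return {name: _exchange(s, c) for name, (s, c) in scenarios.items()}


if __name__ == "__main__":
    print(run_demo())
```

The first scenario is the point George raises: with `CERT_NONE` on the receiving side, a client holding nothing but the pool's public certificates completes the exchange. The second shows the same anonymous client being refused once the server requires a pool certificate, and the third shows a host that presents its own certificate still getting through. The reload cost Zhigang mentions is visible in the design: the bundle is loaded into the context at construction, so a new host's certificate only takes effect after the server contexts are rebuilt.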