KVM hook script include - logic to execute custom scripts & logging requirements
KVM hook script include - add logic to create custom directory if not exists & extra logging
This extends securing of KVM hosts to securing of libvirt on KVM
host as well for TLS enabled live VM migration. To simplify implementation
securing of host implies that both host and libvirtd processes are
secured with management server's CA plugin issued certificates.
Based on whether keystore and certificates files are available at
/etc/cloudstack/agent, the KVM agent determines whether to use TLS or
TCP based uris for live VM migration. It is also enforced that a secured
host will allow live VM migration to/from other secured host, and an
unsecured hosts will allow live VM migration to/from other unsecured
host only.
Post upgrade the KVM agent on startup will expose its security state
(secured detail is sent as true or false) to the managements server that
gets saved in host_details for the host. This host detail can be accesed
via the listHosts response, and in the UI unsecured KVM hosts will show
up with the host state of ‘unsecured’. Further, a button has been added
that allows admins to provision/renew certificates to KVM hosts and can
be used to secure any unsecured KVM host.
The `cloudstack-setup-agent` was modified to accept a new flag `-s`
which will reconfigure libvirtd with following settings:
listen_tcp=0
listen_tls=1
tcp_port="16509"
tls_port="16514"
auth_tcp="none"
auth_tls="none"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
For a connected KVM host agent, when the certificate are
renewed/provisioned a background task is scheduled that waits until all
of the agent tasks finish after which libvirt process is restarted and
finally the agent is restarted via AgentShell.
There are no API or DB changes.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
CLOUDSTACK-8765: fix vm migration failure due to different dev name on KVM
* pr/736:
CLOUDSTACK-8765: fix vm migration failure due to different dev name on KVM
Signed-off-by: Remi Bergsma <github@remi.nl>
This allows non-root users to add KVM hosts, the user should be an admin or
added to sudoers to execute sudo cloudstack-setup-agent.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Signed-off-by: Remi Bergsma <apache@remi.nl>
This closes#288
(cherry picked from commit d2b0c1a32b2d8719eafd6d4574de9a824d46d290)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
There still exist two issues after Edison's commits.
(1) Migration from new hosts to old hosts failed.
The bridge name on old host is set to cloudVirBr* if network.bridge.name.schema is set to 3.0 in /etc/cloudstack/agent/agent.properties, but the actual bridge name is breth*-* after running cloudstack-agent-upgrade.
(2) all ports of vms (Basic zone, or Advanced zone with security groups) on old hosts are open, because the iptables rules are binding to device (bridge) name which is changed by cloudstack-agent-upgrade.
After this, the KVM upgrade steps :
a. Install 4.2 cloudstack agent on each kvm host
b. Run "cloudstack-agent-upgrade". This script will upgrade all the existing bridge name to new bridge name, and update related firewall rules.
c. install a libvirt hook:
c1. mkdir /etc/libvirt/hooks
c2. cp /usr/share/cloudstack-agent/lib/libvirtqemuhook /etc/libvirt/hooks/qemu
c3. chmod +x /etc/libvirt/hooks/qemu
c4. service libvirtd restart
c5. service cloudstack-agent restart
Signed-off-by: Wei Zhou <w.zhou@leaseweb.com>
New network.bridge.type was introduced, but for
buckward compatibility, the key should be optional.
Signed-off-by: Hiroaki KAWAI <kawai@stratosphere.co.jp>
Ovs brcompat will be obsolete, so if network.bridge.type was
set to openvswitch, we'll use ovs command explicitly.
Signed-off-by: Hiroaki KAWAI <kawai@stratosphere.co.jp>
Detail: new script called cloud-ssh replaces the long
'ssh -i /root/.ssh/id_rsa.cloud -p 3922 root@169.254.0.12'
users can now just run 'cloud-ssh 169.254.0.12'. Also adds it to deb and rpm
builds.
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1353086232 -0700
The sequence:
1. add host in UI
2. scp setup_agent.sh to agent host, and execute it. This script receives hostip,zoneid, podid and guid, then runs "cloud-setup-agent" and "cloud-setup-console-proxy". Here, we assume that network/hostname and cloud-agent are already configed and installed.
3. Write a dummy kvm resource into the database, then wait for agent connects to server, by polling the database for every 1 minutes. If it finds the agent is in UP state in database, then return, or wait for at least 10 minutes.
