mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
8da2462469
This extends securing of KVM hosts to securing of libvirt on KVM
host as well for TLS enabled live VM migration. To simplify implementation
securing of host implies that both host and libvirtd processes are
secured with management server's CA plugin issued certificates.
Based on whether keystore and certificates files are available at
/etc/cloudstack/agent, the KVM agent determines whether to use TLS or
TCP based uris for live VM migration. It is also enforced that a secured
host will allow live VM migration to/from other secured host, and an
unsecured hosts will allow live VM migration to/from other unsecured
host only.
Post upgrade the KVM agent on startup will expose its security state
(secured detail is sent as true or false) to the managements server that
gets saved in host_details for the host. This host detail can be accesed
via the listHosts response, and in the UI unsecured KVM hosts will show
up with the host state of ‘unsecured’. Further, a button has been added
that allows admins to provision/renew certificates to KVM hosts and can
be used to secure any unsecured KVM host.
The `cloudstack-setup-agent` was modified to accept a new flag `-s`
which will reconfigure libvirtd with following settings:
listen_tcp=0
listen_tls=1
tcp_port="16509"
tls_port="16514"
auth_tcp="none"
auth_tls="none"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
For a connected KVM host agent, when the certificate are
renewed/provisioned a background task is scheduled that waits until all
of the agent tasks finish after which libvirt process is restarted and
finally the agent is restarted via AgentShell.
There are no API or DB changes.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
58 lines
2.0 KiB
Bash
Executable File
58 lines
2.0 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
set -e
|
|
|
|
case "$1" in
|
|
configure)
|
|
OLDCONFDIR="/etc/cloud/agent"
|
|
NEWCONFDIR="/etc/cloudstack/agent"
|
|
CONFFILES="agent.properties log4j.xml log4j-cloud.xml"
|
|
|
|
# Copy old configuration so the admin doesn't have to do that
|
|
# Only do so when we are installing for the first time
|
|
if [ -z "$2" ]; then
|
|
for FILE in $CONFFILES; do
|
|
if [ -f "$OLDCONFDIR/${FILE}" ]; then
|
|
cp -a $OLDCONFDIR/$FILE $NEWCONFDIR/$FILE
|
|
fi
|
|
done
|
|
fi
|
|
|
|
BR_NETFILTER_MODULE=br_netfilter
|
|
MODULES_FILE=/etc/modules
|
|
if /sbin/modinfo $BR_NETFILTER_MODULE >/dev/null 2>&1; then
|
|
/sbin/modprobe $BR_NETFILTER_MODULE
|
|
if ! grep $BR_NETFILTER_MODULE $MODULES_FILE >/dev/null 2>&1; then
|
|
echo "$BR_NETFILTER_MODULE" >> $MODULES_FILE
|
|
fi
|
|
fi
|
|
|
|
# Running cloudstack-agent-upgrade to update bridge name for upgrade from CloudStack 4.0.x (and before) to CloudStack 4.1 (and later)
|
|
/usr/bin/cloudstack-agent-upgrade
|
|
if [ ! -d "/etc/libvirt/hooks" ] ; then
|
|
mkdir /etc/libvirt/hooks
|
|
fi
|
|
cp -a /usr/share/cloudstack-agent/lib/libvirtqemuhook /etc/libvirt/hooks/qemu
|
|
|
|
;;
|
|
esac
|
|
|
|
#DEBHELPER#
|