xen-users
RE: [Xen-users] Re: Live Migration Config
On Sun, 30 Oct 2005, Ian Pratt wrote:
>
> > The following configurable controls should be implemented for
> > Xen migration.
> >
> > 1. The migration port.
> > 2. The network interface(s) that the migration service listens on.
> > 3. The maximum # of allowed concurrent incoming migrations
> > from a foreign host.
> > 4. Observance of the /etc/hosts.allow and /etc/hosts.deny
> > access controls (or the same within a Xen config file).
> > 5. Some simple way to turn off incoming migration completely.
>
> 1, 2 & 5 are already possible; 4 is simple and is on the todo list[*]. 3
> is more of a higher level tools issue.

1 is a parameter to xfrd when it is started.
5 is (obviously) part of the xen startup scripts...
3 is (IMHO) bizarre. xfrd isn't a daemon you expect to be making frequent
connections to. It could even be single threaded.
IMHO, 2 doesn't work the way most people want it to. If you have two boxes
next to each other, you can route the 127.0.0.0/8 subnet to your neighbour
and connect to the 127.0.0.1 on your neighbour. To achieve the "only accept
xfrd requests on one interface", I believe you have to use your firewall
rules... yes, binding to 127.0.0.1 makes it unlikely that you're going to
be connected to from the wild internet.

> The correct solution is probably to have an 'xm migraterx' command that
> generates a session key that has to be handed to 'xm migratetx'. The
> actual transfer can then be authenticated, and potentially encrypted.
> However, this will not be in 3.0.0.

Hmm, in that line of thought, I'd probably suggest
6. some form of authentication, anything, even a simple shared "secret"
would be better than wide open.
I'll post some firewall rules shortly. I meant to do it last night.
-Tom
>
> [*] The intention is that the set of allowable hosts be specified in
> xend-config.sxp e.g.: (migration-hosts-allow "*.test.xensource.com"
> "129.34.45.0/24" "xenbits.xs.org" )
>
> It would be good if someone could knock the above up.
>
> Ian
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>
----------------------------------------------------------------------
tbrown@xxxxxxxxxxxxx | "The Internet is a world of ends. You're at one
http://BareMetal.com/ | end, and everybody and everything else are at the
web hosting since '95 | other ends." - http://www.worldofends.com/
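
An added example, not part of the thread and not xend's code: one way to evaluate the `migration-hosts-allow` entry proposed in the footnote above, accepting CIDR entries by address and hostname globs only after forward-confirmed reverse DNS. The function names, the injected resolver parameters and the DNS data are assumptions constructed for illustration.

```python
import fnmatch
import ipaddress
import re

# Constructed config line in the syntax proposed in the thread.
CONFIG = '(migration-hosts-allow "*.test.xensource.com" "129.34.45.0/24" "xenbits.xs.org")'

# Constructed DNS data standing in for real lookups (assumption).
PTR = {"10.0.0.5": "node1.test.xensource.com",
       "203.0.113.9": "spoof.test.xensource.com"}  # PTR set by the peer's owner
A = {"node1.test.xensource.com": ["10.0.0.5"]}     # zone has no "spoof" record


def parse_allow(line):
    """Split the quoted entries into CIDR networks and hostname globs."""
    m = re.fullmatch(r'\(\s*migration-hosts-allow\b(.*)\)', line.strip())
    if not m:
        raise ValueError("not a migration-hosts-allow entry")
    nets, hosts = [], []
    for item in re.findall(r'"([^"]*)"', m.group(1)):
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:          # not an address or CIDR: treat as a name glob
            hosts.append(item.lower())
    return nets, hosts


def peer_allowed(peer_ip, nets, hosts, reverse, forward):
    """Default-deny check for an incoming migration connection.

    reverse(ip) -> name or None and forward(name) -> list of IPs are
    hypothetical injected resolvers so the logic runs offline.
    """
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in net for net in nets):
        return True
    name = (reverse(peer_ip) or "").lower().rstrip(".")
    if not name or not any(fnmatch.fnmatchcase(name, p) for p in hosts):
        return False
    # A PTR record is chosen by whoever controls the peer's address space,
    # so accept the name only if it resolves back to the connecting address.
    return peer_ip in forward(name)


def check(peer_ip):
    nets, hosts = parse_allow(CONFIG)
    return peer_allowed(peer_ip, nets, hosts, PTR.get, lambda n: A.get(n, []))
```

An allow-list of this kind filters by source address only; it does not replace the authenticated session key or shared secret discussed in the thread.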