WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Re: Live Migration Config

from [Alan Greenspan] [Permanent Link][Original]
To: "Anthony Liguori" <aliguori@xxxxxxxxxx>, "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Subject: Re: [Xen-users] Re: Live Migration Config
From: "Alan Greenspan" <alan@xxxxxxxxxxx>
Date: Sun, 30 Oct 2005 19:54:59 -0500
Cc: ian.pratt@xxxxxxxxxxxx, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 31 Oct 2005 00:52:12 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <A95E2296287EAD4EB592B5DEEFCE0E9D32E69B@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <43655C71.9080702@xxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
I think its got to work as Ian outlined with proper configurable access controls like any other inet service. Look to other services as examples, e,g, rsync, ftp, nfs, etc. Mucking with iptables isn't for the average consumer (or even the average management tool). 

Alan
The following configurable controls should be implemented for Xen migration. 

1. The migration port.
2. The network interface(s) that the migration service listens on.
3. The maximum # of allowed concurrent incoming migrations from a foreign host. 4. Observance of the /etc/hosts.allow and /etc/hosts.deny access controls (or the same within a Xen config file). 
5.  Some simple way to turn off incoming migration completely.



1, 2 & 5 are already possible; 4 is simple and is on the todo list[*]. 3
is more of a higher level tools issue.

The correct soloution is probably to have an 'xm migraterx' command that
generates a session key that has to be handed to 'xm migratetx'. The
actual transfer can then be authenticated, and potentially encrypted.
However, this will not be in 3.0.0.
With an SSL Xend interface, this would work quite well. Unfortunately, this is a bit of work because Python doesn't have server-side SSL support (doh!). 


[*] The intention is that the set of allowable hosts be specificed in
xend-config.sxp e.g.: (migration-hosts-allow "*.test.xensource.com"
"129.34.45.0/24" "xenbits.xs.org" )
This might be a bit of overkill. Any basic firewall can provide this functionality already. What would be nice is to have some common firewall configurations for dom0 in the Users Manual. I'll write up something for Shorewall this week. 

Regards,

Anthony Liguori


It would be good if someone could knock the above up.

Ian


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users







_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] Re: Live Migration Config, Anthony Liguori
Next by Date:  Re: [Xen-users] Re: Live Migration Config, Anthony Liguori
Previous by Thread:  Re: [Xen-users] Re: Live Migration Config, Anthony Liguori
Next by Thread:  Re: [Xen-users] Re: Live Migration Config, Anthony Liguori
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy