WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] Re: Live Migration Config

For Xen to go mainstream, I think this needs to be easier for the average user. I know I'm repeating myself, but it really should use ordinary config file settings like virtually all other inet services. Also, in whatever config file this is going to appear in, the default setting for migration should be "all hosts denied".

Alan


Yeah, iptables is definitely a beast. In this case though, the commands are pretty sane:

If you care about security, always run:

 iptables -I INPUT -p tcp --destination-port 8002 -j REJECT

This inserts a rule to disable all traffic to port 8002. This effectively shuts migration off (#5). To enable migration from specific addresses, you would then say:

iptables -I INPUT -p tcp --source 192.168.1.100 --destination-port 8002 -j ACCEPT

Which allows migrations to originate from 192.168.1.100. If you later change your mind, you can say:

iptables -D INPUT -p tcp --source 192.168.1.100 --destination-port 8002 -j ACCEPT

Which disallows migrations from 192.168.1.100. For added security, you can only enable migration from a given address before you do the migration and then immediately disable it after the migration is done.

You can replace 192.168.1.100 with a hostname or even a netmask (either in the form 192.168.1.100/8 or 192.168.1.100/255.255.255.0).

Best of all, you don't have to restart Xend for the rules to take effect.



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
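
The message's last suggestion (allow a source address only while a migration is in progress, then remove the rule) can be wrapped in a small shell function. This is an added example, not part of the original message: the function names, the `IPTABLES` override used for dry runs, and the choice of wrapped command (anything that blocks until the migration has finished) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Opens port 8002 to one
# source only while a command runs, then deletes the rule again.
# Assumption: the REJECT rule for port 8002 shown above is already in place.
# IPTABLES can be overridden (e.g. IPTABLES="echo iptables") for a dry run.
IPTABLES="${IPTABLES:-iptables}"
MIGRATION_PORT=8002

# Rule specification shared by the insert and the delete, so that the
# rule removed is exactly the rule that was added.
rule_spec() {
    printf '%s' "INPUT -p tcp --source $1 --destination-port $MIGRATION_PORT -j ACCEPT"
}

# Accept an address, address/mask or hostname; refuse anything that could
# be read as an extra iptables option or as shell syntax.
valid_source() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9./-]*) return 1 ;;
    esac
    return 0
}

# with_migration_window SOURCE COMMAND [ARGS...]
# Returns COMMAND's exit status; returns 2 for a bad SOURCE.
# Usage (hypothetical): with_migration_window 192.168.1.100 sleep 600
with_migration_window() {
    src=$1
    shift
    if ! valid_source "$src"; then
        echo "refusing source: $src" >&2
        return 2
    fi
    (
        # -I puts ACCEPT at the top of INPUT, ahead of the REJECT rule.
        # Unquoted on purpose: the spec must split into separate arguments.
        $IPTABLES -I $(rule_spec "$src") || exit 1
        # Remove the rule however the subshell ends, including Ctrl-C.
        trap '$IPTABLES -D $(rule_spec "$src")' EXIT
        trap 'exit 130' INT TERM
        "$@"
    )
}
```

Run it on the host that receives the migration, as root, unless `IPTABLES` is overridden for a dry run.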