Provide a button in host's detail/view to provision certificate to the KVM host.
During a host addition (addHost) and provisionCertificate API actions, the KVM host agent will determine if the necessary certificates are in place such that secure (tls) migrations are possible. If they are, then the host agent will configure TLS for libvirtd using the cloudstack-setup-agent.
3.5.1 Libvirtd configuration
The libvirtd config file such as at /etc/libvirt/libvirtd.conf, will receive TLS configuration using the assumed path and symlinks will be created as the following:
ln -s /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem
mkdir -p /etc/pki/libvirt/private
ln -s /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem
ln -s /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem
ln -s /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem
ln -s /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem
For reference, the following is seen by default in libvirtd.conf:
#key_file = "/etc/pki/libvirt/private/serverkey.pem"
#cert_file = "/etc/pki/libvirt/servercert.pem"
#ca_file = "/etc/pki/CA/cacert.pem"
In addition to these changes:
• The "listen_tls" will be set to "listen_tls=1" by the cloudstack-setup-agent script when TLS is to be enabled.
• TLS certificate based auth will be enabled, therefore explicit authentication using something like Simple Authentication and Security Layer (SASL) is not necessary and may be done out-of-band by an admin. By default we'll limit settings to:
• auth_tcp="none" (the current default)
• Port 16514 needs to be allowed/enabled by firewall/iptables rules, suitable changes will be done in cloudstack-setup-agent and other relevent files.
3.5.2 Agent changes
• A secured host will imply that both agent and libvirtd has certificates setup. When the keystore or certificates files are not available, host will be assumed as unsecured. This will be used by the agent and libvirt resource on whether qemu+tls:// can be used during live VM migration.
• When certificates are renewed, keystore-cert-import will be used to reconfirm libvirt’s security configuration.
• Subject to testing of service/libvirtd unavailability, a restart task may be performed when the agent has no other outstanding task.
3.5.3 Management Server changes
• During addition of a host via the addHost API, or after an provisionCertificate API call, the cloudstack-setup-agent will be passed a configuration flag to ask it to setup and enable tls for libvirtd.
• When a KVM agent connects to the management server, it will share its host details whether it has its libvirtd TLS setting enabled via the StartupRoutingCommand. And this information will be persisted in host_details.
• When a VM migration is requested, the MigrateCommand handler will determine which URI to use based on availability of certificates.
• When VM migration fails due to certificate related issues (for example CA.pem not found or TLS handshake failure), such errors will be logged and may be exposed to the admin throught the migrateVirtualMachine API/error response.
• MigrateVirtualMachine API failure due to migration between non-secured and secured host will be logged and may be exposed as error in the api response.