
Migration over HTTPS #4816

Merged
merged 8 commits into from
Oct 12, 2022

Conversation

robhoes
Member

@robhoes robhoes commented Oct 11, 2022

This adds the ability for xapi to do VM (storage) migration over HTTPS, therefore allowing hosts to close port 80. This is currently off by default, and can be enabled using a config file option.

For the time being, only intra-pool migrations will have certificate
checking turned on. The new parameter informs xenopsd about the choice.
This only matters if an https URL is specified.

Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
This switches the xenopsd-to-xenopsd connection over to HTTPS, if
enabled in the config file (currently off by default).

Socket keepalives do not work when stunnel is used, as the given fd is
the local connection to stunnel, and are not set in HTTPS mode. This is
fine, because the stunnel client is already set up with keepalives.

Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
The host.migrate_receive call returns URLs for the sending host to use
in its VM.migrate_send call. HTTPS URLs are returned based on the value
of the config option.

Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
The function in question redirects a local storage call to another host
if the current host does not have access to the SR. This involves
rewriting a localhost HTTP URL to a remote URL, which must be an HTTPS
URL if storage migration is configured to use HTTPS.

Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Storage calls that are handled by the local host should always use HTTP,
and not set up a connection through stunnel. The SM URL that is passed
to VM.migrate_send in the `dest` parameter, which comes from the return
value of a call to host.migrate_receive, may be an HTTPS URL to the
localhost, which needs to be rewritten upon receiving it.

Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
When starting a mirroring process for a disk as part of a storage
migration, xapi establishes the connection to the destination, but hands
it over to tapdisk to do the actual mirroring over NBD. It is crucial
that xapi just hands over the file descriptor and then continues with
other business, without waiting for the connection to finish. This is
how it works for TCP connections now.

When switching to TLS connections, xapi starts an stunnel process as
part of the connection setup, and hands over the stunnel fd to tapdisk.
By default, this functionality then waits for stunnel to finish after
the connection is eventually broken, thus introducing the unwanted
blocking. We fix this by telling stunnel to disconnect, but not wait for
this to actually happen.

Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
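An added example, not code from this PR or from xapi, that models the URL handling rules the commit messages above describe: a storage (SM) call that names the local host always goes over plain HTTP with no stunnel, a call redirected to another host uses HTTPS only when the migration-https-only option is on, certificate checking applies only to intra-pool migrations, and socket keepalives are set only on direct TCP connections. The `plan_sm_connection` function, the `Connection` record, the local-address set and the sample URLs are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Addresses under which a host reaches itself (constructed set for the example).
LOCAL_ADDRESSES = frozenset({"localhost", "127.0.0.1", "::1"})


@dataclass(frozen=True)
class Connection:
    url: str
    use_stunnel: bool    # https => TLS is carried by an stunnel client process
    verify_cert: bool    # certificate checking only for intra-pool migrations
    set_keepalive: bool  # keepalives are set by xapi only on a direct TCP fd


def _rebuild(url: str, scheme: str, host: str) -> str:
    # An explicit port is dropped so the scheme's default port applies
    # (an assumption of this example, not necessarily xapi's behaviour).
    p = urlsplit(url)
    netloc = f"[{host}]" if ":" in host else host
    return urlunsplit((scheme, netloc, p.path, p.query, p.fragment))


def plan_sm_connection(url: str, migration_https_only: bool, intra_pool: bool,
                       redirect_to: Optional[str] = None) -> Connection:
    """Decide how an SM call for `url` is carried.

    - redirect_to set: this host has no access to the SR, so a localhost URL
      is redirected to that host, over HTTPS if migration-https-only is on.
    - URL names the local host: always plain HTTP, no stunnel.
    - anything else: used as given (an HTTPS URL means stunnel).
    """
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or p.hostname is None:
        raise ValueError(f"unsupported SM URL: {url}")
    is_local = p.hostname in LOCAL_ADDRESSES
    if redirect_to is not None:
        if not is_local:
            raise ValueError("only local SM URLs are redirected")
        scheme = "https" if migration_https_only else "http"
        final = _rebuild(url, scheme, redirect_to)
    elif is_local:
        final = _rebuild(url, "http", p.hostname)
    else:
        final = url
    use_stunnel = urlsplit(final).scheme == "https"
    return Connection(final, use_stunnel, use_stunnel and intra_pool, not use_stunnel)
```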
@@ -1321,6 +1323,11 @@ let other_options =
, (fun () -> string_of_bool !website_https_only)
, "Allow access to the internal website using HTTPS only (no HTTP)"
)
; ( "migration-https-only"
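Review bot: the hunk ends at the option name, so the getter and description for `migration-https-only` are not visible here; since it sits directly after `website_https_only`, it should follow the same `(fun () -> string_of_bool !...)` shape, and its description should say that it is off by default and that it only controls whether host.migrate_receive hands out HTTPS URLs for migration, so nobody confuses it with host.https_only (the question raised below).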
Member


Do we need this parameter? I would have thought host.https_only would be enough for this. This might mean some functionality might break, but it's intended for testing and development and it's disabled by default anyway

Member Author


I wanted to keep them separate. While we keep host.https_only, this config option will go away as soon as we have done full testing. Then HTTPS will be the default for migration, like all other xapi operations.

Further review threads (outdated, resolved) on: ocaml/xapi/xapi_vm_migrate.ml, ocaml/xenopsd/cli/xn.ml
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
@robhoes robhoes merged commit 03d7908 into xapi-project:master Oct 12, 2022
@robhoes robhoes deleted the https-migration branch October 12, 2022 12:30