Migration over HTTPS #4816
Merged
Migration over HTTPS #4816
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For the time being, only intra-pool migrations will have certificate checking turned on. The new parameter informs xenopsd about the choice. This only matters if an https URL is specified. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
This switches the xenopsd-to-xenopsd connection over to HTTPS, if enabled in the config file (currently off by default). Socket keepalives do not work when stunnel is used, as the given fd is the local connection to stunnel, and are not set in HTTPS mode. This is fine, because the stunnel client is already set up with keepalives. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
The host.migrate_receive call returns URLs for the sending host to use in its VM.migrate_send call. HTTPS URLs are returned based on the value of the config option. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
The function is question redirects a local storage call to another host if the current host does not have access to the SR. This involves rewriting a localhost HTTP URL to a remote URL, which must be an HTTPS URL if storage migration is configured to use HTTPS. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Storage calls that are handled by the local host should always use HTTP, and not set up a connecting through stunnel. The SM URL that is passed to VM.migrate_send in the `dest` parameter, which comes from the return value of a call to host.migrate_receive, may be an HTTPS URL to the localhost, which needs to be rewritten upon receiving it. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
When starting a mirroring process for a disk as part of a storage migration, xapi establishes the connection to the destination, but hands it over to tapdisk to do the actual mirroring over NBD. It is crucial that xapi just hands over the file descriptor and then continues with other business, without waiting for the connection to finish. This is how it works for TCP connections now. When switching to TLS connections, xapi starts an stunnel process as part of the connection setup, and hands over the stunnel fd to tapdisk. By default, this functionality then waits for stunnel to finish after the connection is eventually broken, thus introducing the unwanted blocking. We fix this by telling stunnel to disconnect, but not wait for this to actually happen. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
psafont
reviewed
Oct 11, 2022
| @@ -1321,6 +1323,11 @@ let other_options = | |||
| , (fun () -> string_of_bool !website_https_only) | |||
| , "Allow access to the internal website using HTTPS only (no HTTP)" | |||
| ) | |||
| ; ( "migration-https-only" | |||
There was a problem hiding this comment.
Do we need this parameter? I would have thought host.https_only would be enough for this. This might mean some functionality might break, but it's intended for testing development and it's disable by default anyway
There was a problem hiding this comment.
I wanted to keep them separate. While we keep host.https_only, this config option will go away as soon as we have done full testing. Then HTTPS will be the default for migration, like all other xapi operations.
psafont
approved these changes
Oct 12, 2022
lindig
approved these changes
Oct 12, 2022
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds the ability for xapi to do VM (storage) migration over HTTPS, therefore allowing hosts to close port 80. This is currently off by default, and can be enabled using a config file option.