-
Notifications
You must be signed in to change notification settings - Fork 285
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migration over HTTPS #4816
Migration over HTTPS #4816
Conversation
For the time being, only intra-pool migrations will have certificate checking turned on. The new parameter informs xenopsd about the choice. This only matters if an https URL is specified. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
This switches the xenopsd-to-xenopsd connection over to HTTPS, if enabled in the config file (currently off by default). Socket keepalives do not work when stunnel is used, as the given fd is the local connection to stunnel, and are not set in HTTPS mode. This is fine, because the stunnel client is already set up with keepalives. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
The host.migrate_receive call returns URLs for the sending host to use in its VM.migrate_send call. HTTPS URLs are returned based on the value of the config option. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
The function is question redirects a local storage call to another host if the current host does not have access to the SR. This involves rewriting a localhost HTTP URL to a remote URL, which must be an HTTPS URL if storage migration is configured to use HTTPS. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Storage calls that are handled by the local host should always use HTTP, and not set up a connecting through stunnel. The SM URL that is passed to VM.migrate_send in the `dest` parameter, which comes from the return value of a call to host.migrate_receive, may be an HTTPS URL to the localhost, which needs to be rewritten upon receiving it. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
When starting a mirroring process for a disk as part of a storage migration, xapi establishes the connection to the destination, but hands it over to tapdisk to do the actual mirroring over NBD. It is crucial that xapi just hands over the file descriptor and then continues with other business, without waiting for the connection to finish. This is how it works for TCP connections now. When switching to TLS connections, xapi starts an stunnel process as part of the connection setup, and hands over the stunnel fd to tapdisk. By default, this functionality then waits for stunnel to finish after the connection is eventually broken, thus introducing the unwanted blocking. We fix this by telling stunnel to disconnect, but not wait for this to actually happen. Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
@@ -1321,6 +1323,11 @@ let other_options = | |||
, (fun () -> string_of_bool !website_https_only) | |||
, "Allow access to the internal website using HTTPS only (no HTTP)" | |||
) | |||
; ( "migration-https-only" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need this parameter? I would have thought host.https_only
would be enough for this. This might mean some functionality might break, but it's intended for testing development and it's disable by default anyway
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to keep them separate. While we keep host.https_only
, this config option will go away as soon as we have done full testing. Then HTTPS will be the default for migration, like all other xapi operations.
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
Signed-off-by: Rob Hoes <rob.hoes@citrix.com>
This adds the ability for xapi to do VM (storage) migration over HTTPS, therefore allowing hosts to close port 80. This is currently off by default, and can be enabled using a config file option.