RE: [Xen-users] Re: Live Migration Config
On Sun, 30 Oct 2005, Ian Pratt wrote:

>
> > The following configurable controls should be implemented for
> > Xen migration.
> >
> > 1. The migration port.
> > 2. The network interface(s) that the migration service listens on.
> > 3. The maximum # of allowed concurrent incoming migrations
> > from a foreign host.
> > 4. Observance of the /etc/hosts.allow and /etc/hosts.deny
> > access controls (or the same within a Xen config file).
> > 5. Some simple way to turn off incoming migration completely.
>
> 1, 2 & 5 are already possible; 4 is simple and is on the todo list[*]. 3
> is more of a higher level tools issue.

1 is a parameter to xfrd when it is started. 5 is (obviously) part of the
xen startup scripts...

3 is (IMHO) bizarre. xfrd isn't a daemon you expect to be making frequent
connections to. It could even be single threaded.

IMHO, 2 doesn't work the way most people want it to. If you have two boxes
next to each other, you can route the 127.0.0.0/8 subnet to your neighbour
and connect to the 127.0.0.1 on your neighbour. To achieve the "only accept
xfrd requests on one interface", I believe you have to use your firewall
rules... yes, binding to 127.0.0.1 makes it unlikely that you're going to
be connected to from the wild internet.

> The correct solution is probably to have an 'xm migraterx' command that
> generates a session key that has to be handed to 'xm migratetx'. The
> actual transfer can then be authenticated, and potentially encrypted.
> However, this will not be in 3.0.0.

hhmm, In that line of thought, I'd probably suggest

6. some form of authentication, anything, even a simple shared "secret"
would be better than wide open.

I'll post some firewall rules shortly. I meant to do it last night.

-Tom

>
> [*] The intention is that the set of allowable hosts be specified in
> xend-config.sxp e.g.:
>   (migration-hosts-allow "*.test.xensource.com"
>       "129.34.45.0/24" "xenbits.xs.org" )
>
> It would be good if someone could knock the above up.
>
> Ian
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>

----------------------------------------------------------------------
tbrown@xxxxxxxxxxxxx   | "The Internet is a world of ends. You're at one
http://BareMetal.com/  | end, and everybody and everything else are at the
web hosting since '95  | other ends." - http://www.worldofends.com/
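
The allow-list entry sketched in the quoted footnote mixes a hostname glob, a CIDR range and a plain hostname. As an added example (not code from Xen or from either poster), here is one way a receiving host could evaluate such a list in Python; the function names, the fail-closed result for an empty list and the requirement that hostnames be forward-confirmed by the caller are assumptions of this example.

```python
import fnmatch
import ipaddress
import re

# Constructed sample, in the form quoted in the message above.
SAMPLE_SXP = ('(migration-hosts-allow "*.test.xensource.com" '
              '"129.34.45.0/24" "xenbits.xs.org" )')


def parse_allow_list(sxp):
    """Return the quoted entries of a (migration-hosts-allow ...) form."""
    m = re.fullmatch(r'\s*\(\s*migration-hosts-allow\b(.*)\)\s*', sxp, re.S)
    if not m:
        raise ValueError("not a migration-hosts-allow form")
    return re.findall(r'"([^"]*)"', m.group(1))


def peer_allowed(entries, peer_ip, peer_names=()):
    """Return True if the connecting peer matches any allow-list entry.

    peer_ip    -- source address of the incoming connection.
    peer_names -- hostnames the caller has forward-confirmed for peer_ip
                  (reverse lookup, then a forward lookup that returns
                  peer_ip). Reverse DNS alone is set by whoever owns the
                  address block, so unconfirmed names must not be passed.
    An empty list matches nothing, so the check fails closed.
    """
    addr = ipaddress.ip_address(peer_ip)
    names = [n.rstrip(".").lower() for n in peer_names]
    for entry in entries:
        try:
            # Entries that parse as an address or CIDR block match on IP.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Anything else is a hostname or glob; the pattern is anchored
            # at both ends, so a suffix added after the domain cannot match.
            pattern = entry.rstrip(".").lower()
            if any(fnmatch.fnmatchcase(n, pattern) for n in names):
                return True
        else:
            if addr.version == net.version and addr in net:
                return True
    return False
```
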