[libvirt] [PATCH RFC] update cacrl without restarting libvirtd via virt-admin

Daniel P. Berrangé berrange at redhat.com
Thu Jan 2 16:01:19 UTC 2020 

On Sat, Dec 28, 2019 at 02:18:20AM +0000, Zhangbo (Oscar) wrote:
> This is an RFC request for supporting virt-admin to update cacrl without
> restarting libvirtd.
> 
> When a client wants to establish a TLS connection with libvirtd, a CRL
> file is used by libvirtd to verify the client's certificate. Right now,
> if the CRL file is changed, you must restart libvirtd to make it take
> effect. The restart behavior of libvirtd will cause clients connecting
> with libvirtd to fail.
> 
> In a server cluster, the CRL file may be updated quite frequently due to
> the large amount of certificates.  If the new CRL does not take effect
> in time, there are security risks. So you may need to restart libvirtd
> frequently to make the CRL take effect in time. However, frequent restarts
> will affect the reliability of cluster virtual machine management(such as
> openstack) services.
> 
> This RFC patch adds a virt-admin command to update the server's CRL *online*.
> 
> This patch is not elegant enough, if this feature makes sense, I'd do more
> improvements.

I agree that not being able to update the CRL without restarts is a
significant problem that needs a fix. I'd suggest it is just part of
an even bigger problem - we can't update the CA cert, server cert / key
either. This is increasingly important as the popularity of short-expiry
serve certs increases.

So I think we should make the command be able to update all these TLS
related PEM files. eg have a more general command

 "virt-admin daemon-reload-tls"

to update CA cert, CA crl, server cert+key.  The impl could check the
timestamps on the individual PEM files, so it avoids reloading the
files which haven't changed since last time.

> 
> ---
> include/libvirt/libvirt-admin.h          |  4 ++
> src/admin/admin_protocol.x           | 13 +++++-
> src/admin/admin_server.c             | 13 ++++++
> src/admin/admin_server.h             |  4 ++
> src/admin/libvirt-admin.c              | 33 ++++++++++++++++
> src/admin/libvirt_admin_private.syms   |  1 +
> src/admin/libvirt_admin_public.syms    |  1 +
> src/rpc/virnetserver.c                 | 58 +++++++++++++++++++++++++++
> src/rpc/virnetserver.h                 |  3 ++
> src/rpc/virnettlscontext.c              | 33 ++++++++++++++++
> src/rpc/virnettlscontext.h              |  3 ++
> tools/virt-admin.c                    | 59 ++++++++++++++++++++++++++++

docs/manpages/virt-admin.rst will need an update too.



Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list