[libvirt] [PATCH RFC] update cacrl without restarting libvirtd via virt-admin
Daniel P. Berrangé
berrange at redhat.com
Thu Jan 2 16:01:19 UTC 2020
On Sat, Dec 28, 2019 at 02:18:20AM +0000, Zhangbo (Oscar) wrote:
> This is an RFC request for supporting virt-admin to update cacrl without
> restarting libvirtd.
>
> When a client wants to establish a TLS connection with libvirtd, a CRL
> file is used by libvirtd to verify the client's certificate. Right now,
> if the CRL file is changed, you must restart libvirtd to make it take
> effect. The restart behavior of libvirtd will cause clients connecting
> with libvirtd to fail.
>
> In a server cluster, the CRL file may be updated quite frequently due to
> the large amount of certificates. If the new CRL does not take effect
> in time, there are security risks. So you may need to restart libvirtd
> frequently to make the CRL take effect in time. However, frequent restarts
> will affect the reliability of cluster virtual machine management (such as
> OpenStack) services.
>
> This RFC patch adds a virt-admin command to update the server's CRL *online*.
>
> This patch is not elegant enough, if this feature makes sense, I'd do more
> improvements.
I agree that not being able to update the CRL without restarts is a
significant problem that needs a fix. I'd suggest it is just part of
an even bigger problem - we can't update the CA cert, server cert / key
either. This is increasingly important as the popularity of short-expiry
server certs increases.
So I think we should make the command be able to update all these TLS
related PEM files. eg have a more general command
"virt-admin daemon-reload-tls"
to update CA cert, CA crl, server cert+key. The impl could check the
timestamps on the individual PEM files, so it avoids reloading the
files which haven't changed since last time.
>
> ---
> include/libvirt/libvirt-admin.h | 4 ++
> src/admin/admin_protocol.x | 13 +++++-
> src/admin/admin_server.c | 13 ++++++
> src/admin/admin_server.h | 4 ++
> src/admin/libvirt-admin.c | 33 ++++++++++++++++
> src/admin/libvirt_admin_private.syms | 1 +
> src/admin/libvirt_admin_public.syms | 1 +
> src/rpc/virnetserver.c | 58 +++++++++++++++++++++++++++
> src/rpc/virnetserver.h | 3 ++
> src/rpc/virnettlscontext.c | 33 ++++++++++++++++
> src/rpc/virnettlscontext.h | 3 ++
> tools/virt-admin.c | 59 ++++++++++++++++++++++++++++
docs/manpages/virt-admin.rst will need an update too.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
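The timestamp check Daniel suggests, written out as an added example in C (not part of this reply, the RFC patch, or libvirt's own code). It decides which of the four PEM files a `daemon-reload-tls` command would have to re-read, treats server cert and key as one unit, and the `tlsReloadDemoStep` scenario, temp-file names, and step numbering are constructed for the demo; the actual re-parsing of the PEM material and validating it before swapping it into the live context is left to the TLS layer.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* The four PEM inputs a daemon-reload-tls command would cover. */
enum { TLS_CACERT = 0, TLS_CACRL, TLS_SERVERCERT, TLS_SERVERKEY, TLS_NFILES };
#define TLS_BIT(i) (1u << (i))
/* Per-file snapshot taken at the last (re)load. */
struct tlsFileState { const char *path; struct timespec mtime; off_t size; };

/* Bitmask of files whose mtime or size moved since the snapshot (snapshot is
 * refreshed). Full timespec compared so two rewrites inside one second are not
 * missed; a file that cannot be stat()ed is left out so the daemon keeps its
 * current working credentials. Cert and key are only valid as a pair, so a
 * change to either forces both to be re-read together. */
unsigned tlsFilesToReload(struct tlsFileState files[TLS_NFILES])
{
    unsigned mask = 0;
    for (int i = 0; i < TLS_NFILES; i++) {
        struct tlsFileState *f = &files[i]; struct stat st;
        if (stat(f->path, &st) < 0) continue;
        if (st.st_mtim.tv_sec == f->mtime.tv_sec &&
            st.st_mtim.tv_nsec == f->mtime.tv_nsec && st.st_size == f->size)
            continue;
        f->mtime = st.st_mtim; f->size = st.st_size;
        mask |= TLS_BIT(i);
    }
    if (mask & (TLS_BIT(TLS_SERVERCERT) | TLS_BIT(TLS_SERVERKEY)))
        mask |= TLS_BIT(TLS_SERVERCERT) | TLS_BIT(TLS_SERVERKEY);
    return mask;
}

/* Constructed scenario on empty temp files (no real PEM data): step 0 takes the
 * first snapshot, 1 touches the CRL, 2 changes nothing, 3 touches the server key.
 * mtimes are set explicitly with utimensat() so nothing depends on sleeping. */
unsigned tlsReloadDemoStep(int step)
{
    static char paths[TLS_NFILES][32];
    static struct tlsFileState files[TLS_NFILES];
    if (!files[0].path)
        for (int i = 0; i < TLS_NFILES; i++) {
            strcpy(paths[i], "/tmp/tlsreload-XXXXXX");
            close(mkstemp(paths[i]));
            files[i].path = paths[i];
        }
    int touch = step == 1 ? TLS_CACRL : step == 3 ? TLS_SERVERKEY : -1;
    if (touch >= 0) {
        struct timespec ts[2] = { { 0, UTIME_OMIT }, { 1000 + step, 0 } };
        utimensat(AT_FDCWD, files[touch].path, ts, 0);
    }
    return tlsFilesToReload(files);
}
```

Step 0 reports all four files (first load), step 1 only the CRL, step 2 nothing, and step 3 the cert+key pair even though only the key file was touched.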