On Sat, Dec 28, 2019 at 02:18:20AM +0000, Zhangbo (Oscar) wrote:
This is an RFC request for supporting virt-admin to update cacrl without restarting libvirtd.
When a client wants to establish a TLS connection with libvirtd, a CRL file is used by libvirtd to verify the client's certificate. Right now, if the CRL file is changed, you must restart libvirtd to make it take effect. The restart behavior of libvirtd will cause clients connecting with libvirtd to fail.
In a server cluster, the CRL file may be updated quite frequently due to the large amount of certificates. If the new CRL does not take effect in time, there are security risks. So you may need to restart libvirtd frequently to make the CRL take effect in time. However, frequent restarts will affect the reliability of cluster virtual machine management(such as openstack) services.
This RFC patch adds a virt-admin command to update the server's CRL *online*.
This patch is not elegant enough, if this feature makes sense, I'd do more improvements.
I agree that not being able to update the CRL without restarts is a significant problem that needs a fix. I'd suggest it is just part of an even bigger problem - we can't update the CA cert, server cert / key either. This is increasingly important as the popularity of short-expiry serve certs increases. So I think we should make the command be able to update all these TLS related PEM files. eg have a more general command "virt-admin daemon-reload-tls" to update CA cert, CA crl, server cert+key. The impl could check the timestamps on the individual PEM files, so it avoids reloading the files which haven't changed since last time.
--- include/libvirt/libvirt-admin.h | 4 ++ src/admin/admin_protocol.x | 13 +++++- src/admin/admin_server.c | 13 ++++++ src/admin/admin_server.h | 4 ++ src/admin/libvirt-admin.c | 33 ++++++++++++++++ src/admin/libvirt_admin_private.syms | 1 + src/admin/libvirt_admin_public.syms | 1 + src/rpc/virnetserver.c | 58 +++++++++++++++++++++++++++ src/rpc/virnetserver.h | 3 ++ src/rpc/virnettlscontext.c | 33 ++++++++++++++++ src/rpc/virnettlscontext.h | 3 ++ tools/virt-admin.c | 59 ++++++++++++++++++++++++++++
docs/manpages/virt-admin.rst will need an update too. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|