
RE: [Xen-devel] Xen API/libvirt & Remote


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: "John Anderson" <johnha@xxxxxxxxxx>
  • Date: Thu, 3 Aug 2006 10:14:05 -0700
  • Delivery-date: Thu, 03 Aug 2006 10:14:34 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: Aca22T9K01hNnkztRcmct8hnEuyaZgARqe+Q
  • Thread-topic: [Xen-devel] Xen API/libvirt & Remote

Authentication would have been my next question had I discovered that
remote access was possible and widely used, but since there is no
authentication mechanism, I agree that opening the http port is a bad
thing.

I think I've found a solution.  I've wrapped the libvirt calls I need
with gSOAP using SSL certificate authentication.   It seems to be
working for me and secure.

Thanks!

John A.

-----Original Message-----
From: Daniel Veillard [mailto:veillard@xxxxxxxxxx] 
Sent: Thursday, August 03, 2006 1:46 AM
To: John Anderson
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Xen API/libvirt & Remote

On Wed, Aug 02, 2006 at 04:28:37PM -0700, John Anderson wrote:
> I've been reading through the Xen API wiki page and its associated PDF,
> as well as checking out libvirt for a solution to remotely manage xend
> daemons.  Unless I missed something, it seems both the Xen API and
> libvirt only make xml-rpc calls to a local xend daemon.  Is this true or
> am I way off base?

  It's a bit more complex, first libvirt does not (yet) make xml-rpc calls;
it currently does more ad-hoc HTTP based calls when talking to xend. Second,
libvirt interacts with Xen in more ways than just with xend.

> If the Xen API & libvirt can only connect to a local xend daemon, are
> there any alternatives short of providing your own transport (i.e.
> ssh/telnet to invoke the command locally) ?

  I think libvirt 0.1.3 should be able to connect to remote xend daemons
using the HTTP protocol. It will be limited to xend based accesses and
there is unfortunately no authentication.
  Security-wise opening the HTTP port is a big no-no in my opinion, anybody
getting access to the network one way or another would instantly get control
over every domain running. Using SSH or other secure authenticated transport
to then connect to the local service sounds way saner, that's why I didn't
really push or test the remote access. But passing a URL pointing to
the remote service when opening the libvirt connection may work, though as
said I don't really recommend this.

Daniel

-- 
Daniel Veillard      | Red Hat http://redhat.com/
veillard@xxxxxxxxxx  | libxml GNOME XML XSLT toolkit
http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
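
Added example (not part of the original messages, and not libvirt or Xen project code): a shell check for the exposure discussed in the thread, flagging an xend configuration whose HTTP server is enabled and not restricted to loopback. The option names (xend-http-server, xend-address, xend-port) and the defaults used are assumptions based on xend's stock xend-config.sxp, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: flag an xend config that exposes the unauthenticated HTTP port.
# Assumption: option names and defaults follow xend's stock xend-config.sxp
# (xend-http-server, xend-address, xend-port); verify on your version.

# sxp_value FILE KEY: print the last uncommented "(KEY value)", quotes stripped.
sxp_value() {
    sed -n "s/^[[:space:]]*($2[[:space:]][[:space:]]*\([^)]*\)).*/\1/p" "$1" |
        tail -n 1 | tr -d "'\"" | sed 's/[[:space:]]*$//'
}

# audit_xend FILE: return 0 if the HTTP server is off or loopback-only, 1 if exposed.
audit_xend() {
    http=$(sxp_value "$1" xend-http-server)
    addr=$(sxp_value "$1" xend-address)
    port=$(sxp_value "$1" xend-port)
    if [ "${http:-no}" != "yes" ]; then
        echo "OK: xend HTTP server disabled"; return 0
    fi
    case "$addr" in
        localhost|127.0.0.1)
            echo "OK: xend HTTP bound to $addr; reach it through SSH"; return 0 ;;
    esac
    # An empty or unset xend-address means every interface.
    echo "EXPOSED: unauthenticated xend HTTP on ${addr:-all interfaces}, port ${port:-8000}"
    return 1
}

# Constructed sample configs, not taken from the thread.
tmp=$(mktemp -d)
printf '%s\n' "(xend-http-server yes)" "#(xend-address localhost)" \
    "(xend-port 8000)" > "$tmp/exposed.sxp"
printf '%s\n' "(xend-http-server yes)" "(xend-address localhost)" > "$tmp/local.sxp"
audit_xend "$tmp/exposed.sxp" || true
audit_xend "$tmp/local.sxp"
```

A commented-out xend-address line counts as unset, so the first sample is reported as listening on all interfaces.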


 

