[openstack-dev] Fwd: Secure live VM migration in cloud (openstack)

Naveed Ahmad 12msccsnahmad at seecs.edu.pk
Tue Oct 22 14:20:40 UTC 2013


Hi,

I need some assistance. I am very confused about one thing in Openstack: how
it manages VMs. I mean to say, where can I find all the files related to a
single VM? I have Vbox on my system, and in the VM's main folder I have 3
files and 1 folder. I have attached a snapshot of it.

How can I see those files for a VM in Openstack? I know it uses the XEN/KVM
hypervisor, but where does it store all the files related to the VM?

I tried to find it in Openstack but no success yet.

I would be very thankful to you.

Regards
Naveed








On Wed, Oct 2, 2013 at 12:02 AM, Joshua Harlow <harlowja at yahoo-inc.com> wrote:

>  Sure, I'd like to hear about it :)
>
>   From: Naveed Ahmad <12msccsnahmad at seecs.edu.pk>
> Date: Tuesday, October 1, 2013 11:22 AM
>
> To: Joshua Harlow <harlowja at yahoo-inc.com>
> Subject: Re: [openstack-dev] Secure live VM migration in cloud (openstack)
>
>  Hi,
>  Respected Sir,
>
>  Hopefully you will be fine. Previously I discussed my thesis with you.
> Can I share with you the flow of the secure live VM migration process
> w.r.t. cloud? I have almost completed the design that I will implement in
> libvirt/openstack.
>
>
>  Regards
>
>
>
>
> On Tue, Aug 27, 2013 at 11:12 AM, Naveed Ahmad <12msccsnahmad at seecs.edu.pk
> > wrote:
>
>>
>>  Sir, I have seen openstack code yet and you are right, it is possible
>> with nova. I will update you soon about my plan.
>>
>>  Thanks for sharing useful links and thanks for nice discussion.
>>
>>
>>  Regards
>>
>>
>>
>>
>>
>>
>> On Tue, Aug 27, 2013 at 9:29 AM, Joshua Harlow <harlowja at yahoo-inc.com> wrote:
>>
>>>  Cool, so are u thinking about doing most of this at the openstack code
>>> level then or at the libvirt level??
>>>
>>>  I could see it being possible to do this in nova itself, or at a lower
>>> level in libvirt.
>>>
>>>  U might be interested in a wiki I made a while ago @
>>> https://wiki.openstack.org/wiki/LiveMigrationWorkflows
>>>
>>>  It might not be fully accurate, but u can likely determine the places
>>> u would need to change from that.
>>>
>>>  Also https://blueprints.launchpad.net/nova/+spec/unified-migrations might
>>> be interesting to u.
>>>
>>>   From: Naveed Ahmad <12msccsnahmad at seecs.edu.pk>
>>> Date: Monday, August 26, 2013 9:04 PM
>>> To: Joshua Harlow <harlowja at yahoo-inc.com>
>>>
>>> Subject: Re: [openstack-dev] Secure live VM migration in cloud
>>> (openstack)
>>>
>>>  Respected Joshua Harlow,
>>>
>>>  No, I did not talk with the libvirt team, but I have seen the feature
>>> list of libvirt only and the documentation of openstack.
>>>
>>>  Regards
>>>
>>>
>>>
>>> On Tue, Aug 27, 2013 at 2:58 AM, Joshua Harlow <harlowja at yahoo-inc.com> wrote:
>>>
>>>>  Hi,
>>>>
>>>>  Those ideas sound pretty good to me. Although I'm not an expert in
>>>> the security area, have u talked with the libvirt folks? I wonder if they
>>>> have any of this planned?
>>>>
>>>>   From: Naveed Ahmad <12msccsnahmad at seecs.edu.pk>
>>>> Reply-To: OpenStack Development Mailing List <
>>>> openstack-dev at lists.openstack.org>
>>>> Date: Monday, August 26, 2013 11:10 AM
>>>> To: OpenStack Development Mailing List <
>>>> openstack-dev at lists.openstack.org>
>>>> Subject: Re: [openstack-dev] Secure live VM migration in cloud
>>>> (openstack)
>>>>
>>>>  Respected Joshua Harlow,
>>>>
>>>>  Thanks for the reply.
>>>>
>>>>  Based on a literature survey, I found that the following techniques are
>>>> used for secure live migration of a VM.
>>>>
>>>>  1. RSA with the SSL protocol for authentication and encryption.
>>>> As you mentioned earlier, the same problem is in RSA-based authentication:
>>>> we have to add the public keys of all other hypervisors.
>>>>
>>>>  At Blackhat 2013, security researchers found a vulnerability in SSL, so
>>>> it can be broken in a very short time.
>>>>  Please check
>>>>
>>>> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
>>>>
>>>>  2. SSH is used for a secure tunnel before live VM migration.
>>>>
>>>>  Authentication is not discussed; only a secure tunnel is used to
>>>> achieve confidentiality.
>>>>
>>>>  3. Openstack uses libvirtd with kvm to provide secure VM migration
>>>> between the src and dst machines.
>>>>  SSL is used for the encrypted channel and SASL is used for
>>>> authentication.
>>>>
>>>>
>>>>
>>>>  So I am interested in implementing authentication levels in live VM
>>>> migration:
>>>>
>>>>  1. No authentication
>>>>  2. Certificate based
>>>>  3. Smart card based authentication
>>>>
>>>>  Similarly, SSL provides a secure channel, but after that a separate VLAN
>>>> is used for VM migration traffic. If we use IPsec, then we can achieve the
>>>> same goal on the network layer to hide all communication of VM migration.
>>>>
>>>>
>>>>
>>>>  Regards
>>>>  Naveed
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Aug 26, 2013 at 2:44 AM, Joshua Harlow <harlowja at yahoo-inc.com> wrote:
>>>>
>>>>>  Arg, hit send too quick.
>>>>>
>>>>>  *likely these problems would require some managed migration "thing"
>>>>> that would temporarily open the network access, issue temporary auth keys
>>>>> and then initiate the migration between the 2 hypervisors. Is this in your
>>>>> scope, to make this thing??
>>>>>
>>>>>
>>>>> Sent from my really tiny device...
>>>>>
>>>>> On Aug 25, 2013, at 2:42 PM, "Joshua Harlow" <harlowja at yahoo-inc.com>
>>>>> wrote:
>>>>>
>>>>>   Hi,
>>>>>
>>>>>  I think it's a good idea, can u describe more what would be
>>>>> different, would there be a new auth and live migration mechanism?
>>>>>
>>>>>  I think one of the problems at least yahoo has is that live
>>>>> migration requires all ssh keys to be on all hypervisors since hypervisors
>>>>> (libvirtd) open up the connection to the hypervisor to be migrated to. This
>>>>> is obviously bad, as any hacker if they can get out of a vm now can start
>>>>> issuing these migration requests. Also at yahoo we don't allow hypervisors
>>>>> to communicate openly to each other, this is protected at the network
>>>>> level. Would u be working on solutions to these problems (likely involving
>>>>>
>>>>> Sent from my really tiny device...
>>>>>
>>>>> On Aug 25, 2013, at 6:33 AM, "Naveed Ahmad" <
>>>>> 12msccsnahmad at seecs.edu.pk> wrote:
>>>>>
>>>>>
>>>>>  Thanks for replying, Joshua.
>>>>>
>>>>>
>>>>>  VM migration is the process used to migrate a VM from one physical
>>>>> server to another physical server for many reasons, like system
>>>>> maintenance, hardware failure.
>>>>>
>>>>>  The VM is an important element in the cloud as well, so we do the same
>>>>> in the cloud. The xen/kvm hypervisors used in openstack don't provide
>>>>> security in this process. I studied a few papers on it which are related
>>>>> to VM migration in the DC instead of the cloud. I have also seen a book on
>>>>> openstack security in which it is described that xen/kvm could not provide
>>>>> security, but libvirt can be used with xen/kvm to secure this process.
>>>>>
>>>>>  Currently libvirt provides SSL for confidentiality of data
>>>>> between source and destination, and SASL for authentication. I want to add
>>>>> other authentication mechanisms to it, and in the end it would be added to
>>>>> the Dashboard of openstack so that the administrator can use it easily.
>>>>> Access control is also part of this thesis.
>>>>>
>>>>>
>>>>>  Maybe you got my idea, Mr. Joshua Harlow, and now please comment on it.
>>>>> Is it good or not? Your comment will help me to choose a good topic in
>>>>> cloud security.
>>>>>
>>>>>
>>>>>  Regards
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Aug 25, 2013 at 4:17 AM, Joshua Harlow <harlowja at yahoo-inc.com
>>>>> > wrote:
>>>>>
>>>>>> Is there any write up of what u want to do or is that not defined yet?
>>>>>>
>>>>>> If u can write up some information I think that would help others
>>>>>> provide feedback as well as help everyone (including yourself) see the goal
>>>>>> to be accomplished. It's hard to tell what the desired outcome is
>>>>>> otherwise, secure vm migration could mean a lot of things :)
>>>>>>
>>>>>> Sent from my really tiny device...
>>>>>>
>>>>>> On Aug 24, 2013, at 12:26 PM, "Naveed Ahmad" <
>>>>>> 12msccsnahmad at seecs.edu.pk> wrote:
>>>>>>
>>>>>> >
>>>>>> >
>>>>>> > Hi all,
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > I am doing a thesis in the cloud computing security domain. I selected
>>>>>> > to secure the VM migration process in openstack.
>>>>>> > Please let me know about this idea. I have done some initial work
>>>>>> > on it. I need comments from you people, which will be helpful for me.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > Thanks and Regards
>>>>>> >
>>>>>> >
>>>>>>  > _______________________________________________
>>>>>> > OpenStack-dev mailing list
>>>>>> > OpenStack-dev at lists.openstack.org
>>>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131022/f9342883/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rest.png
Type: image/png
Size: 10727 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131022/f9342883/attachment.png>
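
The thread describes libvirt protecting migration with SSL for the channel and SASL for authentication, and lists "no authentication" and "certificate based" as levels. As an added example (not code from the thread, OpenStack or libvirt), this sketch audits the matching remote-access keys in a `libvirtd.conf`; the finding ids and host names are constructed for illustration, and the parser handles single-line entries only.

```python
import re

# Defaults libvirtd applies when a key is absent from libvirtd.conf.
DEFAULTS = {"listen_tls": 1, "listen_tcp": 0, "auth_tcp": "sasl",
            "auth_tls": "none", "tls_no_verify_certificate": 0}

def parse_conf(text):
    """Parse single-line `key = value` entries (ints, strings, string lists)."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*(.+?)\s*$', raw.split("#", 1)[0])
        if not m:
            continue
        key, val = m.groups()
        if val.startswith("["):
            conf[key] = re.findall(r'"([^"]*)"', val)
        elif val.startswith('"'):
            conf[key] = val.strip('"')
        elif val.isdigit():
            conf[key] = int(val)
    return conf

def audit(text):
    """Return finding ids (labels made up for this example) for remote access."""
    c, findings = parse_conf(text), []
    if c["listen_tcp"]:
        if c["auth_tcp"] == "none":
            findings.append("tcp-unauthenticated")   # the "no authentication" level
        findings.append("tcp-not-tls")               # socket itself is not TLS-protected
    if c["listen_tls"]:
        if c["tls_no_verify_certificate"]:
            findings.append("tls-client-cert-not-verified")
        elif not c.get("tls_allowed_dn_list"):
            # Certificate level, but every host holding a CA-signed cert may connect.
            findings.append("tls-any-ca-signed-peer-accepted")
        if c["auth_tls"] != "sasl":
            findings.append("tls-no-sasl")           # no SASL layered on top of TLS
    return findings

# Constructed sample configurations (not taken from the thread).
WEAK = 'listen_tls = 0\nlisten_tcp = 1\nauth_tcp = "none"  # lab shortcut\n'
HARDENED = ('listen_tls = 1\nlisten_tcp = 0\nauth_tls = "sasl"\n'
            'tls_allowed_dn_list = ["CN=compute-01.example.test", '
            '"CN=compute-02.example.test"]\n')

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("defaults", "")):
        print(name, audit(cfg))
```

An empty file is audited against the daemon defaults, which is why it still reports that any CA-signed peer is accepted and that no SASL is layered on TLS.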

