[pve-devel] [PATCH qemu-server 1/7] api2 : migrate_vm : add migration_type "external"

Alexandre DERUMIER aderumier at odiso.com
Wed Nov 14 19:29:50 CET 2018


>>@Alexandre: please set the permissions to root at pam only for this new API 
>>path. 

yes, sure.


>>I see the following problematic aspects otherwise: 
>>- potential back channel from a user/attacker-controlled target host to 
>>the source node via bugs in Qemu (might not even require a bug?) 
>>- enumeration of hosts that root at pam can automatically connect to 
>>- intrusion into node/cluster that root at pam can automatically connect to 
>>by live-migrating user/attacker-controlled VM there and trying to 
>>escape VM (e.g., the bridge/network there might have totally different 
>>assumptions about the trustworthiness of the attached guests, the 
>>node/cluster might not have the same patch level, etc.pp.) 



>>given the above, I am not sure whether a model with explicit public keys 
>>to target mapping somewhere in /etc/pve/priv/ might not be preferable 
>>even with a limitation to root at pam. 

Ok, I'll look at this.


----- Mail original -----
De: "Fabian Grünbichler" <f.gruenbichler at proxmox.com>
À: "pve-devel" <pve-devel at pve.proxmox.com>
Cc: "aderumier" <aderumier at odiso.com>
Envoyé: Mercredi 14 Novembre 2018 11:37:16
Objet: Re: [pve-devel] [PATCH qemu-server 1/7] api2 : migrate_vm : add migration_type "external"

On Tue, Nov 13, 2018 at 11:22:23AM +0100, Dietmar Maurer wrote: 
> I would like to move forward with that, but changing an existing API makes that difficult. 
> 
> I would suggest to add a second API entry point instead: 
> 
> __PACKAGE__->register_method({ 
> name => 'external_migrate_vm', 
> path => '{vmid}/external_migrate', 
> method => 'POST', 
> ... 
> 
> Feel free to choose a better name ;-) We can the mark this API as unstable/experimental, and modify 
> the parameters/types. IMHO most existing parameters does not really makes sense with external migration. 
> I guess it is still possible to factor out most common code to avoid code duplication. 
> 
> What do you think? 

@Alexandre: please set the permissions to root at pam only for this new API 
path. 

I see the following problematic aspects otherwise: 
- potential back channel from a user/attacker-controlled target host to 
the source node via bugs in Qemu (might not even require a bug?) 
- enumeration of hosts that root at pam can automatically connect to 
- intrusion into node/cluster that root at pam can automatically connect to 
by live-migrating user/attacker-controlled VM there and trying to 
escape VM (e.g., the bridge/network there might have totally different 
assumptions about the trustworthiness of the attached guests, the 
node/cluster might not have the same patch level, etc.pp.) 

given the above, I am not sure whether a model with explicit public keys 
to target mapping somewhere in /etc/pve/priv/ might not be preferable 
even with a limitation to root at pam. 




More information about the pve-devel mailing list