Releases/FeatureVirtSecurity

= Virtualization Security =

Summary
There are no secure remote management capabilities in Xen, KVM or QEMU. All areas where management of Xen, KVM or QEMU involves network connections need to be run with TLS encryption, and client/server certificate checking. The scope of this extends to management APIs, remote console (VNC) and guest migration between hosts.

Owner

 * Name: DanielBerrange

Current status

 * Targeted release:  Fedora 8
 * Last updated: 2007-10-11
 * Percentage of completion: 100%

Usage cases/rationale

 * Secure remote management of guest VM lifecycle
 * Secure remote access to the guest virtual consoles
 * Secure remote provisioning of new guests
 * --(Secure migration of guests across physical hosts)--

Scope
Requires working with upstream libvirt, Xen, QEMU and KVM communities to achieve a consistent approach to security throughout the software stack. At very least must allow TLS encryption to be viable for large scale enterprise use. Supporting tunnelling over SSH connections is also desirable, but lower priority.

Test Plan

 * Setup x509 certificate authority
 * Install Xen or KVM virtualization on a host
 * Create x509 certificates for host
 * Setup Xen / KVM / libvirt to use x509 certs
 * Install virt-manager on a different host
 * Create x509 certificate for client
 * Setup virt-manager to use x509 certs
 * Connect to remote host in virt-manager
 * Provision new guest in virt-manager
 * --(Migrate a guest in virt-manager)--

Dependencies
libvirt, xen, qemu, kvm, virt-manager.

virt-manager (Complete)

 * Switch to using GTK VNC client widget to enable TLS support & more efficient wire encodings (Complete)
 * Enable UI for connecting to remote hosts (Complete)
 * Adapt UI to improve viewing of multiple concurrent hosts (Complete)

gtk-vnc (Complete)

 * Polish off API to state where it can be integrated with virt-manager (Complete)
 * Package in RPM format (Complete)
 * Get a formal upstream release made (Complete)
 * Get packages through Fedora review process (Complete)

virt-install (Complete)

 * Replace vncviewer with app using gtk-vnc. (Complete)

virt-viewer (Complete)

 * Do upstream release (Complete)
 * Get packages through Fedora review process (Complete)

libvirt

 * Merging of libvirt daemon patches with TLS support (Complete)

xen

 * --(Add code to do migration over a TLS secured connection)--
 * Merge TLS patches for VNC in QEMU (Complete)
 * Switch paravirt framebuffer daemon to use QEMU vnc code (Completed)

KVM

 * Merge TLS patches for VNC in QEMU (Complete)
 * --(Add code to do migration over a TLS secured connection)--

QEMU

 * Merge TLS patches for VNC in QEMU (primary upstream codebase) (Complete)

virt-manager

 * Provisioning of new guests remotely. Will require new libvirt APIs for storage management. Will require PXE support for all guests. (Postponed to F9)
 * New UI for migration of VMs. (Postponed to F9)

libvirt

 * New storage management APIs to allow enumeration & creation of storage devices (Postponed to F9)
 * New API for migration of VMs. (Complete)

Contingency Plan
The basic level of TLS support at the libvirt API layer is already complete. If the QEMU VNC TLS patches are not completed in time, virt-maanger will be restricted to only use SSH tunnels, rather than offering choice of TLS vs SSH.

Migration support is already optional bonus point and thus requires no contingency plan.

Documentation

 * Presentation on libvirt remote management
 * VNC server TLS patches for QEMU
 * GTK VNC client supporting TLS
 * Using virt-manager remotely with SSH
 * Using virt-manager remotely with TLS/SSL + x509 certs

Release Notes
TODO list:


 * Describe how to setup a TLS CA, issue server& client certificates (cf http://libvirt.org/remote.html)
 * Describe how to use virsh to connect remotely (cf http://berrange.com/personal/diary/2007/07/libvirt-remote-management-news)
 * Describe how to use virt-manager remotely (cf http://virt-manager.org/page/RemoteTLS and http://virt-manager.org/page/RemoteSSH)
 * Describe limitations in remote support
 * Describe requirements for firewall configuration