Mirrors/criu
1
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu.git synced 2026-01-23 02:14:37 +00:00
Code Issues Projects Releases Wiki Activity
criu/Documentation
History
Radostin Stoyanov 76a41209b0 page-xfer: Add TLS support with X509 certificates 
This commit adds Transport Layer Security (TLS) support for remote
page-server connections.

The following command-line options are introduced with this commit:

--tls-cacert  FILE    Trust certificates signed only by this CA
--tls-cacrl   FILE    CA certificate revocation list
--tls-cert    FILE    TLS certificate
--tls-key     FILE    TLS private key
--tls                   Use TLS to secure remote connections

The default PKI locations are:

CA certificate              /etc/pki/CA/cacert.pem
CA revocation list          /etc/pki/CA/cacrl.pem
Client/server certificate   /etc/pki/criu/cert.pem
Client/server private key   /etc/pki/criu/private/key.pem

The files cacert.pem and cacrl.pem are optional. If they are not
present, and not explicitly specified with a command-line option,
CRIU will use only the system's trusted CAs to verify the remote
peer's identity. This implies that if a CA certificate is specified
using "--tls-cacert" only this CA will be used for verification.
If CA certificate (cacert.pem) is not present, certificate revocation
list (cacrl.pem) will be ignored.

Both (client and server) sides require a private key and certificate.

When the "--tls" option is specified, a TLS handshake (key exchange)
will be performed immediately after the remote TCP connection has been
accepted.

X.509 certificates can be generated as follows:
-------------------------%<-------------------------
	# Generate CA key and certificate
	echo -ne "ca\ncert_signing_key" > temp
	certtool --generate-privkey > cakey.pem
	certtool --generate-self-signed \
	    --template temp \
	    --load-privkey cakey.pem \
	    --outfile cacert.pem

	# Generate server key and certificate
	echo -ne "cn=$HOSTNAME\nencryption_key\nsigning_key" > temp
	certtool --generate-privkey > key.pem
	certtool --generate-certificate \
	    --template temp \
	    --load-privkey key.pem \
	    --load-ca-certificate cacert.pem \
	    --load-ca-privkey cakey.pem \
	    --outfile cert.pem
	rm temp

	mkdir -p /etc/pki/CA
	mkdir -p /etc/pki/criu/private

	mv cacert.pem /etc/pki/CA/
	mv cert.pem /etc/pki/criu/
	mv key.pem /etc/pki/criu/private
-------------------------%<-------------------------

Usage Example:

Page-server:

 [src]# criu page-server -D <PATH> --port <PORT> --tls

 [dst]# criu dump --page-server --address <SRC> --port <PORT> \
	-t <PID> -D <PATH> --tls

Lazy migration:

 [src]# criu dump --lazy-pages --port <PORT> -t <PID> -D <PATH> --tls

 [dst]# criu lazy-pages --page-server --address <SRC> --port <PORT> \
	-D <PATH> --tls

 [dst]# criu restore -D <PATH> --lazy-pages

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2019-09-07 15:59:53 +03:00
..
.gitattributes docs: Initial commit 2012-01-29 00:09:32 +04:00
.gitignore .gitignore: update to recent changes 2017-03-14 21:03:22 +03:00
asciidoc.conf docs: Initial commit 2012-01-29 00:09:32 +04:00
crit.txt crit: added crit manpage 2016-12-12 11:34:22 +03:00
criu.txt page-xfer: Add TLS support with X509 certificates 2019-09-07 15:59:53 +03:00
custom.xsl Documentation: enable monospaced font in PS/PDF 2016-09-27 17:06:02 +03:00
HOWTO.cross-compile Add notes for Android NDK cross compile 2019-04-20 20:25:26 -07:00
Makefile Documentation: Allow to use asciidoctor for formatting man pages 2019-04-20 20:25:26 -07:00