vpsfreecz / vpsadminos

Host for Linux system containers based on NixOS, ZFS and LXC
https://vpsadminos.org
MIT License
163 stars 28 forks source link

Authorize container migrations #44

Closed aither64 closed 4 years ago

aither64 commented 4 years ago

Introduce per-pool container migration access list. Authorization would be required on the target node, e.g.

osctl ct receive allow [--permanent] [--passphrase *passphrase*] <expected id> <source node address>

before osctl ct send on the source node would be allowed. Further commands like

osctl ct receive ls
osctl ct receive disallow

could exist to manage the entries. Entries could be for one-time or repeated use, container ids and source node addresses could contain wildcards, that is to be evaluated. If the passphrase would be set, than the source node would have to provide it as well.

This new mechanism wouldn't replace osctl receive authorized-keys, but it would be an additional requirement for migrations to be allowed.

aither64 commented 4 years ago

Implemented as part of osctl receive authorized-keys.