Re: [libvirt] [RFC] migration encryption

On 10.11.2015 14:08, Ján Tomko wrote: > On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote: >> Hi guys. >> >> I have a problem getting migration traffic encrypted for some scenarios. I need to >> migrate domain with non shared disks and can't use tunelled migration because of RHEL7 qemu. >> Without tunnel i get both vm state and disk state traffic unencrypted between >> peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption >> to all channels and eventually I get desired functionality but what are my options >> now? >> I thinking of forwarding ports from destination to source and use localhost in >> hypervisor uri. The only problem is that port for disk migration is auto selected. >> Can we add a patch to pass this port as a migration parameter? >> > > We already have a migration URI, where you can specify the port: > http://libvirt.org/migration.html#uris > so working around the lack of encryption should be possible. True, but I need to specify 2 ports: one for vm state migration and one for vm disks migration (in case of non shared disks). > > The listen address can now also be specified if you don't want QEMU to > listen on all interfaces: > http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LIS... > > Jan > -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list