Re: [libvirt] [RFC] migration encryption

On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote: > Hi guys. > > I have a problem getting migration traffic encrypted for some scenarios. I need to > migrate domain with non shared disks and can't use tunelled migration because of RHEL7 qemu. > Without tunnel i get both vm state and disk state traffic unencrypted between > peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption > to all channels and eventually I get desired functionality but what are my options > now? > I thinking of forwarding ports from destination to source and use localhost in > hypervisor uri. The only problem is that port for disk migration is auto selected. > Can we add a patch to pass this port as a migration parameter? > We already have a migration URI, where you can specify the port: http://libvirt.org/migration.html#uris so working around the lack of encryption should be possible.

The listen address can now also be specified if you don't want QEMU to listen on all interfaces: http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LIS... Jan