On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote: > Hi guys. > > I have a problem getting migration traffic encrypted for some scenarios. I need to > migrate domain with non shared disks and can't use tunelled migration because of RHEL7 qemu. > Without tunnel i get both vm state and disk state traffic unencrypted between > peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption > to all channels and eventually I get desired functionality but what are my options > now? > I thinking of forwarding ports from destination to source and use localhost in > hypervisor uri. The only problem is that port for disk migration is auto selected. > Can we add a patch to pass this port as a migration parameter? > We already have a migration URI, where you can specify the port: http://libvirt.org/migration.html#uris so working around the lack of encryption should be possible.

The listen address can now also be specified if you don't want QEMU to listen on all interfaces: http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LIS... Jan

add CC On 10.11.2015 14:24, Nikolay Shirokovskiy wrote: > > > On 10.11.2015 14:08, Ján Tomko wrote: >> On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote: >>> Hi guys. >>> >>> I have a problem getting migration traffic encrypted for some scenarios. I need to >>> migrate domain with non shared disks and can't use tunelled migration because of RHEL7 qemu. >>> Without tunnel i get both vm state and disk state traffic unencrypted between >>> peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption >>> to all channels and eventually I get desired functionality but what are my options >>> now? >>> I thinking of forwarding ports from destination to source and use localhost in >>> hypervisor uri. The only problem is that port for disk migration is auto selected. >>> Can we add a patch to pass this port as a migration parameter? >>> >> >> We already have a migration URI, where you can specify the port: >> http://libvirt.org/migration.html#uris >> so working around the lack of encryption should be possible. > True, but I need to specify 2 ports: one for vm state migration and > one for vm disks migration (in case of non shared disks). >> >> The listen address can now also be specified if you don't want QEMU to >> listen on all interfaces: >> http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LIS... >> >> Jan >> > > -- > libvir-list mailing list > libvir-list(a)redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list > -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list