4:52 a.m.
Hi guys.
I have a problem getting migration traffic encrypted for some scenarios. I need to
migrate domain with non shared disks and can't use tunelled migration because of RHEL7
qemu.
Without tunnel i get both vm state and disk state traffic unencrypted between
peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption
to all channels and eventually I get desired functionality but what are my options
now?
I thinking of forwarding ports from destination to source and use localhost in
hypervisor uri. The only problem is that port for disk migration is auto selected.
Can we add a patch to pass this port as a migration parameter?
5:08 a.m.
On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote:
Hi guys.
I have a problem getting migration traffic encrypted for some scenarios. I need to
migrate domain with non shared disks and can't use tunelled migration because of
RHEL7 qemu.
Without tunnel i get both vm state and disk state traffic unencrypted between
peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption
to all channels and eventually I get desired functionality but what are my options
now?
I thinking of forwarding ports from destination to source and use localhost in
hypervisor uri. The only problem is that port for disk migration is auto selected.
Can we add a patch to pass this port as a migration parameter?
We already have a migration URI, where you can specify the port:
http://libvirt.org/migration.html#uris
so working around the lack of encryption should be possible.
The listen address can now also be specified if you don't want QEMU to
listen on all interfaces:
http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LIS...
Jan
5:24 a.m.
On 10.11.2015 14:08, Ján Tomko wrote:
On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy
wrote:
> Hi guys.
>
> I have a problem getting migration traffic encrypted for some scenarios. I need to
> migrate domain with non shared disks and can't use tunelled migration because of
RHEL7 qemu.
> Without tunnel i get both vm state and disk state traffic unencrypted between
> peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption
> to all channels and eventually I get desired functionality but what are my options
> now?
> I thinking of forwarding ports from destination to source and use localhost in
> hypervisor uri. The only problem is that port for disk migration is auto selected.
> Can we add a patch to pass this port as a migration parameter?
>
We already have a migration URI, where you can specify the port:
http://libvirt.org/migration.html#uris
so working around the lack of encryption should be possible.
True, but I need to
specify 2 ports: one for vm state migration and
one for vm disks migration (in case of non shared disks).
The listen address can now also be specified if you don't want QEMU to
listen on all interfaces:
http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LIS...
Jan
6:57 a.m.
add CC
On 10.11.2015 14:24, Nikolay Shirokovskiy wrote:
On 10.11.2015 14:08, Ján Tomko wrote:
> On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote:
>> Hi guys.
>>
>> I have a problem getting migration traffic encrypted for some scenarios. I need
to
>> migrate domain with non shared disks and can't use tunelled migration because
of RHEL7 qemu.
>> Without tunnel i get both vm state and disk state traffic unencrypted between
>> peer's qemus. AFAIK there is a work in progress in qemu to bring TLS
encryption
>> to all channels and eventually I get desired functionality but what are my
options
>> now?
>> I thinking of forwarding ports from destination to source and use localhost in
>> hypervisor uri. The only problem is that port for disk migration is auto
selected.
>> Can we add a patch to pass this port as a migration parameter?
>>
>
> We already have a migration URI, where you can specify the port:
> http://libvirt.org/migration.html#uris
> so working around the lack of encryption should be possible.
True, but I need to specify 2 ports: one for vm state migration and
one for vm disks migration (in case of non shared disks).
>
> The listen address can now also be specified if you don't want QEMU to
> listen on all interfaces:
> http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LIS...
>
> Jan
>
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
7:20 a.m.
Actually we need to specify 4 ports. state and nbd transfer ports for both source
and destination because they have to be allocated independently on source and
destination.
Allocation will be done externally on both sides.
On 12.11.2015 15:57, Nikolay Shirokovskiy wrote:
add CC
On 10.11.2015 14:24, Nikolay Shirokovskiy wrote:
>
>
> On 10.11.2015 14:08, Ján Tomko wrote:
>> On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote:
>>> Hi guys.
>>>
>>> I have a problem getting migration traffic encrypted for some scenarios. I
need to
>>> migrate domain with non shared disks and can't use tunelled migration
because of RHEL7 qemu.
>>> Without tunnel i get both vm state and disk state traffic unencrypted
between
>>> peer's qemus. AFAIK there is a work in progress in qemu to bring TLS
encryption
>>> to all channels and eventually I get desired functionality but what are my
options
>>> now?
>>> I thinking of forwarding ports from destination to source and use localhost
in
>>> hypervisor uri. The only problem is that port for disk migration is auto
selected.
>>> Can we add a patch to pass this port as a migration parameter?
>>>
>>
>> We already have a migration URI, where you can specify the port:
>> http://libvirt.org/migration.html#uris
>> so working around the lack of encryption should be possible.
> True, but I need to specify 2 ports: one for vm state migration and
> one for vm disks migration (in case of non shared disks).
>>
>> The listen address can now also be specified if you don't want QEMU to
>> listen on all interfaces:
>>
http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LIS...
>>
>> Jan
>>
>
> --
> libvir-list mailing list
> libvir-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
>
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
3551
days inactive
3553
days old
4 comments
2 participants
participants (2)
-
Ján Tomko -
Nikolay Shirokovskiy