Merge "docs: Update references to "QEMU-native TLS" document"

Zuul
2019-01-29 17:36:21 +00:00
committed by Gerrit Code Review
2 changed files with 28 additions and 6 deletions
+18 -6
@@ -75,10 +75,6 @@ using the KVM and XenServer hypervisors.
KVM-libvirt
~~~~~~~~~~~
.. :ref:`_configuring-migrations-kvm-general`
.. :ref:`_configuring-migrations-kvm-block-and-volume-migration`
.. :ref:`_configuring-migrations-kvm-shared-storage`
.. _configuring-migrations-kvm-general:
General configuration
@@ -136,13 +132,29 @@ the instructions below:
Be mindful of the security risks introduced by opening ports.
.. _`configuring-migrations-securing-live-migration-streams`:
Securing live migration streams
-------------------------------
If your compute nodes have at least libvirt 4.4.0 and QEMU 2.11.0, it is
strongly recommended to secure all your live migration streams by taking
advantage of the "QEMU-native TLS" feature. This requires a
pre-existing PKI (Public Key Infrastructure) setup. For further details
on how to set this all up, refer to the
:doc:`secure-live-migration-with-qemu-native-tls` document.
.. _configuring-migrations-kvm-block-and-volume-migration:
Block migration, volume-based live migration
--------------------------------------------
No additional configuration is required for block migration and volume-backed
live migration.
If your environment satisfies the requirements for "QEMU-native TLS",
then block migration requires some setup; refer to the above section,
`Securing live migration streams`_, for details. Otherwise, no
additional configuration is required for block migration and
volume-backed live migration.
Be aware that block migration adds load to the network and storage subsystems.
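Review bot: In the rewritten "Block migration, volume-based live migration" paragraph, the condition "If your environment satisfies the requirements for "QEMU-native TLS"" ties the extra setup to what the installed libvirt and QEMU versions support, not to whether TLS has actually been enabled for migration. As written, an operator who meets the libvirt 4.4.0 and QEMU 2.11.0 minimums but has not turned the feature on is told that block migration needs setup. Suggest conditioning on the feature being enabled, for example "If you have enabled QEMU-native TLS, then block migration requires some setup". Separately, the new target ".. _`configuring-migrations-securing-live-migration-streams`:" is backtick-quoted while the neighbouring targets such as ".. _configuring-migrations-kvm-block-and-volume-migration:" are not; dropping the backticks keeps the labels consistent.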
+10
@@ -38,3 +38,13 @@ encryption in the ``metadata_agent.ini`` file.
.. code-block:: ini
nova_client_priv_key = PATH_TO_KEY
Securing live migration streams with QEMU-native TLS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is strongly recommended to secure all the different live migration
streams of a nova instance—i.e. guest RAM, device state, and disks (via
NBD) when using non-shared storage. For further details on how to set
this up, refer to the
:doc:`secure-live-migration-with-qemu-native-tls` document.
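Review bot: The first added sentence opens an aside at "i.e. guest RAM, device state, and disks (via NBD) when using non-shared storage" and never closes it, so the sentence ends without saying how the streams are to be secured, and it is unclear that "when using non-shared storage" qualifies only the disks. Suggest closing the aside and naming the mechanism in the body, not only in the heading, for example "... streams of a nova instance (guest RAM, device state, and, when using non-shared storage, disks via NBD) with QEMU-native TLS." It would also help to repeat the libvirt 4.4.0 and QEMU 2.11.0 minimums given in the migration guide, or to link to that section, so a reader landing on this page knows whether the recommendation applies to their compute nodes.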