author: Josephine Seifert <josephine.seifert@secustack.com> 2021-03-17 08:09:47 +0100
committer: Josephine Seifert <josephine.seifert@secustack.com> 2021-03-26 06:04:19 +0000
commit: b5c206b5cbe06cbf94dae92891624b0813d743d1
tree: aef64c1b4e3f0a3f0d661faeecee898ee6650d69
parent: ad7e4fb8f4ea6c458af00ec7aa0b321dc37c097c
Add config parameter 'live_migration_scheme' to live migration with tls guide

This patch adds the config option 'live_migration_scheme = tls' to the secure live migration guide. To let the live migration use the qemu native tls, some configuration of the compute nodes is needed. The guide describes this but misses the 'live_migration_scheme' config option.

It is necessary to set 'live_migration_scheme' to tls to use the connection uri for encrypted traffic. Without this parameter everything seems to work, but the unencrypted tcp-connection is still used for the live migration.

Closes-Bug: #1919357
Change-Id: Ia5130d411706bf7e1c983156158011a3bc6d5cd6
(cherry picked from commit 5d5ff82bab1dfb12e6223446b1cf20db6a348f38)
(cherry picked from commit 276b8db5afd945bfc56ccfadd25bcce1b6df9cb7)
(cherry picked from commit a968289b1f89b52d7396b66294f768c732583849)
(cherry picked from commit 8559ceeec4e52651a272d08ef344d7c03520ed19)
-rw-r--r-- doc/source/admin/secure-live-migration-with-qemu-native-tls.rst 11
1 files changed, 10 insertions, 1 deletions
diff --git a/doc/source/admin/secure-live-migration-with-qemu-native-tls.rst b/doc/source/admin/secure-live-migration-with-qemu-native-tls.rst
index 012d78e93b..fb76f656af 100644
--- a/doc/source/admin/secure-live-migration-with-qemu-native-tls.rst
+++ b/doc/source/admin/secure-live-migration-with-qemu-native-tls.rst
@@ -120,10 +120,13 @@ Performing the migration
(1) On all relevant compute nodes, enable the
:oslo.config:option:`libvirt.live_migration_with_native_tls`
- configuration attribute::
+ configuration attribute and set the
+ :oslo.config:option:`libvirt.live_migration_scheme`
+ configuration attribute to tls::
[libvirt]
live_migration_with_native_tls = true
+ live_migration_scheme = tls
.. note::
Setting both
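Review bot: In the added line "configuration attribute to tls::" the value is plain text, while the note added further down in this same patch writes it as ``tls``. Mark it up as a literal here too, so the step reads "configuration attribute to ``tls``::" and operators copy the exact value. The sentence also now says "configuration attribute" twice; "enable X and set Y to ``tls``" would read more cleanly without changing the instruction.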
@@ -131,6 +134,12 @@ Performing the migration
:oslo.config:option:`libvirt.live_migration_tunnelled` at the
same time is invalid (and disallowed).
+ .. note::
+ Not setting
+ :oslo.config:option:`libvirt.live_migration_scheme` to ``tls``
+ will result in libvirt using the unencrypted TCP connection
+ without displaying any error or a warning in the logs.
+
And restart the ``nova-compute`` service::
$ systemctl restart openstack-nova-compute
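Review bot: The added ".. note::" describes a silent fallback to an unencrypted TCP connection, which is a security-relevant failure mode rather than a side remark. A ".. warning::" directive would fit better and would keep it from blending into the preceding note about live_migration_tunnelled. The wording "any error or a warning" should read "any error or warning". Since the text says nothing appears in the logs, the guide leaves the operator with no way to confirm that a migration was actually encrypted; consider adding a sentence that points to a verification step.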