Add config parameter 'live_migration_scheme' to live migration with tls guide

This patch adds the config option 'live_migration_scheme = tls' to the secure live migration guide. To let the live migration use the qemu native tls, some configuration of the compute nodes is needed. The guide describes this but misses the 'live_migration_scheme' config option. It is necessary to set 'live_migration_scheme' to tls to use the connection uri for encrypted traffic. Without this parameter everything seems to work, but the unencrypted tcp-connection is still used for the live migration. Closes-Bug: #1919357 Change-Id: Ia5130d411706bf7e1c983156158011a3bc6d5cd6
2021-03-17 08:09:47 +01:00 · 2021-03-17 08:09:47 +01:00 · 5d5ff82bab
commit 5d5ff82bab
parent bde59951a9
1 changed files with 10 additions and 1 deletions
--- a/doc/source/admin/secure-live-migration-with-qemu-native-tls.rst
+++ b/doc/source/admin/secure-live-migration-with-qemu-native-tls.rst
@ -120,10 +120,13 @@ Performing the migration

 (1) On all relevant compute nodes, enable the
    :oslo.config:option:`libvirt.live_migration_with_native_tls`
-    configuration attribute::
+    configuration attribute and set the
+    :oslo.config:option:`libvirt.live_migration_scheme`
+    configuration attribute to tls::

       [libvirt]
       live_migration_with_native_tls = true
+       live_migration_scheme = tls

    .. note::
        Setting both
@ -131,6 +134,12 @@ Performing the migration
        :oslo.config:option:`libvirt.live_migration_tunnelled` at the
        same time is invalid (and disallowed).

+    .. note::
+        Not setting
+        :oslo.config:option:`libvirt.live_migration_scheme` to ``tls``
+        will result in libvirt using the unencrypted TCP connection
+        without displaying any error or a warning in the logs.
+
    And restart the ``nova-compute`` service::

        $ systemctl restart openstack-nova-compute