docs: Update references to "QEMU-native TLS" document
Link to the "Secure live migration with QEMU-native TLS" document from other relevant guides, and small blurbs of text where appropriate. Blueprint: support-qemu-native-tls-for-live-migration Change-Id: I9c6676897d27254e2e16bf7e36a74bf9f3da3832 Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
This commit is contained in:
Kashyap Chamarthy
parent
f59140ed7a
commit
6a61b68c31
|
|
@ -75,10 +75,6 @@ using the KVM and XenServer hypervisors.
|
|||
KVM-libvirt
|
||||
~~~~~~~~~~~
|
||||
|
||||
.. :ref:`_configuring-migrations-kvm-general`
|
||||
.. :ref:`_configuring-migrations-kvm-block-and-volume-migration`
|
||||
.. :ref:`_configuring-migrations-kvm-shared-storage`
|
||||
|
||||
.. _configuring-migrations-kvm-general:
|
||||
|
||||
General configuration
|
||||
|
|
@ -136,13 +132,29 @@ the instructions below:
|
|||
|
||||
Be mindful of the security risks introduced by opening ports.
|
||||
|
||||
.. _`configuring-migrations-securing-live-migration-streams`:
|
||||
|
||||
Securing live migration streams
|
||||
-------------------------------
|
||||
|
||||
If your compute nodes have at least libvirt 4.4.0 and QEMU 2.11.0, it is
|
||||
strongly recommended to secure all your live migration streams by taking
|
||||
advantage of the "QEMU-native TLS" feature. This requires a
|
||||
pre-existing PKI (Public Key Infrastructure) setup. For further details
|
||||
on how to set this all up, refer to the
|
||||
:doc:`secure-live-migration-with-qemu-native-tls` document.
|
||||
|
||||
|
||||
.. _configuring-migrations-kvm-block-and-volume-migration:
|
||||
|
||||
Block migration, volume-based live migration
|
||||
--------------------------------------------
|
||||
|
||||
No additional configuration is required for block migration and volume-backed
|
||||
live migration.
|
||||
If your environment satisfies the requirements for "QEMU-native TLS",
|
||||
then block migration requires some setup; refer to the above section,
|
||||
`Securing live migration streams`_, for details. Otherwise, no
|
||||
additional configuration is required for block migration and
|
||||
volume-backed live migration.
|
||||
|
||||
Be aware that block migration adds load to the network and storage subsystems.
|
||||
|
||||
|
|
|
|||
|
|
@ -38,3 +38,13 @@ encryption in the ``metadata_agent.ini`` file.
|
|||
.. code-block:: ini
|
||||
|
||||
nova_client_priv_key = PATH_TO_KEY
|
||||
|
||||
|
||||
Securing live migration streams with QEMU-native TLS
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
It is strongly recommended to secure all the different live migration
|
||||
streams of a nova instance—i.e. guest RAM, device state, and disks (via
|
||||
NBD) when using non-shared storage. For further details on how to set
|
||||
this up, refer to the
|
||||
:doc:`secure-live-migration-with-qemu-native-tls` document.
|
||||
|
|
|
|||
Loading…
Reference in New Issue