diff --git a/doc/source/admin/configuring-migrations.rst b/doc/source/admin/configuring-migrations.rst index 7c9b737db6f0..471d8ba66772 100644 --- a/doc/source/admin/configuring-migrations.rst +++ b/doc/source/admin/configuring-migrations.rst @@ -75,10 +75,6 @@ using the KVM and XenServer hypervisors. KVM-libvirt ~~~~~~~~~~~ -.. :ref:`_configuring-migrations-kvm-general` -.. :ref:`_configuring-migrations-kvm-block-and-volume-migration` -.. :ref:`_configuring-migrations-kvm-shared-storage` - .. _configuring-migrations-kvm-general: General configuration @@ -136,13 +132,29 @@ the instructions below: Be mindful of the security risks introduced by opening ports. +.. _`configuring-migrations-securing-live-migration-streams`: + +Securing live migration streams +------------------------------- + +If your compute nodes have at least libvirt 4.4.0 and QEMU 2.11.0, it is +strongly recommended to secure all your live migration streams by taking +advantage of the "QEMU-native TLS" feature. This requires a +pre-existing PKI (Public Key Infrastructure) setup. For further details +on how to set this all up, refer to the +:doc:`secure-live-migration-with-qemu-native-tls` document. + + .. _configuring-migrations-kvm-block-and-volume-migration: Block migration, volume-based live migration -------------------------------------------- -No additional configuration is required for block migration and volume-backed -live migration. +If your environment satisfies the requirements for "QEMU-native TLS", +then block migration requires some setup; refer to the above section, +`Securing live migration streams`_, for details. Otherwise, no +additional configuration is required for block migration and +volume-backed live migration. Be aware that block migration adds load to the network and storage subsystems. diff --git a/doc/source/admin/security.rst b/doc/source/admin/security.rst index 515e91bed1d1..31c6b0a52fea 100644 --- a/doc/source/admin/security.rst +++ b/doc/source/admin/security.rst 
@@ -38,3 +38,13 @@ encryption in the ``metadata_agent.ini`` file. .. code-block:: ini nova_client_priv_key = PATH_TO_KEY + + +Securing live migration streams with QEMU-native TLS +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +It is strongly recommended to secure all the different live migration +streams of a nova instance—i.e. guest RAM, device state, and disks (via +NBD) when using non-shared storage. For further details on how to set +this up, refer to the +:doc:`secure-live-migration-with-qemu-native-tls` document.
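Review bot: in the configuring-migrations.rst hunk that adds "Securing live migration streams", the cross-reference `Securing live migration streams`_ relies on an implicit title target even though the hunk defines an explicit label directly above the heading; use :ref:`configuring-migrations-securing-live-migration-streams` instead so the link survives a heading rename, and drop the backticks in `.. _`configuring-migrations-securing-live-migration-streams`:` to match the other labels in this file (`.. _configuring-migrations-kvm-general:`). The rewritten block-migration paragraph says "then block migration requires some setup" without saying what that setup is; either name it or reword to state that block migration should use the QEMU-native TLS configuration described in that section. Finally, :doc:`secure-live-migration-with-qemu-native-tls` points at a document this diff does not add; confirm it lands in the same change or series, otherwise Sphinx reports an unresolved reference.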
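Review bot: in the security.rst hunk, "guest RAM, device state, and disks (via NBD) when using non-shared storage" reads as if the trailing condition applies to all three streams, while the configuring-migrations.rst hunk ties the extra setup to block migration only; reorder to "guest RAM, device state and, when using non-shared storage, disks (via NBD)" so the qualifier attaches to the disk stream. The paragraph also omits the libvirt 4.4.0 / QEMU 2.11.0 prerequisite stated in the other file, so a reader arriving from the security guide cannot tell whether the recommendation applies to their nodes; repeat the requirement here or link to the configuring-migrations section. Minor: the two added blank lines after `nova_client_priv_key = PATH_TO_KEY` can be reduced to one before the new heading.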