From 6a61b68c31478af726eb150eb3684935f0fdaa6a Mon Sep 17 00:00:00 2001 From: Kashyap Chamarthy Date: Wed, 16 Jan 2019 17:50:10 +0100 Subject: [PATCH] docs: Update references to "QEMU-native TLS" document Link to the "Secure live migration with QEMU-native TLS" document from other relevant guides, and small blurbs of text where appropriate. Blueprint: support-qemu-native-tls-for-live-migration Change-Id: I9c6676897d27254e2e16bf7e36a74bf9f3da3832 Signed-off-by: Kashyap Chamarthy --- doc/source/admin/configuring-migrations.rst | 24 +++++++++++++++------ doc/source/admin/security.rst | 10 +++++++++ 2 files changed, 28 insertions(+), 6 deletions(-) diff --git a/doc/source/admin/configuring-migrations.rst b/doc/source/admin/configuring-migrations.rst index 7c9b737db6f0..471d8ba66772 100644 --- a/doc/source/admin/configuring-migrations.rst +++ b/doc/source/admin/configuring-migrations.rst @@ -75,10 +75,6 @@ using the KVM and XenServer hypervisors. KVM-libvirt ~~~~~~~~~~~ -.. :ref:`_configuring-migrations-kvm-general` -.. :ref:`_configuring-migrations-kvm-block-and-volume-migration` -.. :ref:`_configuring-migrations-kvm-shared-storage` - .. _configuring-migrations-kvm-general: General configuration 
@@ -136,13 +132,29 @@ the instructions below: Be mindful of the security risks introduced by opening ports. +.. _`configuring-migrations-securing-live-migration-streams`: + +Securing live migration streams +------------------------------- + +If your compute nodes have at least libvirt 4.4.0 and QEMU 2.11.0, it is +strongly recommended to secure all your live migration streams by taking +advantage of the "QEMU-native TLS" feature. This requires a +pre-existing PKI (Public Key Infrastructure) setup. For further details +on how to set this all up, refer to the +:doc:`secure-live-migration-with-qemu-native-tls` document. + + .. _configuring-migrations-kvm-block-and-volume-migration: Block migration, volume-based live migration -------------------------------------------- -No additional configuration is required for block migration and volume-backed -live migration. +If your environment satisfies the requirements for "QEMU-native TLS", +then block migration requires some setup; refer to the above section, +`Securing live migration streams`_, for details. Otherwise, no +additional configuration is required for block migration and +volume-backed live migration. Be aware that block migration adds load to the network and storage subsystems. diff --git a/doc/source/admin/security.rst b/doc/source/admin/security.rst index 515e91bed1d1..31c6b0a52fea 100644 --- a/doc/source/admin/security.rst +++ b/doc/source/admin/security.rst @@ -38,3 +38,13 @@ encryption in the ``metadata_agent.ini`` file. .. code-block:: ini nova_client_priv_key = PATH_TO_KEY + + +Securing live migration streams with QEMU-native TLS +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +It is strongly recommended to secure all the different live migration +streams of a nova instance—i.e. guest RAM, device state, and disks (via +NBD) when using non-shared storage. For further details on how to set +this up, refer to the +:doc:`secure-live-migration-with-qemu-native-tls` document.
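Review bot: The three removed lines in the first hunk of configuring-migrations.rst (the `.. :ref:` lines under "KVM-libvirt") are an unrelated cleanup that the commit message does not mention; either note it in the message or split it out. The removal itself is correct: those lines were reST comments, not a rendered list of links, and the targets they carry ("_configuring-migrations-kvm-general", "_configuring-migrations-kvm-block-and-volume-migration", "_configuring-migrations-kvm-shared-storage") include the leading underscore, which is part of the label definition syntax (`.. _label:`) and not of a `:ref:` target, so they could never have resolved even if uncommented.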
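Review bot: In the second hunk of configuring-migrations.rst the new label is written as `.. _`configuring-migrations-securing-live-migration-streams`:`, with backticks, while every other label in this file uses the bare form (`.. _configuring-migrations-kvm-block-and-volume-migration:`), and the label is then never used: the block-migration paragraph links back with an implicit title reference, `Securing live migration streams`_, which breaks silently if the heading text is ever edited. Use the bare label form and reference it with `:ref:`configuring-migrations-securing-live-migration-streams`` so the link survives a heading change. The wording "If your environment satisfies the requirements for "QEMU-native TLS", then block migration requires some setup" also reads as if meeting the version requirements alone makes extra block-migration configuration mandatory, whereas the new section only says TLS is "strongly recommended"; consider "If you have enabled QEMU-native TLS, block migration (disks over NBD) needs additional configuration; see ..." so the condition is the operator's decision rather than the installed versions.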
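Review bot: In the security.rst hunk the sentence "streams of a nova instance—i.e. guest RAM, device state, and disks (via NBD) when using non-shared storage" opens an em-dash clause that is never closed, so "when using non-shared storage" can be read as qualifying the whole recommendation instead of only the NBD disk stream; suggest "streams of a nova instance: guest RAM, device state, and, when using non-shared storage, the disks (transferred via NBD)." Also note that both new `:doc:` references point at `secure-live-migration-with-qemu-native-tls`, yet the diffstat shows only configuring-migrations.rst and security.rst changing, so that document must land before or together with this change (a Depends-On in the message would make the ordering explicit) or the docs build will emit unresolved-reference warnings.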