docs: Update references to "QEMU-native TLS" document
Link to the "Secure live migration with QEMU-native TLS" document from other relevant guides, and small blurbs of text where appropriate. Blueprint: support-qemu-native-tls-for-live-migration Change-Id: I9c6676897d27254e2e16bf7e36a74bf9f3da3832 Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
This commit is contained in:
Kashyap Chamarthy
parent
f59140ed7a
commit
6a61b68c31
@ -75,10 +75,6 @@ using the KVM and XenServer hypervisors.
|
|||||||
KVM-libvirt
|
KVM-libvirt
|
||||||
~~~~~~~~~~~
|
~~~~~~~~~~~
|
||||||
|
|
||||||
.. :ref:`_configuring-migrations-kvm-general`
|
|
||||||
.. :ref:`_configuring-migrations-kvm-block-and-volume-migration`
|
|
||||||
.. :ref:`_configuring-migrations-kvm-shared-storage`
|
|
||||||
|
|
||||||
.. _configuring-migrations-kvm-general:
|
.. _configuring-migrations-kvm-general:
|
||||||
|
|
||||||
General configuration
|
General configuration
|
||||||
@ -136,13 +132,29 @@ the instructions below:
|
|||||||
|
|
||||||
Be mindful of the security risks introduced by opening ports.
|
Be mindful of the security risks introduced by opening ports.
|
||||||
|
|
||||||
|
.. _`configuring-migrations-securing-live-migration-streams`:
|
||||||
|
|
||||||
|
Securing live migration streams
|
||||||
|
-------------------------------
|
||||||
|
|
||||||
|
If your compute nodes have at least libvirt 4.4.0 and QEMU 2.11.0, it is
|
||||||
|
strongly recommended to secure all your live migration streams by taking
|
||||||
|
advantage of the "QEMU-native TLS" feature. This requires a
|
||||||
|
pre-existing PKI (Public Key Infrastructure) setup. For further details
|
||||||
|
on how to set this all up, refer to the
|
||||||
|
:doc:`secure-live-migration-with-qemu-native-tls` document.
|
||||||
|
|
||||||
|
|
||||||
.. _configuring-migrations-kvm-block-and-volume-migration:
|
.. _configuring-migrations-kvm-block-and-volume-migration:
|
||||||
|
|
||||||
Block migration, volume-based live migration
|
Block migration, volume-based live migration
|
||||||
--------------------------------------------
|
--------------------------------------------
|
||||||
|
|
||||||
No additional configuration is required for block migration and volume-backed
|
If your environment satisfies the requirements for "QEMU-native TLS",
|
||||||
live migration.
|
then block migration requires some setup; refer to the above section,
|
||||||
|
`Securing live migration streams`_, for details. Otherwise, no
|
||||||
|
additional configuration is required for block migration and
|
||||||
|
volume-backed live migration.
|
||||||
|
|
||||||
Be aware that block migration adds load to the network and storage subsystems.
|
Be aware that block migration adds load to the network and storage subsystems.
|
||||||
|
|
||||||
|
|||||||
@ -38,3 +38,13 @@ encryption in the ``metadata_agent.ini`` file.
|
|||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
nova_client_priv_key = PATH_TO_KEY
|
nova_client_priv_key = PATH_TO_KEY
|
||||||
|
|
||||||
|
|
||||||
|
Securing live migration streams with QEMU-native TLS
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
It is strongly recommended to secure all the different live migration
|
||||||
|
streams of a nova instance—i.e. guest RAM, device state, and disks (via
|
||||||
|
NBD) when using non-shared storage. For further details on how to set
|
||||||
|
this up, refer to the
|
||||||
|
:doc:`secure-live-migration-with-qemu-native-tls` document.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user