From 14071dfb118a32b26c6ebc068c66558d37466a5a Mon Sep 17 00:00:00 2001
From: Kashyap Chamarthy
Date: Tue, 16 Mar 2021 16:36:18 +0100
Subject: [PATCH] libvirt: Deprecate `live_migration_tunnelled`
We are well above the required MIN_LIBVIRT_VERSION and MIN_QEMU_VERSION (4.4.0 and 2.11.0, respectively) to get QEMU-native TLS[1] support by default. So we can now deprecate (and later remove) the support for "tunnelled live migration", which has two inherent limitations: (a) it cannot handle live migration of disks in a non-shared storage setup (a.k.a. "block migration"); and (b) it has a huge performance overhead and latency, because it burns more CPU and memory bandwidth due to increased number of data copies, on both source and destination hosts. Both the above limitations are addressed by the QEMU-native TLS support `live_migration_with_native_tls`, which is the recommended approach for securing all live migration streams (guest RAM, device state, and disks).
[1] https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html
Change-Id: I34fd5a4788a2ad4380d9a57b84512fa94a6f9c37
Signed-off-by: Kashyap Chamarthy
---
 nova/conf/libvirt.py | 9 +++++++++
 ...unnelled-live-migration-81c06a04627724ec.yaml | 16 ++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 releasenotes/notes/deprecate-tunnelled-live-migration-81c06a04627724ec.yaml
diff --git a/nova/conf/libvirt.py b/nova/conf/libvirt.py
index 82fea00184cc..80984c5a970b 100644
--- a/nova/conf/libvirt.py
+++ b/nova/conf/libvirt.py
@@ -285,6 +285,15 @@ Related options:
 """),
 cfg.BoolOpt('live_migration_tunnelled',
 default=False,
+ deprecated_for_removal=True,
+ deprecated_since='23.0.0',
+ deprecated_reason="""
+The "tunnelled live migration" has two inherent limitations: it cannot
+handle live migration of disks in a non-shared storage setup; and it has
+a huge performance cost. Both these problems are solved by
+``live_migration_with_native_tls`` (requires a pre-configured TLS
+environment), which is the recommended approach for securing all live
+migration streams.""",
 help="""
 Enable tunnelled migration.
diff --git a/releasenotes/notes/deprecate-tunnelled-live-migration-81c06a04627724ec.yaml b/releasenotes/notes/deprecate-tunnelled-live-migration-81c06a04627724ec.yaml
new file mode 100644
index 000000000000..a7860525c498
--- /dev/null
+++ b/releasenotes/notes/deprecate-tunnelled-live-migration-81c06a04627724ec.yaml
@@ -0,0 +1,16 @@
+---
+deprecations:
+ - |
+ The ``[libvirt]live_migration_tunnelled`` option is deprecated as of
+ Wallaby (23.0.0) release.
+
+ The "tunnelled live migration" has two inherent limitations: (a) it
+ cannot handle live migration of disks in a non-shared storage setup,
+ and (b) it has a huge performance overhead and latency, because it
+ burns more CPU and memory during live migration.
+
+ Both these problems are addressed by the QEMU-native support in Nova
+ -- this is the recommended approach for securing all live migration
+ streams (guest RAM, device state, and disks). Assuming TLS
+ environment is setup, this can be enabled by setting the config
+ attribiute ``[libvirt]live_migration_with_native_tls``.
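Review bot: The new `deprecated_reason` on `live_migration_tunnelled` points operators at `live_migration_with_native_tls` but does not say in which order to switch, and that order decides whether the migration stream stays protected. As far as I can tell, a deployment that relies on tunnelling today and simply turns it off, without native TLS enabled and working, would send guest RAM and device state between hosts unencrypted. I would append a sentence to the reason text such as `Only disable this option after live_migration_with_native_tls is enabled and verified; otherwise migration streams are not encrypted.` The `help` string that follows continues past the end of the hunk and is left unchanged, so it would also benefit from a one-line pointer to the replacement option.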