[libvirt] [RFC] migration encryption
Ján Tomko
jtomko at redhat.com
Tue Nov 10 11:08:45 UTC 2015
On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote:
> Hi guys.
>
> I have a problem getting migration traffic encrypted for some scenarios. I need to
> migrate domain with non shared disks and can't use tunelled migration because of RHEL7 qemu.
> Without tunnel i get both vm state and disk state traffic unencrypted between
> peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption
> to all channels and eventually I get desired functionality but what are my options
> now?
> I thinking of forwarding ports from destination to source and use localhost in
> hypervisor uri. The only problem is that port for disk migration is auto selected.
> Can we add a patch to pass this port as a migration parameter?
>
We already have a migration URI, where you can specify the port:
http://libvirt.org/migration.html#uris
so working around the lack of encryption should be possible.
The listen address can now also be specified if you don't want QEMU to
listen on all interfaces:
http://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_LISTEN_ADDRESS
Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20151110/42b9cbd9/attachment-0001.sig>
More information about the libvir-list
mailing list