[libvirt] [RFC] migration encryption

Ján Tomko jtomko at redhat.com
Tue Nov 10 11:08:45 UTC 2015

On Tue, Nov 10, 2015 at 01:52:16PM +0300, Nikolay Shirokovskiy wrote:
> Hi guys.
>  I have a problem getting migration traffic encrypted for some scenarios. I need to
> migrate domain with non shared disks and can't use tunelled migration because of RHEL7 qemu.
> Without tunnel i get both vm state and disk state traffic unencrypted between
> peer's qemus. AFAIK there is a work in progress in qemu to bring TLS encryption
> to all channels and eventually I get desired functionality but what are my options
> now?
>  I thinking of forwarding ports from destination to source and use localhost in
> hypervisor uri. The only problem is that port for disk migration is auto selected.
> Can we add a patch to pass this port as a migration parameter?

We already have a migration URI, where you can specify the port:
so working around the lack of encryption should be possible.

The listen address can now also be specified if you don't want QEMU to
listen on all interfaces:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20151110/42b9cbd9/attachment-0001.sig>

More information about the libvir-list mailing list