[libvirt-users] [RESOLVED] Re: P2P live migration with non-shared storage: fails to connect to remote libvirt URI qemu+ssh

Kashyap Chamarthy kchamart at redhat.com
Fri Apr 3 19:17:33 UTC 2015


On Fri, Apr 03, 2015 at 12:27:07PM +0200, Kashyap Chamarthy wrote:
> On Fri, Apr 03, 2015 at 10:13:38AM +0200, Kashyap Chamarthy wrote:
> > On Fri, Apr 03, 2015 at 10:08:21AM +0200, Kashyap Chamarthy wrote:
> > > Migration without --p2p works just fine, ie. the below works:
> > > 
> > > 
> > >     $ virsh migrate --verbose --copy-storage-all \
> > >         --live cvm1 qemu+ssh://kashyapc@devstack3/system
> > >     Migration: [100 %]

Problem found:

I was running the `ssh-agent` with a passphrase for the SSH key. This
will work in the managed direct migration case as above (because the
client process controls most of it). . .

> > 
> > [. . .]
> > 
> > > 
> > > (2) Perform peer to peer live migration (as root):
> > > 
> > >     $ virsh migrate --verbose --p2p --copy-storage-all \
> > >         --live cvm1 qemu+ssh://kashyapc@devstack3/system

. . .but _not_ in P2P case, because the libvirt daemon on the source
_does not_ have access to the `ssh-agent` (so while I _can_ SSH into the
dest host as 'root' w/o password, libvirt daemon cannot!).  So ensure that
SSH key has no pass-phrase (only in trusted networks for testing only!)
or set up X.509 certificates.

When Jirka asked me on IRC whether I was able to SSH as root to the
destination host, I was able to, but didn't think of the `ssh-agent`
holding the private key _with_ passphrase!

> Hmm, reading the flow for peer2peer here: 
> 
>     https://libvirt.org/migration.html#flowpeer2peer
> 
> which says:
> 
>     "Note that the source libvirtd uses its own credentials (typically root)
>     to connect to the destination, rather than the credentials used by the
>     client to connect to the source; if these differ, it is common to run
>     into a situation where a client can connect to the destination directly
>     but the source cannot make the connection to set up the peer-to-peer
>     migration."

Also thanks to Lars Kellogg-Stedman (OpenStack dev) who reminded me of
the question "does your libvirtd have access to the ssh-agent" and
also for noticing I didn't refresh the storage pool on the destination
host while doing multiple migration tests. Speak of messy test
environments. . .

Sorry for the noise. At least I'm now clear on a couple of migration
techniques that libvirt offers. :-)

Have a nice weekend!

-- 
/kashyap
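
An added example, not part of the original message and not libvirt's own code: a pre-flight check that attempts the SSH login from the source host the way a daemon would, with no `ssh-agent` and no prompts, which is the condition that separated the working managed migration from the failing `--p2p` one above. The function names and the `SSH_BIN` override are hypothetical, and the check only approximates libvirtd's environment.

```shell
#!/bin/sh
# Added example (not from the original thread). Run on the SOURCE host as the
# user libvirtd runs as (typically root).
# SSH_BIN is a hypothetical override for the ssh binary, used for testing.

# Print "user@host[:port]" from a qemu+ssh libvirt URI; return 2 otherwise.
ssh_target_from_uri() {
    case $1 in
        qemu+ssh://*) _rest=${1#qemu+ssh://} ;;
        *) echo "not a qemu+ssh URI: $1" >&2; return 2 ;;
    esac
    _rest=${_rest%%/*}     # drop the path (/system, /session)
    _rest=${_rest%%\?*}    # drop URI parameters if there was no path
    [ -n "$_rest" ] || return 2
    printf '%s\n' "$_rest"
}

# Try the SSH login the way a daemon would: no agent, no prompts.
p2p_ssh_preflight() {
    _target=$(ssh_target_from_uri "$1") || return 2
    _port=
    case $_target in
        *:*) _port=${_target##*:}; _target=${_target%:*} ;;  # IPv6 literals not handled
    esac
    # env -u SSH_AUTH_SOCK : hide the caller's ssh-agent from ssh
    # BatchMode=yes        : fail instead of asking for a passphrase,
    #                        a password or a host-key confirmation
    if env -u SSH_AUTH_SOCK "${SSH_BIN:-ssh}" -o BatchMode=yes \
           -o ConnectTimeout=5 ${_port:+-p "$_port"} "$_target" true </dev/null
    then
        echo "OK: $_target accepts a non-interactive login without ssh-agent"
    else
        echo "FAIL: no non-interactive, agent-less SSH login to $_target" >&2
        return 1
    fi
}

# Usage: sh p2p-preflight.sh qemu+ssh://kashyapc@devstack3/system
if [ "$#" -gt 0 ]; then
    p2p_ssh_preflight "$1"
fi
```

A FAIL here while an interactive `ssh` from the same shell succeeds points at the agent or passphrase dependency described in this message.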
