On Fri, Jan 11, 2013 at 02:05:10PM +0800, Mark Wu wrote:
> On 01/11/2013 04:14 AM, Caitlin Bestler wrote:
> >Dan Kenisberg wrote:
> >
> >
> >>Choosing tunnelled migration is thus a matter of policy. I would like to
> >>suggest a new cluster-level configurable in Engine,
> >>that controls whether migrations in this cluster are tunnelled. The
> >>configurable must be available only in new cluster levels
> >>where hosts support it.
> >Why not just dump this issue to network configuration?
> >
> >Migrations occur over a secure network. That security could be provided by
> >port groups, VLANs or encrypted tunnels.
> Agreed. Is a separate vlan network not secure enough? If yes, we
> could build a virtual encrypted network, like using openvpn +
> iptables.

I agree that separating migration traffic to a different,
optionally-encrypted network, is a noble goal. In fact, it is a parallel
effort that I am pushing for:
http://lists.ovirt.org/pipermail/arch/2013-January/001117.html

Building our own tunnel between hosts is cool, but using libvirt's
tunneling is here and now and easy, and should not wait just because
there's even better technology around the third next corner. With my
suggested API, we could even change the implementation of "tunnelled" to
"tunnel over our own vpn" if we need to.

Now is the time to eat the low-hanging fruit of VIR_MIGRATE_TUNNELLED.

Dan.
