On 1 August 2016 at 13:30, Marcus Furlong <[email protected]> wrote:
> Looks like there is a bug open which suggests that it should be using
> RPC calls, rather than commands executed over ssh:
>
> https://bugs.launchpad.net/nova/+bug/1459782
I agree, no operator in their right mind wants to turn this on for a production cloud, but it's a capability that a lot of useful higher-level tooling wants to exploit (e.g. right-sizing solutions). IIRC this was discussed some time ago and I thought there was something in the dev pipeline to address it. Looking at the bug, it does mention the related live-migration cleanup work that happened ~Havana or so; I guess the cold-migrate/resize pathway was missed, or did it get stuck in review?

On this point in the bug report:

==
There's a complication though. In virt.libvirt.utils.copy_image() we also rely on passwordless authentication to do either "rsync" or "scp" to copy the image file over when doing cold migration with local storage. So for the case of local storage we'd still need to set up passwordless ssh between compute nodes to handle cold migration.
==

Passwordless ssh for services need not be so scary, it just needs to be managed right...

Fortunately OpenSSH has a rather cool feature (that lots of people seem not to know about) - it supports auth by certificate, by which I mean an appropriately configured sshd can authenticate a client's cert based on the fact that it was signed by a trusted SSH CA, without any need to have a record of the client's public key. Signed certs are valid for a limited time, so you can imagine building some automation that created a short-lived cert on demand that was valid just long enough to establish the scp connection needed to complete a cold-migration or resize. See "man ssh-keygen" -> CERTIFICATES.

--
Cheers,
~Blairo

_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
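The short-lived certificate flow described above, as an added example that is not part of the thread or of Nova's code: it creates an SSH CA, signs a fresh client key for five minutes with a single principal and restrictive certificate options, and decodes the result with `ssh-keygen -L` so the scope can be audited. The principal name `nova-migrate`, the source CIDR and all file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nova. Mints a short-lived,
# scope-limited OpenSSH user certificate of the kind a cold-migration/resize
# step could be handed instead of a permanent passwordless key.
# Assumptions: the principal "nova-migrate", the CIDR and all paths are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/migration_ca"      # CA private key; only migration_ca.pub goes to sshd
KEY="$WORK/client_key"       # fresh per-migration client key
CERT="$KEY-cert.pub"         # what "ssh-keygen -s" writes next to the key

# On every destination compute node, sshd trusts the CA instead of keeping a
# record of each client key (sshd_config, assumed layout):
#   TrustedUserCAKeys /etc/ssh/migration_ca.pub
#   Match User nova
#     AuthorizedPrincipalsFile /etc/ssh/principals/%u   # contains: nova-migrate
make_ca() {
  [ -f "$CA" ] || ssh-keygen -q -t ed25519 -N '' -C migration-ca -f "$CA"
}

# Sign a certificate valid for 5 minutes (-V +5m), bound to one principal,
# accepted only from the source node's network, and stripped of the default
# pty/forwarding extensions so it is useful for little beyond the file copy.
mint_cert() {
  [ -f "$KEY" ] || ssh-keygen -q -t ed25519 -N '' -C nova-migrate -f "$KEY"
  ssh-keygen -q -s "$CA" -I "migration-$(date +%s)" -n nova-migrate -V +5m \
    -O source-address=10.0.0.0/24 \
    -O no-pty -O no-port-forwarding -O no-agent-forwarding \
    -O no-x11-forwarding -O no-user-rc \
    "$KEY.pub"
  [ -f "$CERT" ]
}

# Decode the certificate the way an operator would audit it.
cert_info() { ssh-keygen -L -f "$CERT"; }

# Return 0 if the decoded certificate mentions $1 (principal, option, validity).
cert_has() { cert_info | grep -q -- "$1"; }

# Run the whole flow when ssh-keygen is available.
if command -v ssh-keygen >/dev/null 2>&1; then
  make_ca && mint_cert && cert_info
fi
```

The decoded output shows the "Valid: from ... to ..." window, the single principal and the `source-address` critical option, which is exactly the scope a destination sshd will enforce.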
