Reviewed: https://review.openstack.org/625216 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9160fe50987131feda9429c4e95d573e176916b6 Submitter: Zuul Branch: master
commit 9160fe50987131feda9429c4e95d573e176916b6 Author: Kashyap Chamarthy <kcham...@redhat.com> Date: Wed Dec 12 16:51:52 2018 +0100 libvirt: Support native TLS for migration and disks over NBD The encryption offered by Nova (via `live_migration_tunnelled`, i.e. "tunnelling via libvirtd") today secures only two migration streams: guest RAM and device state; but it does _not_ encrypt the NBD (Network Block Device) transport—which is used to migrate disks that are on non-shared storage setup (also called: "block migration"). Further, the "tunnelling via libvirtd" has a huge performance penalty and latency, because it burns more CPU and memory bandwidth due to increased number of data copies on both source and destination hosts. To solve this existing limitation, introduce a new config option `live_migration_with_native_tls`, which will take advantage of "native TLS" (i.e. TLS built into QEMU, and relevant support in libvirt). The native TLS transport will encrypt all migration streams, *including* disks that are not on shared storage — all of this without incurring the limitations of the "tunnelled via libvirtd" transport. Closes-Bug: #1798796 Blueprint: support-qemu-native-tls-for-live-migration Change-Id: I78f5fef41b6fbf118880cc8aa4036d904626b342 Signed-off-by: Kashyap Chamarthy <kcham...@redhat.com> ** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1798796 Title: libvirt: Use VIR_MIGRATE_TLS to get QEMU's native TLS support for migration and NBD Status in OpenStack Compute (nova): Fix Released Bug description: Make Nova's libvirt driver use libvirt's VIR_MIGRATE_TLS, which will transport a Nova instance's migration and NBD data streams via QEMU's native TLS. Rationale --------- From a downstream bug description by Dan Berrangé: "The default QEMU migration transport runs a clear text TCP connection between the two QEMU servers. It is possible to tunnel the migration connection over libvirtd's secure connection but this imposes a significant performance penalty. It is also not possible to tunnel the NBD connection use for block migration at all. "As a step towards securing the management network we need to have Nova configure QEMU to use native TLS support on its migration and NBD data transports, without any tunnelling." Minimum version requirements for this feature to work: QEMU == 2.9 libvirt == v.4.4.0 * * * Broader context and background here: https://lists.gnu.org/archive/html/qemu-devel/2015-02/msg00529.html RFC: Universal encryption on QEMU I/O channels To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1798796/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp