
yahoo-eng-team team mailing list archive

[Bug 1798796] [NEW] libvirt: Use VIR_MIGRATE_TLS to get QEMU's native TLS support for migration and NBD

Public bug reported:

Make Nova's libvirt driver use libvirt's VIR_MIGRATE_TLS, which will 
transport a Nova instance's migration and NBD data streams via QEMU's
native TLS.

Rationale
---------

From a downstream bug description by Dan Berrangé:

    "The default QEMU migration transport runs a clear text TCP connection
    between the two QEMU servers. It is possible to tunnel the migration
    connection over libvirtd's secure connection but this imposes a
    significant performance penalty. It is also not possible to tunnel the
    NBD connection used for block migration at all.

    "As a step towards securing the management network we need to have Nova
    configure QEMU to use native TLS support on its migration and NBD data
    transports, without any tunnelling."

Minimum version requirements for this feature to work:

    QEMU == 2.9
    libvirt == v.4.4.0

                * * *

Broader context and background here:

    https://lists.gnu.org/archive/html/qemu-devel/2015-02/msg00529.html
    RFC: Universal encryption on QEMU I/O channels
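To make the version gate and the flag composition concrete, here is an added Python illustration (not Nova's code, and not part of this bug report) of how a driver could decide whether to add VIR_MIGRATE_TLS to the flag set it passes to libvirt-python's migrateToURI3(). The flag values are libvirt's own virDomainMigrateFlags values and the version encoding matches libvirt's getVersion()/getLibVersion(); the function names, the (major, minor, micro) tuples and the choice to treat VIR_MIGRATE_TUNNELLED plus VIR_MIGRATE_TLS as a configuration error are assumptions made for the example.

```python
"""Deciding when to request QEMU's native TLS for migration and NBD.

Added illustration, not Nova's implementation. It encodes the minimum
versions named in the bug (QEMU 2.9, libvirt 4.4.0) and shows how a
driver can either insist on the TLS transport or fall back explicitly,
rather than silently migrating over clear-text TCP.
"""

# Subset of libvirt's virDomainMigrateFlags enum; values as defined by libvirt.
VIR_MIGRATE_LIVE = 1 << 0
VIR_MIGRATE_PEER2PEER = 1 << 1
VIR_MIGRATE_TUNNELLED = 1 << 2
VIR_MIGRATE_TLS = 1 << 16

# Minimum versions stated in the bug report.
MIN_QEMU_VERSION = (2, 9, 0)
MIN_LIBVIRT_VERSION = (4, 4, 0)

_FLAG_NAMES = {
    VIR_MIGRATE_LIVE: "VIR_MIGRATE_LIVE",
    VIR_MIGRATE_PEER2PEER: "VIR_MIGRATE_PEER2PEER",
    VIR_MIGRATE_TUNNELLED: "VIR_MIGRATE_TUNNELLED",
    VIR_MIGRATE_TLS: "VIR_MIGRATE_TLS",
}


def version_to_int(version):
    """Encode (major, minor, micro) the way libvirt's getVersion()/getLibVersion() report it."""
    major, minor, micro = version
    return major * 1_000_000 + minor * 1_000 + micro


def native_tls_supported(libvirt_version, qemu_version):
    """True when both libvirt and QEMU meet the minimums for native TLS migration."""
    return (version_to_int(libvirt_version) >= version_to_int(MIN_LIBVIRT_VERSION)
            and version_to_int(qemu_version) >= version_to_int(MIN_QEMU_VERSION))


def build_migrate_flags(base_flags, libvirt_version, qemu_version, require_tls=True):
    """Return the flag set to hand to migrateToURI3().

    require_tls=True  -> raise instead of silently using the clear-text transport.
    require_tls=False -> add VIR_MIGRATE_TLS when supported, else keep base_flags.
    """
    if base_flags & VIR_MIGRATE_TUNNELLED:
        # Tunnelling pushes the stream through libvirtd's connection; the goal here
        # is QEMU's own TLS with no tunnelling, so the example rejects the mix
        # (an assumption of this example, not a libvirt rule being quoted).
        raise ValueError("native TLS is for the untunnelled transport; "
                         "drop VIR_MIGRATE_TUNNELLED from the flags")
    if native_tls_supported(libvirt_version, qemu_version):
        return base_flags | VIR_MIGRATE_TLS
    if require_tls:
        raise RuntimeError(
            "native TLS migration needs libvirt >= %d.%d.%d and QEMU >= %d.%d.%d, "
            "got libvirt %d.%d.%d / QEMU %d.%d.%d"
            % (MIN_LIBVIRT_VERSION + MIN_QEMU_VERSION + libvirt_version + qemu_version))
    return base_flags


def describe_flags(flags):
    """Human-readable names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(_FLAG_NAMES.items()) if flags & bit]


if __name__ == "__main__":
    base = VIR_MIGRATE_LIVE | VIR_MIGRATE_PEER2PEER
    # Constructed version pairs for the demonstration.
    for lv, qv in (((4, 4, 0), (2, 9, 0)), ((4, 3, 0), (2, 9, 0))):
        try:
            print(lv, qv, describe_flags(build_migrate_flags(base, lv, qv)))
        except RuntimeError as exc:
            print(lv, qv, "refused:", exc)
```

The require_tls switch is the part worth copying: the failure mode the bug describes is a migration that quietly runs in clear text, so a deployment that has opted into TLS should fail loudly when the hypervisor cannot provide it rather than fall back.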

** Affects: nova
     Importance: Medium
     Assignee: Kashyap Chamarthy (kashyapc)
         Status: New


** Tags: libvirt

** Tags added: libvirt

** Changed in: nova
   Importance: Undecided => Medium

** Changed in: nova
     Assignee: (unassigned) => Kashyap Chamarthy (kashyapc)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1798796

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1798796/+subscriptions