← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #76587

[Bug 1798796] Re: libvirt: Use VIR_MIGRATE_TLS to get QEMU's native TLS support for migration and NBD

  Thread PreviousDate PreviousThread Next 
Reviewed:  https://review.openstack.org/625216
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9160fe50987131feda9429c4e95d573e176916b6
Submitter: Zuul
Branch:    master

commit 9160fe50987131feda9429c4e95d573e176916b6
Author: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
Date:   Wed Dec 12 16:51:52 2018 +0100

    libvirt: Support native TLS for migration and disks over NBD
    
    The encryption offered by Nova (via `live_migration_tunnelled`, i.e.
    "tunnelling via libvirtd") today secures only two migration streams:
    guest RAM and device state; but it does _not_ encrypt the NBD (Network
    Block Device) transport—which is used to migrate disks that are on
    non-shared storage setup (also called: "block migration").  Further, the
    "tunnelling via libvirtd" has a huge performance penalty and latency,
    because it burns more CPU and memory bandwidth due to increased number
    of data copies on both source and destination hosts.
    
    To solve this existing limitation, introduce a new config option
    `live_migration_with_native_tls`, which will take advantage of "native
    TLS" (i.e. TLS built into QEMU, and relevant support in libvirt).  The
    native TLS transport will encrypt all migration streams, *including*
    disks that are not on shared storage — all of this without incurring the
    limitations of the "tunnelled via libvirtd" transport.
    
    Closes-Bug: #1798796
    Blueprint: support-qemu-native-tls-for-live-migration
    
    Change-Id: I78f5fef41b6fbf118880cc8aa4036d904626b342
    Signed-off-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1798796

Title:
  libvirt: Use VIR_MIGRATE_TLS to get QEMU's native TLS support for
  migration and NBD

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Make Nova's libvirt driver use libvirt's VIR_MIGRATE_TLS, which will 
  transport a Nova instance's migration and NBD data streams via QEMU's
  native TLS.

  Rationale
  ---------

  From a downstream bug description by Dan Berrangé:

      "The default QEMU migration transport runs a clear text TCP connection
      between the two QEMU servers. It is possible to tunnel the migration
      connection over libvirtd's secure connection but this imposes a
      significant performance penalty. It is also not possible to tunnel the
      NBD connection use for block migration at all.

      "As a step towards securing the management network we need to have Nova
      configure QEMU to use native TLS support on its migration and NBD data
      transports, without any tunnelling."

  Minimum version requirements for this feature to work:

      QEMU == 2.9
      libvirt == v.4.4.0

                  * * *

  Broader context and background here:

      https://lists.gnu.org/archive/html/qemu-devel/2015-02/msg00529.html
      RFC: Universal encryption on QEMU I/O channels

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1798796/+subscriptions

References

  Thread PreviousDate PreviousThread Next