libvirt: Use VIR_MIGRATE_TLS to get QEMU's native TLS support for migration and NBD
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Kashyap Chamarthy |
Bug Description
Make Nova's libvirt driver use libvirt's VIR_MIGRATE_TLS, which will
transport a Nova instance's migration and NBD data streams via QEMU's
native TLS.
Rationale
---------
From a downstream bug description by Dan Berrangé:
"The default QEMU migration transport runs a clear text TCP connection
between the two QEMU servers. It is possible to tunnel the migration
connection over libvirtd's secure connection but this imposes a
significant performance penalty. It is also not possible to tunnel the
NBD connection used for block migration at all.
"As a step towards securing the management network we need to have Nova
configure QEMU to use native TLS support on its migration and NBD data
transports, without any tunnelling."
Minimum version requirements for this feature to work:
QEMU == 2.9
libvirt == v.4.4.0
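The following is an added example, not Nova's or libvirt's own code: it composes the migration flag bitmask a libvirt driver would hand to virDomainMigrateToURI3() for the three transport options the report contrasts (cleartext TCP, libvirtd tunnel, QEMU-native TLS via VIR_MIGRATE_TLS), and refuses native TLS when the host is below the QEMU 2.9 / libvirt 4.4.0 floor stated above. The flag names are libvirt's real constants (taken from libvirt-python when it is installed, otherwise the bit values from libvirt-domain.h); the helper functions, the `transport_protection` classification and the rule that native TLS and tunnelling are not combined are this example's own assumptions.

```python
"""Added example: build libvirt migration flags for QEMU-native TLS."""
import re

try:
    # libvirt-python is optional here; when present its constants win.
    import libvirt
    VIR_MIGRATE_LIVE = libvirt.VIR_MIGRATE_LIVE
    VIR_MIGRATE_PEER2PEER = libvirt.VIR_MIGRATE_PEER2PEER
    VIR_MIGRATE_TUNNELLED = libvirt.VIR_MIGRATE_TUNNELLED
    VIR_MIGRATE_NON_SHARED_INC = libvirt.VIR_MIGRATE_NON_SHARED_INC
    VIR_MIGRATE_TLS = libvirt.VIR_MIGRATE_TLS
except ImportError:
    # Fallback: the bit values libvirt assigns in libvirt-domain.h.
    VIR_MIGRATE_LIVE = 1 << 0
    VIR_MIGRATE_PEER2PEER = 1 << 1
    VIR_MIGRATE_TUNNELLED = 1 << 2
    VIR_MIGRATE_NON_SHARED_INC = 1 << 7
    VIR_MIGRATE_TLS = 1 << 16

MIN_QEMU = (2, 9, 0)      # minimum stated in the bug report
MIN_LIBVIRT = (4, 4, 0)   # minimum stated in the bug report


def parse_version(text):
    """'2.9', 'v4.4.0', '2.12.1' -> (2, 9, 0), (4, 4, 0), (2, 12, 1)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def version_from_libvirt_int(value):
    """libvirt's getVersion() packs major*1000000 + minor*1000 + release."""
    return (value // 1000000, (value // 1000) % 1000, value % 1000)


def native_tls_supported(qemu_version, libvirt_version):
    """True when both components meet the floor given in the report."""
    return (parse_version(qemu_version) >= MIN_QEMU
            and parse_version(libvirt_version) >= MIN_LIBVIRT)


def migration_flags(native_tls, tunnelled, block_migration,
                    qemu_version, libvirt_version):
    """Return the flag bitmask for virDomainMigrateToURI3()."""
    if native_tls and tunnelled:
        # Assumption of this example: native TLS exists so that the
        # libvirtd tunnel is unnecessary, so the two are not combined.
        raise ValueError("native TLS and tunnelled migration are exclusive")
    if native_tls and not native_tls_supported(qemu_version, libvirt_version):
        raise ValueError("native TLS needs QEMU >= 2.9 and libvirt >= 4.4.0")
    flags = VIR_MIGRATE_LIVE | VIR_MIGRATE_PEER2PEER
    if tunnelled:
        flags |= VIR_MIGRATE_TUNNELLED
    if block_migration:
        # Disk data travels over the separate NBD stream, which the report
        # notes cannot be tunnelled; only native TLS can protect it.
        flags |= VIR_MIGRATE_NON_SHARED_INC
    if native_tls:
        flags |= VIR_MIGRATE_TLS
    return flags


def transport_protection(flags):
    """Classify how the migration data is protected on the wire."""
    if flags & VIR_MIGRATE_TLS:
        return "native-tls"
    if flags & VIR_MIGRATE_TUNNELLED:
        return "libvirtd-tunnel"
    return "cleartext"


if __name__ == "__main__":
    # Constructed sample host versions, not taken from any real deployment.
    flags = migration_flags(True, False, True, "2.12.0", "v4.5.0")
    print(hex(flags), transport_protection(flags))
```

On a real host the version inputs would come from `conn.getVersion()` (QEMU, via the hypervisor) and `conn.getLibVersion()` (libvirt), both of which return the packed integer that `version_from_libvirt_int` unpacks; the TLS certificates themselves are configured on the libvirt/QEMU side, not through these flags.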
* * *
Broader context and background here:
https:/
RFC: Universal encryption on QEMU I/O channels
tags: added: libvirt
Changed in nova: importance: Undecided → Medium; assignee: nobody → Kashyap Chamarthy (kashyapc)
Changed in nova: importance: Wishlist → Medium
Fix proposed to branch: master
Review: https://review.openstack.org/625216