Comment 4 for bug 1287194

Nathan Kinder (nkinder) wrote :

@fifieldt
I did set up Havana (RDO distribution) with two compute nodes configured for live migration. I configured libvirtd to use the SASL GSSAPI mechanism to perform Kerberos authentication over a normal TCP connection (no TLS). Performing a live migration with the "nova live-migration" command works fine with this approach. It's not ideal, as you need to ensure that root has a Kerberos ticket first, which requires one to run kinit to get a valid ticket. This could likely be partially automated by setting the KRB5CCNAME environment variable in /etc/sysconfig/libvirtd and using a keytab to call kinit from a script, but one would still have to deal with ticket expiration.

I haven't yet tried the X.509 approach, but I don't expect any big issues there. In addition to the libvirtd configuration changes to use TLS for remote connections and X.509 client certificate authentication, the "live_migration_uri" setting in /etc/nova/nova.conf will need to be changed as follows:

    live_migration_uri=qemu+tls://%s/system

This change would also be needed if one were using GSSAPI/Kerberos over TLS.

One advantage with the X.509 approach is that certificates usually have a long lifetime. This makes expiration issues less of an issue since it's infrequent (usually every few years in most PKI deployments). One would simply be able to drop the client public and private key files onto each compute node (protected by the appropriate permissions), which would then be used for authentication between compute nodes during live migration. I will test this approach tomorrow, but I think this is enough to go on for putting together an OSSN.
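The three libvirtd layouts discussed in this comment (plain TCP with no authentication, TCP with SASL GSSAPI/Kerberos, and TLS with X.509 client certificates restricted by DN) can be told apart mechanically from /etc/libvirt/libvirtd.conf together with the live_migration_uri setting in nova.conf. The following audit script is an added example and is not part of the bug report, the libvirt project, or nova; the sample configuration texts, hostnames and certificate DNs are constructed for illustration, and the libvirtd defaults it assumes when a key is absent (listen_tls enabled, listen_tcp disabled, auth_tls "none") are the documented libvirt defaults. The keys it reads (listen_tls, listen_tcp, auth_tcp, auth_tls, tls_no_verify_certificate, tls_allowed_dn_list) are real libvirtd.conf settings.

```python
import configparser
import re

# Constructed sample configs (not from the bug report); DNs and comments are illustrative.
WEAK_LIBVIRTD_CONF = """
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"          # every host that reaches the port is trusted
"""

KERBEROS_TCP_LIBVIRTD_CONF = """
listen_tls = 0
listen_tcp = 1
auth_tcp = "sasl"          # mech_list: gssapi would be set in /etc/sasl2/libvirt.conf
"""

HARDENED_LIBVIRTD_CONF = """
listen_tls = 1
listen_tcp = 0
auth_tls = "none"          # the client certificate itself is the credential
tls_no_verify_certificate = 0
tls_allowed_dn_list = ["CN=compute-1,O=Example", "CN=compute-2,O=Example"]
"""

TCP_NOVA_CONF = "[DEFAULT]\nlive_migration_uri=qemu+tcp://%s/system\n"
TLS_NOVA_CONF = "[DEFAULT]\nlive_migration_uri=qemu+tls://%s/system\n"

_SETTING = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$')


def parse_libvirtd_conf(text):
    """Minimal libvirtd.conf reader: ints, quoted strings and lists of quoted strings."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line.split('#', 1)[0])  # drop trailing comments
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('['):
            settings[key] = re.findall(r'"([^"]*)"', raw)
        elif raw.startswith('"'):
            settings[key] = raw.strip('"')
        else:
            settings[key] = int(raw) if raw.lstrip('-').isdigit() else raw
    return settings


def live_migration_scheme(nova_text):
    # interpolation=None: the URI holds a literal "%s" that nova fills with the target host
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(nova_text)
    uri = cp.defaults().get('live_migration_uri', 'qemu+tcp://%s/system')  # Havana-era nova default
    return uri.split('://', 1)[0]


def audit_live_migration(libvirtd_text, nova_text):
    """Return (severity, message) findings; an empty list means the TLS/X.509 layout with a DN whitelist."""
    lv = parse_libvirtd_conf(libvirtd_text)
    scheme = live_migration_scheme(nova_text)
    findings = []
    if scheme == 'qemu+tcp':
        if lv.get('auth_tcp') == 'sasl':
            findings.append(('MEDIUM', 'qemu+tcp with SASL: peers authenticate (e.g. GSSAPI/Kerberos), '
                                       'but root on each node needs a valid ticket; plan keytab-based renewal'))
        else:
            findings.append(('HIGH', 'qemu+tcp without SASL: libvirtd accepts unauthenticated cleartext connections'))
    elif scheme == 'qemu+tls':
        if lv.get('listen_tls', 1) != 1:  # libvirt default: TLS listener enabled
            findings.append(('HIGH', 'live_migration_uri uses TLS but listen_tls is disabled'))
        if lv.get('tls_no_verify_certificate', 0) == 1:
            findings.append(('HIGH', 'tls_no_verify_certificate = 1: client certificates are not checked against the CA'))
        if lv.get('auth_tls', 'none') == 'none' and not lv.get('tls_allowed_dn_list'):
            findings.append(('MEDIUM', 'any certificate issued by the CA is accepted; '
                                       'restrict with tls_allowed_dn_list or set auth_tls = "sasl"'))
        if lv.get('listen_tcp', 0) == 1:  # libvirt default: plain TCP listener disabled
            findings.append(('LOW', 'listen_tcp = 1: a plain TCP listener stays open beside the TLS one'))
    else:
        findings.append(('INFO', 'scheme %s is not covered by this check' % scheme))
    return findings


def worst_severity(findings):
    order = ['INFO', 'LOW', 'MEDIUM', 'HIGH']
    return max((sev for sev, _ in findings), key=order.index, default='NONE')


if __name__ == '__main__':
    cases = [('plain tcp', WEAK_LIBVIRTD_CONF, TCP_NOVA_CONF),
             ('kerberos over tcp', KERBEROS_TCP_LIBVIRTD_CONF, TCP_NOVA_CONF),
             ('x509 over tls', HARDENED_LIBVIRTD_CONF, TLS_NOVA_CONF)]
    for label, lv_text, nova_text in cases:
        found = audit_live_migration(lv_text, nova_text)
        print('%-18s %-6s %s' % (label, worst_severity(found), [msg for _, msg in found]))
```

Run against real files, the two inputs would be the contents of /etc/libvirt/libvirtd.conf and /etc/nova/nova.conf on each compute node; the "MEDIUM" finding for the Kerberos layout encodes exactly the ticket-expiration caveat raised above, while the TLS branch separates "certificate not verified at all" (tls_no_verify_certificate) from "verified but any CA-issued certificate accepted" (no tls_allowed_dn_list), which is the distinction that matters when the same CA also issues certificates to hosts that should never drive libvirtd.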