When live migrating an instance with a config disk, the destination copies the config disk from the source over scp. This is denied by nova-migration-wrapper with: Jul 28 11:34:51 localhost nova_migration_wrapper: Denying connection='172.17.1.19 33100 172.17.1.17 22' command=['scp', '-r', '-f', '/var/lib/nova/instances/2979904 7-9dfd-4bfd-80fe-54115897b353/disk.config'] Note that the scp command has '-f' in place of '-t'. I believe this is because this is a remote to local copy, not a local to remote copy: https://github.com/openssh/openssh-portable/blob/master/scp.c#L713 We also do remote to local copies during both cold and live migration when a backing file is missing because an image has been deleted from glance. In this case the destination host side-loads the file from the image cache of the source host. I suspect this issue means that this case is also broken.
Fix: /bin/nova-migration-wrapper gets: cold_migration_cmds = [ ['mkdir', '-p'], ['rm', '-rf'], ['touch'], ['rm'], ['scp', '-r', '-t'], + ['scp', '-r', '-f'], ] /etc/nova/migration/rootwrap.d/cold_migration.filters gets: copy_file: PathFilter, /usr/bin/scp, nova, -r, -t, /var/lib/nova/instances/ + copy_file: PathFilter, /usr/bin/scp, nova, -r, -f, /var/lib/nova/instances/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2994