Bug 1739557
| Summary: | RFE: add support for native TLS encryption on migration TCP transport | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Michal Skrivanek <michal.skrivanek> |
| Component: | vdsm | Assignee: | Milan Zamazal <mzamazal> |
| Status: | CLOSED ERRATA | QA Contact: | Beni Pelled <bpelled> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | danken, lleistne, lsurette, mavital, mkalinin, mtessun, mzamazal, rdlugyhe, sgoodman, srevivo, ycui |
| Target Milestone: | ovirt-4.4.0 | Keywords: | FutureFeature |
| Target Release: | 4.4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | vdsm-4.40.13 | Doc Type: | Enhancement |
| Doc Text: | With this update, you can enable encryption for live migration of virtual machines between hosts in the same cluster. This provides more protection to data transferred between hosts. You can enable or disable encryption in the Administration Portal, in the Edit Cluster dialog box, under Migration Policy > Additional Properties. Encryption is disabled by default. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-08-04 13:27:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Virt | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1754533, 1781149 | ||
| Bug Blocks: | |||
Description
Michal Skrivanek
2019-08-09 13:56:58 UTC
To implement this functionality we will need (at least):

- To add support for the TLS encryption option from Engine to VDSM.
- To add the option to Engine, in the cluster migration UI.
- Point libvirt/QEMU configuration to the right certificates.

There is an issue with certificates: We use the destination IP address to initiate migrations, while the host certificates use host names. That means the destination (IP) address doesn't match the certificate and a TLS migration fails. We must ensure that IP addresses are put into the host certificates.

Note that the migration IP of a host can change if a new network is assigned the migration role, or when the migration network is attached to a host with a new static address, or if the DHCP server provides a new address instead of renewing the host lease. On these occasions, someone/something should enroll a new certificate to the host.

We've decided to solve the certificate problem by adding an option to libvirt that specifies what to verify in the destination certificate, see bug 1754533.

As a temporary workaround until the libvirt feature is implemented, the host name is used in the connection URI when an encrypted migration is requested. This ignores a contingent migration network, but we have no better option, since updating the certificates would be too complicated.

Verified with:

- ovirt-engine-4.4.1.5-0.17.el8ev.noarch
- vdsm-python-4.40.20-1.el8ev.noarch

All tests [1] passed except HE migration which is waiting for [2]

[1] https://polarion.engineering.redhat.com/polarion/#/project/RHEVM3/wiki/Compute/4_4_Migration_Encryption
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1850909

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV RHEL Host (ovirt-host) 4.4), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3246
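The certificate problem described in the bug (destination addressed by IP, certificate issued for a host name, TLS peer verification fails) can be checked before a migration is attempted. The following is an added example, not vdsm, Engine or libvirt code: it models the subject alternative name (SAN) entries of a host certificate as a constructed list, applies RFC 6125-style DNS-ID and IP-ID matching the way a TLS client verifies a peer, and builds an illustrative destination URI that follows the workaround above (host name in the URI when encryption is on, migration-network IP otherwise). `HostCert`, `target_matches_cert`, `migration_uri` and the `qemu+tls://` / `qemu+tcp://` URI forms are assumptions made for this example; the SAN values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HostCert:
    """Constructed stand-in for the parts of a host certificate that matter
    here: the host name it was issued for and its SAN entries as
    (kind, value) pairs with kind in {"DNS", "IP"}. In a real deployment these
    come from the certificate enrolled on the host, not from a literal."""
    host: str
    san: List[Tuple[str, str]]


def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, a single '*' allowed only
    as the whole left-most label, and the wildcard never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels):
        return False
    for i, (p, n) in enumerate(zip(p_labels, n_labels)):
        if p == "*" and i == 0:
            continue  # wildcard matches exactly one left-most label
        if "*" in p or p != n:
            return False
    return True


def target_matches_cert(target: str, cert: HostCert) -> bool:
    """Decide whether TLS peer verification would accept `cert` for a
    connection made to `target`. An IP literal is only ever matched against
    IP SAN entries, a name only against DNS SAN entries; this is exactly why
    a migration initiated by IP fails against a host-name-only certificate."""
    ip: Optional[ipaddress._BaseAddress]
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.san:
        if ip is not None and kind == "IP":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False


def migration_uri(cert: HostCert, migration_ip: str, encrypted: bool) -> str:
    """Illustrative destination URI selection. With encryption requested the
    workaround from the bug applies: connect by host name, which the
    certificate can vouch for, and accept that a dedicated migration network
    is ignored. Without encryption the migration-network IP is used."""
    if encrypted:
        if not target_matches_cert(cert.host, cert):
            raise ValueError(
                f"certificate for {cert.host} does not cover its own host name")
        return f"qemu+tls://{cert.host}/system"
    return f"qemu+tcp://{migration_ip}/system"


if __name__ == "__main__":
    # Constructed host certificate carrying only a DNS SAN, as the bug describes.
    cert = HostCert("host1.example.com", [("DNS", "host1.example.com")])
    for target in ("host1.example.com", "192.0.2.10"):
        print(f"{target:>20}: {'ok' if target_matches_cert(target, cert) else 'MISMATCH'}")
    print(migration_uri(cert, "192.0.2.10", encrypted=True))
    print(migration_uri(cert, "192.0.2.10", encrypted=False))
```

Running the check against each host's current migration address after a network role change or a DHCP lease renewal is the cheapest way to spot the re-enrollment need the bug mentions before a live migration fails at the TLS handshake.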