Bug 1769732 - [Docs][RFE] Document how to use QEMU TLS to secure all data transports
Summary: [Docs][RFE] Document how to use QEMU TLS to secure all data transports
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 16.0 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: RHOS Documentation Team
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On: 1301025
Blocks:
Reported: 2019-11-07 10:24 UTC by Irina
Modified: 2020-03-25 15:46 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-23 14:48:48 UTC
Target Upstream Version:
Embargoed:

Description Irina 2019-11-07 10:24:20 UTC
The default QEMU migration transport runs a clear text TCP connection between the two QEMU servers. It is possible to tunnel the migration connection over libvirtd's secure connection, but this imposes a significant performance penalty. It is also not possible to tunnel the NBD connection used for block migration at all.

As a step towards securing the management network we need to have Nova configure QEMU to use native TLS support on its migration and NBD data transports, without any tunnelling.
