1769732 – [Docs][RFE] Document how to use QEMU TLS to secure all data transports

Bug 1769732 - [Docs][RFE] Document how to use QEMU TLS to secure all data transports

Summary: [Docs][RFE] Document how to use QEMU TLS to secure all data transports

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	documentation
Sub Component:
Version:	16.0 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	RHOS Documentation Team
QA Contact:	RHOS Documentation Team
Docs Contact:
URL:
Whiteboard:
Depends On:	1301025
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-07 10:24 UTC by Irina
Modified:	2020-03-25 15:46 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-01-23 14:48:48 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Irina 2019-11-07 10:24:20 UTC

The default QEMU migration transport runs a clear text TCP connection between the two QEMU servers. It is possible to tunnel the migration connection over libvirtd's secure connection but this imposes a significant performance penalty. It is also not possible to tunnel the NBD connection use for block migration at all.

As a step towards securing the management network we need to have Nova configure QEMU to use native TLS support on its migration and NBD data transports, without any tunnelling.

Note You need to log in before you can comment on or make changes to this bug.