Ask Your Question
0

live migration: what is a simple way to setup ssh for libvirt?

asked 2014-09-08 06:03:20 -0500

Daniel P gravatar image

Hi,

I'm attempting to setup live migration per the documentation here:

http://docs.openstack.org/admin-guide...

I've successfully setup NFS, and synced UID and GID across servers. I now need to enable secure remote TCP for libvirt, which lead me here:

http://libvirt.org/remote.html

It seems like ssh should be a simple solution, so I'm seeking to setup a typical exchange of ssh keys between nova users on the compute nodes, but it looks like the nova user by default has no home directory which I can put ssh keys into, etc. Is there a reasonable way to set this up? I'm hesitant to start creating a home directory, etc, since I'm assuming the nova user has no home directory, shell, etc for security reasons.

For those of you who have setup a secure libvirt transport to support live migration, did you use SSH or something else? What did your setup look like?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
1

answered 2014-09-08 10:09:58 -0500

SamYaple gravatar image

You can setup a home directory without enabling a shell. I don't see any security implications there.

I have never put it into production, but I setup live migrate and used ssh since it was simple.

edit flag offensive delete link more

Comments

Thanks for your response. Is that what you did then when you used ssh for live migration; created a home directory for nova and exchanged the proper ssh keys?

If you didn't use ssh, may I ask what transport you're using in production for live migration and why?

Daniel P gravatar imageDaniel P ( 2014-09-09 08:04:31 -0500 )edit

I don't remember the specifics, but I did create the ssh keys and push them around. I believe there was something else I don't remember

We do not use live migration in production. Due to earlier architectual mistakes, mainly involving cpu flags, we determined we would not be able to support it.

SamYaple gravatar imageSamYaple ( 2014-09-09 09:38:56 -0500 )edit

turns out my problems were due to restrictions on our system due to security policy. Just knowing that you were able to setup ssh and that it was as simple as one would expect it to be, is helpful! thanks for your comments.

Daniel P gravatar imageDaniel P ( 2014-09-18 04:43:02 -0500 )edit

Would you mind updating your original post with the security policy that you needed to change (if it was a default one, not some internal one)? Sorry I could not be of more help in the matter.

SamYaple gravatar imageSamYaple ( 2014-09-18 10:08:43 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-09-08 06:03:20 -0500

Seen: 640 times

Last updated: Sep 08 '14