From e1f87963b142f494eb692e424c67512767d29f0f Mon Sep 17 00:00:00 2001
From: Zhenzan Zhou
Date: Tue, 8 Sep 2015 16:49:52 +0800
Subject: [PATCH] Add notes on live migration configuration

Live migration will not currently work with a multi-node DevStack
environment due to the libvirtd process running as root and the
compute process trying to use the stack user's SSH keys with the
default live migration URI.

The multi-node documentation is updated to outline how to configure
the SSH keys between the source and destination stack and root users
so that live migration will work as expected.

Co-Authored-By: Taylor Peoples
Change-Id: Ifed7e95cd5ba43a05a4099a3664cbefde3e0a749
Closes-Bug: #1487262
---
 doc/source/guides/multinode-lab.rst | 40 +++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/doc/source/guides/multinode-lab.rst b/doc/source/guides/multinode-lab.rst
index 37c8515e86..392bb1b807 100644
--- a/doc/source/guides/multinode-lab.rst
+++ b/doc/source/guides/multinode-lab.rst
@@ -373,3 +373,43 @@ If you forgot to set the root password you can do this: :: mysqladmin -u root -pnova password 'supersecret' + +Live Migration +-------------- + +In order for live migration to work with the default live migration URI:: + + [libvirt] + live_migration_uri = qemu+ssh://stack@%s/system + +SSH keys need to be exchanged between each compute node: + +1. The SOURCE root user's public RSA key (likely in /root/.ssh/id_rsa.pub) + needs to be in the DESTINATION stack user's authorized_keys file + (~stack/.ssh/authorized_keys). This can be accomplished by manually + copying the contents from the file on the SOURCE to the DESTINATION. If + you have a password configured for the stack user, then you can use the + following command to accomplish the same thing:: + + ssh-copy-id -i /root/.ssh/id_rsa.pub stack@DESTINATION + +2. The DESTINATION host's public ECDSA key (/etc/ssh/ssh_host_ecdsa_key.pub) + needs to be in the SOURCE root user's known_hosts file + (/root/.ssh/known_hosts). This can be accomplished by running the + following on the SOURCE machine (hostname must be used):: + + ssh-keyscan -H DEST_HOSTNAME | sudo tee -a /root/.ssh/known_hosts + +In essence, this means that every compute node's root user's public RSA key +must exist in every other compute node's stack user's authorized_keys file and +every compute node's public ECDSA key needs to be in every other compute +node's root user's known_hosts file. Please note that if the root or stack +user does not have a SSH key, one can be generated using:: + + ssh-keygen -t rsa + +The above steps are necessary because libvirtd runs as root when the +live_migration_uri uses the "qemu:///system" family of URIs. For more +information, see the `libvirt documentation`_. + +.. _libvirt documentation: https://libvirt.org/drvqemu.html#securitydriver
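
Review bot: In step 2, `ssh-keyscan -H DEST_HOSTNAME | sudo tee -a /root/.ssh/known_hosts` appends whatever keys the network returns to root's known_hosts with no verification, and without `-t` it records every key type ssh-keyscan fetches by default rather than only the ECDSA key the text names. Suggest `ssh-keyscan -t ecdsa -H DEST_HOSTNAME` plus a sentence telling the reader to compare the scanned fingerprint with the output of `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run on the DESTINATION before relying on the entry. The "(hostname must be used)" remark is given without a reason; one clause explaining why would stop readers from substituting an IP address. In step 1, the `ssh-copy-id` command reads /root/.ssh/id_rsa.pub, so the text should say it is run as root (step 2 already uses sudo), and the placeholder is DESTINATION there but DEST_HOSTNAME in step 2; pick one. The `ssh-keygen -t rsa` hint likewise should say which user runs it, so the key lands in /root/.ssh or ~stack/.ssh as intended. Since the closing paragraph describes a full mesh in which every node's root key is accepted by the stack user on every other node, it is worth stating in the text that this setup is meant for the multi-node lab this guide covers.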