tunnelled migration

[Omer Frenkel]

----- Original Message -----
> From: "Dan Kenigsberg" <danken at redhat.com>
> To: "Mark Wu" <wudxw at linux.vnet.ibm.com>
> Cc: arch at ovirt.org, "Michal Skrivanek" <mskrivan at redhat.com>
> Sent: Sunday, January 13, 2013 12:50:30 PM
> Subject: Re: tunnelled migration
> 
> On Fri, Jan 11, 2013 at 02:05:10PM +0800, Mark Wu wrote:
> > On 01/11/2013 04:14 AM, Caitlin Bestler wrote:
> > >Dan Kenisberg wrote:
> > >
> > >
> > >>Choosing tunnelled migration is thus a matter of policy. I would
> > >>like to suggest a new cluster-level configurable in Engine,
> > >>that controls whether migrations in this cluster are tunnelled.
> > >>The configurable must be available only in new cluster levels
> > >>where hosts support it.
> > >Why not just dump this issue to network configuration?
> > >
> > >Migrations occur over a secure network. That security could be
> > >provided by port groups, VLANs or encrypted tunnels.
> > Agreed. Is a separate vlan network not secure enough?  If yes, we
> > could build a virtual encrypted network, like using openvpn +
> > iptables.
> 
> I agree that separating migration traffic to a different,
> optionally-encrypted network, is a noble goal. In fact, it is a
> parallel
> effort that I am pushing for:
> http://lists.ovirt.org/pipermail/arch/2013-January/001117.html
> 
> Building our own tunnel between hosts is cool, but using libvirt's
> tunneling is here and now and easy, and should not wait just because
> there's even better technology around the third next corner.
> 
> With my suggested API, we could even change the implementation of
> "tunnelled" to "tunnel over our own vpn" if we need to. Now is the
> time
> to eat the low-hanging fruit of VIR_MIGRATE_TUNNELLED.
> 
> Dan.

suggested implementation for engine (without rest/ui):
http://gerrit.ovirt.org/#/c/11062/

> _______________________________________________
> Arch mailing list
> Arch at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/arch
>