tunnelled migration

Dan Kenigsberg danken at redhat.com
Sun Jan 13 10:50:30 UTC 2013


On Fri, Jan 11, 2013 at 02:05:10PM +0800, Mark Wu wrote:
> On 01/11/2013 04:14 AM, Caitlin Bestler wrote:
> >Dan Kenigsberg wrote:
> >
> >
> >>Choosing tunnelled migration is thus a matter of policy. I would like to suggest a new cluster-level configurable in Engine,
> >>that controls whether migrations in this cluster are tunnelled. The configurable must be available only in new cluster levels
> >>where hosts support it.
> >Why not just dump this issue to network configuration?
> >
> >Migrations occur over a secure network. That security could be provided by port groups, VLANs or encrypted tunnels.
> Agreed. Is a separate vlan network not secure enough?  If yes, we
> could build a virtual encrypted network, like using openvpn +
> iptables.

I agree that separating migration traffic to a different,
optionally-encrypted network, is a noble goal. In fact, it is a parallel
effort that I am pushing for:
http://lists.ovirt.org/pipermail/arch/2013-January/001117.html

Building our own tunnel between hosts is cool, but using libvirt's
tunneling is here and now and easy, and should not wait just because
there's even better technology around the third next corner.

With my suggested API, we could even change the implementation of
"tunnelled" to "tunnel over our own vpn" if we need to. Now is the time
to eat the low-hanging fruit of VIR_MIGRATE_TUNNELLED.

Dan.


