Support QEMU Native TLS for migration and disks over NBD

Registered by Kashyap Chamarthy on 2018-12-14

Why?
--------

The encryption offered by Nova today (via `live_migration_tunnelled`) does not secure all the different migration streams of a Nova instance, namely: guest RAM, device state, and disks (via NBD) when using non-shared storage. Further, "tunnelling via libvirtd" has inherent limitations: (a) it cannot handle live migration of disks in a non-shared storage setup (a.k.a. "block migration"); and (b) it has a huge performance overhead and latency, because it burns more CPU and memory bandwidth due to the increased number of data copies on both source and destination hosts.

This change
------------------

To solve the existing limitation, this patch introduces a new config option `live_migration_with_native_tls`, which will use the "native TLS" (i.e. TLS built into QEMU, and relevant support in libvirt). This will secure all migration streams, including disks that are not on shared storage—all of this without incurring the limitations of the "tunnelled via libvirtd" transport.

Prerequisites
-------------------

(1) This needs at least: libvirt 4.4.0 and QEMU 2.11.

(2) A TLS environment—i.e. CA, server, and client certificates, their file permissions, et al—must be "correctly" configured (typically by an installer tool) on all relevant Compute nodes.

(3) Ensure the following TLS-related config attributes in `/etc/libvirt/qemu.conf` are in place on all relevant Compute nodes, e.g.:

      default_tls_x509_cert_dir = "/etc/pki/qemu/"
      default_tls_x509_verify = 1

Note that there are other TLS-related config attributes in `/etc/libvirt/qemu.conf`. But if you set both `default_*` parameters for all certificates, then there is no need to specify any of the others. In OpenStack's case, we just stick to setting up only the `default_*` case.
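
As an added example (not part of the blueprint or of Nova's code), a preflight check for prerequisites (2) and (3) that an operator could run on each Compute node before enabling `live_migration_with_native_tls`. The certificate file names and the rule that private keys must not be accessible to other users are assumptions based on QEMU's usual x509 directory layout; `root` is a hypothetical parameter used only to point the check at a test directory.

```python
import os
import re
import stat
import sys

# Assumption (not from the page): file names QEMU's x509 credentials expect
# inside default_tls_x509_cert_dir, for both the server and client roles.
REQUIRED_FILES = ("ca-cert.pem", "server-cert.pem", "server-key.pem",
                  "client-cert.pem", "client-key.pem")

# Constructed sample: the two settings from prerequisite (3), plus a commented line.
SAMPLE_CONF = '''
#default_tls_x509_verify = 0
default_tls_x509_cert_dir = "/etc/pki/qemu/"
default_tls_x509_verify = 1
'''

def parse_qemu_conf(text):
    """Return the active (uncommented) key = value settings of a qemu.conf."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def check_native_tls(conf_text, root="/"):
    """Return a list of problems; an empty list means the prerequisites hold."""
    conf = parse_qemu_conf(conf_text)
    problems = []
    if conf.get("default_tls_x509_verify") != "1":
        problems.append("default_tls_x509_verify is not set to 1")
    cert_dir = conf.get("default_tls_x509_cert_dir")
    if not cert_dir:
        return problems + ["default_tls_x509_cert_dir is not set"]
    base = os.path.join(root, cert_dir.lstrip("/"))  # root lets a test use a temp dir
    for name in REQUIRED_FILES:
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            problems.append(f"missing {name} in {cert_dir}")
        elif name.endswith("-key.pem") and stat.S_IMODE(os.stat(path).st_mode) & 0o007:
            problems.append(f"{name} is accessible to other users")
    return problems

if __name__ == "__main__":
    with open("/etc/libvirt/qemu.conf") as fh:
        found = check_native_tls(fh.read())
    print("\n".join(found) or "native TLS prerequisites look in place")
    sys.exit(1 if found else 0)
```

The check only confirms that the settings and files are present; it does not validate the certificate chain itself.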

    * * *

NB: In the long term, we will deprecate the existing `live_migration_tunnelled` config option, as tunnelling via 'libvirtd' has few compelling reasons, if any, due to the problems discussed in the "Why?" section earlier.

Blueprint information

Status: Complete
Approver: Dan Smith
Priority: Low
Drafter: Kashyap Chamarthy
Direction: Approved
Assignee: Kashyap Chamarthy
Definition: Approved
Series goal: Accepted for stein
Implementation: Implemented
Milestone target: stein-3
Started by: melanie witt on 2019-01-10
Completed by: Matt Riedemann on 2019-01-22

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bug/1798796,n,z

Addressed by: https://review.openstack.org/625216
    libvirt: Support native TLS for migration and disks over NBD

Gerrit topic: https://review.openstack.org/#q,topic:bp/support-qemu-native-tls-for-live-migration,n,z

Addressed by: https://review.openstack.org/629627
    docs: Secure live migration with QEMU-native TLS

We were holding approval of this blueprint pending the preliminary review of a docs patch for the series. That has been done at this point, and so now we're approving the blueprint. -- melwitt 20190110

Gerrit topic: https://review.openstack.org/#q,topic:Native_TLS,n,z

Addressed by: https://review.openstack.org/630980
    libvirt: A few miscellaneous items related to "native TLS"

Addressed by: https://review.openstack.org/631283
    docs: Update references to "QEMU-native TLS" document
