需求
虚机内存或硬盘里存有敏感信息时,由于 live migrate 的迁移流量默认不加密,网络抓包就能获取这些信息。
版本要求
libvirt >= 4.5.0,qemu >= 2.12.0
利用libvirt加密
#安装证书生成工具
# certtool (used below) is shipped in the gnutls-utils package; the use of yum suggests an RPM-based host
yum install gnutls-utils
CA 证书只需一份(CA 私钥只用于签发,不要分发到计算节点),服务端和客户端证书每个计算节点都要各生成一份,然后 scp 到对应的计算节点,这里以 test25g05 计算节点为例。
#CA证书生成
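# Generate the CA private key. The subshell umask keeps the key file from being
# created with the session's default mode (often 644 world-readable) — the CA key
# is the root of trust for every node, so only this user should ever read it.
(umask 077; certtool --generate-privkey > cakey.pem)
# The original page showed ca.info as the output of `cat ca.info` behind a shell
# prompt; written as a here-doc so the listing can be executed as-is.
cat > ca.info <<'EOF'
cn = Qihoo
ca
cert_signing_key
expiration_days = 700
EOF
# Self-signed CA certificate (public; copied to every node later).
certtool --generate-self-signed --load-privkey cakey.pem \
  --template ca.info --outfile cacert.pem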
#服务端证书生成
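# Server key for this compute node; umask keeps it from being created world-readable.
(umask 077; certtool --generate-privkey > test25g05_serverkey.pem)
# Server template (shown as `cat` output on the original page). With certificate
# verification enabled the peer compares the name it connected to against cn /
# ip_address, so these must match the host name or IP used in the migration URI.
cat > test25g05_server.info <<'EOF'
organization = Qihoo
cn = test25g05.ops.lycc.qihoo.net
ip_address = 10.162.97.117
tls_www_server
encryption_key
signing_key
expiration_days = 700
EOF
# One command; the original split it over three lines without `\` continuations,
# so pasted into a shell it would fail.
certtool --generate-certificate --load-privkey test25g05_serverkey.pem \
  --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem \
  --template test25g05_server.info --outfile test25g05_servercert.pem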
#客户端证书
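# Client key for this compute node; umask keeps it from being created world-readable.
(umask 077; certtool --generate-privkey > test25g05_clientkey.pem)
# Client template (shown as `cat` output on the original page).
# The original template carried `tls_www_server` here, which gives the client
# certificate a server key purpose. A certificate presented as a TLS client
# needs the client purpose (`tls_www_client`, as in libvirt's tlscerts docs);
# otherwise the libvirt server's key-purpose check rejects it, and the same
# file would also be usable to impersonate a server.
cat > test25g05_client.info <<'EOF'
country = CN
state = BJ
locality = BJ
organization = Qihoo
cn = test25g05.ops.lycc.qihoo.net
tls_www_client
encryption_key
signing_key
expiration_days = 700
EOF
# One command; the original lacked `\` continuations.
certtool --generate-certificate --load-privkey test25g05_clientkey.pem \
  --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem \
  --template test25g05_client.info --outfile test25g05_clientcert.pem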
#证书分发
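# Install the CA certificate where libvirt looks for it; it is public, so 444.
cp cacert.pem /etc/pki/CA/
chmod 444 /etc/pki/CA/cacert.pem
restorecon /etc/pki/CA/cacert.pem
# -p creates /etc/pki/libvirt as well; modes set explicitly below.
mkdir -p /etc/pki/libvirt/private
chmod 755 /etc/pki/libvirt
chmod 750 /etc/pki/libvirt/private
cp -f test25g05_servercert.pem /etc/pki/libvirt/servercert.pem
cp -f test25g05_serverkey.pem /etc/pki/libvirt/private/serverkey.pem
# One command; the original spread the four paths over separate lines without
# continuations, so only the first would have been applied.
chgrp qemu /etc/pki/libvirt /etc/pki/libvirt/servercert.pem \
  /etc/pki/libvirt/private /etc/pki/libvirt/private/serverkey.pem
# NOTE(review): chgrp qemu followed by chmod 600 leaves group qemu with no
# access at all. If the intent is for a non-root process in that group to read
# the server key, 640 is what is meant; if only libvirtd (root) reads it, the
# chgrp is unnecessary. Kept as on the original page — confirm which applies.
chmod 600 /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem
restorecon -R /etc/pki/libvirt /etc/pki/libvirt/private
cp -f test25g05_clientcert.pem /etc/pki/libvirt/clientcert.pem
cp -f test25g05_clientkey.pem /etc/pki/libvirt/private/clientkey.pem
# The certificate is public; the private key is not. The original gave the
# client key 644, i.e. readable by every local user, which would let any local
# account authenticate to the other nodes as this client.
chmod 644 /etc/pki/libvirt/clientcert.pem
chmod 600 /etc/pki/libvirt/private/clientkey.pem
restorecon /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/private/clientkey.pem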
#修改 libvirt 的配置,其它保持不变(注意:较老版本的 libvirtd 还需以 --listen 参数启动,否则 listen_tls 不会生效)
vim /etc/libvirt/libvirtd.conf
listen_tls = 1
配置nova
vim /etc/nova/nova.conf
[libvirt]
live_migration_tunnelled = true
# 注意:隧道走的是 nova 到对端 libvirtd 的连接,该连接本身需要使用 tls scheme(live_migration_scheme 未设置时为 tcp),否则迁移数据并未加密——请核对
存在的问题:
1.非共享存储(non-shared storage)场景下,磁盘数据的迁移流量不经过 libvirt 隧道,因此无法加密
2.性能比较低(迁移数据要额外经过 libvirtd 转发一次)
利用qemu加密
#其它步骤同上,只是证书还需额外放置到 QEMU 使用的目录
#证书分发
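# Certificate directory for QEMU-native TLS; must match migrate_tls_x509_cert_dir
# in /etc/libvirt/qemu.conf. QEMU expects the fixed file names used below.
mkdir -p /var/lib/nova/qemu
cp -f cacert.pem /var/lib/nova/qemu/ca-cert.pem
cp -f test25g05_servercert.pem /var/lib/nova/qemu/server-cert.pem
# The original copied the server key to /var/lib/nova/server-key.pem, i.e.
# outside migrate_tls_x509_cert_dir, where QEMU would not find it.
cp -f test25g05_serverkey.pem /var/lib/nova/qemu/server-key.pem
cp -f test25g05_clientcert.pem /var/lib/nova/qemu/client-cert.pem
cp -f test25g05_clientkey.pem /var/lib/nova/qemu/client-key.pem
# Here the keys are read by the QEMU process itself, not by root libvirtd, so
# they must be owned by the account QEMU runs as (the `user` setting in
# /etc/libvirt/qemu.conf) and readable by nobody else. The original page set
# no ownership or mode at all, leaving the keys at the default (umask) mode.
: "${QEMU_USER:?set to the user QEMU runs as (user= in /etc/libvirt/qemu.conf)}"
chown "$QEMU_USER" /var/lib/nova/qemu/server-key.pem /var/lib/nova/qemu/client-key.pem
chmod 644 /var/lib/nova/qemu/ca-cert.pem /var/lib/nova/qemu/server-cert.pem \
  /var/lib/nova/qemu/client-cert.pem
chmod 600 /var/lib/nova/qemu/server-key.pem /var/lib/nova/qemu/client-key.pem
# NOTE(review): with SELinux enforcing, confirm the QEMU domain is allowed to
# read this directory; the libvirt section of this page relies on restorecon
# under /etc/pki, whereas /var/lib/nova carries nova's own context.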
#修改配置
vim /etc/libvirt/qemu.conf
migrate_tls_x509_cert_dir = "/var/lib/nova/qemu"
migrate_tls_x509_verify = 1
#修改nova-compute的配置
vim /etc/nova/nova.conf
[libvirt]
#live_migration_tunnelled = true   # 注释掉或删除(该项只用于上面的 libvirt 加密方式,不要与 native TLS 同时开启)
live_migration_with_native_tls = true
qemu 的 TLS 加密除了可用于虚机热迁移,还可用于 NBD、VNC 等
参考文献
https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html
https://docs.openstack.org/nova/pike/admin/live-migration-usage.html
https://docs.openstack.org/nova/pike/admin/configuring-migrations.html#section-configuring-compute-migrations
https://libvirt.org/tlscerts.html
https://wiki.libvirt.org/page/TLSDaemonConfiguration
https://wiki.qemu.org/Features/MigrationTLS
https://www.berrange.com/posts/2016/08/16/improving-qemu-security-part-7-tls-support-for-migration/
https://libvirt.org/migration.html
https://www.qemu.org/docs/master/system/tls.html