On 11/3/20 6:51 AM, Zhi CZ Chang wrote:
Hi, all,

In the nova live migration doc[1], there is some description of libvirt configuration:

"Enable password-less SSH so that root on one compute host can log on to any other compute host without providing a password. The libvirtd daemon, which runs as root, uses the SSH protocol to copy the instance to the destination and can’t know the passwords of all compute hosts."

According to the description, I understand that the libvirtd daemon runs as the root user to remotely copy the instance to the destination. My question is, why make the libvirtd daemon run as the "root" user for copying the instance rather than another user, like the "nova" user?

Thanks
Zhi Chang
Hi,

What's needed is password-less (i.e. key authentication) under the nova user, not root.

What I did was have the ssh host keys signed, so that nodes can authenticate with each other in a secure way. I strongly recommend doing that, instead of blindly trusting ssh keys, which could potentially mean someone could be in the middle.

Cheers,

Thomas Goirand (zigo)
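The signed-host-key setup Thomas describes, as an added example (not code from the thread or from nova): one CA key signs each compute node's SSH host key, and the nova user's known_hosts trusts the CA instead of individual host keys. The domain `example.internal`, the node name `compute-01`, and the temp-dir paths are constructed for the demo; on real nodes the host key lives under /etc/ssh and the signed cert is referenced from sshd_config via HostCertificate.

```shell
#!/usr/bin/env bash
# Added example: SSH host-certificate trust for compute-to-compute logins.
# All names and paths below are hypothetical; the CA key would be kept
# off the compute nodes in a real deployment.
set -euo pipefail
command -v ssh-keygen >/dev/null || { echo "ssh-keygen not found" >&2; exit 0; }

WORKDIR="$(mktemp -d)"
CA_KEY="$WORKDIR/host_ca"                 # CA private key (central, offline)
NODE_KEY="$WORKDIR/ssh_host_ed25519_key"  # stands in for /etc/ssh/ssh_host_ed25519_key
NODE_FQDN="compute-01.example.internal"   # constructed node name

# 1. Create the CA keypair once, centrally.
make_host_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'nova host CA' -f "$CA_KEY"
}

# 2. Per node: generate the host key, then sign it with the CA.
#    -h marks a host certificate, -n lists the hostnames (principals) it is
#    valid for, -I is the identity shown in sshd logs, -V the validity window.
#    Output is $NODE_KEY-cert.pub, which sshd serves via HostCertificate.
sign_host_key() {
  ssh-keygen -q -t ed25519 -N '' -f "$NODE_KEY"
  ssh-keygen -q -s "$CA_KEY" -I "$NODE_FQDN" -h -n "$NODE_FQDN" -V +52w "$NODE_KEY.pub"
}

# 3. The single known_hosts line for the nova user (or /etc/ssh/ssh_known_hosts):
#    any host in *.example.internal presenting a cert signed by this CA is
#    trusted; a host offering an unsigned key (e.g. a man in the middle) is not.
ca_known_hosts_line() {
  printf '@cert-authority *.example.internal %s\n' "$(cut -d' ' -f1,2 "$CA_KEY.pub")"
}

# 4. Check: the certificate's principal must match the name nova will connect to.
cert_principal() {
  ssh-keygen -L -f "$NODE_KEY-cert.pub" \
    | awk '/Principals:/{getline; gsub(/^[ \t]+/,""); print; exit}'
}
```

Rolling the CA key is then a matter of re-signing host keys and replacing one known_hosts line, rather than touching every node's per-host entries.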