[nova] Why nova needs password-less SSH to do live migration?
On 11/3/20 6:51 AM, Zhi CZ Chang wrote:
Hi, all

In the nova live migration doc[1], there is some description of libvirt configuration:

"Enable password-less SSH so that root on one compute host can log on to any other compute host without providing a password. The libvirtd daemon, which runs as root, uses the SSH protocol to copy the instance to the destination and can’t know the passwords of all compute hosts."

According to the description, I understand that the libvirtd daemon runs as the root user to remotely copy the instance to the destination. My question is, why make the libvirtd daemon run as the "root" user to copy the instance rather than as another user, like the "nova" user?

Thanks
Zhi Chang

Hi,

What's needed is password-less (i.e. key authentication) under the nova user, not root. What I did was having the ssh host keys signed, so that nodes can authenticate with each other in a secure way. I strongly recommend doing that, instead of blindly trusting ssh keys, which could potentially mean someone could be in the middle.

Cheers,
Thomas Goirand (zigo)
On 11/3/20 9:18 AM, Zhi CZ Chang wrote:
Hi, Thomas

Thanks for your reply. In your environment, you use the "root" user for authenticating with each other compute node, rather than the "nova" user, right? If so, why use the "root" user rather than the "nova" user then privilege the root permission to the "nova" user?

Thanks
Zhi Chang

Hi,

No, the username is "nova", not "root".

Thomas Goirand (zigo)

P.S: Please don't CC me, I'm registered to the list.
On Tue, 2020-11-03 at 11:15 +0000, Zhi CZ Chang wrote:
Alright, do you mean that the libvirtd daemon is started by the nova user? And the nova user has the same privilege as the root user?
nova needs ssh on live migration to do a few things.

first is to test if the storage is shared. nova creates a temp dir on the source node, then sshs to the dest node and checks if it's visible. this is needed to determine if you mounted the instance state dir on nfs, for example.

the second reason is to copy some files that won't be copied by libvirt, like vtpm data, and in the past i think it also copied the config drive or console log.

the third and most important use case is establishing the connection over which the qemu data is transferred. before libvirt/qemu supported native tls encryption of the transferred data, ssh was the primary way to transfer the vm data in an encrypted form. the ssh tunnel was used to pipe the data from one qemu to another instead of using plain text tcp.

in all 3 of these cases you only need to use the nova user, not root. the nova user needs to be part of the libvirt/qemu/kvm group, depending on what OS you are on, to manage vms, but that also provides it with the required permissions to live migrate the vm and update the instance state dir. root should not be needed and the nova user does not need full root permissions for live migration.
Thanks Zhi Chang
----- Original message -----
From: Thomas Goirand <zigo@debian.org>
To: "openstack-discuss@lists.openstack.org" <OpenStack-discuss@lists.openstack.org>
Cc:
Subject: [EXTERNAL] Re: [nova] Why nova needs password-less SSH to do live migration?
Date: Tue, Nov 3, 2020 18:27
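An added example (not written by any poster in this thread, and not nova's own code): a small Python audit of the SSH client setup used for migration, flagging the "blindly trusting ssh keys" case Thomas warns about and root being used where Sean notes the nova user is enough. The sample config, host names and key placeholders are constructed, and Host blocks are flattened for simplicity.

```python
import re

# Constructed sample files for a hypothetical compute host (not from the thread).
SSH_CONFIG = """\
Host compute-*
    User nova
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
"""
KNOWN_HOSTS = """\
# constructed entries, key material replaced by placeholders
@cert-authority *.cloud.example ssh-ed25519 AAAAC3PLACEHOLDERCA
compute-7.cloud.example ssh-ed25519 AAAAC3PLACEHOLDERHOST
"""

def parse_ssh_config(text):
    """Return {option_lowercase: value}; first value wins, Host blocks flattened."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Key value" and "Key=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def audit(ssh_config, known_hosts):
    """Return a list of findings for the migration SSH client configuration."""
    findings = []
    opts = parse_ssh_config(ssh_config)
    if opts.get("stricthostkeychecking", "ask").lower() in ("no", "off", "accept-new"):
        findings.append("host keys accepted without verification (StrictHostKeyChecking)")
    if opts.get("userknownhostsfile") == "/dev/null":
        findings.append("known_hosts discarded (UserKnownHostsFile /dev/null)")
    if opts.get("user") == "root":
        findings.append("migration SSH runs as root; the nova user is sufficient")
    entries = [l.split() for l in known_hosts.splitlines()
               if l.strip() and not l.strip().startswith("#")]
    # A host CA is trusted through an "@cert-authority" marker line in known_hosts.
    if not any(e[0] == "@cert-authority" for e in entries):
        findings.append("no @cert-authority entry; signed host keys are not being checked")
    return findings

if __name__ == "__main__":
    for finding in audit(SSH_CONFIG, KNOWN_HOSTS):
        print("FINDING:", finding)
```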
participants (3)
- Sean Mooney
- Thomas Goirand
- Zhi CZ Chang