[nova] Why nova needs password-less SSH to do live migration?

Sean Mooney smooney at redhat.com
Wed Nov 4 13:10:59 UTC 2020

On Tue, 2020-11-03 at 11:15 +0000, Zhi CZ Chang wrote:
> Alright, do you mean that the libvirtd daemon is started by the nova user? And the nova user has the same privilege as the root user?

nova needs ssh on live migration to do a few things.
first is to test if the storage is shared. nova creates a temp dir on the source node then sshs to the dest
node and checks if it's visible. this is needed to determine if you mounted the instance state dir on nfs for example.
the second reason is to copy some files that won't be copied by libvirt like vtpm data and in the past I think it also
copied the config drive or console log.

the third and most important use case is establishing the connection over which the qemu data is transferred.
before libvirt/qemu supported native tls encryption of the transferred data ssh was the primary way to transfer
the vm data in an encrypted form. the ssh tunnel was used to pipe the data from one qemu to another instead of using
plain text tcp.  in all 3 of these cases you only need to use the nova user not root.
the nova user needs to be part of the libvirt/qemu/kvm group depending on what OS you are on to manage vms but that
also provides it with the required permissions to live migrate the vm and update the instance state dir.

root should not be needed and the nova user does not need full root permisions for live migration.
> Thanks
> Zhi Chang
> > ----- Original message -----
> > From: Thomas Goirand <zigo at debian.org>
> > To: "openstack-discuss at lists.openstack.org" <OpenStack-discuss at lists.openstack.org>
> > Cc:
> > Subject: [EXTERNAL] Re: [nova] Why nova needs password-less SSH to do live migration?
> > Date: Tue, Nov 3, 2020 18:27
> >  
> > On 11/3/20 9:18 AM, Zhi CZ Chang wrote:
> > > Hi, Thomas
> > >  
> > > Thanks for your reply.
> > >  
> > > In your environment, you use the "root" user for authenticating with
> > > each other compute node, rather than the "nova" user, right?
> > > If so, why use the "root" user rather than the "nova" user then
> > > privilege the root permission to the "nova" user?
> > >  
> > > Thanks
> > > Zhi Chang
> > 
> > Hi,
> > 
> > No, the username is "nova", not "root".
> > 
> > Thomas Goirand (zigo)
> > 
> > P.S: Please don't CC me, I'm registered to the list.
> >  
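The first use case Sean describes (the shared-storage probe over ssh) as an added sketch; this is not nova's own code. It assumes the instance state directory is `/var/lib/nova/instances` and that the caller supplies the command prefix used to reach the destination node, so the same function can be exercised locally without ssh.

```shell
#!/bin/sh
# Hypothetical shared-storage probe, modelled on the check described above.
# The source node drops a uniquely named marker under the instance state dir
# and asks the destination node, as the nova user, whether it can see it.
#
# usage: check_shared_storage INSTANCES_DIR REMOTE_RUNNER
#   INSTANCES_DIR  e.g. /var/lib/nova/instances (assumed default)
#   REMOTE_RUNNER  command prefix that runs its last argument on the destination,
#                  e.g. "ssh -o BatchMode=yes -o ConnectTimeout=10 nova@dest-node"
#                  (BatchMode=yes means key-based auth only: ssh fails instead of
#                  prompting for a password when run unattended by nova-compute)
# Exit status: 0 = shared, 1 = not shared, 2 = probe could not be completed.
check_shared_storage() {
    instances_dir=$1
    remote_runner=$2
    # Random suffix so two concurrent migrations never collide on the marker name.
    marker="$instances_dir/tmp_shared_probe_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    if ! mkdir "$marker" 2>/dev/null; then
        echo "cannot create probe dir in $instances_dir" >&2
        return 2
    fi
    # Destination answers exactly "yes" or "no"; anything else is treated as an error.
    if result=$($remote_runner "test -d '$marker' && echo yes || echo no"); then
        :
    else
        rmdir "$marker"
        echo "remote probe failed (ssh or remote shell error)" >&2
        return 2
    fi
    rmdir "$marker"   # always remove the marker on the source side
    case $result in
        yes) return 0 ;;
        no)  return 1 ;;
        *)   echo "unexpected remote answer: $result" >&2; return 2 ;;
    esac
}
```

A `no` answer is the signal to fall back to block migration rather than to assume the instance directory is on NFS.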
