[Openstack-operators] nova resize on shared storage

Blair Bethwaite blair.bethwaite at gmail.com
Mon Aug 1 04:02:57 UTC 2016


On 1 August 2016 at 13:30, Marcus Furlong <furlongm at gmail.com> wrote:
> Looks like there is a bug open which suggests that it should be using
> RPC calls, rather than commands executed over ssh:
>
> https://bugs.launchpad.net/nova/+bug/1459782

I agree, no operator in their right mind wants to turn this on for a
production cloud, but it's a capability that a lot of useful higher
level tooling wants to exploit (e.g. right-sizing solutions). IIRC
this was discussed some time ago and I thought there was something in
the dev pipeline to address it. Looking at the bug it does mention the
related live-migration cleanup work that happened ~Havana or so, I
guess the cold-migrate/resize pathway was missed or did it get stuck
in review?

On this point in the bug report:
==
There's a complication though. In virt.libvirt.utils.copy_image() we
also rely on passwordless authentication to do either "rsync" or "scp"
to copy the image file over when doing cold migration with local
storage. So for the case of local storage we'd still need to set up
passwordless ssh between compute nodes to handle cold migration.
==

Passwordless ssh for services need not be so scary, it just needs to
be managed right... Fortunately OpenSSH has a rather cool feature
(that lots of people seem not to know about) - it supports auth by
certificate, by which I mean an appropriately configured sshd can
authenticate a client's cert based on the fact that it was signed by a
trusted SSH CA without any need to have a record of the client's
public key. Signed certs are valid for a limited time, so you can
imagine building some automation that created a short-lived cert on
demand that was valid just long enough to establish the scp connection
needed to complete a cold-migration or resize. See "man ssh-keygen" ->
CERTIFICATES.

-- 
Cheers,
~Blairo
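
The short-lived certificate flow described in the message above, as an added example that is not part of the original post or of nova. The working directory, key ID, the "nova-migrate" principal, the principals-file path and the 192.0.2.10 source address are constructed placeholders; the ssh-keygen and sshd_config options are standard OpenSSH.

```shell
#!/bin/sh
# Added example. Paths, key ID, principal "nova-migrate" and the 192.0.2.10
# source address are constructed placeholders, not values from the thread.

# One-time: create the SSH CA key pair (keep the private half off compute nodes).
make_ca() {                      # $1 = working directory
    ssh-keygen -q -t ed25519 -N '' -C 'constructed-ssh-ca' -f "$1/ca"
}

# Per migration: generate a throwaway key and sign it as a user certificate.
# $1 = dir, $2 = key ID (shows up in sshd logs), $3 = validity, $4 = source CIDR
issue_cert() {
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/migrate_key"
    ssh-keygen -q -s "$1/ca" -I "$2" -n nova-migrate -V "$3" \
        -O source-address="$4" \
        -O no-pty -O no-port-forwarding -O no-agent-forwarding \
        -O no-x11-forwarding -O no-user-rc \
        "$1/migrate_key.pub"     # writes $1/migrate_key-cert.pub
}

# Human-readable dump of the certificate: principals, validity, restrictions.
show_cert() {                    # $1 = working directory
    ssh-keygen -L -f "$1/migrate_key-cert.pub"
}

# sshd_config lines for the destination node. $1 = installed CA public key.
# The per-user principals file must list "nova-migrate" for the account
# that receives the copy.
sshd_fragment() {
    printf 'TrustedUserCAKeys %s\n' "$1"
    printf 'AuthorizedPrincipalsFile /etc/ssh/auth_principals/%%u\n'
}

# Demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
    make_ca "$d"
    # Backdate one minute for clock skew; expire five minutes from now.
    issue_cert "$d" "resize-demo" "-1m:+5m" "192.0.2.10/32"
    show_cert "$d"
    sshd_fragment /etc/ssh/nova_ca.pub
    # scp -i "$d/migrate_key" loads migrate_key-cert.pub from beside the key.
fi
```

The destination sshd needs only the CA public key and the principals file; no per-node authorized_keys entries are distributed, and an expired certificate is rejected without any revocation step.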


