Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable live-migration NBD TLS #626

Merged
merged 1 commit into from
Apr 16, 2024
Merged

Enable live-migration NBD TLS #626

merged 1 commit into from
Apr 16, 2024

Conversation

olliewalsh
Copy link
Contributor

@olliewalsh olliewalsh commented Apr 16, 2024
edited
Loading

MUST set live_migration_uri as it's already set to qemu+ssh://... in the 01 nova conf file

Disable post-copy when NBD TLS is enabled until
https://issues.redhat.com/browse/LIBVIRT-1113 is resolved.

Fix qemu cert path and permissions. Qemu is expecting the ca cert to be in a single dir and root:qemu 0640.
https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html#other-tls-environment-related-checks-on-compute-nodes

Related: OSPRH-6173
Depends-On: openstack-k8s-operators/install_yamls#804
Depends-On: openstack-k8s-operators/dataplane-operator#827

@olliewalsh olliewalsh mentioned this pull request Apr 16, 2024
Closed
@olliewalsh
Enable live-migration NBD TLS
eb57c79 
MUST set live_migration_uri as it's already set to qemu+ssh://...
in the 01 nova conf file

Disable post-copy when NBD TLS is enabled until
https://issues.redhat.com/browse/LIBVIRT-1113 is resolved.

Fix qemu cert path and permissions. Qemu is expecting the ca cert
to be in a single dir and root:qemu 0640.
https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html#other-tls-environment-related-checks-on-compute-nodes

Related: OSPRH-6173
@olliewalsh olliewalsh mentioned this pull request Apr 16, 2024
Closed
@olliewalsh
Copy link
Contributor Author

olliewalsh commented Apr 16, 2024
edited
Loading

Live-migration with NBD TLS is working with these changes, first migration failed with what looks like a nova bug:

sh-5.1$ openstack server migration list
+----+--------------------------------------+-------------------------------------+-------------------------------------+-------------------------------------+-------------------------------------+-----------+-----------+--------------------------------------+------------+------------+----------------+----------------------------+----------------------------+
| Id | UUID                                 | Source Node                         | Dest Node                           | Source Compute                      | Dest Compute                        | Dest Host | Status    | Server UUID                          | Old Flavor | New Flavor | Type           | Created At                 | Updated At                 |
+----+--------------------------------------+-------------------------------------+-------------------------------------+-------------------------------------+-------------------------------------+-----------+-----------+--------------------------------------+------------+------------+----------------+----------------------------+----------------------------+
|  3 | 924aad99-c862-4a0d-b9fa-fa70919f2556 | edpm-compute-1.ctlplane.example.com | edpm-compute-0.ctlplane.example.com | edpm-compute-1.ctlplane.example.com | edpm-compute-0.ctlplane.example.com | None      | completed | 84488727-df3f-46dc-9a68-aef049acb2c5 |          1 |          1 | live-migration | 2024-04-16T01:10:12.000000 | 2024-04-16T01:10:28.000000 |
|  2 | 13597919-5938-4991-bb54-1a7d51738896 | edpm-compute-0.ctlplane.example.com | edpm-compute-1.ctlplane.example.com | edpm-compute-0.ctlplane.example.com | edpm-compute-1.ctlplane.example.com | None      | completed | 84488727-df3f-46dc-9a68-aef049acb2c5 |          1 |          1 | live-migration | 2024-04-16T01:07:14.000000 | 2024-04-16T01:07:28.000000 |
|  1 | 144974c7-c910-4efc-b52d-df9133014c3f | edpm-compute-0.ctlplane.example.com | edpm-compute-1.ctlplane.example.com | edpm-compute-0.ctlplane.example.com | edpm-compute-1.ctlplane.example.com | None      | failed    | 84488727-df3f-46dc-9a68-aef049acb2c5 |          1 |          1 | live-migration | 2024-04-16T01:01:06.000000 | 2024-04-16T01:01:14.000000 |
+----+--------------------------------------+-------------------------------------+-------------------------------------+-------------------------------------+-------------------------------------+-----------+-----------+--------------------------------------+------------+------------+----------------+----------------------------+----------------------------+

Raised https://bugs.launchpad.net/nova/+bug/2061701 for the nova issue

@olliewalsh
Copy link
Contributor Author

Tempest live migration test passing https://logserver.rdoproject.org/36/736/20943694ebd04eb822d529cf8a2a7c1cf3d86866/github-check/openstack-operator-tempest-multinode/dbb1a45/controller/ci-framework-data/tests/tempest/tempest/stestr_results.html

@olliewalsh olliewalsh requested a review from stuggi April 16, 2024 09:18
stuggi
stuggi approved these changes Apr 16, 2024
View reviewed changes
Copy link
Contributor

@stuggi stuggi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Apr 16, 2024
bshephar
bshephar approved these changes Apr 16, 2024
View reviewed changes
Copy link
Contributor

@bshephar bshephar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make sure we capture this with a QE job as well. Particularly while we have that FIXME libvirt issue open.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 16, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bshephar, olliewalsh, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [bshephar,olliewalsh,stuggi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 9a6b6a7 into openstack-k8s-operators:main Apr 16, 2024
34 checks passed
SeanMooney
SeanMooney reviewed Apr 16, 2024
View reviewed changes
roles/edpm_nova/templates/02-nova-host-specific.conf.j2
{% if edpm_nova_live_migration_tls|bool %}
live_migration_scheme = tls
live_migration_uri = qemu+tls://%s/system
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 we had talks about replaceing this with the URI during the ptg last week so I'm glad to see this included here

roles/edpm_nova/templates/02-nova-host-specific.conf.j2 Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bogdando bogdando bogdando left review comments

@SeanMooney SeanMooney SeanMooney left review comments

@bshephar bshephar bshephar approved these changes

@stuggi stuggi stuggi approved these changes

@gibizer gibizer Awaiting requested review from gibizer

@vakwetu vakwetu Awaiting requested review from vakwetu

@frenzyfriday frenzyfriday Awaiting requested review from frenzyfriday

@jpodivin jpodivin Awaiting requested review from jpodivin

Assignees

@stuggi stuggi

@bshephar bshephar

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@olliewalsh @SeanMooney @bogdando @stuggi @bshephar