@@ -373,3 +373,43 @@ If you forgot to set the root password you can do this:
373373::
374374
375375 mysqladmin -u root -pnova password 'supersecret'
376+
377+ Live Migration
378+ --------------
379+
380+ In order for live migration to work with the default live migration URI::
381+
382+ [libvirt]
383+ live_migration_uri = qemu+ssh://stack@%s/system
384+
385+ SSH keys need to be exchanged between each compute node:
386+
387+ 1. The SOURCE root user's public RSA key (likely in /root/.ssh/id_rsa.pub)
388+ needs to be in the DESTINATION stack user's authorized_keys file
389+ (~stack/.ssh/authorized_keys). This can be accomplished by manually
390+ copying the contents from the file on the SOURCE to the DESTINATION. If
391+ you have a password configured for the stack user, then you can use the
392+ following command to accomplish the same thing::
393+
394+ ssh-copy-id -i /root/.ssh/id_rsa.pub stack@DESTINATION
395+
396+ 2. The DESTINATION host's public ECDSA key (/etc/ssh/ssh_host_ecdsa_key.pub)
397+ needs to be in the SOURCE root user's known_hosts file
398+ (/root/.ssh/known_hosts). This can be accomplished by running the
399+ following on the SOURCE machine (hostname must be used)::
400+
401+ ssh-keyscan -H DEST_HOSTNAME | sudo tee -a /root/.ssh/known_hosts
402+
403+ In essence, this means that every compute node's root user's public RSA key
404+ must exist in every other compute node's stack user's authorized_keys file and
405+ every compute node's public ECDSA key needs to be in every other compute
406+ node's root user's known_hosts file. Please note that if the root or stack
407+ user does not have a SSH key, one can be generated using::
408+
409+ ssh-keygen -t rsa
410+
411+ The above steps are necessary because libvirtd runs as root when the
412+ live_migration_uri uses the "qemu:///system" family of URIs. For more
413+ information, see the `libvirt documentation `_.
414+
415+ .. _libvirt documentation : https://libvirt.org/drvqemu.html#securitydriver
0 commit comments