Chapter 17. Virtualization live migration

17.1. A live migration example

Red Hat Virtualization supports migration of para-virtualized guests between Red Hat Virtualization servers. Migration can be performed in either of two ways:

Word usage note

Take note of the interchangeable use of relocation and migration throughout this section. The different terms are used to match the naming conventions of certain configuration files. Both terms mean the same thing: the relocation of one guest image from one server to another.

Itanium® support note

Virtual machine migration is presently unsupported on the Itanium® architecture.

To enable migration a few changes must be made to the configuration file /etc/xen/xend-config.sxp. By default migration is disabled because of its potentially harmful effects on the host's security. Opening the relocation port gives unauthorized hosts and users the opportunity to initiate migrations or connect to the relocation port. There is no specific authentication for relocation requests; the only control mechanism is based on hostnames and IP addresses, so special care should be taken to make sure the migration port and server are not reachable from unauthorized hosts.

A note on virtualization migration security

IP address and hostname filters offer only minimal security. Both attributes can be spoofed by an attacker who knows the address or hostname of an authorized migration client. The best method for securing migration is to isolate the network shared by the host and client from external and unauthorized internal connections.

Enabling migration

To enable migration, modify the following entries in /etc/xen/xend-config.sxp by removing the comment character preceding each parameter:

(xend-relocation-server yes)

The default value is no, which keeps the migration server deactivated. The guest's virtual memory is transferred in raw form with no encryption of the connection, so the relocation server should only be enabled on a trusted network.

Use the xend-relocation-hosts-allow option to restrict access to the migration server.

(xend-relocation-port 8002)

The (xend-relocation-port) parameter specifies the port xend uses for the relocation interface when xend-relocation-server is set to yes.

The default value should work for most installations. If you change it, make sure you choose a port that is not already in use on the relocation server.

(xend-relocation-address '')

(xend-relocation-address) is the address xend listens on for relocation-socket connections, if xend-relocation-server is set.

By default xend listens on all active interfaces; the parameter can be used to restrict the relocation server to a single interface. The default value in /etc/xen/xend-config.sxp is an empty string (''). To restrict the listener, replace it with the address of the interface the relocation server should bind to, surrounded by single quotes, for example the address of a dedicated management or migration network.

(xend-relocation-hosts-allow '')

The (xend-relocation-hosts-allow) parameter controls which hosts are allowed to talk to the relocation port.

If the value is empty, as in the example above (an empty string surrounded by single quotes), all connections are allowed, provided they arrive on the port and interface the relocation server listens on (see xend-relocation-port and xend-relocation-address above).

Otherwise, the (xend-relocation-hosts-allow) parameter should be a sequence of regular expressions separated by spaces. Any host whose fully-qualified domain name or IP address matches one of these regular expressions is accepted. Anchor each expression with ^ and $ and escape literal dots (written as \\. in the configuration file, as in the example below); an unanchored pattern such as 192\.0\.2\.1 also matches 192.0.2.10.

An example of a (xend-relocation-hosts-allow) attribute:

(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')

After you have configured the parameters in your configuration file, restart xend (service xend restart) or reboot the host so that the new parameters take effect.
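As an added example (not code from the Red Hat manual or the Xen project), the following shell script reads the four relocation parameters from a copy of xend-config.sxp, flags the exposed combination (server enabled, empty xend-relocation-address, empty xend-relocation-hosts-allow) and contrasts it with a hardened counterpart bound to a management address with anchored host patterns. The two sample files, the address 192.0.2.10 and the hostnames in them are constructed for illustration, and xend_get and xend_relocation_check are hypothetical helper functions.

```shell
#!/bin/sh
# Added example, not part of the Red Hat manual: audit the relocation entries
# of an xend-config.sxp file and flag the exposed defaults.  The two sample
# files, their addresses and hostnames are constructed for illustration.

# xend_get KEY FILE: print the value of the active "(KEY value)" entry.
# Commented-out lines (starting with '#') are skipped, the last active entry
# wins, and surrounding single quotes are stripped from the value.
xend_get() {
    grep -E "^\($1[[:space:]]" "$2" 2>/dev/null | tail -n 1 \
      | sed -E "s/^\($1[[:space:]]+//; s/\)[[:space:]]*\$//; s/^'(.*)'\$/\1/"
}

# xend_relocation_check FILE: print findings; return 0 when the relocation
# server is disabled or restricted, 1 when any host that can reach the port
# may connect.
xend_relocation_check() {
    cfg=$1
    server=$(xend_get xend-relocation-server "$cfg")
    port=$(xend_get xend-relocation-port "$cfg")
    addr=$(xend_get xend-relocation-address "$cfg")
    allow=$(xend_get xend-relocation-hosts-allow "$cfg")

    if [ "$server" != yes ]; then
        echo "OK: relocation server disabled"
        return 0
    fi
    exposed=0
    if [ -z "$addr" ]; then
        echo "WEAK: xend-relocation-address is empty, port ${port:-8002} is bound on every interface"
        exposed=1
    fi
    if [ -z "$allow" ]; then
        echo "WEAK: xend-relocation-hosts-allow is empty, any host reaching the port may migrate"
        exposed=1
    else
        # A pattern without a trailing $ also matches longer names and
        # addresses: 192\.0\.2\.1 matches 192.0.2.10 and 192.0.2.11 too.
        set -f                      # no globbing while splitting the patterns
        for pat in $allow; do
            case $pat in
                *'$') ;;
                *) printf 'WARN: pattern %s is not anchored with $\n' "$pat" ;;
            esac
        done
        set +f
    fi
    [ "$exposed" -eq 0 ] && printf 'OK: bound to %s, allowed hosts: %s\n' "$addr" "$allow"
    return "$exposed"
}

# Constructed samples: the defaults with the comments removed (weak), and the
# same file bound to a management address with anchored host patterns.
tmp=$(mktemp -d)
WEAK_CFG=$tmp/weak.sxp
HARD_CFG=$tmp/hardened.sxp
cat > "$WEAK_CFG" <<'EOF'
#(xend-relocation-server no)
(xend-relocation-server yes)
(xend-relocation-port 8002)
(xend-relocation-address '')
(xend-relocation-hosts-allow '')
EOF
cat > "$HARD_CFG" <<'EOF'
(xend-relocation-server yes)
(xend-relocation-port 8002)
(xend-relocation-address '192.0.2.10')
(xend-relocation-hosts-allow '^xen01\\.example\\.com$ ^192\\.0\\.2\\.11$')
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    xend_relocation_check "$f" || echo "-> fix before restarting xend"
done
```

Run xend_relocation_check against the live /etc/xen/xend-config.sxp before restarting xend; afterwards, netstat -ltn on the host should show port 8002 bound only on the address you configured, not on 0.0.0.0.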

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.