move-instance.rst 5.07 KB
Moving instances between clusters
=================================

Starting with Ganeti 2.2, instances can be moved between separate Ganeti
clusters using a new tool, ``move-instance``. The tool has a number of
features:

- Moving a single or multiple instances
- Moving instances in parallel (``--parallel`` option)
- Renaming an instance (only when moving a single instance)
- SSL certificate verification for RAPI connections

The design of the inter-cluster instance moves is described in detail
in the :doc:`Ganeti 2.2 design document <design-2.2>`. The instance move
tool talks to the Ganeti clusters via RAPI and can run on any machine
which can connect to both clusters' RAPI endpoints. Despite the similar
name, the instance move tool should not be confused with the
``gnt-instance move`` command, which moves an instance between nodes
within a single cluster, without export/import or renaming.

Configuring clusters for instance moves
---------------------------------------

To prevent third parties from accessing or tampering with the instance
data in transit, all data exchanged between the clusters is signed using
a secret key, the "cluster domain secret". It is recommended to assign
the same domain secret to all clusters of the same security domain, so
that instances can be easily moved between them. The move tool itself
only relays the crypto keys and connection information from one cluster
to the other; by checking the signatures, the destination cluster can be
sure that this relay (or anyone else on the path) did not modify them.
Since anyone holding the secret can produce valid signatures, treat it
like any other cluster credential and do not share it with clusters
outside the security domain.

.. highlight:: shell-example

To create a new, random cluster domain secret, run the following command
on the master node::

  $ gnt-cluster renew-crypto --new-cluster-domain-secret

To read and set the cluster domain secret from the contents of a file,
run the following command on the master node::

  $ gnt-cluster renew-crypto --cluster-domain-secret=%/.../ganeti.cds%

More information about the ``renew-crypto`` command can be found in
the ``gnt-cluster`` manpage.
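
The following Python snippet is an added illustration of the property
described above; it is not Ganeti's code and does not reproduce Ganeti's
signing format. A source cluster signs the certificate and connection
information it hands to the (untrusted) move tool with an HMAC keyed by
the shared cluster domain secret; the destination recomputes the HMAC and
rejects anything the relay changed, or anything signed under a different
secret. The payload contents, field names and ``HMAC-SHA256`` are
assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample of what a source cluster hands to the move tool:
# the export-side certificate plus where to connect. Not real data.
SAMPLE_PAYLOAD = {
    "x509_cert": "CONSTRUCTED-CERT-PEM",
    "host": "node1.src.example.com",
    "port": 20000,
}


def new_cluster_domain_secret() -> bytes:
    """Random 32-byte secret, standing in for the secret that
    'gnt-cluster renew-crypto --new-cluster-domain-secret' creates."""
    return secrets.token_bytes(32)


def canonical(payload: dict) -> bytes:
    # Stable serialization so both clusters MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(cds: bytes, payload: dict) -> dict:
    """Source side: attach an HMAC-SHA256 keyed by the domain secret
    (assumed algorithm; Ganeti's own format is not reproduced here)."""
    salt = secrets.token_hex(8)  # per-message salt, sent in the clear
    mac = hmac.new(cds, salt.encode() + canonical(payload),
                   hashlib.sha256).hexdigest()
    return {"payload": payload, "salt": salt, "mac": mac}


def verify(cds: bytes, signed: dict) -> bool:
    """Destination side: recompute the MAC and compare in constant time."""
    expected = hmac.new(cds, signed["salt"].encode() + canonical(signed["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def relay_and_verify(cds_src: bytes, cds_dest: bytes, payload: dict,
                     tamper=None) -> bool:
    """Simulate the move tool carrying a signed payload from source to
    destination; 'tamper' models a relay that rewrites the payload."""
    signed = sign(cds_src, payload)
    if tamper is not None:
        signed["payload"] = tamper(dict(signed["payload"]))
    return verify(cds_dest, signed)


def demo_honest_relay() -> bool:
    # Both clusters share one domain secret; nothing changed in transit.
    cds = new_cluster_domain_secret()
    return relay_and_verify(cds, cds, SAMPLE_PAYLOAD)


def demo_tampered_relay() -> bool:
    # Shared secret, but the relay redirects the connection to itself.
    cds = new_cluster_domain_secret()
    return relay_and_verify(
        cds, cds, SAMPLE_PAYLOAD,
        tamper=lambda p: {**p, "host": "attacker.example.com"})


def demo_wrong_secret() -> bool:
    # Clusters from different security domains do not share a secret.
    return relay_and_verify(new_cluster_domain_secret(),
                            new_cluster_domain_secret(), SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print("honest relay accepted:", demo_honest_relay())
    print("tampered relay accepted:", demo_tampered_relay())
    print("foreign secret accepted:", demo_wrong_secret())
```

The point to take from the last two cases is that the secret only
protects integrity: the relay can still read everything it carries, and
any party that obtains the secret can forge a valid payload, which is
why the secret must stay confined to one security domain.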

Moving instances
----------------

As soon as the clusters share a cluster domain secret, instances can be
moved. The tool usage is as follows::

  $ move-instance %[options]% %source-cluster% %destination-cluster% %instance-name...%

Multiple instances can be moved with one invocation of the instance move
tool, though a few options are only available when moving a single
instance.
The most important options are listed below. Unless specified otherwise,
destination-related options default to the source value (e.g. setting
``--src-rapi-port=1234`` will make ``--dest-rapi-port``'s default 1234).

- ``--src-rapi-port``/``--dest-rapi-port``: RAPI server TCP port,
  defaults to 5080.
- ``--src-ca-file``/``--dest-ca-file``: Path to a file containing the
  source (respectively destination) cluster Certificate Authority (CA)
  in PEM format. For self-signed certificates, this is the certificate
  itself (see more details below in
  :ref:`instance-move-certificates`). For certificates signed by a third
  party CA, the complete chain must be in the file (see documentation
  for :manpage:`SSL_CTX_load_verify_locations(3)`).
- RAPI username (source and destination); must have write access to the
  cluster.
- Path to a file containing the RAPI password (source and destination);
  make sure to restrict access to this file.
- When moving a single instance: Change name of the instance on the
  destination cluster.
- When moving a single instance: Primary node on the destination
  cluster.
- When moving a single instance: Secondary node on the destination
  cluster.
- Disk template to use after the move. Can be used to change disk
  templates.
- Compression mode to use during the instance move. This mode has to be
  supported by both the source and the destination cluster.
- Iallocator for creating the instance on the destination cluster.
- When moving a single instance: Override the instance's parameters.
- ``--parallel``: Number of instance moves to run in parallel.
- Increase output verbosity.

The exit value of the tool is zero if and only if all instance moves
were successful.

.. _instance-move-certificates:

Certificates
------------

If using certificates signed by a CA, then you need to pass the same CA
certificate via both ``--src-ca-file`` and ``--dest-ca-file``.

However, if you're using self-signed certificates, this has a few
(security) implications:

- the certificates of both the source and destination clusters
  (``rapi.pem`` from the Ganeti configuration directory, usually
  ``/var/lib/ganeti/rapi.pem``) must be available to the tool
- by default, these files contain the private key as well as the
  certificate, so simply copying them to a third machine means that
  machine can now impersonate the RAPI endpoints of both the source and
  destination clusters

It is therefore recommended to extract only the certificate part from
the ``rapi.pem`` files and pass those extracted files to
``--src-ca-file`` and ``--dest-ca-file`` respectively. Before using such
a file, check that it contains ``CERTIFICATE`` blocks only and no
``PRIVATE KEY`` block, and leave the original ``rapi.pem`` on the
cluster nodes with its permissions unchanged.
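
The following Python helper is an added example, not part of Ganeti or
of the ``move-instance`` tool, for producing and checking the
certificate-only file described above. It splits a PEM file into its
blocks, keeps only ``CERTIFICATE`` blocks for use as a CA file, and
refuses a candidate CA file that still carries a private key. The
``rapi.pem`` sample embedded below is constructed (the base64 bodies are
not a real key or certificate); the label set of private-key block types
is an assumption covering the common PEM labels.

```python
import re
import sys

# One PEM block: "-----BEGIN X-----", body, "-----END X-----" with the
# same label on both ends. Works on multi-block files such as rapi.pem.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed stand-in for a Ganeti rapi.pem (key followed by cert).
# The base64 bodies are placeholders, not real key material.
SAMPLE_RAPI_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Y29uc3RydWN0ZWQta2V5LW5vdC1yZWFs\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQtY2VydC1ub3QtcmVhbA==\n"
    "-----END CERTIFICATE-----\n"
)


def pem_blocks(text: str):
    """Return [(label, full_block_text), ...] in file order."""
    return [(m.group("label"), m.group(0)) for m in _PEM_BLOCK.finditer(text)]


def contains_private_key(text: str) -> bool:
    # Catches PRIVATE KEY, RSA/EC/DSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...
    return any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(text))


def certificates_only(text: str) -> str:
    """The safe content for --src-ca-file / --dest-ca-file: every
    CERTIFICATE block, in order, and nothing else."""
    return "".join(block + "\n" for label, block in pem_blocks(text)
                   if label == "CERTIFICATE")


def check_ca_file(text: str) -> bool:
    """Pre-flight check before handing a file to the move tool.
    Raises ValueError on a file that would leak a key or cannot work."""
    if contains_private_key(text):
        raise ValueError("CA file contains a private key; strip it before copying")
    if not any(label == "CERTIFICATE" for label, _ in pem_blocks(text)):
        raise ValueError("CA file contains no CERTIFICATE block")
    return True


if __name__ == "__main__":
    # Usage: python3 this.py /var/lib/ganeti/rapi.pem > src-ca.pem
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RAPI_PEM
    stripped = certificates_only(source)
    check_ca_file(stripped)
    sys.stdout.write(stripped)
```

Run it on each cluster's ``rapi.pem`` (as a user that may read it) and
copy only the stripped output to the machine running ``move-instance``;
the check function is also suitable as a guard in any wrapper script
that assembles the tool's command line.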

.. vim: set textwidth=72 :
.. Local Variables:
.. mode: rst
.. fill-column: 72
.. End: