/usr/share/doc/ganeti/html/move-instance.html is in ganeti-doc 2.16.0~rc2-1build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Moving instances between clusters — Ganeti 2.16.0~rc2 documentation</title>
<link rel="stylesheet" href="_static/style.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: './',
VERSION: '2.16.0~rc2',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="News" href="news.html" />
<link rel="prev" title="/" href="monitoring-query-format.html" />
</head>
<body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="news.html" title="News"
accesskey="N">next</a></li>
<li class="right" >
<a href="monitoring-query-format.html" title="/"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="index.html">Ganeti 2.16.0~rc2 documentation</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="moving-instances-between-clusters">
<h1>Moving instances between clusters<a class="headerlink" href="#moving-instances-between-clusters" title="Permalink to this headline">¶</a></h1>
<p>Starting with Ganeti 2.2, instances can be moved between separate Ganeti
clusters using a new tool, <code class="docutils literal"><span class="pre">move-instance</span></code>. The tool has a number of
features:</p>
<ul class="simple">
<li>Moving a single or multiple instances</li>
<li>Moving instances in parallel (<code class="docutils literal"><span class="pre">--parallel</span></code> option)</li>
<li>Renaming an instance (only when moving a single instance)</li>
<li>SSL certificate verification for RAPI connections</li>
</ul>
<p>The design of inter-cluster instance moves is described in detail
in the <a class="reference internal" href="design-2.2.html"><span class="doc">Ganeti 2.2 design document</span></a>. The instance move
tool talks to the Ganeti clusters via RAPI and can run on any machine
which can connect to the cluster’s RAPI. Despite the similar name, the
instance move tool should not be confused with the <code class="docutils literal"><span class="pre">gnt-instance</span> <span class="pre">move</span></code>
command, which moves an instance within a single cluster without changes
(instead of export/import plus rename).</p>
<div class="section" id="configuring-clusters-for-instance-moves">
<h2>Configuring clusters for instance moves<a class="headerlink" href="#configuring-clusters-for-instance-moves" title="Permalink to this headline">¶</a></h2>
<p>To prevent third parties from accessing the instance data, all data
exchanged between the clusters is signed using a secret key, the
“cluster domain secret”. It is recommended to assign the same domain
secret to all clusters of the same security domain, so that instances
can be easily moved between them. By checking the signatures, the
destination cluster can be sure the third party (e.g. this tool) didn’t
modify the received crypto keys and connection information.</p>
<p>To create a new, random cluster domain secret, run the following command
on the master node:</p>
<div class="highlight-shell-example"><div class="highlight"><pre><span></span>$ <span class="gs">gnt-cluster</span> <span class="gs">renew-crypto</span> <span class="gs">--new-cluster-domain-secret</span>
</pre></div>
</div>
<p>To read and set the cluster domain secret from the contents of a file,
run the following command on the master node:</p>
<div class="highlight-shell-example"><div class="highlight"><pre><span></span>$ <span class="gs">gnt-cluster</span> <span class="gs">renew-crypto</span> <span class="gs">--cluster-domain-secret=</span><span class="nv">/.../ganeti.cds</span>
</pre></div>
</div>
<p>More information about the <code class="docutils literal"><span class="pre">renew-crypto</span></code> command can be found in
<em class="manpage">gnt-cluster(8)</em>.</p>
</div>
<div class="section" id="moving-instances">
<h2>Moving instances<a class="headerlink" href="#moving-instances" title="Permalink to this headline">¶</a></h2>
<p>As soon as the clusters share a cluster domain secret, instances can be
moved. The tool usage is as follows:</p>
<div class="highlight-shell-example"><div class="highlight"><pre><span></span>$ <span class="gs">move-instance</span> <span class="nv">[options]</span> <span class="nv">source-cluster</span> <span class="nv">destination-cluster</span> <span class="nv">instance-name...</span>
</pre></div>
</div>
<p>Multiple instances can be moved with one invocation of the instance move
tool, though a few options are only available when moving a single
instance.</p>
<p>The most important options are listed below. Unless specified otherwise,
destination-related options default to the source value (e.g. setting
<code class="docutils literal"><span class="pre">--src-rapi-port=1234</span></code> will make <code class="docutils literal"><span class="pre">--dest-rapi-port</span></code>’s default 1234).</p>
<dl class="docutils">
<dt><code class="docutils literal"><span class="pre">--src-rapi-port</span></code>/<code class="docutils literal"><span class="pre">--dest-rapi-port</span></code></dt>
<dd>RAPI server TCP port, defaults to 5080.</dd>
<dt><code class="docutils literal"><span class="pre">--src-ca-file</span></code>/<code class="docutils literal"><span class="pre">--dest-ca-file</span></code></dt>
<dd>Path to file containing source cluster Certificate Authority (CA) in
PEM format. For self-signed certificates, this is the certificate
itself (see more details below in
<a class="reference internal" href="#instance-move-certificates"><span class="std std-ref">Certificates</span></a>). For certificates signed by a third
party CA, the complete chain must be in the file (see documentation
for <em class="manpage">SSL_CTX_load_verify_locations(3)</em>).</dd>
<dt><code class="docutils literal"><span class="pre">--src-username</span></code>/<code class="docutils literal"><span class="pre">--dest-username</span></code></dt>
<dd>RAPI username, must have write access to cluster.</dd>
<dt><code class="docutils literal"><span class="pre">--src-password-file</span></code>/<code class="docutils literal"><span class="pre">--dest-password-file</span></code></dt>
<dd>Path to file containing RAPI password (make sure to restrict access to
this file).</dd>
<dt><code class="docutils literal"><span class="pre">--dest-instance-name</span></code></dt>
<dd>When moving a single instance: Change name of instance on destination
cluster.</dd>
<dt><code class="docutils literal"><span class="pre">--dest-primary-node</span></code></dt>
<dd>When moving a single instance: Primary node on destination cluster.</dd>
<dt><code class="docutils literal"><span class="pre">--dest-secondary-node</span></code></dt>
<dd>When moving a single instance: Secondary node on destination cluster.</dd>
<dt><code class="docutils literal"><span class="pre">--dest-disk-template</span></code></dt>
<dd>Disk template to use after the move. Can be used to change disk templates.</dd>
<dt><code class="docutils literal"><span class="pre">--compress</span></code></dt>
<dd>Compression mode to use during the instance move. This mode has to be
supported by both the source and the destination cluster.</dd>
<dt><code class="docutils literal"><span class="pre">--iallocator</span></code></dt>
<dd>Iallocator for creating instance on destination cluster.</dd>
<dt><code class="docutils literal"><span class="pre">--hypervisor-parameters</span></code>/<code class="docutils literal"><span class="pre">--backend-parameters</span></code>/<code class="docutils literal"><span class="pre">--os-parameters</span></code>/<code class="docutils literal"><span class="pre">--net</span></code></dt>
<dd>When moving a single instance: Override the instance’s parameters.</dd>
<dt><code class="docutils literal"><span class="pre">--parallel</span></code></dt>
<dd>Number of instance moves to run in parallel.</dd>
<dt><code class="docutils literal"><span class="pre">--verbose</span></code>/<code class="docutils literal"><span class="pre">--debug</span></code></dt>
<dd>Increase output verbosity.</dd>
</dl>
<p>The exit value of the tool is zero if and only if all instance moves
were successful.</p>
</div>
<div class="section" id="certificates">
<span id="instance-move-certificates"></span><h2>Certificates<a class="headerlink" href="#certificates" title="Permalink to this headline">¶</a></h2>
<p>If using certificates signed by a CA, then you need to pass the same CA
certificate via both <code class="docutils literal"><span class="pre">--src-ca-file</span></code> and <code class="docutils literal"><span class="pre">--dest-ca-file</span></code>.</p>
<p>However, if you’re using self-signed certificates, this has a few
(security) implications:</p>
<ul class="simple">
<li>the certificates of both the source and destination clusters
(<code class="docutils literal"><span class="pre">rapi.pem</span></code> from the Ganeti configuration directory, usually
<code class="docutils literal"><span class="pre">/var/lib/ganeti/rapi.pem</span></code>) must be available to the tool</li>
<li>by default, the certificates include the private key as well, so
simply copying them to a third machine means that machine can now
impersonate both the source and destination clusters’ RAPI endpoints</li>
</ul>
<p>It is therefore recommended to copy only the certificate from the
<code class="docutils literal"><span class="pre">rapi.pem</span></code> files, and pass these to <code class="docutils literal"><span class="pre">--src-ca-file</span></code> and
<code class="docutils literal"><span class="pre">--dest-ca-file</span></code> appropriately.</p>
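<p>One way to apply this recommendation, as an added example that is not part of the Ganeti documentation: copy only the certificate block out of a combined <code class="docutils literal"><span class="pre">rapi.pem</span></code> and fail closed if any private key material ends up in the output. The function names and the sample PEM (placeholder base64, not real key material) are assumptions made for illustration.</p>

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not Ganeti tooling.

# Copy only the CERTIFICATE block(s) from a combined PEM into a new file.
# Usage: extract_cert_only <combined.pem> <cert-only.pem>
extract_cert_only() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Keep lines between BEGIN/END CERTIFICATE markers; key blocks are skipped.
    awk '/^-----BEGIN CERTIFICATE-----/ {keep=1}
         keep {print}
         /^-----END CERTIFICATE-----/ {keep=0}' "$src" > "$dst" || return 2
    # Fail closed: no certificate found at all.
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$dst"; then
        rm -f "$dst"; echo "no certificate in $src" >&2; return 1
    fi
    # Fail closed: an unterminated certificate block would let a key through.
    if has_private_key "$dst"; then
        rm -f "$dst"; echo "private key leaked into output" >&2; return 1
    fi
    return 0
}

# Returns 0 if the file contains private key material.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Constructed sample in the layout the page describes (key plus certificate).
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5LXBsYWNlaG9sZGVy
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2VydC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
EOF
}

# Demo: the output is what would be passed to --src-ca-file / --dest-ca-file.
tmp=$(mktemp -d)
make_sample "$tmp/rapi.pem"
extract_cert_only "$tmp/rapi.pem" "$tmp/src-ca.pem" && cat "$tmp/src-ca.pem"
rm -rf "$tmp"
```

<p>Run the extraction on the cluster node and copy only the resulting file to the machine that runs the tool, so the private key never leaves the node.</p>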
</div>
</div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer" role="contentinfo">
© Copyright 2018, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Google Inc.
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.7.
</div>
</body>
</html>