doc/move-instance.rst - ganeti - Git at Google

 =================================
 Moving instances between clusters
 =================================

 Starting with Ganeti 2.2, instances can be moved between separate Ganeti
 clusters using a new tool, ``move-instance``. The tool has a number of
 features:

 - Moving a single or multiple instances
 - Moving instances in parallel (``--parallel`` option)
 - Renaming instance (only when moving a single instance)
 - SSL certificate verification for RAPI connections

 The design of the inter-cluster instances moves is described in detail
 in the :doc:`Ganeti 2.2 design document <design-2.2>`. The instance move
 tool talks to the Ganeti clusters via RAPI and can run on any machine
 which can connect to the cluster's RAPI. Despite their similar name, the
 instance move tool should not be confused with the ``gnt-instance move``
 command, which is used to move without changes (instead of export/import
 plus rename) an instance within the cluster.


 Configuring clusters for instance moves
 ---------------------------------------

 To prevent third parties from accessing the instance data, all data
 exchanged between the clusters is signed using a secret key, the
 "cluster domain secret". It is recommended to assign the same domain
 secret to all clusters of the same security domain, so that instances
 can be easily moved between them. By checking the signatures, the
 destination cluster can be sure the third party (e.g. this tool) didn't
 modify the received crypto keys and connection information.

 .. highlight:: shell-example

 To create a new, random cluster domain secret, run the following command
 on the master node::

   $ gnt-cluster renew-crypto --new-cluster-domain-secret


 To read and set the cluster domain secret from the contents of a file,
 run the following command on the master node::

   $ gnt-cluster renew-crypto --cluster-domain-secret=%/.../ganeti.cds%

 More information about the ``renew-crypto`` command can be found in
 :manpage:`gnt-cluster(8)`.


 Moving instances
 ----------------

 As soon as the clusters share a cluster domain secret, instances can be
 moved. The tool usage is as follows::

   $ move-instance %[options]% %source-cluster% %destination-cluster% %instance-name...%

 Multiple instances can be moved with one invocation of the instance move
 tool, though a few options are only available when moving a single
 instance.

 The most important options are listed below. Unless specified otherwise,
 destination-related options default to the source value (e.g. setting
 ``--src-rapi-port=1234`` will make ``--dest-rapi-port``'s default 1234).

 ``--src-rapi-port``/``--dest-rapi-port``
   RAPI server TCP port, defaults to 5080.
 ``--src-ca-file``/``--dest-ca-file``
   Path to file containing source cluster Certificate Authority (CA) in
   PEM format. For self-signed certificates, this is the certificate
   itself (see more details below in
   :ref:`instance-move-certificates`). For certificates signed by a third
   party CA, the complete chain must be in the file (see documentation
   for :manpage:`SSL_CTX_load_verify_locations(3)`).
 ``--src-username``/``--dest-username``
   RAPI username, must have write access to cluster.
 ``--src-password-file``/``--dest-password-file``
   Path to file containing RAPI password (make sure to restrict access to
   this file).
 ``--dest-instance-name``
   When moving a single instance: Change name of instance on destination
   cluster.
 ``--dest-primary-node``
   When moving a single instance: Primary node on destination cluster.
 ``--dest-secondary-node``
   When moving a single instance: Secondary node on destination cluster.
 ``--iallocator``
   Iallocator for creating instance on destination cluster.
 ``--hypervisor-parameters``/``--backend-parameters``/``--os-parameters``/``--net``
   When moving a single instance: Override instances' parameters.
 ``--parallel``
   Number of instance moves to run in parallel.
 ``--verbose``/``--debug``
   Increase output verbosity.

 The exit value of the tool is zero if and only if all instance moves
 were successful.

 .. _instance-move-certificates:

 Certificates
 ------------

 If using certificates signed by a CA, then you need to pass the same CA
 certificate via both ``--src-ca-file`` and ``dest-ca-file``.

 However, if you're using self-signed certificates, this has a few
 (security) implications:

 - the certificates of both the source and destinations clusters
   (``rapi.pem`` from the Ganeti configuration directory, usually
   ``/var/lib/ganeti/rapi.pem``) must be available to the tool
 - by default, the certificates include the private key as well, so
   simply copying them to a third machine means that machine can now
   impersonate both the source and destination clusters RAPI endpoint

 It is therefore recommended to copy only the certificate from the
 ``rapi.pem`` files, and pass these to ``--src-ca-file`` and
 ``--dest-ca-file`` appropriately.

 .. vim: set textwidth=72 :
 .. Local Variables:
 .. mode: rst
 .. fill-column: 72
 .. End:
	=================================
	Moving instances between clusters
	=================================

	Starting with Ganeti 2.2, instances can be moved between separate Ganeti
	clusters using a new tool, ``move-instance``. The tool has a number of
	features:

	- Moving a single or multiple instances
	- Moving instances in parallel (``--parallel`` option)
	- Renaming instance (only when moving a single instance)
	- SSL certificate verification for RAPI connections

	The design of the inter-cluster instances moves is described in detail
	in the :doc:`Ganeti 2.2 design document <design-2.2>`. The instance move
	tool talks to the Ganeti clusters via RAPI and can run on any machine
	which can connect to the cluster's RAPI. Despite their similar name, the
	instance move tool should not be confused with the ``gnt-instance move``
	command, which is used to move without changes (instead of export/import
	plus rename) an instance within the cluster.


	Configuring clusters for instance moves
	---------------------------------------

	To prevent third parties from accessing the instance data, all data
	exchanged between the clusters is signed using a secret key, the
	"cluster domain secret". It is recommended to assign the same domain
	secret to all clusters of the same security domain, so that instances
	can be easily moved between them. By checking the signatures, the
	destination cluster can be sure the third party (e.g. this tool) didn't
	modify the received crypto keys and connection information.

	.. highlight:: shell-example

	To create a new, random cluster domain secret, run the following command
	on the master node::

	$ gnt-cluster renew-crypto --new-cluster-domain-secret


	To read and set the cluster domain secret from the contents of a file,
	run the following command on the master node::

	$ gnt-cluster renew-crypto --cluster-domain-secret=%/.../ganeti.cds%

	More information about the ``renew-crypto`` command can be found in
	:manpage:`gnt-cluster(8)`.


	Moving instances
	----------------

	As soon as the clusters share a cluster domain secret, instances can be
	moved. The tool usage is as follows::

	$ move-instance %[options]% %source-cluster% %destination-cluster% %instance-name...%

	Multiple instances can be moved with one invocation of the instance move
	tool, though a few options are only available when moving a single
	instance.

	The most important options are listed below. Unless specified otherwise,
	destination-related options default to the source value (e.g. setting
	``--src-rapi-port=1234`` will make ``--dest-rapi-port``'s default 1234).

	``--src-rapi-port``/``--dest-rapi-port``
	RAPI server TCP port, defaults to 5080.
	``--src-ca-file``/``--dest-ca-file``
	Path to file containing source cluster Certificate Authority (CA) in
	PEM format. For self-signed certificates, this is the certificate
	itself (see more details below in
	:ref:`instance-move-certificates`). For certificates signed by a third
	party CA, the complete chain must be in the file (see documentation
	for :manpage:`SSL_CTX_load_verify_locations(3)`).
	``--src-username``/``--dest-username``
	RAPI username, must have write access to cluster.
	``--src-password-file``/``--dest-password-file``
	Path to file containing RAPI password (make sure to restrict access to
	this file).
	``--dest-instance-name``
	When moving a single instance: Change name of instance on destination
	cluster.
	``--dest-primary-node``
	When moving a single instance: Primary node on destination cluster.
	``--dest-secondary-node``
	When moving a single instance: Secondary node on destination cluster.
	``--iallocator``
	Iallocator for creating instance on destination cluster.
	``--hypervisor-parameters``/``--backend-parameters``/``--os-parameters``/``--net``
	When moving a single instance: Override instances' parameters.
	``--parallel``
	Number of instance moves to run in parallel.
	``--verbose``/``--debug``
	Increase output verbosity.

	The exit value of the tool is zero if and only if all instance moves
	were successful.

	.. _instance-move-certificates:

	Certificates
	------------

	If using certificates signed by a CA, then you need to pass the same CA
	certificate via both ``--src-ca-file`` and ``dest-ca-file``.

	However, if you're using self-signed certificates, this has a few
	(security) implications:

	- the certificates of both the source and destinations clusters
	(``rapi.pem`` from the Ganeti configuration directory, usually
	``/var/lib/ganeti/rapi.pem``) must be available to the tool
	- by default, the certificates include the private key as well, so
	simply copying them to a third machine means that machine can now
	impersonate both the source and destination clusters RAPI endpoint

	It is therefore recommended to copy only the certificate from the
	``rapi.pem`` files, and pass these to ``--src-ca-file`` and
	``--dest-ca-file`` appropriately.

	.. vim: set textwidth=72 :
	.. Local Variables:
	.. mode: rst
	.. fill-column: 72
	.. End: