.. root / doc / move-instance.rst @ 6a654276

=================================
Moving instances between clusters
=================================

Starting with Ganeti 2.2, instances can be moved between separate Ganeti
clusters using a new tool, ``move-instance``. The tool has a number of
features:

- Moving a single instance or multiple instances
- Moving instances in parallel (``--parallel`` option)
- Renaming an instance (only when moving a single instance)
- SSL certificate verification for RAPI connections

The design of inter-cluster instance moves is described in detail
in the :doc:`Ganeti 2.2 design document <design-2.2>`. The instance move
tool talks to the Ganeti clusters via RAPI and can run on any machine
which can connect to the clusters' RAPI. Despite the similar name, the
instance move tool should not be confused with the ``gnt-instance move``
command, which moves an instance within a single cluster without changes
(instead of export/import plus rename).


Configuring clusters for instance moves
---------------------------------------

To prevent third parties from accessing the instance data, all data
exchanged between the clusters is signed using a secret key, the
"cluster domain secret". It is recommended to assign the same domain
secret to all clusters of the same security domain, so that instances
can be easily moved between them. By checking the signatures, the
destination cluster can be sure the third party (e.g. this tool) didn't
modify the received crypto keys and connection information.

.. highlight:: shell-example

To create a new, random cluster domain secret, run the following command
on the master node::

  $ gnt-cluster renew-crypto --new-cluster-domain-secret


To read and set the cluster domain secret from the contents of a file,
run the following command on the master node::

  $ gnt-cluster renew-crypto --cluster-domain-secret=%/.../ganeti.cds%

More information about the ``renew-crypto`` command can be found in
:manpage:`gnt-cluster(8)`.


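The signature check described at the start of this section, as an added
sketch in Python (not Ganeti's code and not its wire format). The salted
HMAC-SHA256 construction, the JSON layout and all sample values are
assumptions; the point is that a relaying tool without the cluster domain
secret cannot alter connection information unnoticed.

```python
# Added illustration, not Ganeti source code. The salted HMAC-SHA256, the
# JSON layout and every sample value below are assumptions for clarity.
import hashlib
import hmac
import json
import os


def _tag(secret: bytes, salt: str, body: str) -> str:
    # The salt has a fixed length, so salt + body is unambiguous.
    return hmac.new(secret, (salt + body).encode(), hashlib.sha256).hexdigest()


def sign_message(secret: bytes, payload: dict) -> dict:
    """Source cluster: serialize the payload and attach a salted HMAC."""
    salt = os.urandom(16).hex()
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"salt": salt, "body": body, "hmac": _tag(secret, salt, body)}


def verify_message(secret: bytes, message: dict) -> dict:
    """Destination cluster: return the payload only if the HMAC matches."""
    expected = _tag(secret, message["salt"], message["body"])
    # compare_digest runs in constant time, so timing does not leak the tag.
    if not hmac.compare_digest(expected, message["hmac"]):
        raise ValueError("signature mismatch: altered data or different secret")
    return json.loads(message["body"])


def demo() -> dict:
    """Relay scenario: which messages does the destination accept?"""
    secret = b"constructed-cluster-domain-secret"  # sample, not a real secret
    info = {"host": "node1.src.example.com", "port": 11000, "key_name": "k1"}
    signed = sign_message(secret, info)
    # A relay that edits the endpoint cannot recompute the HMAC.
    edited = dict(signed, body=signed["body"].replace("node1", "node9"))
    cases = {"untouched": (secret, signed), "edited_in_transit": (secret, edited),
             "other_security_domain": (b"constructed-other-secret", signed)}
    accepted = {}
    for name, (key, message) in cases.items():
        try:
            accepted[name] = verify_message(key, message) == info
        except ValueError:
            accepted[name] = False
    return accepted


if __name__ == "__main__":
    print(demo())
```
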
Moving instances
----------------

As soon as the clusters share a cluster domain secret, instances can be
moved. The tool usage is as follows::

  $ move-instance %[options]% %source-cluster% %destination-cluster% %instance-name...%

Multiple instances can be moved with one invocation of the instance move
tool, though a few options are only available when moving a single
instance.

The most important options are listed below. Unless specified otherwise,
destination-related options default to the source value (e.g. setting
``--src-rapi-port=1234`` will make ``--dest-rapi-port``'s default 1234).

``--src-rapi-port``/``--dest-rapi-port``
  RAPI server TCP port, defaults to 5080.
``--src-ca-file``/``--dest-ca-file``
  Path to file containing source cluster Certificate Authority (CA) in
  PEM format. For self-signed certificates, this is the certificate
  itself. For certificates signed by a third party CA, the complete
  chain must be in the file (see documentation for
  :manpage:`SSL_CTX_load_verify_locations(3)`).
``--src-username``/``--dest-username``
  RAPI username, must have write access to cluster.
``--src-password-file``/``--dest-password-file``
  Path to file containing RAPI password (make sure to restrict access to
  this file).
``--dest-instance-name``
  When moving a single instance: Change name of instance on destination
  cluster.
``--dest-primary-node``
  When moving a single instance: Primary node on destination cluster.
``--dest-secondary-node``
  When moving a single instance: Secondary node on destination cluster.
``--iallocator``
  Iallocator for creating instance on destination cluster.
``--hypervisor-parameters``/``--backend-parameters``/``--os-parameters``/``--net``
  When moving a single instance: Override instances' parameters.
``--parallel``
  Number of instance moves to run in parallel.
``--verbose``/``--debug``
  Increase output verbosity.

The exit value of the tool is zero if and only if all instance moves
were successful.

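An added example, not part of Ganeti: a hypothetical Python wrapper that
enforces the password-file advice above before building a
``move-instance`` command line from the documented options, and treats
any non-zero exit value as failure. The function names and the "no group
or other access" policy are assumptions.

```python
# Added example, not part of Ganeti: a hypothetical pre-flight wrapper.
# Function names and the "no group/other access" policy are assumptions.
import os
import stat
import subprocess


def check_password_file(path):
    """Reject a RAPI password file that group or others can access."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if mode & 0o077:
        raise PermissionError(f"{path}: mode {mode:04o} is too open (use 0600)")


def build_command(src, dest, instances, *, src_ca, src_user, src_pw,
                  dest_ca=None, dest_user=None, dest_pw=None,
                  dest_name=None, parallel=None):
    """Return the move-instance argv built from the options documented above."""
    if not instances:
        raise ValueError("at least one instance name is required")
    if dest_name is not None and len(instances) != 1:
        raise ValueError("--dest-instance-name needs exactly one instance")
    for pw_file in (src_pw, dest_pw):
        if pw_file is not None:
            check_password_file(pw_file)
    options = [("--src-ca-file", src_ca), ("--src-username", src_user),
               ("--src-password-file", src_pw),
               # Unset destination options fall back to the source values.
               ("--dest-ca-file", dest_ca), ("--dest-username", dest_user),
               ("--dest-password-file", dest_pw),
               ("--dest-instance-name", dest_name), ("--parallel", parallel)]
    argv = ["move-instance"]
    argv += [f"{flag}={value}" for flag, value in options if value is not None]
    return argv + [src, dest, *instances]


def run_move(argv):
    """True only if every move succeeded (the tool then exits with zero)."""
    # A list argv with the default shell=False keeps names out of a shell.
    return subprocess.run(argv, check=False).returncode == 0
```
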
.. vim: set textwidth=72 :
.. Local Variables:
.. mode: rst
.. fill-column: 72
.. End: