Revision a09b0f16 doc/move-instance.rst
b/doc/move-instance.rst | ||
69 | 69 |
``--src-ca-file``/``--dest-ca-file`` |
70 | 70 |
Path to file containing source cluster Certificate Authority (CA) in |
71 | 71 |
PEM format. For self-signed certificates, this is the certificate |
72 |
itself. For certificates signed by a third party CA, the complete |
|
73 |
chain must be in the file (see documentation for |
|
72 |
itself (see more details below in :ref:`certificates`). For |
|
73 |
certificates signed by a third party CA, the complete chain must be in |
|
74 |
the file (see documentation for |
|
74 | 75 |
:manpage:`SSL_CTX_load_verify_locations(3)`). |
75 | 76 |
``--src-username``/``--dest-username`` |
76 | 77 |
RAPI username, must have write access to cluster. |
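Review bot: the new clause at new line 72, "(see more details below in :ref:`certificates`)", defers the whole self-signed case to the section below, but the option description is where most readers will stop, and the one fact that matters here is that the CA file must hold only the certificate, never the private key that rapi.pem carries by default. Consider adding it inline, e.g. "For self-signed certificates, this is the certificate itself (the certificate only, not the private key; see :ref:`certificates`)", so the warning survives for readers who skip the section.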
... | ... | |
96 | 97 |
The exit value of the tool is zero if and only if all instance moves |
97 | 98 |
were successful. |
98 | 99 |
|
100 |
.. _certificates: |
|
101 |
|
|
102 |
Certificates |
|
103 |
------------ |
|
104 |
|
|
105 |
If using certificates signed by a CA, then you need to pass the same CA |
|
106 |
certificate via both ``--src-ca-file`` and ``dest-ca-file``. |
|
107 |
|
|
108 |
However, if you're using self-signed certificates, this has a few |
|
109 |
(security) implications: |
|
110 |
|
|
111 |
- the certificates of both the source and destinations clusters |
|
112 |
(``rapi.pem`` from the Ganeti configuration directory, usually |
|
113 |
``/var/lib/ganeti/rapi.pem``) must be available to the tool |
|
114 |
- by default, the certificates include the private key as well, so |
|
115 |
simply copying them to a third machine means that machine can now |
|
116 |
impersonate both the source and destination clusters RAPI endpoint |
|
117 |
|
|
118 |
It is therefore recommended to copy only the certificate from the |
|
119 |
``rapi.pem`` files, and pass these to ``--src-ca-file`` and |
|
120 |
``--dest-ca-file`` appropriately. |
|
121 |
|
|
99 | 122 |
.. vim: set textwidth=72 : |
100 | 123 |
.. Local Variables: |
101 | 124 |
.. mode: rst |
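Review bot: new line 106 has a typo that breaks the option name: "``--src-ca-file`` and ``dest-ca-file``" should read "``--src-ca-file`` and ``--dest-ca-file``" (the leading dashes are missing on the second option, which the rest of the document spells consistently). Two grammar fixes in the same hunk: line 111 "the source and destinations clusters" should be "the source and destination clusters", and line 116 "both the source and destination clusters RAPI endpoint" should be "both the source and destination clusters' RAPI endpoints". Finally, lines 118-120 recommend copying "only the certificate from the ``rapi.pem`` files" without saying how; since rapi.pem is a PEM bundle containing both the private key and the certificate, a one-line hint such as "for example with ``openssl x509 -in rapi.pem -out rapi-cert.pem``, which writes only the certificate" would make the recommendation actionable and reduce the chance of an operator shipping the key to a third machine by copying the whole file.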