[dm-crypt] dm-crypt on top of DRBD for live migration
Berengar Lehr
berengarlehr at googlemail.com
Wed Dec 7 13:30:37 CET 2011
We want to use LVM, dm-crypt and DRBD in a 2-machine setup for KVM.
We think a proper setup could be something like this (dm-crypt below DRBD):

   Machine 1                     Machine 2
      KVM   -> -> -> -> -> ->       KVM
       |     (live migration)        .
       |                             .
     DRBD   - - - - - - - - -      DRBD
       |                             |
      LVM                           LVM
       |                             |
   dm-crypt                      dm-crypt
       |                             |
 Disk/Partition                Disk/Partition

The KVM guest machines should run on machine 1. Live migration to
machine 2 should be supported.
Using this setup, every write to DRBD would be (independently) encrypted
on both machines, leading to additional (unnecessary?) CPU load on
machine 2 before live migrating, and additional CPU load on machine 1
after live migration.
Could these additional CPU loads be avoided using a setup like this
(dm-crypt on top of DRBD):

   Machine 1                     Machine 2
      KVM   -> -> -> -> -> ->       KVM
       |     (live migration)        .
       |                             . (b)
   dm-crypt                      dm-crypt
       |                             | (a)
     DRBD   - - - - - - - - -      DRBD
       |                             |
      LVM                           LVM
       |                             |
 Disk/Partition                Disk/Partition

In this setup, dm-crypt runs on both machines, too, but is not used on
machine 2 until KVM guests send write requests after the live migration.
So encryption is done by only one machine at any point in time.
Is such a setup safe and stable?
What about caching at points (a) or (b) on machine 2?
Can KVM read cached, outdated data from dm-crypt after live migration?
Is there a workaround?
Thank you
B. Lehr & M. Müller
--
Mate is healthy sleep in half-litre bottles