Creating and Using Oracle® Solaris Kernel Zones

Updated: December 2018
 
 

About Secure Live Migration

By default, the memory data transferred during a live migration is encrypted between the source and target hosts with an encryption cipher that is supported on both hosts. You can use the zoneadm migrate -c [cipher] command to specify a particular encryption cipher or to disable encryption.

The cipher argument of zoneadm migrate -c accepts the following values:

none

Disables encryption.

list

Lists supported ciphers on the source and target hosts.

encryption-cipher

Specifies one of the ciphers that is supported on the source and target hosts. The migrate -c list command shows the possible values.

If you do not specify a cipher, one that both the source and target hosts support is chosen automatically.

Example 32  Live Migration Between Two Trusted Hosts

The following example demonstrates a live migration of the kernel zone kzone1 from the source host global1 to the destination host global2. Encryption is disabled with the -c none option.

global1$ zoneadm -z kzone1 migrate -c none root@global2
    Password: 
    zoneadm: zone 'kzone1': Using existing zone configuration on destination.
    zoneadm: zone 'kzone1': Attaching zone.
    zoneadm: zone 'kzone1': Booting zone in 'migrating-in' mode.
    zoneadm: zone 'kzone1': Checking migration compatibility.
    zoneadm: zone 'kzone1': Starting migration.
    zoneadm: zone 'kzone1': Suspending zone on source host.
    zoneadm: zone 'kzone1': Waiting for migration to complete.
    zoneadm: zone 'kzone1': Migration successful.
    zoneadm: zone 'kzone1': Halting and detaching zone on source host.

Example 33  Confirming Cipher Compatibility Between Live Migration Source and Destination Hosts

The following example demonstrates a live migration of the kernel zone kzone1 from the source host global1 to the destination host global2. The specified cipher aes-128-cbc is not supported on the destination host.

global1$ zoneadm -z kzone1 migrate -c aes-128-cbc ssh://global2
zoneadm: zone 'kzone1': cipher aes-128-cbc not supported by destination
zoneadm: zone 'kzone1': destination supports: aes-128-ccm aes-128-gcm

Example 34  Listing Available Supported Ciphers on Live Migration Source and Destination Hosts

The following example lists the available supported ciphers during a live migration of the kernel zone kzone1. The zone is migrated from the source host global1 to the destination host global2.

global1$ zoneadm -z kzone1 migrate -c list root@global2
    Password: 
    source ciphers: aes-128-ccm aes-128-gcm none
    destination ciphers: none
    # echo $?
    0
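
A pre-flight check for the situation in Example 34, where none is the only value that both hosts list. This is an added example, not part of the Oracle documentation: the function names pick_encrypted_cipher and migrate_encrypted are hypothetical, the second listing is constructed, and the script assumes that the -c list output is written to stdout in the format shown in Example 34.

```shell
#!/bin/sh
# Added example, not Oracle's code. Function names are hypothetical.

# Read `zoneadm ... migrate -c list` output on stdin and print the first
# source cipher that the destination also lists, never "none".
# Returns 1 when the hosts share no encrypting cipher.
pick_encrypted_cipher() {
    src='' dst=''
    while IFS= read -r line; do
        case $line in
            *"source ciphers:"*)      src=${line#*ciphers:} ;;
            *"destination ciphers:"*) dst=${line#*ciphers:} ;;
        esac
    done
    for s in $src; do
        if [ "$s" = none ]; then continue; fi
        for d in $dst; do
            if [ "$s" = "$d" ]; then
                printf '%s\n' "$s"
                return 0
            fi
        done
    done
    return 1
}

# Fail closed: migrate only with an explicitly chosen encrypting cipher.
# Assumption: the -c list output is written to stdout.
migrate_encrypted() {
    zone=$1 dest=$2
    if cipher=$(zoneadm -z "$zone" migrate -c list "$dest" | pick_encrypted_cipher); then
        zoneadm -z "$zone" migrate -c "$cipher" "$dest"
    else
        echo "no shared encrypting cipher with $dest; $zone not migrated" >&2
        return 1
    fi
}

# Listing as shown in Example 34: the hosts share only "none".
LIST_EX34='    source ciphers: aes-128-ccm aes-128-gcm none
    destination ciphers: none'
# Constructed listing: destination values borrowed from Example 33's output.
LIST_SHARED='source ciphers: aes-128-ccm aes-128-gcm none
destination ciphers: aes-128-gcm aes-128-ccm none'
```

Calling migrate_encrypted kzone1 root@global2 passes the selected cipher to -c explicitly. The cipher is picked in the order the source host lists them.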