Secure Migration
By default, migration memory transfer data is encrypted when transferring between source and target hosts using an encryption cipher that is supported on both hosts. You can use zoneadm migrate -c cipher to specify a particular encryption cipher or disable encryption. cipher can be one of the following values:
- encryption-cipher
  Specifies one of the ciphers that is supported on the source and target hosts.
- list
  Lists supported ciphers on the source and target hosts.
- none
  Disables encryption.
If you do not specify a cipher, a cipher is automatically chosen based upon its support on both the source and target hosts.
Example 5-8 Live Migration Between Two Trusted Hosts
The following example demonstrates a live migration of the kernel zone kzone1 from the source host global1 to the destination host global2.
global1$ zoneadm -z kzone1 migrate root@global2
Password:
zoneadm: zone 'kzone1': Using existing zone configuration on destination.
zoneadm: zone 'kzone1': Attaching zone.
zoneadm: zone 'kzone1': Booting zone in 'migrating-in' mode.
zoneadm: zone 'kzone1': Checking migration compatibility.
zoneadm: zone 'kzone1': Starting migration.
zoneadm: zone 'kzone1': Suspending zone on source host.
zoneadm: zone 'kzone1': Waiting for migration to complete.
zoneadm: zone 'kzone1': Migration successful.
zoneadm: zone 'kzone1': Halting and detaching zone on source host.
Example 5-9 Confirming Cipher Compatibility Between Live Migration Source and Destination Hosts
The following example demonstrates an attempt to perform a live migration of the kernel zone kzone1 from the source host global1 to the destination host global2. The specified cipher aes-128-cbc is not supported on the destination host.
global1$ zoneadm -z kzone1 migrate -c aes-128-cbc ssh://global2
zoneadm: zone 'kzone1': cipher aes-128-cbc not supported by destination
zoneadm: zone 'kzone1': destination supports: aes-128-ccm aes-128-gcm
Example 5-10 Listing Available Supported Ciphers on Live Migration Source and Destination Hosts
The following example lists the available supported ciphers during a live migration of the kernel zone kzone1. The zone is migrated from the source host global1 to the destination host global2.
global1$ zoneadm -z kzone1 migrate -c list root@global2
Password:
source ciphers: aes-128-ccm aes-128-gcm none
destination ciphers: aes-128-cbc
# echo $?
0
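Added example, not part of the original documentation: a pre-flight check that reads the -c list output in the format of Example 5-10 and picks an encrypted cipher that both hosts support, failing instead of falling back to none. The function name pick_cipher and the PREFERRED order are assumptions (local policy), and the script assumes the list output is written to standard output.

```shell
#!/bin/sh
# Added example: choose an encrypted migration cipher common to both hosts.
# Input (stdin): output of `zoneadm -z <zone> migrate -c list <target>`.
# PREFERRED is an assumed local policy order; zoneadm does not define it.
PREFERRED="aes-128-gcm aes-128-ccm aes-128-cbc"

# pick_cipher (hypothetical helper): prints the first preferred cipher that
# appears in both the source and the destination list.
# Returns 1 if the hosts share no encrypted cipher, 2 if the input
# does not contain both "source ciphers:" and "destination ciphers:" lines.
pick_cipher() {
    src=
    dst=
    while IFS= read -r line; do
        case $line in
            "source ciphers:"*)      src=${line#source ciphers:} ;;
            "destination ciphers:"*) dst=${line#destination ciphers:} ;;
        esac
    done
    [ -n "$src" ] && [ -n "$dst" ] || return 2
    for want in $PREFERRED; do
        # Skip ciphers the source does not offer.
        case " $src " in *" $want "*) ;; *) continue ;; esac
        # Accept only if the destination offers it too.
        case " $dst " in *" $want "*) printf '%s\n' "$want"; return 0 ;; esac
    done
    # "none" is never in PREFERRED, so an unencrypted transfer is never chosen.
    return 1
}

# Constructed sample in the format of Example 5-10 (not captured from a host).
SAMPLE='source ciphers: aes-128-ccm aes-128-gcm none
destination ciphers: aes-128-ccm aes-128-gcm'

if cipher=$(printf '%s\n' "$SAMPLE" | pick_cipher); then
    # On a real host the next step would be:
    #   zoneadm -z kzone1 migrate -c "$cipher" root@global2
    echo "common encrypted cipher: $cipher"
else
    echo "no common encrypted cipher; not migrating" >&2
fi
```

Fed the exact lists printed in Example 5-10, pick_cipher returns 1, because the source and destination lists there have no cipher in common.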
Tip:
To prevent loss of the encryption key that is required to boot a migrated kernel zone, use the zonecfg export command on the source system to generate a command file to be used on the target system. For example:
global$ pfbash zonecfg -z kzone1 export -f /net/example/path/kzone1.cfg
global$ zonecfg -z kzone1 -f /net/example/path/kzone1.cfg
For information about the encryption keys that enable the zone to boot, see Encryption Keys and Host Data.