Secure Migration

By default, the memory data transferred during a migration is encrypted between the source and target hosts using an encryption cipher that is supported on both hosts. Use zoneadm migrate -c cipher to specify a particular encryption cipher or to disable encryption. cipher can be one of the following values:

encryption-cipher

Specifies one of the ciphers that is supported on the source and target hosts.

list

Lists supported ciphers on the source and target hosts.

none

Disables encryption.

If you do not specify a cipher, a cipher is automatically chosen based upon its support on both the source and target hosts.

Example 5-8 Live Migration Between Two Trusted Hosts

The following example demonstrates a live migration of the kernel zone kzone1 from the source host global1 to the destination host global2.

global1$ zoneadm -z kzone1 migrate root@global2
Password: 
zoneadm: zone 'kzone1': Using existing zone configuration on destination.
zoneadm: zone 'kzone1': Attaching zone.
zoneadm: zone 'kzone1': Booting zone in 'migrating-in' mode.
zoneadm: zone 'kzone1': Checking migration compatibility.
zoneadm: zone 'kzone1': Starting migration.
zoneadm: zone 'kzone1': Suspending zone on source host.
zoneadm: zone 'kzone1': Waiting for migration to complete.
zoneadm: zone 'kzone1': Migration successful.
zoneadm: zone 'kzone1': Halting and detaching zone on source host.

Example 5-9 Confirming Cipher Compatibility Between Live Migration Source and Destination Hosts

The following example demonstrates an attempt to perform a live migration of the kernel zone kzone1 from the source host global1 to the destination host global2. The specified cipher aes-128-cbc is not supported on the destination host.

global1$ zoneadm -z kzone1 migrate -c aes-128-cbc ssh://global2
zoneadm: zone 'kzone1': cipher aes-128-cbc not supported by destination
zoneadm: zone 'kzone1': destination supports: aes-128-ccm aes-128-gcm

Example 5-10 Listing Available Supported Ciphers on Live Migration Source and Destination Hosts

The following example lists the available supported ciphers during a live migration of the kernel zone kzone1. The zone is migrated from the source host global1 to the destination host global2.

global1$ zoneadm -z kzone1 migrate -c list root@global2
Password:
source ciphers: aes-128-ccm aes-128-gcm none
destination ciphers: aes-128-cbc
# echo $?
0
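
The following added example (not part of the original documentation) parses a cipher listing in the format shown in Example 5-10 and reports the ciphers that both hosts offer, leaving out none, so that a wrapper script can stop before a migration would run unencrypted. The function names, the second sample listing, and the choice of the first shared cipher are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check over a "zoneadm ... migrate -c list" listing.

# common_ciphers: read the listing on stdin and print the ciphers offered by
# BOTH hosts (in destination order), leaving out "none".
common_ciphers() {
    awk '
        /^source ciphers:/      { for (i = 3; i <= NF; i++) src[$i] = 1 }
        /^destination ciphers:/ { for (i = 3; i <= NF; i++) dst[i] = $i; n = NF }
        END {
            out = ""
            for (i = 3; i <= n; i++)
                if (dst[i] != "none" && (dst[i] in src))
                    out = out (out == "" ? "" : " ") dst[i]
            print out
        }'
}

# pick_cipher: print the first shared encrypting cipher (an arbitrary policy
# chosen for this example). Returns 1 when there is none, so the caller can
# fail closed instead of falling back to -c none.
pick_cipher() {
    set -- $(common_ciphers)
    [ $# -gt 0 ] || return 1
    printf '%s\n' "$1"
}

# Listing exactly as shown in Example 5-10.
EX_5_10='source ciphers: aes-128-ccm aes-128-gcm none
destination ciphers: aes-128-cbc'

# Constructed listing (not from the documentation): two shared ciphers.
CONSTRUCTED='source ciphers: aes-128-ccm aes-128-gcm none
destination ciphers: aes-128-gcm aes-128-ccm none'

for listing in "$EX_5_10" "$CONSTRUCTED"; do
    if c=$(printf '%s\n' "$listing" | pick_cipher); then
        echo "shared cipher found, migrate with: -c $c"
    else
        echo "no shared encrypting cipher, stopping before migration" >&2
    fi
done
```

For the Example 5-10 listing the check finds no shared encrypting cipher, because the source and destination lists do not overlap.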

Tip:

To prevent loss of the encryption key that is required to boot a migrated kernel zone, use the zonecfg export command on the source system to generate a command file to be used on the target system. For example:
global$ pfbash zonecfg -z kzone1 export -f /net/example/path/kzone1.cfg
global$ zonecfg -z kzone1 -f /net/example/path/kzone1.cfg

For information about the encryption keys that enable the zone to boot, see Encryption Keys and Host Data.