I want to use LVM, dm-crypt and DRBD in a 2-machine setup for KVM.
I think, a proper setup could be something like this (dm-crypt below DRBD):
Machine 1 Machine 2
KVM -> -> -> -> -> -> KVM
| (live migration) .
| .
DRBD - - - - - - - - - DRBD
| |
LVM LVM
| |
dm-crypt dm-crypt
| |
Disk/Partition Disk/Partition
The KVM guest machines should run on machine 1. Live migration to machine 2 should be supported.
Using this setup, every write to DRBD would be (independently) crypted on both machines,
leading to additional (unnecessary?) cpu load on machine 2 before live migrating, and additional
cpu load on machine 1 after live migration.
Could these additional cpu loads be avoided using a setup like this (dm-crypt in top of DRBD):
Machine 1 Machine 2
KVM -> -> -> -> -> -> KVM
| (live migration) .
| .(b)
dm-crypt dm-crypt
| |(a)
DRBD - - - - - - - - - DRBD
| |
LVM LVM
| |
Disk/Partition Disk/Partition
In this setup, dm-crypt runs on both machines, too, but is not used on machine 2 until KVM
guests send write-requests after the live migration. So crypting is done only by one machine
at every time point.
Is such a setup safe and stable?
What about caching at points (a) or (b) on machine 2?
Can KVM read cached, outdated data from dm-crypt after live migration?
Is there a workaround?
Thank You
--
 |
Dipl.-Phys. Berengar Lehr IT-Abteilung Friedrich-Schiller-Universität Jena Projekt kompetenztest.de |
Kontakt: address@hidden Fon: 03641 / 945284 Fax: 03641 / 945286 |
Besucheranschrift: August-Bebel-Straße 4 07743 Jena |
Postanschrift: Am Steiger 3, Haus 1 07743 Jena |