)]}'
{"doc/source/admin/index.rst":[{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1e43e5125ccadb20aa2631e8cc71b6c349e772f4","unresolved":false,"context_lines":[{"line_number":18,"context_line":"   adv-config.rst"},{"line_number":19,"context_line":"   arch.rst"},{"line_number":20,"context_line":"   availability-zones.rst"},{"line_number":21,"context_line":"   configuring-migrations.rst"},{"line_number":22,"context_line":"   cpu-topologies.rst"},{"line_number":23,"context_line":"   default-ports.rst"},{"line_number":24,"context_line":"   evacuate.rst"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_0846e624","line":21,"updated":"2019-01-14 15:43:26.000000000","message":"Similar to below, it would be useful to at least refer to the new doc from the kvm section of this doc about live migration - it can be frustrating to have to hunt all over the docs for related stuff when it could simply be linked from the main topics.","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"71103f6a3810af4e07aa9135c624a11c38b75297","unresolved":false,"context_lines":[{"line_number":18,"context_line":"   adv-config.rst"},{"line_number":19,"context_line":"   arch.rst"},{"line_number":20,"context_line":"   availability-zones.rst"},{"line_number":21,"context_line":"   configuring-migrations.rst"},{"line_number":22,"context_line":"   cpu-topologies.rst"},{"line_number":23,"context_line":"   default-ports.rst"},{"line_number":24,"context_line":"   evacuate.rst"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_68b8c075","line":21,"in_reply_to":"bfdaf3ff_0846e624","updated":"2019-01-15 11:04:55.000000000","message":"Yeah, I completely see what you mean.  
And we should minimize that frustration of doc hunting as much as possible.\n\nWould you be okay if we do all the linking from relevant docs as a follow-up?","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"1e43e5125ccadb20aa2631e8cc71b6c349e772f4","unresolved":false,"context_lines":[{"line_number":40,"context_line":"   remote-console-access.rst"},{"line_number":41,"context_line":"   root-wrap-reference.rst"},{"line_number":42,"context_line":"   security-groups.rst"},{"line_number":43,"context_line":"   security.rst"},{"line_number":44,"context_line":"   service-groups.rst"},{"line_number":45,"context_line":"   services.rst"},{"line_number":46,"context_line":"   ssh-configuration.rst"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_48ee2e23","line":43,"updated":"2019-01-14 15:43:26.000000000","message":"Wouldn\u0027t you want to link to that new doc from this somewhere? 
If I\u0027m looking at security stuff, I likely want at least a reference to a doc about security that lives elsewhere.","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"71103f6a3810af4e07aa9135c624a11c38b75297","unresolved":false,"context_lines":[{"line_number":40,"context_line":"   remote-console-access.rst"},{"line_number":41,"context_line":"   root-wrap-reference.rst"},{"line_number":42,"context_line":"   security-groups.rst"},{"line_number":43,"context_line":"   security.rst"},{"line_number":44,"context_line":"   service-groups.rst"},{"line_number":45,"context_line":"   services.rst"},{"line_number":46,"context_line":"   ssh-configuration.rst"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_887084de","line":43,"in_reply_to":"bfdaf3ff_48ee2e23","updated":"2019-01-15 11:04:55.000000000","message":"Yeah, while writing my doc, I had nagging at the back of my head: \"Don\u0027t you want to link all the relevant material in one place to minimize cognitive overhead?\"\n\nAgain, this too, I\u0027ll do in a follow-up.","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"}],"doc/source/admin/secure-live-migration-with-qemu-native-tls.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"dfd5e7cf_76d3b339","updated":"2019-01-10 11:14:07.000000000","message":"You need to add this to the index in doc/source/admin/index.rst to keep Sphinx happy, otherwise it\u0027s not discoverable","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"The encryption offerred by Nova\u0027s ``[libvirt]/live_migration_tunnelled``"},{"line_number":9,"context_line":"does not secure all the different migration streams of a Nova instance,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_f6e6c316","line":6,"range":{"start_line":6,"start_character":0,"end_line":6,"end_character":7},"updated":"2019-01-10 11:14:07.000000000","message":"I was going to ask that we use \u0027---\u0027 here, as we do elsewhere, but it seems almost the entire admin guide uses \u0027~~~\u0027. 
We need to fix that.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"The encryption offerred by Nova\u0027s ``[libvirt]/live_migration_tunnelled``"},{"line_number":9,"context_line":"does not secure all the different migration streams of a Nova instance,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_54178752","line":6,"range":{"start_line":6,"start_character":0,"end_line":6,"end_character":7},"in_reply_to":"dfd5e7cf_f6e6c316","updated":"2019-01-10 14:52:07.000000000","message":"Yeah, I checked that before doing that; I went with the existing pattern.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"The encryption offerred by Nova\u0027s ``[libvirt]/live_migration_tunnelled``"},{"line_number":9,"context_line":"does not secure all the different migration streams of a Nova instance,"},{"line_number":10,"context_line":"namely: guest RAM, device state, and disks (via NBD) 
when using"},{"line_number":11,"context_line":"non-shared storage.  Further, the \"tunnelling via libvirtd\" has inherent"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_96bf37cf","line":8,"range":{"start_line":8,"start_character":34,"end_line":8,"end_character":72},"updated":"2019-01-10 11:14:07.000000000","message":"Use\n\n  :oslo.config:option:`libvirt.live_migration_tunnelled`\n\nso we get cross-referencing","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"The encryption offerred by Nova\u0027s ``[libvirt]/live_migration_tunnelled``"},{"line_number":9,"context_line":"does not secure all the different migration streams of a Nova instance,"},{"line_number":10,"context_line":"namely: guest RAM, device state, and disks (via NBD) when using"},{"line_number":11,"context_line":"non-shared storage.  
Further, the \"tunnelling via libvirtd\" has inherent"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_b6f03bcb","line":8,"range":{"start_line":8,"start_character":27,"end_line":8,"end_character":31},"updated":"2019-01-10 11:14:07.000000000","message":"nova, here and elsewhere","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5c67739c9e1391dc4a49643f7d58f2b8c34fafe9","unresolved":false,"context_lines":[{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"The encryption offerred by Nova\u0027s ``[libvirt]/live_migration_tunnelled``"},{"line_number":9,"context_line":"does not secure all the different migration streams of a Nova instance,"},{"line_number":10,"context_line":"namely: guest RAM, device state, and disks (via NBD) when using"},{"line_number":11,"context_line":"non-shared storage.  
Further, the \"tunnelling via libvirtd\" has inherent"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_0181cd8f","line":8,"range":{"start_line":8,"start_character":15,"end_line":8,"end_character":23},"updated":"2019-01-09 18:56:16.000000000","message":"offered","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"The encryption offerred by Nova\u0027s ``[libvirt]/live_migration_tunnelled``"},{"line_number":9,"context_line":"does not secure all the different migration streams of a Nova instance,"},{"line_number":10,"context_line":"namely: guest RAM, device state, and disks (via NBD) when using"},{"line_number":11,"context_line":"non-shared storage.  
Further, the \"tunnelling via libvirtd\" has inherent"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_ef73427f","line":8,"range":{"start_line":8,"start_character":34,"end_line":8,"end_character":72},"in_reply_to":"dfd5e7cf_96bf37cf","updated":"2019-01-10 14:52:07.000000000","message":"TIL; done.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"The encryption offerred by Nova\u0027s ``[libvirt]/live_migration_tunnelled``"},{"line_number":9,"context_line":"does not secure all the different migration streams of a Nova instance,"},{"line_number":10,"context_line":"namely: guest RAM, device state, and disks (via NBD) when using"},{"line_number":11,"context_line":"non-shared storage.  Further, the \"tunnelling via libvirtd\" has inherent"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_eff822c5","line":8,"range":{"start_line":8,"start_character":27,"end_line":8,"end_character":31},"in_reply_to":"dfd5e7cf_b6f03bcb","updated":"2019-01-10 14:52:07.000000000","message":"Done.  Finally, I know the \"rationale\" for the lower case[*]:\n\n[quote]\nThe history of this decision is that the documentation contributors wanted the least amount of cognitive overhead when writing and reviewing. Learning rules about case can be difficult across multiple projects with hundreds of documentation contributors and thousands of changes and additions. 
Lowercase for project names as a rule is then easiest to review and enforce at this scale and growth pattern.\n[/quote]\n\n[*] https://governance.openstack.org/tc/reference/service-project-naming.html","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5c67739c9e1391dc4a49643f7d58f2b8c34fafe9","unresolved":false,"context_lines":[{"line_number":15,"context_line":"bandwidth due to increased number of data copies on both source and"},{"line_number":16,"context_line":"destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt has recently gained"},{"line_number":19,"context_line":"(refer below for version details) support for \"native TLS\"—i.e. TLS"},{"line_number":20,"context_line":"built into QEMU).  This will secure all data transports, including disks"},{"line_number":21,"context_line":"that are not on shared storage—all of this without incurring the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_c131850d","line":18,"range":{"start_line":18,"start_character":56,"end_line":18,"end_character":64},"updated":"2019-01-09 18:56:16.000000000","message":"It\u0027s probably better to mention a version or date right here, as three years from now this will still say \"recently\u0027.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5c67739c9e1391dc4a49643f7d58f2b8c34fafe9","unresolved":false,"context_lines":[{"line_number":15,"context_line":"bandwidth due to increased number of data copies on both source and"},{"line_number":16,"context_line":"destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt has recently 
gained"},{"line_number":19,"context_line":"(refer below for version details) support for \"native TLS\"—i.e. TLS"},{"line_number":20,"context_line":"built into QEMU).  This will secure all data transports, including disks"},{"line_number":21,"context_line":"that are not on shared storage—all of this without incurring the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_015a2d4e","line":18,"range":{"start_line":18,"start_character":52,"end_line":18,"end_character":55},"updated":"2019-01-09 18:56:16.000000000","message":"have","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bb799ba7dcabc4486a7b7e3eefc993a24d1130b2","unresolved":false,"context_lines":[{"line_number":15,"context_line":"bandwidth due to increased number of data copies on both source and"},{"line_number":16,"context_line":"destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt has recently gained"},{"line_number":19,"context_line":"(refer below for version details) support for \"native TLS\"—i.e. TLS"},{"line_number":20,"context_line":"built into QEMU).  This will secure all data transports, including disks"},{"line_number":21,"context_line":"that are not on shared storage—all of this without incurring the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_cc5f713f","line":18,"range":{"start_line":18,"start_character":56,"end_line":18,"end_character":64},"in_reply_to":"dfd5e7cf_c131850d","updated":"2019-01-10 09:33:24.000000000","message":"Hehe, I had the precise thought about the word \"recently\", even first added version details in brackets for each component.  
But then I changed my mind and added \"refer below for version details\", pointing to the \"Prerequisites\" section, to not duplicate the same information.\n\nSo I\u0027ll remove the word \"recently\" and rephrase it as:\n\n    \"... QEMU and libvirt have gained (refer below \n    for version details) support for ...\"\n\nHope that\u0027s fine by you.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":16,"context_line":"destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt has recently gained"},{"line_number":19,"context_line":"(refer below for version details) support for \"native TLS\"—i.e. TLS"},{"line_number":20,"context_line":"built into QEMU).  
This will secure all data transports, including disks"},{"line_number":21,"context_line":"that are not on shared storage—all of this without incurring the"},{"line_number":22,"context_line":"limitations of the \"tunnelled via libvirtd\" transport."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_f6948346","line":19,"range":{"start_line":19,"start_character":7,"end_line":19,"end_character":12},"updated":"2019-01-10 11:14:07.000000000","message":"Guess you could link here?\n\n  `below \u003cPrerequisites\u003e`__","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":16,"context_line":"destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt has recently gained"},{"line_number":19,"context_line":"(refer below for version details) support for \"native TLS\"—i.e. TLS"},{"line_number":20,"context_line":"built into QEMU).  This will secure all data transports, including disks"},{"line_number":21,"context_line":"that are not on shared storage—all of this without incurring the"},{"line_number":22,"context_line":"limitations of the \"tunnelled via libvirtd\" transport."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_b6c91b79","line":19,"range":{"start_line":19,"start_character":58,"end_line":19,"end_character":63},"updated":"2019-01-10 11:14:07.000000000","message":"TLS\", i.e. 
TLS\n\n(I think - I haven\u0027t seen a hyphen used like this before)","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":16,"context_line":"destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt has recently gained"},{"line_number":19,"context_line":"(refer below for version details) support for \"native TLS\"—i.e. TLS"},{"line_number":20,"context_line":"built into QEMU).  This will secure all data transports, including disks"},{"line_number":21,"context_line":"that are not on shared storage—all of this without incurring the"},{"line_number":22,"context_line":"limitations of the \"tunnelled via libvirtd\" transport."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_8fbf16cf","line":19,"range":{"start_line":19,"start_character":58,"end_line":19,"end_character":63},"in_reply_to":"dfd5e7cf_b6c91b79","updated":"2019-01-10 14:52:07.000000000","message":"Fixed in the next iteration.  (Since we\u0027re English geeks: as we know, comma and em-dash, both provide the \"mental pause\" that is required there; but in this case, the longer pause provided by the em-dash is not strictly required.  I admit that I tend to sometimes overuse the em-dash; training myself to be more mindful :-))","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5c67739c9e1391dc4a49643f7d58f2b8c34fafe9","unresolved":false,"context_lines":[{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt has recently gained"},{"line_number":19,"context_line":"(refer below for version details) support for \"native TLS\"—i.e. 
TLS"},{"line_number":20,"context_line":"built into QEMU).  This will secure all data transports, including disks"},{"line_number":21,"context_line":"that are not on shared storage—all of this without incurring the"},{"line_number":22,"context_line":"limitations of the \"tunnelled via libvirtd\" transport."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"To take advantage of the \"native TLS\" support in QEMU and libvirt, Nova"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_012f8da1","line":21,"range":{"start_line":21,"start_character":30,"end_line":21,"end_character":42},"updated":"2019-01-09 18:56:16.000000000","message":"this is awkward to my eyes, and would be better replaced with just a comma.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bb799ba7dcabc4486a7b7e3eefc993a24d1130b2","unresolved":false,"context_lines":[{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt has recently gained"},{"line_number":19,"context_line":"(refer below for version details) support for \"native TLS\"—i.e. TLS"},{"line_number":20,"context_line":"built into QEMU).  
This will secure all data transports, including disks"},{"line_number":21,"context_line":"that are not on shared storage—all of this without incurring the"},{"line_number":22,"context_line":"limitations of the \"tunnelled via libvirtd\" transport."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"To take advantage of the \"native TLS\" support in QEMU and libvirt, Nova"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_ac022d0a","line":21,"range":{"start_line":21,"start_character":30,"end_line":21,"end_character":42},"in_reply_to":"dfd5e7cf_012f8da1","updated":"2019-01-10 09:33:24.000000000","message":"Will do, it\u0027s briefer; \"rewriting is the essence of writing\" :D","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"To take advantage of the \"native TLS\" support in QEMU and libvirt, Nova"},{"line_number":25,"context_line":"has introduced new configuration attribute"},{"line_number":26,"context_line":"``[libvirt]/live_migration_with_native_tls``."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":".. 
_`Prerequisites`:"},{"line_number":29,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_96a417bb","line":26,"range":{"start_line":26,"start_character":0,"end_line":26,"end_character":45},"updated":"2019-01-10 11:14:07.000000000","message":"Use the :oslo.config:option: roles here too, and anywhere else in the doc","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"To take advantage of the \"native TLS\" support in QEMU and libvirt, Nova"},{"line_number":25,"context_line":"has introduced new configuration attribute"},{"line_number":26,"context_line":"``[libvirt]/live_migration_with_native_tls``."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":".. _`Prerequisites`:"},{"line_number":29,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_4f860ede","line":26,"range":{"start_line":26,"start_character":0,"end_line":26,"end_character":45},"in_reply_to":"dfd5e7cf_96a417bb","updated":"2019-01-10 14:52:07.000000000","message":"Fixed in v3.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Prerequisites"},{"line_number":31,"context_line":"~~~~~~~~~~~~~"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"(1) Version requirement: This feature needs at least: libvirt 4.4.0 and"},{"line_number":34,"context_line":"    QEMU 2.11."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"(2) A 
pre-configured TLS environment—i.e. CA, server, and client"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_3699ab6d","line":33,"range":{"start_line":33,"start_character":0,"end_line":33,"end_character":3},"updated":"2019-01-10 11:14:07.000000000","message":"Does this actually render (I haven\u0027t checked). I usually see these done as:\n\n  1. Version requirement...\n\nor:\n\n  #. Version requirement...","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Prerequisites"},{"line_number":31,"context_line":"~~~~~~~~~~~~~"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"(1) Version requirement: This feature needs at least: libvirt 4.4.0 and"},{"line_number":34,"context_line":"    QEMU 2.11."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"(2) A pre-configured TLS environment—i.e. 
CA, server, and client"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_0f68061f","line":33,"range":{"start_line":33,"start_character":0,"end_line":33,"end_character":3},"in_reply_to":"dfd5e7cf_3699ab6d","updated":"2019-01-10 14:52:07.000000000","message":"It does render with (1)-style numbering :-)\n\nhttp://logs.openstack.org/27/629627/2/check/openstack-tox-docs/dc52e37/html/admin/secure-live-migration-with-qemu-native-tls.html","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":33,"context_line":"(1) Version requirement: This feature needs at least: libvirt 4.4.0 and"},{"line_number":34,"context_line":"    QEMU 2.11."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"(2) A pre-configured TLS environment—i.e. CA, server, and client"},{"line_number":37,"context_line":"    certificates, their file permissions, et al—must be \"correctly\""},{"line_number":38,"context_line":"    configured (typically by an installer tool) on all relevant Compute"},{"line_number":39,"context_line":"    nodes.  
To simplify your PKI (Public Key Infrastructure) setup, use"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_1690274e","line":36,"range":{"start_line":36,"start_character":36,"end_line":36,"end_character":37},"updated":"2019-01-10 11:14:07.000000000","message":"commas here too and elsewhere","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":33,"context_line":"(1) Version requirement: This feature needs at least: libvirt 4.4.0 and"},{"line_number":34,"context_line":"    QEMU 2.11."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"(2) A pre-configured TLS environment—i.e. CA, server, and client"},{"line_number":37,"context_line":"    certificates, their file permissions, et al—must be \"correctly\""},{"line_number":38,"context_line":"    configured (typically by an installer tool) on all relevant Compute"},{"line_number":39,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_2f3b8aeb","line":36,"range":{"start_line":36,"start_character":36,"end_line":36,"end_character":37},"in_reply_to":"dfd5e7cf_1690274e","updated":"2019-01-10 14:52:07.000000000","message":"I hope we sorted out the \"em-dash\" vs commas discussion on IRC.  
Here the em-dash is used in place of two brackets (or two commas), IMHO, it is okay in this case :-)\n\nRendered doc:\nhttp://logs.openstack.org/27/629627/2/check/openstack-tox-docs/dc52e37/html/admin/secure-live-migration-with-qemu-native-tls.html","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":34,"context_line":"    QEMU 2.11."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"(2) A pre-configured TLS environment—i.e. CA, server, and client"},{"line_number":37,"context_line":"    certificates, their file permissions, et al—must be \"correctly\""},{"line_number":38,"context_line":"    configured (typically by an installer tool) on all relevant Compute"},{"line_number":39,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":40,"context_line":"    deployment tools that takes care of handling all the certificate"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_b69efb60","line":37,"range":{"start_line":37,"start_character":47,"end_line":37,"end_character":48},"updated":"2019-01-10 11:14:07.000000000","message":"s/-/ /","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5c67739c9e1391dc4a49643f7d58f2b8c34fafe9","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"(2) A pre-configured TLS environment—i.e. 
CA, server, and client"},{"line_number":37,"context_line":"    certificates, their file permissions, et al—must be \"correctly\""},{"line_number":38,"context_line":"    configured (typically by an installer tool) on all relevant Compute"},{"line_number":39,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":40,"context_line":"    deployment tools that takes care of handling all the certificate"},{"line_number":41,"context_line":"    lifecycle management.  E.g. refer to the: \"`TLS everywhere"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_c11ae57b","line":38,"range":{"start_line":38,"start_character":64,"end_line":38,"end_character":71},"updated":"2019-01-09 18:56:16.000000000","message":"de-capitalize this here and elsewhere.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bb799ba7dcabc4486a7b7e3eefc993a24d1130b2","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"(2) A pre-configured TLS environment—i.e. CA, server, and client"},{"line_number":37,"context_line":"    certificates, their file permissions, et al—must be \"correctly\""},{"line_number":38,"context_line":"    configured (typically by an installer tool) on all relevant Compute"},{"line_number":39,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":40,"context_line":"    deployment tools that takes care of handling all the certificate"},{"line_number":41,"context_line":"    lifecycle management.  E.g. refer to the: \"`TLS everywhere"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_4009052a","line":38,"range":{"start_line":38,"start_character":64,"end_line":38,"end_character":71},"in_reply_to":"dfd5e7cf_c11ae57b","updated":"2019-01-10 09:33:24.000000000","message":"Can do. 
 (My fingers feel an itch to capitalize such words to imply their specialness—e.g. distinguish \"to compute\" from \"a Compute node\".)","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bb799ba7dcabc4486a7b7e3eefc993a24d1130b2","unresolved":false,"context_lines":[{"line_number":37,"context_line":"    certificates, their file permissions, et al—must be \"correctly\""},{"line_number":38,"context_line":"    configured (typically by an installer tool) on all relevant Compute"},{"line_number":39,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":40,"context_line":"    deployment tools that takes care of handling all the certificate"},{"line_number":41,"context_line":"    lifecycle management.  E.g. refer to the: \"`TLS everywhere"},{"line_number":42,"context_line":"    \u003chttps://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/tls_everywhere.html\u003e`__\""},{"line_number":43,"context_line":"    guide from the TripleO project."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_c035f5db","line":40,"range":{"start_line":40,"start_character":26,"end_line":40,"end_character":31},"updated":"2019-01-10 09:33:24.000000000","message":"Spotted one more: s/takes/take/","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":38,"context_line":"    configured (typically by an installer tool) on all relevant Compute"},{"line_number":39,"context_line":"    nodes.  
To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":40,"context_line":"    deployment tools that takes care of handling all the certificate"},{"line_number":41,"context_line":"    lifecycle management.  E.g. refer to the: \"`TLS everywhere"},{"line_number":42,"context_line":"    \u003chttps://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/tls_everywhere.html\u003e`__\""},{"line_number":43,"context_line":"    guide from the TripleO project."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_768ad31b","line":41,"range":{"start_line":41,"start_character":26,"end_line":41,"end_character":31},"updated":"2019-01-10 11:14:07.000000000","message":"For example,","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":38,"context_line":"    configured (typically by an installer tool) on all relevant Compute"},{"line_number":39,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":40,"context_line":"    deployment tools that takes care of handling all the certificate"},{"line_number":41,"context_line":"    lifecycle management.  E.g. 
refer to the: \"`TLS everywhere"},{"line_number":42,"context_line":"    \u003chttps://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/tls_everywhere.html\u003e`__\""},{"line_number":43,"context_line":"    guide from the TripleO project."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_6f1af27d","line":41,"range":{"start_line":41,"start_character":26,"end_line":41,"end_character":31},"in_reply_to":"dfd5e7cf_768ad31b","updated":"2019-01-10 14:52:07.000000000","message":"Will do; clearer to a global audience.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":57,"context_line":"Validating your TLS environment on Compute nodes"},{"line_number":58,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Assuming you have two Compute hosts — ComputeNode1, and ComputeNode2 —"},{"line_number":61,"context_line":"run the `virt-pki-validate` tool (comes with the \u0027libvirt-client\u0027"},{"line_number":62,"context_line":"package on your Linux distribution) on both the nodes to ensure all the"},{"line_number":63,"context_line":"necessary PKI files are configured are configured::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_f6a2439a","line":60,"range":{"start_line":60,"start_character":38,"end_line":60,"end_character":50},"updated":"2019-01-10 11:14:07.000000000","message":"Should be ``literals``, IMO","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":58,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Assuming you have two Compute hosts — ComputeNode1, and ComputeNode2 —"},{"line_number":61,"context_line":"run the `virt-pki-validate` tool (comes with the \u0027libvirt-client\u0027"},{"line_number":62,"context_line":"package on your Linux distribution) on both the nodes to ensure all the"},{"line_number":63,"context_line":"necessary PKI files are configured are configured::"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_76b893c7","line":61,"range":{"start_line":61,"start_character":49,"end_line":61,"end_character":65},"updated":"2019-01-10 11:14:07.000000000","message":"``libvirt-client``","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":58,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Assuming you have two Compute hosts — ComputeNode1, and ComputeNode2 —"},{"line_number":61,"context_line":"run the `virt-pki-validate` tool (comes with the \u0027libvirt-client\u0027"},{"line_number":62,"context_line":"package on your Linux distribution) on both the nodes to ensure all the"},{"line_number":63,"context_line":"necessary PKI files are configured are 
configured::"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_d6a7ffa6","line":61,"range":{"start_line":61,"start_character":8,"end_line":61,"end_character":27},"updated":"2019-01-10 11:14:07.000000000","message":"two backticks, or use the :command: role if this is a command:\n\n  :command:`virt-pki-validate`","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":58,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Assuming you have two Compute hosts — ComputeNode1, and ComputeNode2 —"},{"line_number":61,"context_line":"run the `virt-pki-validate` tool (comes with the \u0027libvirt-client\u0027"},{"line_number":62,"context_line":"package on your Linux distribution) on both the nodes to ensure all the"},{"line_number":63,"context_line":"necessary PKI files are configured are configured::"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_4f17ee52","line":61,"range":{"start_line":61,"start_character":8,"end_line":61,"end_character":27},"in_reply_to":"dfd5e7cf_d6a7ffa6","updated":"2019-01-10 14:52:07.000000000","message":"Fixed in v3.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":86,"context_line":"Other TLS environemnt related checks on Compute 
nodes"},{"line_number":87,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"(1) On *both*, ComputeNode1, and ComputeNode2, update \u0027x509\u0027 config"},{"line_number":90,"context_line":"    options in ``/etc/libvirt/qemu.conf/``::"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"        default_tls_x509_cert_dir \u003d \"/etc/pki/qemu\""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_56b54fcc","line":89,"range":{"start_line":89,"start_character":13,"end_line":89,"end_character":14},"updated":"2019-01-10 11:14:07.000000000","message":"nit: drop","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":92,"context_line":"        default_tls_x509_cert_dir \u003d \"/etc/pki/qemu\""},{"line_number":93,"context_line":"        default_tls_x509_verify \u003d 1"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"      And modify /etc/sysconfig/libvirtd on both (ComputeNode1 \u0026"},{"line_number":96,"context_line":"      ComputeNode2)::"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"        LIBVIRTD_ARGS\u003d\"--listen\""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_b6c59b3e","line":95,"range":{"start_line":95,"start_character":4,"end_line":95,"end_character":6},"updated":"2019-01-10 11:14:07.000000000","message":"This indent shouldn\u0027t be here, I suspect. 
This is probably rendering as part of the literal","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":92,"context_line":"        default_tls_x509_cert_dir \u003d \"/etc/pki/qemu\""},{"line_number":93,"context_line":"        default_tls_x509_verify \u003d 1"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"      And modify /etc/sysconfig/libvirtd on both (ComputeNode1 \u0026"},{"line_number":96,"context_line":"      ComputeNode2)::"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"        LIBVIRTD_ARGS\u003d\"--listen\""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_eaaed0e5","line":95,"range":{"start_line":95,"start_character":4,"end_line":95,"end_character":6},"in_reply_to":"dfd5e7cf_b6c59b3e","updated":"2019-01-10 14:52:07.000000000","message":"Yeah, good catch; fixed in v3.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5c67739c9e1391dc4a49643f7d58f2b8c34fafe9","unresolved":false,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"        $ systemctl restart libvirtd"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"(2) **IMPORTANT**: Ensure that the  permissions of certificate files"},{"line_number":105,"context_line":"    and keys in ``/etc/pki/qemu/*`` directory on both source *and*"},{"line_number":106,"context_line":"    destination Compute nodes to be the 
following::"},{"line_number":107,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_5c0edc32","line":104,"range":{"start_line":104,"start_character":19,"end_line":104,"end_character":47},"updated":"2019-01-09 18:56:16.000000000","message":"This is probably specific to RHEL, right? Maybe we should just describe what the permissions should be (i.e. whatever user libvirt runs qemu as, right?)?","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bb799ba7dcabc4486a7b7e3eefc993a24d1130b2","unresolved":false,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"        $ systemctl restart libvirtd"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"(2) **IMPORTANT**: Ensure that the  permissions of certificate files"},{"line_number":105,"context_line":"    and keys in ``/etc/pki/qemu/*`` directory on both source *and*"},{"line_number":106,"context_line":"    destination Compute nodes to be the following::"},{"line_number":107,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_00dd3d6f","line":104,"range":{"start_line":104,"start_character":19,"end_line":104,"end_character":47},"in_reply_to":"dfd5e7cf_5c0edc32","updated":"2019-01-10 09:33:24.000000000","message":"Not particularly RHEL/Fedora/CentOS—any distribution that supports UNIX file permissions :-).  
(And just to get it out of the way, in this bullet point, I\u0027m not including SELinux context as part of \"file permissions\")\n\nAs you say, we _can_ describe what the owner/group/other file permissions would be, and the user libvirt runs QEMU as (\u0027qemu\u0027), but I think it\u0027s far more convenient for an operator to just see the permissions from a working example.\n\nI\u0027ll describe in words, and probably sanitize the below output to show only relevant parts.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":17216,"name":"Martin Schuppert","email":"mschuppert@redhat.com","username":"mcschupp"},"change_message_id":"f0794ccaa407d171074a79cccff4fb3fbc0d4f23","unresolved":false,"context_lines":[{"line_number":123,"context_line":"        4 -r--r--r--.  1 qemu qemu unconfined_u:object_r:cert_t:s0 1558 Dec 10 11:10 server-cert.pem"},{"line_number":124,"context_line":"        8 -rw-------.  1 qemu qemu unconfined_u:object_r:cert_t:s0 8170 Dec 10 11:10 server-key.pem"},{"line_number":125,"context_line":"        4 -r-----r--.  1 qemu qemu unconfined_u:object_r:cert_t:s0 1619 Dec 10 11:10 client-cert.pem"},{"line_number":126,"context_line":"        8 -rw-r--r--.  1 qemu qemu unconfined_u:object_r:cert_t:s0 8180 Dec 10 11:10 client-key.pem"},{"line_number":127,"context_line":"        0 drwxr-xr-x.  2 root root unconfined_u:object_r:cert_t:s0  115 Dec 10 11:10 ."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_43702fa6","line":126,"range":{"start_line":126,"start_character":10,"end_line":126,"end_character":20},"updated":"2019-01-10 10:15:55.000000000","message":"private keys should not be world readable. 
In general, we could say that certs, as the public part, should have permissions of 0644 with owner/group root:root, and private keys 0640 with owner/group root:qemu.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bdd57dbe6e937979a4a979b8d22d13e5860cdc43","unresolved":false,"context_lines":[{"line_number":123,"context_line":"        4 -r--r--r--.  1 qemu qemu unconfined_u:object_r:cert_t:s0 1558 Dec 10 11:10 server-cert.pem"},{"line_number":124,"context_line":"        8 -rw-------.  1 qemu qemu unconfined_u:object_r:cert_t:s0 8170 Dec 10 11:10 server-key.pem"},{"line_number":125,"context_line":"        4 -r-----r--.  1 qemu qemu unconfined_u:object_r:cert_t:s0 1619 Dec 10 11:10 client-cert.pem"},{"line_number":126,"context_line":"        8 -rw-r--r--.  1 qemu qemu unconfined_u:object_r:cert_t:s0 8180 Dec 10 11:10 client-key.pem"},{"line_number":127,"context_line":"        0 drwxr-xr-x.  2 root root unconfined_u:object_r:cert_t:s0  115 Dec 10 11:10 ."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_635f7372","line":126,"range":{"start_line":126,"start_character":10,"end_line":126,"end_character":20},"in_reply_to":"dfd5e7cf_43702fa6","updated":"2019-01-10 10:39:33.000000000","message":"Good catch; thought I fixed all occurrences of it.  And on the permissions part, that\u0027s correct, too. So \n \n  - for all the keys:  0640 (with root:qemu)\n  - for all the certs: 0644 (with root:root)","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"c7017dfeaa7692f5d664955321769ef91f1774e4","unresolved":false,"context_lines":[{"line_number":123,"context_line":"        4 -r--r--r--.  
1 qemu qemu unconfined_u:object_r:cert_t:s0 1558 Dec 10 11:10 server-cert.pem"},{"line_number":124,"context_line":"        8 -rw-------.  1 qemu qemu unconfined_u:object_r:cert_t:s0 8170 Dec 10 11:10 server-key.pem"},{"line_number":125,"context_line":"        4 -r-----r--.  1 qemu qemu unconfined_u:object_r:cert_t:s0 1619 Dec 10 11:10 client-cert.pem"},{"line_number":126,"context_line":"        8 -rw-r--r--.  1 qemu qemu unconfined_u:object_r:cert_t:s0 8180 Dec 10 11:10 client-key.pem"},{"line_number":127,"context_line":"        0 drwxr-xr-x.  2 root root unconfined_u:object_r:cert_t:s0  115 Dec 10 11:10 ."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_b6b83b2a","line":126,"range":{"start_line":126,"start_character":10,"end_line":126,"end_character":20},"in_reply_to":"dfd5e7cf_635f7372","updated":"2019-01-10 10:44:06.000000000","message":"So, after a chat with DanPB, he suggested something even simpler:  because QEMU needs access to both certs _and_ keys, just go with:\n\n   0640 (root:qemu) \n\nfor all the keys _and_ certs.\n\n(Now I recall from my test, that\u0027s the reason I had to allow the \u0027qemu\u0027 user access to both keys and certs :-))","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":130,"context_line":"Test"},{"line_number":131,"context_line":"~~~~"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"(1) On all relevant Compute nodes, ensure to enable the"},{"line_number":134,"context_line":"    ``live_migration_with_native_tls`` configuration attribute (and"},{"line_number":135,"context_line":"    restart the libvirt 
daemon)::"},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_96e097ce","line":133,"range":{"start_line":133,"start_character":35,"end_line":133,"end_character":44},"updated":"2019-01-10 11:14:07.000000000","message":"this reads weird. Maybe \"ensure you enable the\" or just \"enable the\"","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":130,"context_line":"Test"},{"line_number":131,"context_line":"~~~~"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"(1) On all relevant Compute nodes, ensure to enable the"},{"line_number":134,"context_line":"    ``live_migration_with_native_tls`` configuration attribute (and"},{"line_number":135,"context_line":"    restart the libvirt daemon)::"},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_4a811c4a","line":133,"range":{"start_line":133,"start_character":35,"end_line":133,"end_character":44},"in_reply_to":"dfd5e7cf_96e097ce","updated":"2019-01-10 14:52:07.000000000","message":"Yep, you\u0027re right; I\u0027ll use the latter.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":131,"context_line":"~~~~"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"(1) On all relevant Compute nodes, ensure to enable the"},{"line_number":134,"context_line":"    ``live_migration_with_native_tls`` configuration attribute (and"},{"line_number":135,"context_line":"    restart the libvirt 
daemon)::"},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"       [libvirt]"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_36e76be7","line":134,"range":{"start_line":134,"start_character":4,"end_line":134,"end_character":38},"updated":"2019-01-10 11:14:07.000000000","message":"oslo.config role","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":142,"context_line":"      ``live_migration_with_native_tls`` at the same time is invalid"},{"line_number":143,"context_line":"      (and disallowed)."},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"(2) Migrate guests with and without  shared storage from ComputeNode1 to"},{"line_number":146,"context_line":"    ComputeNode2 *with* TLS.  Refer to the :doc:`live-migration-usage`"},{"line_number":147,"context_line":"    document on details on live migration."},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_f6d003fa","line":145,"range":{"start_line":145,"start_character":57,"end_line":145,"end_character":69},"updated":"2019-01-10 11:14:07.000000000","message":"literals","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":147,"context_line":"    document on details on live migration."},{"line_number":148,"context_line":""},{"line_number":149,"context_line":""},{"line_number":150,"context_line":".. 
_`Additional information`:"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Additional information"},{"line_number":153,"context_line":"----------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_b6da7b14","line":150,"range":{"start_line":150,"start_character":0,"end_line":150,"end_character":29},"updated":"2019-01-10 11:14:07.000000000","message":"You don\u0027t need this unless you\u0027re actually referencing it, which I don\u0027t think you are?","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":147,"context_line":"    document on details on live migration."},{"line_number":148,"context_line":""},{"line_number":149,"context_line":""},{"line_number":150,"context_line":".. _`Additional information`:"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Additional information"},{"line_number":153,"context_line":"----------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_6ae98018","line":150,"range":{"start_line":150,"start_character":0,"end_line":150,"end_character":29},"in_reply_to":"dfd5e7cf_b6da7b14","updated":"2019-01-10 14:52:07.000000000","message":"I _am_ referencing it from the \"Prerequisites\" section.  
(In the next iteration, I renamed it to \"Related information\", as it encourages the reader to read it a bit more than \"additional\" (which can come across as \"spurious\" :D).","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":153,"context_line":"----------------------"},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"- If you have the relevant libvirt and QEMU versions (mentioned in the"},{"line_number":156,"context_line":"  \"`Prerequisites`_\" section earlier), then using the"},{"line_number":157,"context_line":"  ``live_migration_with_native_tls`` is strongly recommended over the"},{"line_number":158,"context_line":"  more limited ``live_migration_tunnelled`` option—which is intended to"},{"line_number":159,"context_line":"  be deprecated in future."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_16cca75f","line":156,"range":{"start_line":156,"start_character":1,"end_line":156,"end_character":36},"updated":"2019-01-10 11:14:07.000000000","message":"You can cross-reference this","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":155,"context_line":"- If you have the relevant libvirt and QEMU versions (mentioned in the"},{"line_number":156,"context_line":"  \"`Prerequisites`_\" section earlier), then using the"},{"line_number":157,"context_line":"  ``live_migration_with_native_tls`` is strongly recommended over the"},{"line_number":158,"context_line":"  more limited ``live_migration_tunnelled`` option—which 
is intended to"},{"line_number":159,"context_line":"  be deprecated in future."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"- There are in total *nine* TLS-related config options in"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_76065389","line":158,"range":{"start_line":158,"start_character":50,"end_line":158,"end_character":51},"updated":"2019-01-10 11:14:07.000000000","message":",","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":159,"context_line":"  be deprecated in future."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"- There are in total *nine* TLS-related config options in"},{"line_number":162,"context_line":"  ``a/etc/libvirt/qemu.conf``::"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"      default_tls_x509_cert_dir"},{"line_number":165,"context_line":"      default_tls_x509_verify"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_56030f74","line":162,"range":{"start_line":162,"start_character":4,"end_line":162,"end_character":5},"updated":"2019-01-10 11:14:07.000000000","message":"typo?","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":159,"context_line":"  be deprecated in future."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"- There are in total *nine* TLS-related config options in"},{"line_number":162,"context_line":"  
``a/etc/libvirt/qemu.conf``::"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"      default_tls_x509_cert_dir"},{"line_number":165,"context_line":"      default_tls_x509_verify"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_8aece429","line":162,"range":{"start_line":162,"start_character":4,"end_line":162,"end_character":5},"in_reply_to":"dfd5e7cf_56030f74","updated":"2019-01-10 14:52:07.000000000","message":"Yeah, fixed.","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":173,"context_line":"      chardev_tls_x509_cert_dir"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"  If you set both ``default_tls_x509_cert_dir`` and"},{"line_number":176,"context_line":"  ``default_tls_x509_verify`` parameters for all certificates, then no"},{"line_number":177,"context_line":"  need to specify any of the other ``*_tls*`` config options."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"  The intention (of libvirt) is that you can just use the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_d6ee1fb3","line":176,"updated":"2019-01-10 11:14:07.000000000","message":"there is no","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":173,"context_line":"      chardev_tls_x509_cert_dir"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"  If you set both ``default_tls_x509_cert_dir`` and"},{"line_number":176,"context_line":"  ``default_tls_x509_verify`` parameters for 
all certificates, then no"},{"line_number":177,"context_line":"  need to specify any of the other ``*_tls*`` config options."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"  The intention (of libvirt) is that you can just use the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_aa6d2899","line":176,"in_reply_to":"dfd5e7cf_d6ee1fb3","updated":"2019-01-10 14:52:07.000000000","message":"Yep","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5c67739c9e1391dc4a49643f7d58f2b8c34fafe9","unresolved":false,"context_lines":[{"line_number":177,"context_line":"  need to specify any of the other ``*_tls*`` config options."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"  The intention (of libvirt) is that you can just use the"},{"line_number":180,"context_line":"  ``default_tls_x509_*`` config attributes—that way you don\u0027t need to"},{"line_number":181,"context_line":"  set any other ``*_tls*`` parameters, _unless_ you need different"},{"line_number":182,"context_line":"  certificates for some services.  The rationale for that is that some"},{"line_number":183,"context_line":"  services (e.g.  migration / NBD)  are only exposed to internal"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_dc2bac7f","line":180,"range":{"start_line":180,"start_character":42,"end_line":180,"end_character":51},"updated":"2019-01-09 18:56:16.000000000","message":"\" so that\"","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5c67739c9e1391dc4a49643f7d58f2b8c34fafe9","unresolved":false,"context_lines":[{"line_number":183,"context_line":"  services (e.g.  
migration / NBD)  are only exposed to internal"},{"line_number":184,"context_line":"  infrastructure; while some sevices (VNC, Spice) might be exposed"},{"line_number":185,"context_line":"  publically, so might need different certificates.  For OpenStack this"},{"line_number":186,"context_line":"  doesn\u0027t matter, though, we\u0027ll stick with the defaults."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Sometimes you may need to stop ``firewalld`` on both ComputeNode1 and"},{"line_number":189,"context_line":"  ComputeNode2 (otherwise you get: ``error: internal error: unable to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_3c41983a","line":186,"range":{"start_line":186,"start_character":2,"end_line":186,"end_character":9},"updated":"2019-01-09 18:56:16.000000000","message":"It is generally bad to use contractions in documents that will be read by non-native speakers. Not all of them have the masterful command of the language that you do :)","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bb799ba7dcabc4486a7b7e3eefc993a24d1130b2","unresolved":false,"context_lines":[{"line_number":183,"context_line":"  services (e.g.  migration / NBD)  are only exposed to internal"},{"line_number":184,"context_line":"  infrastructure; while some sevices (VNC, Spice) might be exposed"},{"line_number":185,"context_line":"  publically, so might need different certificates.  
For OpenStack this"},{"line_number":186,"context_line":"  doesn\u0027t matter, though, we\u0027ll stick with the defaults."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Sometimes you may need to stop ``firewalld`` on both ComputeNode1 and"},{"line_number":189,"context_line":"  ComputeNode2 (otherwise you get: ``error: internal error: unable to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_c0765507","line":186,"range":{"start_line":186,"start_character":2,"end_line":186,"end_character":9},"in_reply_to":"dfd5e7cf_3c41983a","updated":"2019-01-10 09:33:24.000000000","message":"Yeah, yeah, got the veiled jab—\"masterful command\" by the guy who mixed up \u0027has\u0027 and \u0027have\u0027 :D","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"3bc1825889bd1350c79d6b140b43f617ab72e5d7","unresolved":false,"context_lines":[{"line_number":183,"context_line":"  services (e.g.  migration / NBD)  are only exposed to internal"},{"line_number":184,"context_line":"  infrastructure; while some sevices (VNC, Spice) might be exposed"},{"line_number":185,"context_line":"  publically, so might need different certificates.  
For OpenStack this"},{"line_number":186,"context_line":"  doesn\u0027t matter, though, we\u0027ll stick with the defaults."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Sometimes you may need to stop ``firewalld`` on both ComputeNode1 and"},{"line_number":189,"context_line":"  ComputeNode2 (otherwise you get: ``error: internal error: unable to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_2a0ff8e1","line":186,"range":{"start_line":186,"start_character":2,"end_line":186,"end_character":9},"in_reply_to":"dfd5e7cf_b6483bcc","updated":"2019-01-10 14:52:07.000000000","message":"I was referring to the mistake I made at the top of the file where I used \"has\" instead of \"have\".  (Not referring to Dan\u0027s usage.)","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"55e5a4e06608027adf8dc06d56b0b15866ecd591","unresolved":false,"context_lines":[{"line_number":183,"context_line":"  services (e.g.  migration / NBD)  are only exposed to internal"},{"line_number":184,"context_line":"  infrastructure; while some sevices (VNC, Spice) might be exposed"},{"line_number":185,"context_line":"  publically, so might need different certificates.  
For OpenStack this"},{"line_number":186,"context_line":"  doesn\u0027t matter, though, we\u0027ll stick with the defaults."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Sometimes you may need to stop ``firewalld`` on both ComputeNode1 and"},{"line_number":189,"context_line":"  ComputeNode2 (otherwise you get: ``error: internal error: unable to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_b6483bcc","line":186,"range":{"start_line":186,"start_character":2,"end_line":186,"end_character":9},"in_reply_to":"dfd5e7cf_c0765507","updated":"2019-01-10 11:14:07.000000000","message":"Wait, isn\u0027t \"have\" correct (we\u0027re talking about speakers, plural)? :confused:","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":17216,"name":"Martin Schuppert","email":"mschuppert@redhat.com","username":"mcschupp"},"change_message_id":"f0794ccaa407d171074a79cccff4fb3fbc0d4f23","unresolved":false,"context_lines":[{"line_number":185,"context_line":"  publically, so might need different certificates.  
For OpenStack this"},{"line_number":186,"context_line":"  doesn\u0027t matter, though, we\u0027ll stick with the defaults."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Sometimes you may need to stop ``firewalld`` on both ComputeNode1 and"},{"line_number":189,"context_line":"  ComputeNode2 (otherwise you get: ``error: internal error: unable to"},{"line_number":190,"context_line":"  execute QEMU command \u0027drive-mirror\u0027: Failed to connect socket: No"},{"line_number":191,"context_line":"  route to host``)::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_c3489fcd","line":188,"range":{"start_line":188,"start_character":2,"end_line":188,"end_character":32},"updated":"2019-01-10 10:15:55.000000000","message":"it should be enough to open port 16514/tcp [1] and 49152-49215/tcp [2]\n\n[1] https://libvirt.org/remote.html#Remote_transports\n[2] https://wiki.libvirt.org/page/FAQ#What_setup_is_required_for_QEMU.2FKVM_migration.3F","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bdd57dbe6e937979a4a979b8d22d13e5860cdc43","unresolved":false,"context_lines":[{"line_number":185,"context_line":"  publically, so might need different certificates.  
For OpenStack this"},{"line_number":186,"context_line":"  doesn\u0027t matter, though, we\u0027ll stick with the defaults."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Sometimes you may need to stop ``firewalld`` on both ComputeNode1 and"},{"line_number":189,"context_line":"  ComputeNode2 (otherwise you get: ``error: internal error: unable to"},{"line_number":190,"context_line":"  execute QEMU command \u0027drive-mirror\u0027: Failed to connect socket: No"},{"line_number":191,"context_line":"  route to host``)::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dfd5e7cf_769bb3c8","line":188,"range":{"start_line":188,"start_character":2,"end_line":188,"end_character":32},"in_reply_to":"dfd5e7cf_c3489fcd","updated":"2019-01-10 10:39:33.000000000","message":"Good point; I\u0027ll add the port opening details (and consider adding the error message as a potential addendum).","commit_id":"b5b26726aa3a5ab58cc563c4ae1dd8126fb33523"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"962372cf8fb83b6ecd0a9be15ef66e6a09f8e062","unresolved":false,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Secure live migration with QEMU-native 
TLS"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfd5e7cf_6528d385","line":4,"updated":"2019-01-10 15:23:59.000000000","message":"You might want to include the note from the \"Customizing instance NUMA placement policies\" section in [1].\n\n\n[1] https://github.com/openstack/nova/blob/1351f031/doc/source/admin/cpu-topologies.rst","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"784fe365a892261e8baad0dbd16cfdc8c3e48b1a","unresolved":false,"context_lines":[{"line_number":1,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":2,"context_line":"Secure live migration with QEMU-native 
TLS"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"Context"},{"line_number":6,"context_line":"~~~~~~~"},{"line_number":7,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfd5e7cf_25b2cbe7","line":4,"in_reply_to":"dfd5e7cf_6528d385","updated":"2019-01-10 15:40:09.000000000","message":"Interesting; can do.  Hope it\u0027s okay if I do it as a follow-up.","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"21b0586302a397b3ba12dc0aad21a018d891af3a","unresolved":false,"context_lines":[{"line_number":16,"context_line":"number of data copies on both source and destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt have gained (refer"},{"line_number":19,"context_line":"`below \u003cPrerequisites\u003e`_ for version details) support for \"native TLS\","},{"line_number":20,"context_line":"i.e. TLS built into QEMU.  
This will secure all data transports,"},{"line_number":21,"context_line":"including disks that are not on shared storage, without incurring the"},{"line_number":22,"context_line":"limitations of the \"tunnelled via libvirtd\" transport."}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_0a24cf0c","line":19,"range":{"start_line":19,"start_character":8,"end_line":19,"end_character":21},"updated":"2019-01-11 03:04:56.000000000","message":"#prerequisites","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"21b0586302a397b3ba12dc0aad21a018d891af3a","unresolved":false,"context_lines":[{"line_number":39,"context_line":"    configured (typically by an installer tool) on all relevant compute"},{"line_number":40,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":41,"context_line":"    deployment tools that take care of handling all the certificate"},{"line_number":42,"context_line":"    lifecycle management.  
For example, refer to the \"`TLS everywhere"},{"line_number":43,"context_line":"    \u003chttps://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/tls_everywhere.html\u003e`__\""},{"line_number":44,"context_line":"    guide from the TripleO project."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"(3) Password-less SSH setup for all relevant compute nodes."}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_2a82f3c9","line":43,"range":{"start_line":42,"start_character":53,"end_line":43,"end_character":104},"updated":"2019-01-11 03:04:56.000000000","message":"\":tripleo-docs-doc:`TLS everywhere \u003cinstall/advanced_deployment/tls_everywhere.html\u003e`\"\n\nAdd \u0027tripleo-docs\u0027 in \u0027openstack_projects\u0027 in doc/source/conf.py.","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"43c5102503db74af57bd58b7ee2d3ff784ba7440","unresolved":false,"context_lines":[{"line_number":39,"context_line":"    configured (typically by an installer tool) on all relevant compute"},{"line_number":40,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":41,"context_line":"    deployment tools that take care of handling all the certificate"},{"line_number":42,"context_line":"    lifecycle management.  
For example, refer to the \"`TLS everywhere"},{"line_number":43,"context_line":"    \u003chttps://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/tls_everywhere.html\u003e`__\""},{"line_number":44,"context_line":"    guide from the TripleO project."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"(3) Password-less SSH setup for all relevant compute nodes."}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_4b6f36c5","line":43,"range":{"start_line":42,"start_character":53,"end_line":43,"end_character":104},"in_reply_to":"bfdaf3ff_2a82f3c9","updated":"2019-01-11 09:14:36.000000000","message":"IMHO, this stylistic change can be done as a follow-up, and does not merit a -1.","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"add0ddc84853e7d5d17ed45e33d4c79f66be8344","unresolved":false,"context_lines":[{"line_number":39,"context_line":"    configured (typically by an installer tool) on all relevant compute"},{"line_number":40,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":41,"context_line":"    deployment tools that take care of handling all the certificate"},{"line_number":42,"context_line":"    lifecycle management.  
For example, refer to the \"`TLS everywhere"},{"line_number":43,"context_line":"    \u003chttps://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/tls_everywhere.html\u003e`__\""},{"line_number":44,"context_line":"    guide from the TripleO project."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"(3) Password-less SSH setup for all relevant compute nodes."}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_e11729ed","line":43,"range":{"start_line":42,"start_character":53,"end_line":43,"end_character":104},"in_reply_to":"bfdaf3ff_4b6f36c5","updated":"2019-01-11 10:52:14.000000000","message":"It\u0027s more functional than that: this role ensures that links like this point to the same version of doc as you\u0027re currently checking, i.e. the pike nova docs link to the pike neutron docs. I was going to call this out myself but TripleO docs do not appear to be versioned so I didn\u0027t. As such, I don\u0027t think this comment is valid","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"319a10e3375036de03ce1e2ae176476323695d38","unresolved":false,"context_lines":[{"line_number":39,"context_line":"    configured (typically by an installer tool) on all relevant compute"},{"line_number":40,"context_line":"    nodes.  To simplify your PKI (Public Key Infrastructure) setup, use"},{"line_number":41,"context_line":"    deployment tools that take care of handling all the certificate"},{"line_number":42,"context_line":"    lifecycle management.  
For example, refer to the \"`TLS everywhere"},{"line_number":43,"context_line":"    \u003chttps://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/tls_everywhere.html\u003e`__\""},{"line_number":44,"context_line":"    guide from the TripleO project."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"(3) Password-less SSH setup for all relevant compute nodes."}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_82d09c52","line":43,"range":{"start_line":42,"start_character":53,"end_line":43,"end_character":104},"in_reply_to":"bfdaf3ff_e11729ed","updated":"2019-01-11 12:18:00.000000000","message":"Hmm, I just made a follow-up[*] that Takashi suggested, and the linked TLS TripleO doc renders correctly—but as you (Stephen) pointed out on IRC, it only points to the latest (https://docs.openstack.org/nova/rocky/), but not to versioned (https://docs.openstack.org/tripleo-docs/rocky/).\n\nSo, as discussed, I\u0027ll undo that bit of change in the follow-up, and instead add a NOTE.\n\n[*] https://review.openstack.org/630183 -- docs: \n    Address minor comments for the QEMU-native TLS document","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"21b0586302a397b3ba12dc0aad21a018d891af3a","unresolved":false,"context_lines":[{"line_number":46,"context_line":"(3) Password-less SSH setup for all relevant compute nodes."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"(4) On all relevant compute nodes, ensure the following TLS-related"},{"line_number":49,"context_line":"    config attributes in ``/etc/libvirt/qemu.conf/`` are in place::"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"      default_tls_x509_cert_dir \u003d \"/etc/pki/qemu/\""},{"line_number":52,"context_line":"      default_tls_x509_verify \u003d 
1"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_ca4b27ae","line":49,"range":{"start_line":49,"start_character":49,"end_line":49,"end_character":50},"updated":"2019-01-11 03:04:56.000000000","message":"unnecessary","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"21b0586302a397b3ba12dc0aad21a018d891af3a","unresolved":false,"context_lines":[{"line_number":90,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"(1) On *both* ``ComputeNode1``, and ``ComputeNode2``, update the"},{"line_number":93,"context_line":"    \u0027x509\u0027-related config options in ``/etc/libvirt/qemu.conf/``::"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"        default_tls_x509_cert_dir \u003d \"/etc/pki/qemu\""},{"line_number":96,"context_line":"        default_tls_x509_verify \u003d 1"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_6ac6bb19","line":93,"range":{"start_line":93,"start_character":61,"end_line":93,"end_character":62},"updated":"2019-01-11 03:04:56.000000000","message":"ditto","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"21b0586302a397b3ba12dc0aad21a018d891af3a","unresolved":false,"context_lines":[{"line_number":132,"context_line":"       [libvirt]"},{"line_number":133,"context_line":"       live_migration_with_native_tls \u003d true"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"   .. 
note::"},{"line_number":136,"context_line":"       Setting both"},{"line_number":137,"context_line":"       :oslo.config:option:`libvirt.live_migration_with_native_tls` and"},{"line_number":138,"context_line":"       :oslo.config:option:`libvirt.live_migration_tunnelled` at the"},{"line_number":139,"context_line":"       same time is invalid (and disallowed)."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"(2) Now that all TLS-related configuration is in place, migrate guests"},{"line_number":142,"context_line":"    (with or without shared storage) from ``ComputeNode1`` to"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_e5497c32","line":139,"range":{"start_line":135,"start_character":0,"end_line":139,"end_character":45},"updated":"2019-01-11 03:04:56.000000000","message":"It is not good appearance.\n\nhttp://logs.openstack.org/27/629627/4/check/openstack-tox-docs/5bc0591/html/admin/secure-live-migration-with-qemu-native-tls.html#performing-the-migration","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"319a10e3375036de03ce1e2ae176476323695d38","unresolved":false,"context_lines":[{"line_number":132,"context_line":"       [libvirt]"},{"line_number":133,"context_line":"       live_migration_with_native_tls \u003d true"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"   .. 
note::"},{"line_number":136,"context_line":"       Setting both"},{"line_number":137,"context_line":"       :oslo.config:option:`libvirt.live_migration_with_native_tls` and"},{"line_number":138,"context_line":"       :oslo.config:option:`libvirt.live_migration_tunnelled` at the"},{"line_number":139,"context_line":"       same time is invalid (and disallowed)."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"(2) Now that all TLS-related configuration is in place, migrate guests"},{"line_number":142,"context_line":"    (with or without shared storage) from ``ComputeNode1`` to"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_22c5308f","line":139,"range":{"start_line":135,"start_character":0,"end_line":139,"end_character":45},"in_reply_to":"bfdaf3ff_01cfcd7f","updated":"2019-01-11 12:18:00.000000000","message":"Ah, let me see about that in the follow-up.","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"add0ddc84853e7d5d17ed45e33d4c79f66be8344","unresolved":false,"context_lines":[{"line_number":132,"context_line":"       [libvirt]"},{"line_number":133,"context_line":"       live_migration_with_native_tls \u003d true"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"   .. 
note::"},{"line_number":136,"context_line":"       Setting both"},{"line_number":137,"context_line":"       :oslo.config:option:`libvirt.live_migration_with_native_tls` and"},{"line_number":138,"context_line":"       :oslo.config:option:`libvirt.live_migration_tunnelled` at the"},{"line_number":139,"context_line":"       same time is invalid (and disallowed)."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"(2) Now that all TLS-related configuration is in place, migrate guests"},{"line_number":142,"context_line":"    (with or without shared storage) from ``ComputeNode1`` to"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_01cfcd7f","line":139,"range":{"start_line":135,"start_character":0,"end_line":139,"end_character":45},"in_reply_to":"bfdaf3ff_ab9fc2b2","updated":"2019-01-11 10:52:14.000000000","message":"Yeah, it looks like you need to remove a space before each line of this block, because as Takashi has pointed out, this is rendering as a blockquote","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"43c5102503db74af57bd58b7ee2d3ff784ba7440","unresolved":false,"context_lines":[{"line_number":132,"context_line":"       [libvirt]"},{"line_number":133,"context_line":"       live_migration_with_native_tls \u003d true"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"   .. 
note::"},{"line_number":136,"context_line":"       Setting both"},{"line_number":137,"context_line":"       :oslo.config:option:`libvirt.live_migration_with_native_tls` and"},{"line_number":138,"context_line":"       :oslo.config:option:`libvirt.live_migration_tunnelled` at the"},{"line_number":139,"context_line":"       same time is invalid (and disallowed)."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"(2) Now that all TLS-related configuration is in place, migrate guests"},{"line_number":142,"context_line":"    (with or without shared storage) from ``ComputeNode1`` to"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfdaf3ff_ab9fc2b2","line":139,"range":{"start_line":135,"start_character":0,"end_line":139,"end_character":45},"in_reply_to":"bfdaf3ff_e5497c32","updated":"2019-01-11 09:14:36.000000000","message":"Sorry, I don\u0027t get what you mean.  Are you talking about how the \u0027note\u0027 renders in slightly larger font?  If so I don\u0027t think I can do anything about that stylistic nit.","commit_id":"10c52f933c694ab330f2a5801c7f6487b95f49c9"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f37c58f1fc8b0a3db8405059feda674d592e8d0b","unresolved":false,"context_lines":[{"line_number":16,"context_line":"number of data copies on both source and destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt have gained (refer"},{"line_number":19,"context_line":"`below \u003cPrerequisites\u003e`_ for version details) support for \"native TLS\","},{"line_number":20,"context_line":"i.e. TLS built into QEMU.  
This will secure all data transports,"},{"line_number":21,"context_line":"including disks that are not on shared storage, without incurring the"},{"line_number":22,"context_line":"limitations of the \"tunnelled via libvirtd\" transport."}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_1cf88bc2","line":19,"updated":"2019-01-11 16:56:22.000000000","message":"This link does not seem to work in the generated doc as it points to http://logs.openstack.org/27/629627/5/check/openstack-tox-docs/bde0494/html/admin/Prerequisites\n\nThis works later in the doc:\n\n    \"`Prerequisites`_\"","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"a66b221fdc5342e23102306dbabe07bad4e1a1ab","unresolved":false,"context_lines":[{"line_number":16,"context_line":"number of data copies on both source and destination hosts."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"To solve this existing limitation, QEMU and libvirt have gained (refer"},{"line_number":19,"context_line":"`below \u003cPrerequisites\u003e`_ for version details) support for \"native TLS\","},{"line_number":20,"context_line":"i.e. TLS built into QEMU.  This will secure all data transports,"},{"line_number":21,"context_line":"including disks that are not on shared storage, without incurring the"},{"line_number":22,"context_line":"limitations of the \"tunnelled via libvirtd\" transport."}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_8844041d","line":19,"in_reply_to":"bfdaf3ff_1cf88bc2","updated":"2019-01-15 10:44:15.000000000","message":"Damn, the rST syntax strikes me again; I built it locally and failed to notice it.  
Will address.","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f37c58f1fc8b0a3db8405059feda674d592e8d0b","unresolved":false,"context_lines":[{"line_number":89,"context_line":"Other TLS environment related checks on compute nodes"},{"line_number":90,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"(1) On *both* ``ComputeNode1``, and ``ComputeNode2``, update the"},{"line_number":93,"context_line":"    \u0027x509\u0027-related config options in ``/etc/libvirt/qemu.conf/``::"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"        default_tls_x509_cert_dir \u003d \"/etc/pki/qemu\""},{"line_number":96,"context_line":"        default_tls_x509_verify \u003d 1"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"    If it is not already configured, modify ``/etc/sysconfig/libvirtd``"},{"line_number":99,"context_line":"    on both (ComputeNode1 \u0026 ComputeNode2) to listen for TCP/IP"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_fce02799","line":96,"range":{"start_line":92,"start_character":0,"end_line":96,"end_character":35},"updated":"2019-01-11 16:56:22.000000000","message":"This seems to be the same as Prerequisites (4). 
If this repetition is intentional then I\u0027m OK with it.","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"a66b221fdc5342e23102306dbabe07bad4e1a1ab","unresolved":false,"context_lines":[{"line_number":89,"context_line":"Other TLS environment related checks on compute nodes"},{"line_number":90,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"(1) On *both* ``ComputeNode1``, and ``ComputeNode2``, update the"},{"line_number":93,"context_line":"    \u0027x509\u0027-related config options in ``/etc/libvirt/qemu.conf/``::"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"        default_tls_x509_cert_dir \u003d \"/etc/pki/qemu\""},{"line_number":96,"context_line":"        default_tls_x509_verify \u003d 1"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"    If it is not already configured, modify ``/etc/sysconfig/libvirtd``"},{"line_number":99,"context_line":"    on both (ComputeNode1 \u0026 ComputeNode2) to listen for TCP/IP"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_443700b2","line":96,"range":{"start_line":92,"start_character":0,"end_line":96,"end_character":35},"in_reply_to":"bfdaf3ff_fce02799","updated":"2019-01-15 10:44:15.000000000","message":"That was not intentional; will eliminate this duplication in the follow-up.","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f37c58f1fc8b0a3db8405059feda674d592e8d0b","unresolved":false,"context_lines":[{"line_number":127,"context_line":""},{"line_number":128,"context_line":"(1) On all relevant compute nodes, enable the"},{"line_number":129,"context_line":"    
:oslo.config:option:`libvirt.live_migration_with_native_tls`"},{"line_number":130,"context_line":"    configuration attribute (and restart the libvirt daemon)::"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"       [libvirt]"},{"line_number":133,"context_line":"       live_migration_with_native_tls \u003d true"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_bc993f20","line":130,"range":{"start_line":130,"start_character":29,"end_line":130,"end_character":59},"updated":"2019-01-11 16:56:22.000000000","message":"Why the libvirt daemon and not the nova-compute service?","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"bb725e2ad633c582534c19b90242d01b32b8b7da","unresolved":false,"context_lines":[{"line_number":127,"context_line":""},{"line_number":128,"context_line":"(1) On all relevant compute nodes, enable the"},{"line_number":129,"context_line":"    :oslo.config:option:`libvirt.live_migration_with_native_tls`"},{"line_number":130,"context_line":"    configuration attribute (and restart the libvirt daemon)::"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"       [libvirt]"},{"line_number":133,"context_line":"       live_migration_with_native_tls \u003d true"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_436a7db3","line":130,"range":{"start_line":130,"start_character":29,"end_line":130,"end_character":59},"in_reply_to":"bfdaf3ff_88b964ea","updated":"2019-01-15 11:15:11.000000000","message":"Not \"IIRC\", the ``nova-compute`` service definitely _needs_ restarting :-)","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":6962,"name":"Kashyap 
Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"a66b221fdc5342e23102306dbabe07bad4e1a1ab","unresolved":false,"context_lines":[{"line_number":127,"context_line":""},{"line_number":128,"context_line":"(1) On all relevant compute nodes, enable the"},{"line_number":129,"context_line":"    :oslo.config:option:`libvirt.live_migration_with_native_tls`"},{"line_number":130,"context_line":"    configuration attribute (and restart the libvirt daemon)::"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"       [libvirt]"},{"line_number":133,"context_line":"       live_migration_with_native_tls \u003d true"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bfdaf3ff_88b964ea","line":130,"range":{"start_line":130,"start_character":29,"end_line":130,"end_character":59},"in_reply_to":"bfdaf3ff_bc993f20","updated":"2019-01-15 10:44:15.000000000","message":"It\u0027s an oversight on my part.  IIRC, the `nova-compute` service also needs restarting.","commit_id":"9f0dd822ee401f3bd2e52de6159631dd95859e05"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e58f6f5644eb93de06f2f80d4e500ae1470c9ad8","unresolved":false,"context_lines":[{"line_number":90,"context_line":"Other TLS environment related checks on compute nodes"},{"line_number":91,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"(1) On *both* ``ComputeNode1``, and ``ComputeNode2``, update the"},{"line_number":94,"context_line":"    \u0027x509\u0027-related config options in ``/etc/libvirt/qemu.conf``::"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"        default_tls_x509_cert_dir \u003d \"/etc/pki/qemu\""},{"line_number":97,"context_line":"        default_tls_x509_verify \u003d 
1"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    If it is not already configured, modify ``/etc/sysconfig/libvirtd``"},{"line_number":100,"context_line":"    on both (ComputeNode1 \u0026 ComputeNode2) to listen for TCP/IP"}],"source_content_type":"text/x-rst","patch_set":6,"id":"bfdaf3ff_34fa0d75","line":97,"range":{"start_line":93,"start_character":0,"end_line":97,"end_character":35},"updated":"2019-01-15 14:00:42.000000000","message":"This is still here. I thought either this or prerequisite (4) would go","commit_id":"d1041d47d5741c309438199406c1427ee8103412"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"120ba8a55e9b550719efa302db2b8d8d83635b9e","unresolved":false,"context_lines":[{"line_number":90,"context_line":"Other TLS environment related checks on compute nodes"},{"line_number":91,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"(1) On *both* ``ComputeNode1``, and ``ComputeNode2``, update the"},{"line_number":94,"context_line":"    \u0027x509\u0027-related config options in ``/etc/libvirt/qemu.conf``::"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"        default_tls_x509_cert_dir \u003d \"/etc/pki/qemu\""},{"line_number":97,"context_line":"        default_tls_x509_verify \u003d 1"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    If it is not already configured, modify ``/etc/sysconfig/libvirtd``"},{"line_number":100,"context_line":"    on both (ComputeNode1 \u0026 ComputeNode2) to listen for TCP/IP"}],"source_content_type":"text/x-rst","patch_set":6,"id":"bfdaf3ff_20b648fc","line":97,"range":{"start_line":93,"start_character":0,"end_line":97,"end_character":35},"in_reply_to":"bfdaf3ff_34fa0d75","updated":"2019-01-15 16:09:44.000000000","message":"This was intentional.  
If you notice the `diff`, I mentioned at a high level that these configs are to be set in the prerequisites, and then referred to the details here.\n\nBut on re-re-re-reading, I don\u0027t like the flow of the document.  Let me put this in the prerequisites, and delete this.  And then I\u0027ll stop painting the bikeshed.","commit_id":"d1041d47d5741c309438199406c1427ee8103412"}]}
