HP Integrity Virtual Machines 4.2: Installation, Configuration, and Administration

10.3.1.4 Using NTP on VM Hosts

Using NTP to synchronize clocks is strongly recommended for Online VM Migration
environments. In addition to a typical NTP configuration, all the potential VM Hosts should use
each other as mutual peer NTP servers to help maintain time consistency between hosts.

10.3.2 SSH Setup Between the VM Hosts

Only superusers can execute the hpvmmigrate command. The migration of a guest is controlled
by a set of secure remote operations that must be enabled on both systems. The hpvmmigrate
command requires HP-UX Secure Shell (SSH) to be set up on both the source and target host
systems to provide a secure communication path between VM Hosts. SSH is installed on HP-UX
systems by default. Password-based and host-based authentication are not supported. SSH
security must be set up so that superusers can use ssh commands between the source and target
VM Hosts without requiring interactive passwords.
The hpvmmigrate command uses SSH public-key based authentication between the source and
destination hosts. To enable secure communication between the source and target hosts, you
must generate SSH keys on both systems. You need root privileges to generate and set up the
SSH keys required for guest migration. The easiest way to do this is to use the secsetup script
provided by Integrity VM.
Execute the following command on both the source and target hosts:
# /opt/hpvm/bin/secsetup -r otherhost
Instead of using secsetup, SSH keys can be generated manually on the systems by using the
ssh-keygen command. The ssh-keygen command generates, manages, and converts
authentication keys for SSH. For information about manual SSH key generation, see the
ssh-keygen command HP-UX manpage.

10.3.2.1 Troubleshooting SSH Key Setup

If SSH is installed on both the source and the target system, you can run the ssh command on
the source host to establish a connection to the target host without providing a password. A
successful connection of this kind confirms that SSH keys are set up between the two hosts.
If SSH keys are not set up properly,
the hpvmmigrate command produces an error message indicating that the SSH setup needs to
be checked.
If running the secsetup script does not work correctly, check the permissions on / to ensure
that superusers have write permissions. For example,
# ll -d /
drwxr-xr-x 20 root root 8192 Apr 29 06:25 /
If your VM Host's root directory has different permissions than displayed in the previous example,
use the chmod command to correct them.
# chmod 755 /
If a VM Host is reinstalled at some point after using the secsetup script to configure SSH keys,
you might receive warning messages from ssh commands about changed keys or bad keys in
your known_hosts file. In this case, use the ssh-keygen -R hostname command to remove
obsolete keys from the known_hosts file, and then use the secsetup command again to
configure new keys.
If you set up SSH security between VM Hosts before adding the conventional hpvm-migr
host alias to the /etc/hosts file and you do not run secsetup on the host-alias addresses,
the hpvmmigrate command fails with the message, Host key verification failed,
when it attempts to use the conventional host alias.
A workaround is to run SSH once manually (for example, ssh -hpvm-migr date) and enter
yes to the question about whether or not you should continue. This action adds -hpvm-migr
to the list of known hosts, and subsequent hpvmmigrate commands will find the proper host
key.
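
The checks described in this section can be collected into one pre-flight script that is run as root before a migration. The following is an added example, not part of the HP documentation or the Integrity VM product; the function names and the file name preflight.sh are hypothetical, and the mapping from ssh error text to a remedy is this example's reading of the section.

```shell
#!/bin/sh
# Added example (not HP code): pre-flight checks for the SSH setup that
# hpvmmigrate depends on. All function names here are hypothetical.

# Succeeds when an `ll -d /` line shows drwxr-xr-x with owner root.
root_dir_ok() {
    set -- $1                      # split the line: mode, links, owner, ...
    case "$1" in drwxr-xr-x*) ;; *) return 1 ;; esac
    [ "$3" = "root" ]
}

# Maps ssh stderr text to a short diagnosis code. A changed host key also
# prints "Host key verification failed", so that case must be tested first.
diagnose_ssh_error() {
    case "$1" in
        *"REMOTE HOST IDENTIFICATION HAS CHANGED"*) echo "stale-key" ;;
        *"Host key verification failed"*)           echo "unknown-host" ;;
        *"Permission denied"*)                      echo "no-key-auth" ;;
        *)                                          echo "unclassified" ;;
    esac
}

# Attempts a login that can never prompt: BatchMode forbids password entry
# and StrictHostKeyChecking=yes fails instead of asking to accept a key.
probe_host() {
    if err=$(ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
                 -o ConnectTimeout=10 "$1" date 2>&1 >/dev/null); then
        echo "ok"
    else
        diagnose_ssh_error "$err"
        return 1
    fi
}

# Remedies, as given in this section:
#   stale-key    -> ssh-keygen -R hostname, then run secsetup again
#   unknown-host -> run secsetup for that name, or connect once manually
#   no-key-auth  -> keys are not set up; run secsetup -r otherhost
preflight() {
    root_dir_ok "$(ls -ld /)" || echo "/: not drwxr-xr-x root; see chmod 755 /"
    for host in "$@"; do
        echo "$host: $(probe_host "$host")"
    done
}

# Run as root: sh preflight.sh otherhost otherhost-migration-alias
if [ $# -gt 0 ]; then preflight "$@"; fi
```

Pass every name hpvmmigrate will use for the other host, including its migration host alias, because a host key is recorded per name in known_hosts.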
178 Migrating Virtual Machines