libvirt: support SASL authentication
Adds support for SASL authentication of libvirt TCP and TLS connections when using a compute host libvirt daemon. In line with the dependent Kolla Ansible patch, we enable SASL by default, and use DIGEST-MD5 with TCP and SCRAM-SHA-256 with TLS. Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/833022 Depends-On: https://github.com/stackhpc/ansible-role-libvirt-host/pull/52 Story: 2009858 Task: 44735 Change-Id: Id3972c24022aeb6421494c3cccdc8e7cbce802e6
parent
c4b74f4801
commit
f4493e41ff
@ -20,6 +20,9 @@
|
||||
vars:
|
||||
libvirt_host_libvirtd_conf: "{{ compute_libvirt_conf }}"
|
||||
libvirt_host_qemu_conf: "{{ compute_qemu_conf }}"
|
||||
libvirt_host_enable_sasl_support: "{{ compute_libvirt_enable_sasl | bool }}"
|
||||
libvirt_host_sasl_authname: nova
|
||||
libvirt_host_sasl_password: "{{ compute_libvirt_sasl_password }}"
|
||||
libvirt_host_tcp_listen: "{{ not compute_libvirt_enable_tls | bool }}"
|
||||
libvirt_host_tcp_listen_address: "{{ internal_net_name | net_ip }}:16509"
|
||||
libvirt_host_tls_listen: "{{ compute_libvirt_enable_tls | bool }}"
|
||||
|
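Review bot: The play hands `compute_libvirt_sasl_password` to the role at `libvirt_host_sasl_password` with no check that it is set, while the defaults in this change enable SASL and leave the password null, so a fresh deployment reaches the role with an empty credential and either fails inside the role or, if the role does not validate it, configures SASL with no usable password — which of those happens depends on the role and cannot be seen here. An explicit assert in the play's `pre_tasks` gives a clear failure at the kayobe level before any libvirtd configuration is written. The play header and any existing `pre_tasks` are outside the hunk, so the block below is placed by description only; `libvirt_host_sasl_authname` is also hard-coded to `nova`, which may be worth exposing as a variable in the same way as the password.
```yaml
  pre_tasks:
    - name: Ensure a libvirt SASL password is set when SASL is enabled
      assert:
        that:
          - compute_libvirt_sasl_password is not none
          - compute_libvirt_sasl_password | length > 0
        fail_msg: >-
          compute_libvirt_sasl_password must be set when
          compute_libvirt_enable_sasl is true
      when: compute_libvirt_enable_sasl | bool
# … unchanged: role entry and the vars shown in the hunk …
```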
@ -172,7 +172,8 @@ compute_libvirt_enabled: "{{ kolla_enable_nova | bool and not kolla_enable_nova_
|
||||
# A dict of default configuration options to write to
|
||||
# /etc/libvirt/libvirtd.conf.
|
||||
compute_libvirt_conf_default:
|
||||
auth_tcp: "none"
|
||||
auth_tcp: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
|
||||
auth_tls: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
|
||||
log_level: "{{ compute_libvirtd_log_level }}"
|
||||
|
||||
# A dict of additional configuration options to write to
|
||||
@ -202,6 +203,12 @@ compute_qemu_conf_extra: {}
|
||||
# compute_qemu_conf_extra.
|
||||
compute_qemu_conf: "{{ compute_qemu_conf_default | combine(compute_qemu_conf_extra) }}"
|
||||
|
||||
# Whether to enable libvirt SASL authentication. Default is true.
|
||||
compute_libvirt_enable_sasl: true
|
||||
|
||||
# libvirt SASL password. Default is unset.
|
||||
compute_libvirt_sasl_password:
|
||||
|
||||
# Whether to enable a libvirt TLS listener. Default is false.
|
||||
compute_libvirt_enable_tls: false
|
||||
|
||||
|
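Review bot: `compute_libvirt_sasl_password:` is a bare key, i.e. YAML null, and it sits directly under `compute_libvirt_enable_sasl: true`, so the shipped defaults are contradictory: SASL is on by default but the only credential it can use is null. The comment should make the obligation explicit rather than calling it a default, e.g. `# libvirt SASL password. Required when compute_libvirt_enable_sasl is true;` / `# there is no default.`. Keeping the bare key matches the file's existing style for unset values, so only the comment needs to change.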
@ -580,9 +580,9 @@ kolla_enable_zun: "no"
|
||||
###############################################################################
|
||||
# Passwords and credentials.
|
||||
|
||||
# Dictionary containing default custom passwords to add or override in the
|
||||
# Dictionary containing base custom passwords to add or override in the
|
||||
# Kolla passwords file.
|
||||
kolla_ansible_default_custom_passwords:
|
||||
kolla_ansible_base_custom_passwords:
|
||||
# SSH key authorized in hosts deployed by Bifrost.
|
||||
bifrost_ssh_key:
|
||||
private_key: "{{ lookup('file', ssh_private_key_path) }}"
|
||||
@ -593,6 +593,19 @@ kolla_ansible_default_custom_passwords:
|
||||
public_key: "{{ lookup('file', ssh_public_key_path) }}"
|
||||
docker_registry_password: "{{ kolla_docker_registry_password }}"
|
||||
|
||||
# Dictionary containing libvirt custom passwords to add or override in the
|
||||
# Kolla passwords file.
|
||||
kolla_ansible_libvirt_custom_passwords:
|
||||
libvirt_sasl_password: "{{ compute_libvirt_sasl_password }}"
|
||||
|
||||
# Dictionary containing default custom passwords to add or override in the
|
||||
# Kolla passwords file.
|
||||
kolla_ansible_default_custom_passwords: >-
|
||||
{{ kolla_ansible_base_custom_passwords |
|
||||
combine(kolla_ansible_libvirt_custom_passwords
|
||||
if compute_libvirt_enabled | bool and compute_libvirt_enable_sasl | bool
|
||||
else {}) }}
|
||||
|
||||
# Dictionary containing custom passwords to add or override in the Kolla
|
||||
# passwords file.
|
||||
kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"
|
||||
|
@ -238,6 +238,8 @@ kolla_nova_compute_ironic_host:
|
||||
|
||||
kolla_libvirt_tls:
|
||||
|
||||
kolla_libvirt_enable_sasl:
|
||||
|
||||
###############################################################################
|
||||
# Extra free-form configuraton.
|
||||
|
||||
|
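Review bot: `kolla_libvirt_enable_sasl:` is added without a comment, unlike the other documented variables in this change, and it is independent of `compute_libvirt_enable_sasl`, so the two sides can disagree: a null value here leaves Kolla Ansible's own default in force (the change description says that default is SASL enabled), while the host libvirt daemon follows `compute_libvirt_enable_sasl`. A short comment would record this, e.g. `# Whether nova-compute uses SASL to authenticate to libvirt. Unset means Kolla` / `# Ansible's default; keep this consistent with compute_libvirt_enable_sasl when` / `# compute_libvirt_enabled is true.`. Whether a mismatch actually breaks the nova-compute connection is not visible from this change, so the comment is phrased as guidance rather than a hard rule.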
@ -397,6 +397,9 @@ enable_{{ feature_flag }}: {{ hostvars[inventory_hostname]['kolla_enable_' ~ fea
|
||||
libvirt_tls: {{ kolla_libvirt_tls | bool }}
|
||||
{% endif %}
|
||||
|
||||
{% if kolla_libvirt_enable_sasl is not none %}
|
||||
libvirt_enable_sasl: {{ kolla_libvirt_enable_sasl | bool }}
|
||||
{% endif %}
|
||||
#################
|
||||
# Hyper-V options
|
||||
#################
|
||||
|
@ -1094,6 +1094,12 @@ are relevant only when using the libvirt daemon rather than the
|
||||
A dict of configuration options to write to ``/etc/libvirt/qemu.conf``.
|
||||
Default is a combination of ``compute_qemu_conf_default`` and
|
||||
``compute_qemu_conf_extra``.
|
||||
``compute_libvirt_enable_sasl``
|
||||
Whether to enable libvirt SASL authentication. Default is the same as
|
||||
``compute_libvirt_tcp_listen``.
|
||||
``compute_libvirt_sasl_password``
|
||||
libvirt SASL password. Default is unset. This must be defined when
|
||||
``compute_libvirt_enable_sasl`` is ``true``.
|
||||
``compute_libvirt_enable_tls``
|
||||
Whether to enable a libvirt TLS listener. Default is false.
|
||||
``compute_libvirt_ceph_repo_install``
|
||||
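Review bot: The documentation for `compute_libvirt_enable_sasl` states "Default is the same as ``compute_libvirt_tcp_listen``", but the defaults file in this change sets `compute_libvirt_enable_sasl: true` unconditionally and the change description says SASL is enabled by default, so the two disagree. The line should read `Whether to enable libvirt SASL authentication. Default is ``true``.`, matching the comment in the defaults file. The `compute_libvirt_sasl_password` entry correctly says the value must be defined when SASL is enabled; it would help to add that no default is shipped, since the defaults file leaves the key null.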
@ -1125,6 +1131,24 @@ To customise QEMU to avoid adding timestamps to logs:
|
||||
compute_qemu_conf_extra:
|
||||
log_timestamp: 0
|
||||
|
||||
Example: SASL
|
||||
-------------
|
||||
|
||||
SASL authentication is enabled by default. This provides authentication for
|
||||
TCP and TLS connections to the libvirt API. A password is required, and should
|
||||
be encrypted using Ansible Vault.
|
||||
|
||||
.. code-block:: yaml
|
||||
:caption: ``compute.yml``
|
||||
|
||||
compute_libvirt_sasl_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
63363937303539373738356236393563636466313130633435353933613637343231303836343933
|
||||
3463623265653030323665383337376462363434396361320a653737376237353261303066616637
|
||||
66613562316533313632613433643537346463303363376664396661343835373033326261383065
|
||||
3731643633656636360a623534313665343066656161333866613338313266613465336332376463
|
||||
3234
|
||||
|
||||
Example: enabling libvirt TLS listener
|
||||
--------------------------------------
|
||||
|
||||
|
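Review bot: The new "Example: SASL" section says SASL provides authentication for TCP and TLS connections but does not tell the reader that, per the change description, the plain TCP listener uses DIGEST-MD5 while TLS uses SCRAM-SHA-256; DIGEST-MD5 was moved to Historic status by RFC 6331 and is the only mechanism in play on the default (non-TLS) configuration. A sentence after "A password is required, and should be encrypted using Ansible Vault." would let operators make an informed choice, e.g. `Over the plain TCP listener the DIGEST-MD5 mechanism is used, which is deprecated; enabling the TLS listener (``compute_libvirt_enable_tls``) selects SCRAM-SHA-256 and also encrypts the connection.` The exact mechanism selection lives in the dependent role and Kolla Ansible changes rather than here, so the wording should be kept in step with those.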
@ -31,6 +31,9 @@ pip_trusted_hosts:
|
||||
aio_bridge_ports:
|
||||
- dummy1
|
||||
|
||||
# Generate a password for libvirt SASL authentication.
|
||||
compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
|
||||
|
||||
# Enable ironic for testing baremetal compute.
|
||||
kolla_enable_ironic: true
|
||||
|
||||
|
@ -187,3 +187,6 @@ controller_firewalld_rules:
|
||||
- service: cockpit
|
||||
state: disabled
|
||||
zone: public
|
||||
|
||||
# Generate a password for libvirt SASL authentication.
|
||||
compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
|
||||
|
@ -35,6 +35,9 @@ pip_trusted_hosts:
|
||||
aio_bridge_ports:
|
||||
- dummy1
|
||||
|
||||
# Generate a password for libvirt SASL authentication.
|
||||
compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
|
||||
|
||||
# Enable ironic for testing baremetal compute.
|
||||
kolla_enable_ironic: true
|
||||
|
||||
|
@ -32,7 +32,7 @@ roles:
|
||||
- src: stackhpc.grafana-conf
|
||||
version: 1.1.1
|
||||
- src: stackhpc.libvirt-host
|
||||
version: v1.10.0
|
||||
version: v1.11.0
|
||||
- src: stackhpc.libvirt-vm
|
||||
version: v1.14.2
|
||||
- src: stackhpc.luks
|
||||
|