From f4493e41ff6383dba8967b881362bee2cb7a5794 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Wed, 9 Mar 2022 12:36:35 +0000
Subject: [PATCH] libvirt: support SASL authentication

Adds support for SASL authentication of libvirt TCP and TLS connections when using a compute host libvirt daemon.

In line with the dependent Kolla Ansible patch, we enable SASL by default, and use DIGEST-MD5 with TCP and SCRAM-SHA-256 with TLS.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/833022
Depends-On: https://github.com/stackhpc/ansible-role-libvirt-host/pull/52
Story: 2009858
Task: 44735
Change-Id: Id3972c24022aeb6421494c3cccdc8e7cbce802e6
---
 ansible/compute-libvirt-host.yml | 3 +++
 ansible/group_vars/all/compute | 9 ++++++-
 ansible/group_vars/all/kolla | 17 +++++++++++--
 ansible/roles/kolla-ansible/defaults/main.yml | 2 ++
 .../kolla-ansible/templates/kolla/globals.yml | 3 +++
 doc/source/configuration/reference/hosts.rst | 24 +++++++++++++++++++
 .../kayobe-overcloud-base/overrides.yml.j2 | 3 +++
 .../overrides.yml.j2 | 3 +++
 .../overrides.yml.j2 | 3 +++
 requirements.yml | 2 +-
 10 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/ansible/compute-libvirt-host.yml b/ansible/compute-libvirt-host.yml
index 7e5501938..9b3900c22 100644
--- a/ansible/compute-libvirt-host.yml
+++ b/ansible/compute-libvirt-host.yml
@@ -20,6 +20,9 @@
   vars:
     libvirt_host_libvirtd_conf: "{{ compute_libvirt_conf }}"
     libvirt_host_qemu_conf: "{{ compute_qemu_conf }}"
+    libvirt_host_enable_sasl_support: "{{ compute_libvirt_enable_sasl | bool }}"
+    libvirt_host_sasl_authname: nova
+    libvirt_host_sasl_password: "{{ compute_libvirt_sasl_password }}"
     libvirt_host_tcp_listen: "{{ not compute_libvirt_enable_tls | bool }}"
     libvirt_host_tcp_listen_address: "{{ internal_net_name | net_ip }}:16509"
     libvirt_host_tls_listen: "{{ compute_libvirt_enable_tls | bool }}"
diff --git a/ansible/group_vars/all/compute b/ansible/group_vars/all/compute
index b8b1e8161..d07d6d211 100644
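Review bot: `libvirt_host_sasl_password: "{{ compute_libvirt_sasl_password }}"` is fed a variable whose default elsewhere in this commit is unset, while `compute_libvirt_enable_sasl` defaults to true, and nothing in the diff checks that the password is defined before the role runs; a deployment that keeps the defaults would hand the role a null credential, and whatever error results is produced inside the role rather than pointing at the variable to set. A pre-flight assert in this play, conditioned on `compute_libvirt_enable_sasl`, turns that into a clear failure naming `compute_libvirt_sasl_password`. The play header and any existing `pre_tasks` lie outside the hunk, so exactly where the task goes depends on that structure (the `vars:` indent suggests play-level, as below). The hard-coded `libvirt_host_sasl_authname: nova` could likewise be exposed as a `compute_libvirt_sasl_authname` variable with the same default, matching how the password is exposed.
```yaml
  pre_tasks:
    - name: Ensure the libvirt SASL password is set when SASL is enabled
      assert:
        that:
          - compute_libvirt_sasl_password | default('', true) | length > 0
        fail_msg: >-
          compute_libvirt_sasl_password must be set when
          compute_libvirt_enable_sasl is true
      when: compute_libvirt_enable_sasl | bool
  # … unchanged: vars passed to the libvirt-host role …
```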
--- a/ansible/group_vars/all/compute
+++ b/ansible/group_vars/all/compute
@@ -172,7 +172,8 @@ compute_libvirt_enabled: "{{ kolla_enable_nova | bool and not kolla_enable_nova_
 # A dict of default configuration options to write to
 # /etc/libvirt/libvirtd.conf.
 compute_libvirt_conf_default:
-  auth_tcp: "none"
+  auth_tcp: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
+  auth_tls: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
   log_level: "{{ compute_libvirtd_log_level }}"
 
 # A dict of additional configuration options to write to
@@ -202,6 +203,12 @@ compute_qemu_conf_extra: {}
 # compute_qemu_conf_extra.
 compute_qemu_conf: "{{ compute_qemu_conf_default | combine(compute_qemu_conf_extra) }}"
 
+# Whether to enable libvirt SASL authentication. Default is true.
+compute_libvirt_enable_sasl: true
+
+# libvirt SASL password. Default is unset.
+compute_libvirt_sasl_password:
+
 # Whether to enable a libvirt TLS listener. Default is false.
 compute_libvirt_enable_tls: false
 
diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
index ede0e5b33..1e3623d40 100644
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@@ -580,9 +580,9 @@ kolla_enable_zun: "no"
 ###############################################################################
 # Passwords and credentials.
 
-# Dictionary containing default custom passwords to add or override in the
+# Dictionary containing base custom passwords to add or override in the
 # Kolla passwords file.
-kolla_ansible_default_custom_passwords:
+kolla_ansible_base_custom_passwords:
   # SSH key authorized in hosts deployed by Bifrost.
   bifrost_ssh_key:
     private_key: "{{ lookup('file', ssh_private_key_path) }}"
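Review bot: `compute_libvirt_enable_sasl: true` is described in the hosts.rst hunk of this commit as "Default is the same as ``compute_libvirt_tcp_listen``", a name that appears nowhere else in the diff; the group_vars comment matches the code, so the reference entry should read `Whether to enable libvirt SASL authentication. Default is true.`. `compute_libvirt_sasl_password:` with no value is YAML null, so a comment at the definition stating that it must be set whenever SASL is enabled, e.g. `# libvirt SASL password. Default is unset. Required when compute_libvirt_enable_sasl is true.`, makes the requirement visible where operators look first. In the preceding hunk of this file, `auth_tcp`/`auth_tls` fall back to `none` when SASL is disabled, which re-opens an unauthenticated listener on the internal network; a short comment there saying that disabling SASL relies on the internal network being trusted would help anyone who flips the switch.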
@@ -593,6 +593,19 @@ kolla_ansible_default_custom_passwords:
     public_key: "{{ lookup('file', ssh_public_key_path) }}"
   docker_registry_password: "{{ kolla_docker_registry_password }}"
 
+# Dictionary containing libvirt custom passwords to add or override in the
+# Kolla passwords file.
+kolla_ansible_libvirt_custom_passwords:
+  libvirt_sasl_password: "{{ compute_libvirt_sasl_password }}"
+
+# Dictionary containing default custom passwords to add or override in the
+# Kolla passwords file.
+kolla_ansible_default_custom_passwords: >-
+  {{ kolla_ansible_base_custom_passwords |
+     combine(kolla_ansible_libvirt_custom_passwords
+             if compute_libvirt_enabled | bool and compute_libvirt_enable_sasl | bool
+             else {}) }}
+
 # Dictionary containing custom passwords to add or override in the Kolla
 # passwords file.
 kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index 9e0774482..6bff33bc1 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -238,6 +238,8 @@ kolla_nova_compute_ironic_host:
 
 kolla_libvirt_tls:
 
+kolla_libvirt_enable_sasl:
+
 ###############################################################################
 # Extra free-form configuraton.
 
diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
index 04d5e33b3..a68273da0 100644
--- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml
+++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
@@ -397,6 +397,9 @@ enable_{{ feature_flag }}: {{ hostvars[inventory_hostname]['kolla_enable_' ~ fea
 libvirt_tls: {{ kolla_libvirt_tls | bool }}
 {% endif %}
 
+{% if kolla_libvirt_enable_sasl is not none %}
+libvirt_enable_sasl: {{ kolla_libvirt_enable_sasl | bool }}
+{% endif %}
 #################
 # Hyper-V options
 #################
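Review bot: The libvirt password is merged into the Kolla passwords file only when `compute_libvirt_enable_sasl` is true, but the switch handed to Kolla Ansible is the separate `kolla_libvirt_enable_sasl`, which the defaults/main.yml hunk leaves unset and which nothing in this diff ties to `compute_libvirt_enable_sasl`; unless that wiring lives in a file outside this patch, an operator who disables SASL on the compute hosts leaves the Kolla side on its own default (which the commit message says is SASL enabled) with no password in the passwords file. Setting the role variable from the compute one, e.g. `kolla_libvirt_enable_sasl: "{{ compute_libvirt_enable_sasl | bool }}"` wherever the role's other libvirt variables are passed, keeps the two sides in step. The condition also does not guard against `compute_libvirt_sasl_password` being null, so a default-configured deployment would write `libvirt_sasl_password: null` into the passwords file rather than failing early.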
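Review bot: The new `{% if kolla_libvirt_enable_sasl is not none %}` block in globals.yml butts directly against the `#################` banner of the Hyper-V section, whereas the `libvirt_tls` block above it is separated from what follows by a blank line. Adding a blank line after the new `{% endif %}` keeps the template's section spacing consistent with the existing entries.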
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index 7cda51e2b..fcc6cb0b3 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@@ -1094,6 +1094,12 @@ are relevant only when using the libvirt daemon rather than the
     A dict of configuration options to write to ``/etc/libvirt/qemu.conf``.
     Default is a combination of ``compute_qemu_conf_default`` and
     ``compute_qemu_conf_extra``.
+``compute_libvirt_enable_sasl``
+    Whether to enable libvirt SASL authentication. Default is the same as
+    ``compute_libvirt_tcp_listen``.
+``compute_libvirt_sasl_password``
+    libvirt SASL password. Default is unset. This must be defined when
+    ``compute_libvirt_enable_sasl`` is ``true``.
 ``compute_libvirt_enable_tls``
     Whether to enable a libvirt TLS listener. Default is false.
 ``compute_libvirt_ceph_repo_install``
@@ -1125,6 +1131,24 @@ To customise QEMU to avoid adding timestamps to logs:
     compute_qemu_conf_extra:
       log_timestamp: 0
 
+Example: SASL
+-------------
+
+SASL authentication is enabled by default. This provides authentication for
+TCP and TLS connections to the libvirt API. A password is required, and should
+be encrypted using Ansible Vault.
+
+.. code-block:: yaml
+   :caption: ``compute.yml``
+
+   compute_libvirt_sasl_password: !vault |
+     $ANSIBLE_VAULT;1.1;AES256
+     63363937303539373738356236393563636466313130633435353933613637343231303836343933
+     3463623265653030323665383337376462363434396361320a653737376237353261303066616637
+     66613562316533313632613433643537346463303363376664396661343835373033326261383065
+     3731643633656636360a623534313665343066656161333866613338313266613465336332376463
+     3234
+
 Example: enabling libvirt TLS listener
 --------------------------------------
 
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index 864e29b96..db69a00cf 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -31,6 +31,9 @@ pip_trusted_hosts:
 aio_bridge_ports:
   - dummy1
 
+# Generate a password for libvirt SASL authentication.
+compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
+
 # Enable ironic for testing baremetal compute.
 kolla_enable_ironic: true
 
diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
index 34bf2a29f..fed315141 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
@@ -187,3 +187,6 @@ controller_firewalld_rules:
   - service: cockpit
     state: disabled
     zone: public
+
+# Generate a password for libvirt SASL authentication.
+compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
diff --git a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
index f679ce135..5972bdfd6 100644
--- a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
@@ -35,6 +35,9 @@ pip_trusted_hosts:
 aio_bridge_ports:
   - dummy1
 
+# Generate a password for libvirt SASL authentication.
+compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
+
 # Enable ironic for testing baremetal compute.
 kolla_enable_ironic: true
 
diff --git a/requirements.yml b/requirements.yml
index 86c765150..1818ef1a6 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -32,7 +32,7 @@ roles:
   - src: stackhpc.grafana-conf
     version: 1.1.1
  - src: stackhpc.libvirt-host
-    version: v1.10.0
+    version: v1.11.0
   - src: stackhpc.libvirt-vm
     version: v1.14.2
   - src: stackhpc.luks
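Review bot: `lookup('password', '/tmp/libvirt-sasl-password')` returns the contents of that file when it already exists and only generates a value otherwise, so on anything but a throwaway CI node a fixed, predictable path in the shared `/tmp` of the control host lets another local user pre-seed or read the credential; the comment should make the CI-only scope explicit, e.g. `# CI only: generate a throwaway password for libvirt SASL authentication.`. The same line is added to the kayobe-overcloud-host-configure-base and kayobe-overcloud-upgrade-base overrides in this commit, so the wording applies to all three. The hosts.rst example in this commit already steers production users to Ansible Vault, so this is about scoping the CI shortcut, not the mechanism.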