openstack/kolla-ansible
Code Issues Proposed changes
a1eec2498a
kolla-ansible/releasenotes/notes/libvirt-sasl-404199143610fb75.yaml
Mark Goddard d2d4b53d47 libvirt: support SASL authentication 
In Kolla Ansible OpenStack deployments, by default, libvirt is
configured to allow read-write access via an unauthenticated,
unencrypted TCP connection, using the internal API network.  This is to
facilitate migration between hosts.

By default, Kolla Ansible does not use encryption for services on the
internal network (and did not support it until Ussuri). However, most
other services on the internal network are at least authenticated
(usually via passwords), ensuring that they cannot be used by anyone
with access to the network, unless they have credentials.

The main issue here is the lack of authentication. Any client with
access to the internal network is able to connect to the libvirt TCP
port and make arbitrary changes to the hypervisor. This could include
starting a VM, modifying an existing VM, etc. Given the flexibility of
the domain options, it could be seen as equivalent to having root access
to the hypervisor.

Kolla Ansible supports libvirt TLS [1] since the Train release, using
client and server certificates for mutual authentication and encryption.
However, this feature is not enabled by default, and requires
certificates to be generated for each compute host.

This change adds support for libvirt SASL authentication, and enables it
by default. This provides base level of security. Deployments requiring
further security should use libvirt TLS.

[1] https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#libvirt-tls

Depends-On: https://review.opendev.org/c/openstack/kolla/+/833021
Closes-Bug: #1964013
Change-Id: Ia91ceeb609e4cdb144433122b443028c0278b71e
2022-03-10 16:57:16 +00:00

28 lines
1.3 KiB
YAML
Raw Blame History

---
features:
- |
Adds support for libvirt SASL authentication. It is enabled by default.
`LP#1964013 <https://bugs.launchpad.net/kolla-ansible/+bug/1964013>`__
security:
- |
Fixes an issue where the default configuration of libvirt did not use
authentication for the API exposed over TCP on the internal API network.
This allowed anyone with access to the internal API network read-write
access to libvirt. While the internal API network is typically trusted,
other services on this network generally at least require authentication.
SASL authentication is now enabled for libvirt by default. Kolla Ansible
supports libvirt TLS since the Train release, and this is recommended to
provide a higher level of security. `LP#1964013
<https://bugs.launchpad.net/kolla-ansible/+bug/1964013>`__
upgrade:
- |
The addition of libvirt SASL authentication requires a new password in
``passwords.yml``, ``libvirt_sasl_password``. This may be generated using
the existing ``kolla-genpwd`` and ``kolla-mergepwd`` tooling.
- |
The addition of libvirt SASL authentication requires both the
``nova_libvirt`` and ``nova_compute`` containers to be updated
simultaneously, using new images with the necessary Cyrus SASL
dependencies, as well as configuration containing the SASL credentials.
View Git Blame Copy Permalink