28 lines
1.3 KiB
YAML
28 lines
1.3 KiB
YAML
---
|
|
features:
|
|
- |
|
|
Adds support for libvirt SASL authentication. It is enabled by default.
|
|
`LP#1964013 <https://bugs.launchpad.net/kolla-ansible/+bug/1964013>`__
|
|
security:
|
|
- |
|
|
Fixes an issue where the default configuration of libvirt did not use
|
|
authentication for the API exposed over TCP on the internal API network.
|
|
This allowed anyone with access to the internal API network read-write
|
|
access to libvirt. While the internal API network is typically trusted,
|
|
other services on this network generally at least require authentication.
|
|
|
|
SASL authentication is now enabled for libvirt by default. Kolla Ansible
|
|
supports libvirt TLS since the Train release, and this is recommended to
|
|
provide a higher level of security. `LP#1964013
|
|
<https://bugs.launchpad.net/kolla-ansible/+bug/1964013>`__
|
|
upgrade:
|
|
- |
|
|
The addition of libvirt SASL authentication requires a new password in
|
|
``passwords.yml``, ``libvirt_sasl_password``. This may be generated using
|
|
the existing ``kolla-genpwd`` and ``kolla-mergepwd`` tooling.
|
|
- |
|
|
The addition of libvirt SASL authentication requires both the
|
|
``nova_libvirt`` and ``nova_compute`` containers to be updated
|
|
simultaneously, using new images with the necessary Cyrus SASL
|
|
dependencies, as well as configuration containing the SASL credentials.
|