openstack-ansible-os_nova/templates/qemu.conf.j2
James Gibson 2b8d5a0b88 Enable TLS for VNC from novncproxy to compute hosts
To secure communications from the proxy server to the compute
nodes using VeNCrypt authentication scheme.

In a previous patch a TLS server certificate was deployed to
compute nodes, this patch makes use of this same server cert for
securing VNC sessions on compute nodes. It is recommended that
this certificate be issued by a dedicated certificate authority
solely for the VNC service, as libvirt does not currently have a
mechanism to restrict what certificates can be presented by the
proxy server. This has not been implemented to reduce complexity.

In addition the noVNC proxy needs to present a client certificate
so only approved VNC proxy servers can connect to the Compute nodes.
The PKI role has been used to create a client certificate for the
nova console nodes.

Related Nova docs:
https://docs.openstack.org/nova/latest/admin/remote-console-access.html

To help with the transition from unencrypted VNC to VeNCrypt, the
compute nodes' auth scheme initially allows both encrypted and
unencrypted sessions, controlled by the variable
`nova_vencrypt_auth_scheme`; this will be removed in future releases.

Change-Id: Iafb788f80fd401c6ce6e4576bafd06c92431bd65
2021-11-11 14:23:27 +00:00


# {{ ansible_managed }}
# qemu.conf template for the libvirt QEMU driver on nova compute hosts.
# Layout: optional Calico settings, optional default TLS certificate
# settings, the VNC TLS switch, then free-form overrides.
{% if nova_network_type == 'calico' %}
# Calico specific qemu settings
# Information available at:
# http://docs.projectcalico.org/en/latest/ubuntu-opens-install.html
#
# NOTE(review): this block is only rendered when nova_network_type is
# 'calico'. It runs QEMU guest processes as root:root and asks libvirt not
# to clear emulator capabilities, so a compromised QEMU process has far
# more reach on the host than under an unprivileged account. Confirm the
# deployed libvirt still honours clear_emulator_capabilities and that
# Calico still needs these settings before keeping them.
clear_emulator_capabilities = 0
user = "root"
group = "root"
cgroup_device_acl = [
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
"/dev/ptmx", "/dev/kvm", "/dev/kqemu",
"/dev/rtc", "/dev/hpet", "/dev/net/tun",
]
{% endif %}
{% if nova_libvirtd_listen_tls == 1 %}
# Use of TLS requires that x509 certificates be issued. The default is
# to keep them in /etc/pki/qemu. This directory must contain
#
# ca-cert.pem - the CA master certificate
# server-cert.pem - the server certificate signed with ca-cert.pem
# server-key.pem - the server private key
#
# and optionally may contain
#
# dh-params.pem - the DH params configuration file
#
# If the directory does not exist, libvirtd will fail to start. If the
# directory doesn't contain the necessary files, QEMU domains will fail
# to start if they are configured to use TLS.
#
# In order to overwrite the default path alter the following. This path
# definition will be used as the default path for other *_tls_x509_cert_dir
# configuration settings if their default path does not exist or is not
# specifically set.
#
# In this template the path comes from the nova_qemu_ssl_dir variable, so
# the files listed above must exist in that directory rather than in
# /etc/pki/qemu. server-key.pem is a private key and should be readable
# only by the account the QEMU processes run as.
default_tls_x509_cert_dir = "{{ nova_qemu_ssl_dir }}"
# The default TLS configuration only uses certificates for the server
# allowing the client to verify the server's identity and establish
# an encrypted channel.
#
# It is possible to use x509 certificates for authentication too, by
# issuing an x509 certificate to every client who needs to connect.
#
# Enabling this option will reject any client who does not have a
# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
#
# The default_tls_x509_cert_dir directory must also contain
#
# client-cert.pem - the client certificate signed with the ca-cert.pem
# client-key.pem - the client private key
#
# If this option is supplied it provides the default for the "_verify" option
# of specific TLS users such as vnc, backups, migration, etc. The specific
# users of TLS may override this by setting the specific "_verify" option.
#
# When not supplied the specific TLS users provide their own defaults.
#
# Because default_tls_x509_cert_dir is overridden above, the CA that client
# certificates are checked against is the ca-cert.pem in that directory.
# The check is only that the certificate chains to this CA, so every
# certificate the CA has issued is accepted. A CA dedicated to this service
# keeps that set limited to the approved console proxy hosts.
default_tls_x509_verify = 1
{% endif %}
# Enable use of TLS encryption on the VNC server. This requires
# a VNC client which supports the VeNCrypt protocol extension.
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
# itself. UltraVNC, RealVNC, TightVNC do not support this
#
# It is necessary to setup CA and issue a server certificate
# before enabling this.
#
# The value is taken from the nova_qemu_vnc_tls variable and is expected
# to render as 0 or 1. This line is written whether or not the TLS block
# above was rendered.
# NOTE(review): when nova_libvirtd_listen_tls is not 1 this template sets
# neither default_tls_x509_cert_dir nor default_tls_x509_verify, so VNC TLS
# would use libvirt's built-in certificate path and its own default for
# client verification (presumably no client-certificate check for VNC;
# confirm), unless those keys are supplied through _nova_qemu_conf.
vnc_tls = {{ nova_qemu_vnc_tls }}
# Free-form overrides: each entry of the _nova_qemu_conf mapping is written
# verbatim as "key = value". Nothing is quoted or escaped here, so string
# values must already carry their own double quotes.
# NOTE(review): an entry may repeat a key already set above, including the
# TLS settings; confirm how libvirt resolves a repeated key before relying
# on this as an override, and review overrides that weaken the TLS settings.
{% for key, value in _nova_qemu_conf.items() %}
{{ key }} = {{ value }}
{% endfor %}