From d01e013d8e3f9fafc6b389e73d7212e00f03bc68 Mon Sep 17 00:00:00 2001 From: Zuul Date: Mon, 26 Apr 2021 12:35:04 +0000 Subject: [PATCH] Update git submodules * Update tripleo-heat-templates from branch 'master' to 2b8479d3191de1943ddd72a48529060921a63b98 - Merge "Missing client certificate for live-migration with TLS" - Missing client certificate for live-migration with TLS TLS client verification used to be accidentally disabled in libvirt. This was fixed in libvirt-6.10.0-1[1]. Which means, once you're using libvirt-6.10.0-1 or higher, a client certificate is mandatory during live migration with TLS. In this case, the server certificate generated by TripleO is valid for client _and_ server: Key Purpose (not critical): TLS WWW Server. TLS WWW Client. So most deployments can re-use the same certificate for client and server. Why? Because if both migration ends points are located on the same infrastructure, it is reasonable to use the same certificate for both client and server roles. Introducing QemuDefaultTLSVerify parameter This parameter will allow operators to enable or disable TLS client certificate verification. Enabling this option will reject any client who does not have a certificate signed by the CA in /etc/pki/qemu/ca-cert.pem. The default is true and matches libvirt's. We will want to disable this by default in train. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1879477#c3 Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/785957/ Related: https://bugzilla.redhat.com/show_bug.cgi?id=1945760 Change-Id: I3b252854a0dbf121d69bab79543561da6be781f4 --- tripleo-heat-templates | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tripleo-heat-templates b/tripleo-heat-templates index a28c3e4c5e..2b8479d319 160000 --- a/tripleo-heat-templates +++ b/tripleo-heat-templates @@ -1 +1 @@ -Subproject commit a28c3e4c5eba9cf702559bcaf5776a97a1d29821 +Subproject commit 2b8479d3191de1943ddd72a48529060921a63b98
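Review bot: the hunk only moves the tripleo-heat-templates submodule pointer (a28c3e4c5e to 2b8479d319), but the description carries a behaviour change that the bump message does not document for operators: with QemuDefaultTLSVerify defaulting to true, libvirt 6.10.0-1 or newer rejects any migration client whose certificate is not signed by the CA in /etc/pki/qemu/ca-cert.pem. The message should state how deployments whose existing certificate lacks the "TLS WWW Client" key purpose are expected to proceed (a release note or an upgrade-time check of the certificate's key purposes), and "We will want to disable this by default in train" should say plainly whether the stable/train backport is meant to ship with a different default than master, since as written it reads as contradicting "The default is true". Please also confirm that the Depends-On change https://review.opendev.org/c/openstack/puppet-nova/+/785957/ merged before this pointer was advanced, as the Depends-On indicates the new parameter relies on it.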
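The commit message rests on one property of the TripleO-generated certificate: its extendedKeyUsage lists both "TLS WWW Server" and "TLS WWW Client", so the same file can be presented in the client role once libvirt starts verifying it. The following is an added example, not code from TripleO, libvirt or puppet-nova: a small DER walker that decodes an extendedKeyUsage extension value and reports whether both purposes are present, which is the check an operator would want before enabling QemuDefaultTLSVerify on a deployment with pre-existing certificates. The two DER byte strings are constructed for the example; the OIDs for id-kp-serverAuth and id-kp-clientAuth are the standard RFC 5280 values.

```python
"""Check whether an X.509 extendedKeyUsage (EKU) extension value lists both
serverAuth and clientAuth, the property the commit message relies on when the
TripleO server certificate is reused as the libvirt migration client cert.

The DER parser below is written for this example only; it is not libvirt,
TripleO or puppet-nova code."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth ("TLS WWW Server")
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth ("TLS WWW Client")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode DER OID content octets into dotted notation."""
    first = value[0]
    parts = [str(first // 40), str(first % 40)]
    acc = 0
    for b in value[1:]:                       # base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def eku_oids(ext_value):
    """Return the dotted OIDs inside an EKU extnValue (SEQUENCE OF OID)."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OIDs")
        oids.append(decode_oid(body))
    return oids


def usable_for_both_roles(ext_value):
    """True when the EKU lists serverAuth and clientAuth, i.e. a single
    certificate can act as both the migration server and client cert."""
    found = set(eku_oids(ext_value))
    return SERVER_AUTH in found and CLIENT_AUTH in found


# Constructed sample DER for the example (not taken from a real deployment):
# SEQUENCE { OID 1.3.6.1.5.5.7.3.1, OID 1.3.6.1.5.5.7.3.2 }
DUAL_ROLE_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
# SEQUENCE { OID 1.3.6.1.5.5.7.3.1 } -- a server-only certificate, which a
# verifying libvirt would refuse in the client role
SERVER_ONLY_EKU = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    for name, der in (("dual-role", DUAL_ROLE_EKU), ("server-only", SERVER_ONLY_EKU)):
        print(name, eku_oids(der), "reusable as client cert:", usable_for_both_roles(der))
```

On a real host the extension value would be taken from the certificate in /etc/pki/qemu/ rather than from the constructed bytes above; a certificate that comes back server-only is exactly the case in which turning on client verification stops live migration.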