Introducing default_tls_verify
TLS client verification used to be accidentally disabled in libvirt. This was fixed in libvirt-6.10.0-1, which means that once you're using libvirt-6.10.0-1 or higher, a client certificate is mandatory during live migration with TLS. If we simply create the client certificate, this will fix live migration of newly created instances but will not fix already created instances. This change will allow us to keep client certificate validation disabled during the Train release cycle and re-enable it from Wallaby onward. Related-Change: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/785438/ Related: https://bugzilla.redhat.com/show_bug.cgi?id=1945760 Change-Id: I628e5ef0a50799e44145fe4ed78303d0fdbf5838 (cherry picked from commit e28a1b8b70) (cherry picked from commit e046a3bf63)
This commit is contained in:
parent
b0c9f9c361
commit
2d198362d2
@ -28,6 +28,10 @@
|
||||||
# (optional) Enables TLS client cert verification when vnc_tls is enabled.
|
# (optional) Enables TLS client cert verification when vnc_tls is enabled.
|
||||||
# Defaults to true.
|
# Defaults to true.
|
||||||
#
|
#
|
||||||
|
# [*default_tls_verify*]
|
||||||
|
# (optional) Enables TLS client cert verification.
|
||||||
|
# Defaults to true.
|
||||||
|
#
|
||||||
# [*memory_backing_dir*]
|
# [*memory_backing_dir*]
|
||||||
# (optional) This directory is used for memoryBacking source if configured as file.
|
# (optional) This directory is used for memoryBacking source if configured as file.
|
||||||
# NOTE: big files will be stored here
|
# NOTE: big files will be stored here
|
||||||
|
@ -49,6 +53,7 @@ class nova::compute::libvirt::qemu(
|
||||||
$max_processes = 4096,
|
$max_processes = 4096,
|
||||||
$vnc_tls = false,
|
$vnc_tls = false,
|
||||||
$vnc_tls_verify = true,
|
$vnc_tls_verify = true,
|
||||||
|
$default_tls_verify = true,
|
||||||
$memory_backing_dir = undef,
|
$memory_backing_dir = undef,
|
||||||
$nbd_tls = false,
|
$nbd_tls = false,
|
||||||
$libvirt_version = $::nova::compute::libvirt::version::default,
|
$libvirt_version = $::nova::compute::libvirt::version::default,
|
||||||
|
@ -73,6 +78,11 @@ class nova::compute::libvirt::qemu(
|
||||||
$vnc_tls_value = 0
|
$vnc_tls_value = 0
|
||||||
$vnc_tls_verify_value = 0
|
$vnc_tls_verify_value = 0
|
||||||
}
|
}
|
||||||
|
if $default_tls_verify {
|
||||||
|
$default_tls_verify_value = $default_tls_verify ? { true => 1, false => 0 }
|
||||||
|
} else {
|
||||||
|
$default_tls_verify_value = 0
|
||||||
|
}
|
||||||
|
|
||||||
if $nbd_tls {
|
if $nbd_tls {
|
||||||
$nbd_tls_value = 1
|
$nbd_tls_value = 1
|
||||||
|
@ -85,6 +95,7 @@ class nova::compute::libvirt::qemu(
|
||||||
"set max_processes ${max_processes}",
|
"set max_processes ${max_processes}",
|
||||||
"set vnc_tls ${vnc_tls_value}",
|
"set vnc_tls ${vnc_tls_value}",
|
||||||
"set vnc_tls_x509_verify ${vnc_tls_verify_value}",
|
"set vnc_tls_x509_verify ${vnc_tls_verify_value}",
|
||||||
|
"set default_tls_x509_verify ${default_tls_verify_value}",
|
||||||
]
|
]
|
||||||
if $group and !empty($group) {
|
if $group and !empty($group) {
|
||||||
$augues_group_changes = ["set group ${group}"]
|
$augues_group_changes = ["set group ${group}"]
|
||||||
|
@ -117,6 +128,7 @@ class nova::compute::libvirt::qemu(
|
||||||
'rm group',
|
'rm group',
|
||||||
'rm vnc_tls',
|
'rm vnc_tls',
|
||||||
'rm vnc_tls_x509_verify',
|
'rm vnc_tls_x509_verify',
|
||||||
|
'rm default_tls_x509_verify',
|
||||||
'rm memory_backing_dir',
|
'rm memory_backing_dir',
|
||||||
]
|
]
|
||||||
if versioncmp($libvirt_version, '4.5') >= 0 {
|
if versioncmp($libvirt_version, '4.5') >= 0 {
|
||||||
|
|
|
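Review bot: The inner selector in the `@ -73,6 +78,11 @@` hunk is redundant: inside `if $default_tls_verify {` the `false => 0` arm can never match, so the five-line if/else always yields 1 or 0 just as a single selector would, and if a non-Boolean truthy value (for example a string from Hiera) ever reaches it, the selector has no `default` arm and catalog compilation fails rather than degrading. Since this knob turns off TLS client certificate verification, failing closed on bad input is the right outcome, but it is clearer to enforce it at the parameter boundary: declare `Boolean $default_tls_verify = true,` in the signature hunk and reduce the body to `$default_tls_verify_value = $default_tls_verify ? { true => 1, false => 0 }`, mirroring how the `$vnc_tls_verify_value` assignment above it collapses to one line per branch. The new parameter documentation in the first hunk should also carry the operational meaning the commit message gives it, e.g. `# Disabling it lets libvirt accept TLS clients that present no certificate; this is intended as a transitional setting and true is the secure default.`, since "Enables TLS client cert verification." alone does not tell an operator what they give up by setting it to false. The class `nova::compute::libvirt::qemu` begins and ends outside these hunks, and the manifest path is not shown on the page.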
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Introducing default_tls_verify for qemu.
|
||||||
|
This effectively allows operators to enable or disable TLS client certificate verification.
|
|
@ -25,6 +25,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"rm group",
|
"rm group",
|
||||||
"rm vnc_tls",
|
"rm vnc_tls",
|
||||||
"rm vnc_tls_x509_verify",
|
"rm vnc_tls_x509_verify",
|
||||||
|
"rm default_tls_x509_verify",
|
||||||
"rm memory_backing_dir",
|
"rm memory_backing_dir",
|
||||||
],
|
],
|
||||||
}).that_notifies('Service[libvirt]') }
|
}).that_notifies('Service[libvirt]') }
|
||||||
|
@ -45,6 +46,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"rm group",
|
"rm group",
|
||||||
"rm vnc_tls",
|
"rm vnc_tls",
|
||||||
"rm vnc_tls_x509_verify",
|
"rm vnc_tls_x509_verify",
|
||||||
|
"rm default_tls_x509_verify",
|
||||||
"rm memory_backing_dir",
|
"rm memory_backing_dir",
|
||||||
"rm nbd_tls",
|
"rm nbd_tls",
|
||||||
],
|
],
|
||||||
|
@ -65,6 +67,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 4096",
|
"set max_processes 4096",
|
||||||
"set vnc_tls 0",
|
"set vnc_tls 0",
|
||||||
"set vnc_tls_x509_verify 0",
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
],
|
],
|
||||||
:tag => 'qemu-conf-augeas',
|
:tag => 'qemu-conf-augeas',
|
||||||
}).that_notifies('Service[libvirt]') }
|
}).that_notifies('Service[libvirt]') }
|
||||||
|
@ -84,6 +87,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 4096",
|
"set max_processes 4096",
|
||||||
"set vnc_tls 0",
|
"set vnc_tls 0",
|
||||||
"set vnc_tls_x509_verify 0",
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
"set nbd_tls 0",
|
"set nbd_tls 0",
|
||||||
],
|
],
|
||||||
:tag => 'qemu-conf-augeas',
|
:tag => 'qemu-conf-augeas',
|
||||||
|
@ -106,6 +110,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 131072",
|
"set max_processes 131072",
|
||||||
"set vnc_tls 0",
|
"set vnc_tls 0",
|
||||||
"set vnc_tls_x509_verify 0",
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
],
|
],
|
||||||
:tag => 'qemu-conf-augeas',
|
:tag => 'qemu-conf-augeas',
|
||||||
}).that_notifies('Service[libvirt]') }
|
}).that_notifies('Service[libvirt]') }
|
||||||
|
@ -127,6 +132,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 131072",
|
"set max_processes 131072",
|
||||||
"set vnc_tls 0",
|
"set vnc_tls 0",
|
||||||
"set vnc_tls_x509_verify 0",
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
"set nbd_tls 0",
|
"set nbd_tls 0",
|
||||||
],
|
],
|
||||||
:tag => 'qemu-conf-augeas',
|
:tag => 'qemu-conf-augeas',
|
||||||
|
@ -151,6 +157,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 131072",
|
"set max_processes 131072",
|
||||||
"set vnc_tls 0",
|
"set vnc_tls 0",
|
||||||
"set vnc_tls_x509_verify 0",
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
"set group openvswitch",
|
"set group openvswitch",
|
||||||
"set memory_backing_dir /tmp",
|
"set memory_backing_dir /tmp",
|
||||||
],
|
],
|
||||||
|
@ -173,12 +180,34 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 4096",
|
"set max_processes 4096",
|
||||||
"set vnc_tls 1",
|
"set vnc_tls 1",
|
||||||
"set vnc_tls_x509_verify 1",
|
"set vnc_tls_x509_verify 1",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
],
|
],
|
||||||
:tag => 'qemu-conf-augeas',
|
:tag => 'qemu-conf-augeas',
|
||||||
}).that_notifies('Service[libvirt]') }
|
}).that_notifies('Service[libvirt]') }
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when configuring qemu without vnc_tls_verify' do
|
context 'when configuring qemu with default_tls_verify enabled' do
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:configure_qemu => true,
|
||||||
|
:default_tls_verify => true,
|
||||||
|
:libvirt_version => '3.9',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
it { is_expected.to contain_augeas('qemu-conf-limits').with({
|
||||||
|
:context => '/files/etc/libvirt/qemu.conf',
|
||||||
|
:changes => [
|
||||||
|
"set max_files 1024",
|
||||||
|
"set max_processes 4096",
|
||||||
|
"set vnc_tls 0",
|
||||||
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
|
],
|
||||||
|
:tag => 'qemu-conf-augeas',
|
||||||
|
}).that_notifies('Service[libvirt]') }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when configuring qemu with vnc_tls_verify disabled' do
|
||||||
let :params do
|
let :params do
|
||||||
{
|
{
|
||||||
:configure_qemu => true,
|
:configure_qemu => true,
|
||||||
|
@ -194,6 +223,28 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 4096",
|
"set max_processes 4096",
|
||||||
"set vnc_tls 1",
|
"set vnc_tls 1",
|
||||||
"set vnc_tls_x509_verify 0",
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
|
],
|
||||||
|
:tag => 'qemu-conf-augeas',
|
||||||
|
}).that_notifies('Service[libvirt]') }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when configuring qemu with default_tls_verify disabled' do
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:configure_qemu => true,
|
||||||
|
:default_tls_verify => false,
|
||||||
|
:libvirt_version => '3.9',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
it { is_expected.to contain_augeas('qemu-conf-limits').with({
|
||||||
|
:context => '/files/etc/libvirt/qemu.conf',
|
||||||
|
:changes => [
|
||||||
|
"set max_files 1024",
|
||||||
|
"set max_processes 4096",
|
||||||
|
"set vnc_tls 0",
|
||||||
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 0",
|
||||||
],
|
],
|
||||||
:tag => 'qemu-conf-augeas',
|
:tag => 'qemu-conf-augeas',
|
||||||
}).that_notifies('Service[libvirt]') }
|
}).that_notifies('Service[libvirt]') }
|
||||||
|
@ -214,6 +265,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 4096",
|
"set max_processes 4096",
|
||||||
"set vnc_tls 0",
|
"set vnc_tls 0",
|
||||||
"set vnc_tls_x509_verify 0",
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
],
|
],
|
||||||
:tag => 'qemu-conf-augeas',
|
:tag => 'qemu-conf-augeas',
|
||||||
}).that_notifies('Service[libvirt]') }
|
}).that_notifies('Service[libvirt]') }
|
||||||
|
@ -234,6 +286,7 @@ describe 'nova::compute::libvirt::qemu' do
|
||||||
"set max_processes 4096",
|
"set max_processes 4096",
|
||||||
"set vnc_tls 0",
|
"set vnc_tls 0",
|
||||||
"set vnc_tls_x509_verify 0",
|
"set vnc_tls_x509_verify 0",
|
||||||
|
"set default_tls_x509_verify 1",
|
||||||
"set nbd_tls 1",
|
"set nbd_tls 1",
|
||||||
],
|
],
|
||||||
:tag => 'qemu-conf-augeas',
|
:tag => 'qemu-conf-augeas',
|
||||||
|
|
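Review bot: The new context `'when configuring qemu with default_tls_verify enabled'` (hunk `@ -173,12 +180,34 @@`) asserts exactly what the unmodified default contexts already assert, `"set default_tls_x509_verify 1"` with vnc_tls and vnc_tls_verify at 0, so it adds no coverage over the defaults case at the `@ -65,6 +67,7 @@` hunk. A more useful pairing is to combine the explicit `:default_tls_verify => true` with `:vnc_tls => true, :vnc_tls_verify => false` and expect `"set vnc_tls_x509_verify 0"` alongside `"set default_tls_x509_verify 1"`, which demonstrates that the two verification knobs are independent; the `disabled` context in the `@ -194,6 +223,28 @@` hunk could likewise set `:vnc_tls_verify => true` to show the inverse. Neither new context checks that a non-Boolean value is rejected, which is worth a case if the manifest ever gains a typed parameter. The spec's `describe` block starts and ends outside these hunks.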