Introducing default_tls_verify

TLS client verification used to be accidentally disabled in libvirt. This was fixed in libvirt-6.10.0-1. Which means, once you're using libvirt-6.10.0-1 or higher, a client certificate is mandatory during live migration with TLS. If we simply create the client certificate, this will fix live-migration of newly created instance but will not fix already created instances. This change will allow us to keep client certificate validation disabled during the train release cycle and re-enable it from Wallaby and onward. Related-Change: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/785438/ Related: https://bugzilla.redhat.com/show_bug.cgi?id=1945760 Change-Id: I628e5ef0a50799e44145fe4ed78303d0fdbf5838 (cherry picked from commit e28a1b8b70) (cherry picked from commit e046a3bf63)
2021-04-12 14:55:19 -04:00
parent b0c9f9c361
commit 2d198362d2
3 changed files with 71 additions and 1 deletions
--- a/manifests/compute/libvirt/qemu.pp
+++ b/manifests/compute/libvirt/qemu.pp
@@ -28,6 +28,10 @@
 #   (optional) Enables TLS client cert verification when vnc_tls is enabled.
 #   Defaults to true.
 #
+# [*default_tls_verify*]
+#   (optional) Enables TLS client cert verification.
+#   Defaults to true.
+#
 # [*memory_backing_dir*]
 #   (optional) This directory is used for memoryBacking source if configured as file.
 #   NOTE: big files will be stored here
@@ -49,6 +53,7 @@ class nova::compute::libvirt::qemu(
  $max_processes      = 4096,
  $vnc_tls            = false,
  $vnc_tls_verify     = true,
+  $default_tls_verify = true,
  $memory_backing_dir = undef,
  $nbd_tls            = false,
  $libvirt_version    = $::nova::compute::libvirt::version::default,
@@ -73,6 +78,11 @@ class nova::compute::libvirt::qemu(
      $vnc_tls_value = 0
      $vnc_tls_verify_value = 0
    }
+    if $default_tls_verify {
+      $default_tls_verify_value = $default_tls_verify ? { true => 1, false => 0 }
+    } else {
+      $default_tls_verify_value = 0
+    }

    if $nbd_tls {
      $nbd_tls_value = 1
@@ -85,6 +95,7 @@ class nova::compute::libvirt::qemu(
      "set max_processes ${max_processes}",
      "set vnc_tls ${vnc_tls_value}",
      "set vnc_tls_x509_verify ${vnc_tls_verify_value}",
+      "set default_tls_x509_verify ${default_tls_verify_value}",
    ]
    if $group and !empty($group) {
      $augues_group_changes = ["set group ${group}"]
@@ -117,6 +128,7 @@ class nova::compute::libvirt::qemu(
      'rm group',
      'rm vnc_tls',
      'rm vnc_tls_x509_verify',
+      'rm default_tls_x509_verify',
      'rm memory_backing_dir',
    ]
    if versioncmp($libvirt_version, '4.5') >= 0 {
--- a/releasenotes/notes/qemu-default_tls_verify-57e7afd6670afec2.yaml
+++ b/releasenotes/notes/qemu-default_tls_verify-57e7afd6670afec2.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Introducing default_tls_verify for qemu.
+    This effectively allows operators to enable or disable TLS client certificate verification.
--- a/spec/classes/nova_compute_libvirt_qemu_spec.rb
+++ b/spec/classes/nova_compute_libvirt_qemu_spec.rb
@@ -25,6 +25,7 @@ describe 'nova::compute::libvirt::qemu' do
            "rm group",
            "rm vnc_tls",
            "rm vnc_tls_x509_verify",
+            "rm default_tls_x509_verify",
            "rm memory_backing_dir",
        ],
      }).that_notifies('Service[libvirt]') }
@@ -45,6 +46,7 @@ describe 'nova::compute::libvirt::qemu' do
            "rm group",
            "rm vnc_tls",
            "rm vnc_tls_x509_verify",
+            "rm default_tls_x509_verify",
            "rm memory_backing_dir",
            "rm nbd_tls",
        ],
@@ -65,6 +67,7 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 4096",
            "set vnc_tls 0",
            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
        ],
        :tag     => 'qemu-conf-augeas',
      }).that_notifies('Service[libvirt]') }
@@ -84,6 +87,7 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 4096",
            "set vnc_tls 0",
            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
            "set nbd_tls 0",
        ],
        :tag     => 'qemu-conf-augeas',
@@ -106,6 +110,7 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 131072",
            "set vnc_tls 0",
            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
        ],
        :tag     => 'qemu-conf-augeas',
      }).that_notifies('Service[libvirt]') }
@@ -127,6 +132,7 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 131072",
            "set vnc_tls 0",
            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
            "set nbd_tls 0",
        ],
        :tag     => 'qemu-conf-augeas',
@@ -151,6 +157,7 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 131072",
            "set vnc_tls 0",
            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
            "set group openvswitch",
            "set memory_backing_dir /tmp",
        ],
@@ -173,12 +180,34 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 4096",
            "set vnc_tls 1",
            "set vnc_tls_x509_verify 1",
+            "set default_tls_x509_verify 1",
        ],
        :tag     => 'qemu-conf-augeas',
      }).that_notifies('Service[libvirt]') }
    end

-    context 'when configuring qemu without vnc_tls_verify' do
+    context 'when configuring qemu with default_tls_verify enabled' do
+      let :params do
+        {
+          :configure_qemu => true,
+          :default_tls_verify => true,
+          :libvirt_version => '3.9',
+        }
+      end
+      it { is_expected.to contain_augeas('qemu-conf-limits').with({
+        :context => '/files/etc/libvirt/qemu.conf',
+        :changes => [
+            "set max_files 1024",
+            "set max_processes 4096",
+            "set vnc_tls 0",
+            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
+        ],
+        :tag     => 'qemu-conf-augeas',
+      }).that_notifies('Service[libvirt]') }
+    end
+
+    context 'when configuring qemu with vnc_tls_verify disabled' do
      let :params do
        {
          :configure_qemu => true,
@@ -194,6 +223,28 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 4096",
            "set vnc_tls 1",
            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
+        ],
+        :tag     => 'qemu-conf-augeas',
+      }).that_notifies('Service[libvirt]') }
+    end
+
+    context 'when configuring qemu with default_tls_verify disabled' do
+      let :params do
+        {
+          :configure_qemu => true,
+          :default_tls_verify => false,
+          :libvirt_version => '3.9',
+        }
+      end
+      it { is_expected.to contain_augeas('qemu-conf-limits').with({
+        :context => '/files/etc/libvirt/qemu.conf',
+        :changes => [
+            "set max_files 1024",
+            "set max_processes 4096",
+            "set vnc_tls 0",
+            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 0",
        ],
        :tag     => 'qemu-conf-augeas',
      }).that_notifies('Service[libvirt]') }
@@ -214,6 +265,7 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 4096",
            "set vnc_tls 0",
            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
        ],
        :tag     => 'qemu-conf-augeas',
      }).that_notifies('Service[libvirt]') }
@@ -234,6 +286,7 @@ describe 'nova::compute::libvirt::qemu' do
            "set max_processes 4096",
            "set vnc_tls 0",
            "set vnc_tls_x509_verify 0",
+            "set default_tls_x509_verify 1",
            "set nbd_tls 1",
        ],
        :tag     => 'qemu-conf-augeas',