From e046a3bf633f310650fefe54abfb2142703c230a Mon Sep 17 00:00:00 2001
From: David Vallee Delisle
Date: Mon, 12 Apr 2021 14:55:19 -0400
Subject: [PATCH] Introducing default_tls_verify

TLS client verification used to be accidentally disabled in libvirt. This was fixed in libvirt-6.10.0-1. Which means, once you're using libvirt-6.10.0-1 or higher, a client certificate is mandatory during live migration with TLS. If we simply create the client certificate, this will fix live-migration of newly created instance but will not fix already created instances. This change will allow us to keep client certificate validation disabled during the train release cycle and re-enable it from Wallaby and onward.

Related-Change: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/785438/
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1945760
Change-Id: I628e5ef0a50799e44145fe4ed78303d0fdbf5838
(cherry picked from commit e28a1b8b70b97820fa99d0a33f594801d42211a2)
---
 manifests/compute/libvirt/qemu.pp | 12 ++++
 ...u-default_tls_verify-57e7afd6670afec2.yaml | 5 ++
 .../classes/nova_compute_libvirt_qemu_spec.rb | 55 ++++++++++++++++++-
 3 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/qemu-default_tls_verify-57e7afd6670afec2.yaml

diff --git a/manifests/compute/libvirt/qemu.pp b/manifests/compute/libvirt/qemu.pp
index 9e538c152..241d76755 100644
--- a/manifests/compute/libvirt/qemu.pp
+++ b/manifests/compute/libvirt/qemu.pp
@@ -28,6 +28,10 @@
 # (optional) Enables TLS client cert verification when vnc_tls is enabled.
 # Defaults to true.
 #
+# [*default_tls_verify*]
+# (optional) Enables TLS client cert verification.
+# Defaults to true.
+#
 # [*memory_backing_dir*]
 # (optional) This directory is used for memoryBacking source if configured as file.
 # NOTE: big files will be stored here
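Review bot: The new parameter comment in the `@@ -28,6 +28,10 @@` hunk says only `Enables TLS client cert verification`, naming neither the qemu.conf key it drives nor the connections it affects, whereas the neighbouring `vnc_tls_verify` comment does scope itself (`when vnc_tls is enabled`). Since the commit message ties this knob to client-certificate checks on TLS live migration, an operator reading the class should be told what turning it off gives up. Suggested replacement for the `(optional)` line: `#   (optional) Sets default_tls_x509_verify in qemu.conf, i.e. whether libvirt verifies the client certificate on TLS connections (such as TLS live migration) that have no service-specific verify setting; disable only as a transitional measure.` followed by the existing `#   Defaults to true.`. The "no service-specific verify setting" wording is my reading of the libvirt key name and should be confirmed against the qemu.conf shipped with the targeted libvirt.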
@@ -49,6 +53,7 @@ class nova::compute::libvirt::qemu(
 $max_processes = 4096,
 $vnc_tls = false,
 $vnc_tls_verify = true,
+ $default_tls_verify = true,
 $memory_backing_dir = undef,
 $nbd_tls = false,
 $libvirt_version = $::nova::compute::libvirt::version::default,
@@ -73,6 +78,11 @@ class nova::compute::libvirt::qemu(
 $vnc_tls_value = 0
 $vnc_tls_verify_value = 0
 }
+ if $default_tls_verify {
+ $default_tls_verify_value = $default_tls_verify ? { true => 1, false => 0 }
+ } else {
+ $default_tls_verify_value = 0
+ }
 if $nbd_tls {
 $nbd_tls_value = 1
@@ -85,6 +95,7 @@ class nova::compute::libvirt::qemu(
 "set max_processes ${max_processes}",
 "set vnc_tls ${vnc_tls_value}",
 "set vnc_tls_x509_verify ${vnc_tls_verify_value}",
+ "set default_tls_x509_verify ${default_tls_verify_value}",
 ]
 if $group and !empty($group) {
 $augues_group_changes = ["set group ${group}"]
@@ -117,6 +128,7 @@ class nova::compute::libvirt::qemu(
 'rm group',
 'rm vnc_tls',
 'rm vnc_tls_x509_verify',
+ 'rm default_tls_x509_verify',
 'rm memory_backing_dir',
 ]
 if versioncmp($libvirt_version, '4.5') >= 0 {
diff --git a/releasenotes/notes/qemu-default_tls_verify-57e7afd6670afec2.yaml b/releasenotes/notes/qemu-default_tls_verify-57e7afd6670afec2.yaml
new file mode 100644
index 000000000..a4be67ed4
--- /dev/null
+++ b/releasenotes/notes/qemu-default_tls_verify-57e7afd6670afec2.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Introducing default_tls_verify for qemu.
+ This effectively allows operators to enable or disable TLS client certificate verification.
diff --git a/spec/classes/nova_compute_libvirt_qemu_spec.rb b/spec/classes/nova_compute_libvirt_qemu_spec.rb
index 9292bd855..37a13b1ae 100644
--- a/spec/classes/nova_compute_libvirt_qemu_spec.rb
+++ b/spec/classes/nova_compute_libvirt_qemu_spec.rb
@@ -25,6 +25,7 @@ describe 'nova::compute::libvirt::qemu' do
 "rm group",
 "rm vnc_tls",
 "rm vnc_tls_x509_verify",
+ "rm default_tls_x509_verify",
 "rm memory_backing_dir",
 ],
 }).that_notifies('Service[libvirt]') }
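Review bot: In the `@@ -73,6 +78,11 @@` hunk the `if $default_tls_verify { ... } else { ... }` wrapper is redundant: the selector `$default_tls_verify ? { true => 1, false => 0 }` sits inside the branch where the variable is already truthy, so it can only yield 1, and the `else` arm produces the 0 the selector would produce on its own. The shape was copied from the `vnc_tls` block, where the outer `if` matters because `vnc_tls_verify` only applies when `vnc_tls` is on; nothing gates this setting, so the five lines collapse to `$default_tls_verify_value = $default_tls_verify ? { true => 1, false => 0 }`. Keep the selector without a default arm: the parameter is untyped, and a non-Boolean such as the string `'false'` is truthy in Puppet and would fail catalog compilation at the selector instead of silently choosing a value, which is the right failure direction for a certificate-verification switch (a `Boolean` type would be cleaner if the class's other parameters are typed, which this hunk does not show). The enclosing class body continues outside the hunk.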
@@ -45,6 +46,7 @@ describe 'nova::compute::libvirt::qemu' do
 "rm group",
 "rm vnc_tls",
 "rm vnc_tls_x509_verify",
+ "rm default_tls_x509_verify",
 "rm memory_backing_dir",
 "rm nbd_tls",
 ],
@@ -65,6 +67,7 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 4096",
 "set vnc_tls 0",
 "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
 ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }
@@ -84,6 +87,7 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 4096",
 "set vnc_tls 0",
 "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
 "set nbd_tls 0",
 ],
 :tag => 'qemu-conf-augeas',
@@ -106,6 +110,7 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 131072",
 "set vnc_tls 0",
 "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
 ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }
@@ -127,6 +132,7 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 131072",
 "set vnc_tls 0",
 "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
 "set nbd_tls 0",
 ],
 :tag => 'qemu-conf-augeas',
@@ -151,6 +157,7 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 131072",
 "set vnc_tls 0",
 "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
 "set group openvswitch",
 "set memory_backing_dir /tmp",
 ],
@@ -173,12 +180,34 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 4096",
 "set vnc_tls 1",
 "set vnc_tls_x509_verify 1",
+ "set default_tls_x509_verify 1",
 ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }
 end
 
- context 'when configuring qemu without vnc_tls_verify' do
+ context 'when configuring qemu with default_tls_verify enabled' do
+ let :params do
+ {
+ :configure_qemu => true,
+ :default_tls_verify => true,
+ :libvirt_version => '3.9',
+ }
+ end
+ it { is_expected.to contain_augeas('qemu-conf-limits').with({
+ :context => '/files/etc/libvirt/qemu.conf',
+ :changes => [
+ "set max_files 1024",
+ "set max_processes 4096",
+ "set vnc_tls 0",
+ "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
+ ],
+ :tag => 'qemu-conf-augeas',
+ }).that_notifies('Service[libvirt]') }
+ end
+
+ context 'when configuring qemu with vnc_tls_verify disabled' do
 let :params do
 {
 :configure_qemu => true,
@@ -194,6 +223,28 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 4096",
 "set vnc_tls 1",
 "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
+ ],
+ :tag => 'qemu-conf-augeas',
+ }).that_notifies('Service[libvirt]') }
+ end
+
+ context 'when configuring qemu with default_tls_verify disabled' do
+ let :params do
+ {
+ :configure_qemu => true,
+ :default_tls_verify => false,
+ :libvirt_version => '3.9',
+ }
+ end
+ it { is_expected.to contain_augeas('qemu-conf-limits').with({
+ :context => '/files/etc/libvirt/qemu.conf',
+ :changes => [
+ "set max_files 1024",
+ "set max_processes 4096",
+ "set vnc_tls 0",
+ "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 0",
 ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }
@@ -214,6 +265,7 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 4096",
 "set vnc_tls 0",
 "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
 ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }
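Review bot: The new `default_tls_verify enabled` context in the `@@ -173,12 +180,34 @@` hunk asserts exactly the change list the default-parameter contexts above already pin (`set default_tls_x509_verify 1` alongside `set vnc_tls 0`), so it adds no coverage, and neither new context shows that the two verification knobs are independent of each other. A context that disables `default_tls_verify` while `vnc_tls` and `vnc_tls_verify` are on would pin that an operator who relaxes the default does not also lose `vnc_tls_x509_verify 1`; the `rm default_tls_x509_verify` side is already covered by the `@@ -25` and `@@ -45` hunks. The enclosing `describe` block continues outside the hunk.
```ruby
  context 'when configuring qemu with default_tls_verify disabled and vnc_tls_verify enabled' do
    let :params do
      {
        :configure_qemu     => true,
        :default_tls_verify => false,
        :vnc_tls            => true,
        :vnc_tls_verify     => true,
        :libvirt_version    => '3.9',
      }
    end
    it { is_expected.to contain_augeas('qemu-conf-limits').with({
      :context => '/files/etc/libvirt/qemu.conf',
      :changes => [
        "set max_files 1024",
        "set max_processes 4096",
        "set vnc_tls 1",
        "set vnc_tls_x509_verify 1",
        "set default_tls_x509_verify 0",
      ],
      :tag => 'qemu-conf-augeas',
    }).that_notifies('Service[libvirt]') }
  end
```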
@@ -234,6 +286,7 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 4096",
 "set vnc_tls 0",
 "set vnc_tls_x509_verify 0",
+ "set default_tls_x509_verify 1",
 "set nbd_tls 1",
 ],
 :tag => 'qemu-conf-augeas',