62861db22d
The NBD protocol previously ran in clear text, offering no security protection for the data transferred, unless it is tunnelled over some external transport like SSH. Such tunnelling is inefficient and inconvenient to manage. Support for TLS to the NBD clients & servers provided by QEMU was added. In the tls-everywhere use case we want to take advantage of this feature to create the certificates and configure qemu to use nbd tls.

Related-bug: 1793093
Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
Change-Id: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
43 lines
1.3 KiB
Puppet
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::qemu_nbd_dirs
#
# Creates the necessary directories for qemu nbd client certificates and keys
# in the assigned locations if specified. It also assigns the correct SELinux
# tags.
#
# === Parameters:
#
# [*certificate_dir*]
#   (Optional) Directory where qemu-nbd's client certificates will be stored.
#   If left unspecified, it won't be created.
#   Defaults to undef
#
class tripleo::certmonger::qemu_nbd_dirs(
  $certificate_dir = undef,
){

  if $certificate_dir {
    file { $certificate_dir :
      ensure  => 'directory',
      selrole => 'object_r',
      seltype => 'cert_t',
      seluser => 'system_u',
    }
    # Manage the directory before, and send refresh events to, every
    # certmonger certificate resource tagged 'qemu-cert'.
    File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-cert' |>
  }

}
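A post-deployment check for the label this class applies, as an added example that is not part of the original file or project. The function names `check_context` and `audit_dir` are hypothetical, the directory path is passed as an argument because the class has no default, and the script assumes GNU `stat`, whose `%C` format prints the SELinux context.

```shell
#!/bin/sh
# Added example: audit the SELinux label on a qemu-nbd certificate directory.
# Expected values are the seluser/selrole/seltype set by the class.
EXPECT_USER=system_u
EXPECT_ROLE=object_r
EXPECT_TYPE=cert_t

# check_context CONTEXT (hypothetical helper)
# Returns 0 when the user, role and type fields of CONTEXT match, else 1.
check_context() {
    ctx=$1
    user=${ctx%%:*}; rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}
    rc=0
    [ "$user" = "$EXPECT_USER" ] || { echo "seluser: got '$user', want '$EXPECT_USER'" >&2; rc=1; }
    [ "$role" = "$EXPECT_ROLE" ] || { echo "selrole: got '$role', want '$EXPECT_ROLE'" >&2; rc=1; }
    [ "$type" = "$EXPECT_TYPE" ] || { echo "seltype: got '$type', want '$EXPECT_TYPE'" >&2; rc=1; }
    return $rc
}

# audit_dir DIR (hypothetical helper)
# Returns 2 when DIR is missing, a symlink or unreadable; otherwise the
# result of check_context on its label.
audit_dir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a real directory" >&2
        return 2
    fi
    # On a host without SELinux the value returned here has no
    # user:role:type fields, so the check below fails.
    ctx=$(stat -c %C -- "$dir") || return 2
    check_context "$ctx"
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

A non-zero exit after a Puppet run means the directory was relabelled or replaced outside of Puppet.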