Merge "Missing client certificate for live-migration with TLS"
commit
2b8479d319
|
@ -246,6 +246,13 @@ parameters:
|
|||
description: The password for the libvirt service when TLS is enabled
|
||||
type: string
|
||||
hidden: true
|
||||
QemuDefaultTLSVerify:
|
||||
description: >
|
||||
Whether to enable or disable TLS client certificate verification. Enabling this
|
||||
option will reject any client who does not have a certificate signed by the CA
|
||||
in /etc/pki/qemu/ca-cert.pem
|
||||
default: true
|
||||
type: boolean
|
||||
LibvirtLogFilters:
|
||||
description: Defines a filter in libvirt daemon to select a different
|
||||
logging level for a given category log outputs, as specified
|
||||
|
@ -452,6 +459,7 @@ outputs:
|
|||
-
|
||||
tripleo::profile::base::nova::migration::client::libvirt_tls: true
|
||||
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
|
||||
nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
|
||||
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
|
||||
nova::migration::libvirt::listen_address:
|
||||
str_replace:
|
||||
|
@ -662,6 +670,8 @@ outputs:
|
|||
- get_param: LibvirtNbdCACert
|
||||
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
|
||||
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
|
||||
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
|
||||
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
|
||||
- null
|
||||
-
|
||||
if:
|
||||
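Review bot: The two volume entries in the third hunk that map `/etc/pki/qemu/server-cert.pem` and `/etc/pki/qemu/server-key.pem` onto `client-cert.pem` and `client-key.pem` (these appear to be the added lines, going by the hunk counts) make each host present its server certificate and private key as its TLS client identity, and nothing in the file says so. That only works if the issued certificate is valid for client authentication as well as server authentication, which cannot be confirmed from this page. With `QemuDefaultTLSVerify` defaulting to true, a certificate without that usage would presumably be rejected by the peer. I would add a comment above the two entries, e.g. `# client cert/key reuse the server pair; the cert must carry both serverAuth and clientAuth EKU`, and extend the parameter description in the first hunk to state that setting it to false lets clients without a CA-signed certificate connect. The volumes list and the parameters block both continue outside the hunks shown.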
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
`QemuDefaultTLSVerify` will allow operators to enable or disable TLS client
|
||||
certificate verification. Enabling this option will reject any client
|
||||
who does not have a certificate signed by the CA in
|
||||
/etc/pki/qemu/ca-cert.pem.
|
||||
The default is true and matches libvirt's. We will want to disable this
|
||||
by default in train.
|