From 37a339d2b0f0282bf1bac96587b10ca61868cec5 Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Mon, 22 Jan 2018 17:19:14 +0000 Subject: [PATCH] Add support for libvirt VNC TLS Configures certs/key for nova-novnc vencrypt when TLS is enabled on the internal network. A dedicated IPA sub-CA can be used to restrict access, however by default the main IPA CA is used. Depends-On: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8 Change-Id: I67ffd847dc2d1949833a9d7039ad51e4364e02da --- docker/services/nova-libvirt.yaml | 135 +++++++++++++++--- docker/services/nova-vnc-proxy.yaml | 57 ++++++++ puppet/all-nodes-config.j2.yaml | 9 -- puppet/services/certmonger-user.yaml | 22 ++- puppet/services/nova-libvirt.yaml | 93 ++++++++++-- puppet/services/nova-vnc-proxy.yaml | 97 +++++++++++++ .../notes/vnc_tls-b3707d0134697cc7.yaml | 8 ++ 7 files changed, 379 insertions(+), 42 deletions(-) create mode 100644 releasenotes/notes/vnc_tls-b3707d0134697cc7.yaml diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index a4e424361e..3dd9142af6 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -46,8 +46,7 @@ parameters: default: true description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the - relevant keys for libvirt. NOTE. this is currently being - ignored and TLS for libvirtd is always disabled for now. + relevant keys for libvirt. DockerNovaMigrationSshdPort: default: 2022 description: Port that dockerized nova migration target sshd service 
@@ -80,6 +79,44 @@ parameters: description: > The Ceph cluster name must be at least 1 character and contain only letters and numbers. + UseTLSTransportForVnc: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + enable TLS transaport for libvirt VNC and configure the + relevant keys for libvirt. + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + InternalTLSVncCAFile: + default: '/etc/ipa/vnc.crt' + type: string + description: Specifies the CA cert to use for VNC TLS. + LibvirtCACert: + type: string + default: '' + description: This specifies the CA certificate to use for TLS in libvirt. + This file will be symlinked to the default CA path in libvirt, + which is /etc/pki/CA/cacert.pem. Note that due to limitations + GNU TLS, which is the TLS backend for libvirt, the file must + be less than 65K (so we can't use the system's CA bundle). + This parameter should be used if the default (which comes from + the InternalTLSCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. + LibvirtVncCACert: + type: string + default: '' + description: This specifies the CA certificate to use for VNC TLS. + This file will be symlinked to the default CA path, + which is /etc/pki/libvirt-vnc/ca-cert.pem. + This parameter should be used if the default (which comes from + the InternalTLSVncCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. + conditions: @@ -92,6 +129,11 @@ conditions: - {get_param: UseTLSTransportForLiveMigration} - true + libvirt_specific_ca_unset: + equals: + - {get_param: LibvirtCACert} + - '' + need_libvirt_secret: or: - equals: 
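Review bot: The UseTLSTransportForVnc description misspells "transport" as `transaport`, and the identical text is copied into docker/services/nova-vnc-proxy.yaml, puppet/services/nova-libvirt.yaml and puppet/services/nova-vnc-proxy.yaml, so all four copies need `enable TLS transport for libvirt VNC and configure the`. The InternalTLSVncCAFile description also leaves open what provisions `/etc/ipa/vnc.crt` on the host and how it relates to CertmongerVncCA, which an operator moving to a dedicated sub-CA has to know; I cannot tell from this change whether the puppet side named in Depends-On writes that file, so the description should say which step does and that the file must hold the CA selected via CertmongerVncCA.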
@@ -101,6 +143,21 @@ conditions: - {get_param: CinderEnableRbdBackend} - true + use_tls_for_vnc: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForVnc} + - true + + libvirt_vnc_specific_ca_unset: + equals: + - {get_param: LibvirtVncCACert} + - '' + + resources: ContainersCommon: @@ -152,23 +209,42 @@ outputs: - /usr/sbin/libvirtd --listen - /usr/sbin/libvirtd config_files: - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" - merge: true - preserve_properties: true - - source: "/var/lib/kolla/config_files/src-ceph/" - dest: "/etc/ceph/" - merge: true - preserve_properties: true + list_concat: + - + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + - source: "/var/lib/kolla/config_files/src-ceph/" + dest: "/etc/ceph/" + merge: true + preserve_properties: true + - if: + - use_tls_for_vnc + - + - source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem + dest: /etc/pki/libvirt-vnc/ + merge: true + preserve_properties: true + - null permissions: - - path: - str_replace: - template: /etc/ceph/CLUSTER.client.USER.keyring - params: - CLUSTER: {get_param: CephClusterName} - USER: {get_param: CephClientUserName} - owner: nova:nova - perm: '0600' + list_concat: + - + - path: + str_replace: + template: /etc/ceph/CLUSTER.client.USER.keyring + params: + CLUSTER: {get_param: CephClusterName} + USER: {get_param: CephClientUserName} + owner: nova:nova + perm: '0600' + - if: + - use_tls_for_vnc + - + - path: /etc/pki/libvirt-vnc/server-key.pem + owner: root:qemu + perm: '0640' + - null /var/lib/kolla/config_files/nova_virtlogd.json: command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf config_files: 
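Review bot: The `permissions` entry for `/etc/pki/libvirt-vnc/server-key.pem` carries no comment explaining the `root:qemu` / `0640` choice, which is the one security-relevant line of the hunk; a one-liner such as `# qemu reads the VNC server key through group access; keep it unreadable to other users` would stop the next editor from widening it. The `server-*.pem` glob also copies the private key with `preserve_properties: true`, so the host-side mode applies until this permissions step runs, which looks intended but is worth stating in the same comment.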
@@ -232,12 +308,33 @@ outputs: if: - use_tls_for_live_migration - - - /etc/ipa/ca.crt:/etc/pki/CA/cacert.pem:ro + - str_replace: + template: "CACERT:/etc/pki/CA/cacert.pem:ro" + params: + CACERT: + if: + - libvirt_specific_ca_unset + - get_param: InternalTLSCAFile + - get_param: LibvirtCACert - /etc/pki/libvirt/servercert.pem:/etc/pki/libvirt/servercert.pem:ro - /etc/pki/libvirt/private/serverkey.pem:/etc/pki/libvirt/private/serverkey.pem:ro - /etc/pki/libvirt/clientcert.pem:/etc/pki/libvirt/clientcert.pem:ro - /etc/pki/libvirt/private/clientkey.pem:/etc/pki/libvirt/private/clientkey.pem:ro - null + - + if: + - use_tls_for_vnc + - + - str_replace: + template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro" + params: + CACERT: + if: + - libvirt_vnc_specific_ca_unset + - get_param: InternalTLSVncCAFile + - get_param: LibvirtVncCACert + - /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro + - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_4: diff --git a/docker/services/nova-vnc-proxy.yaml b/docker/services/nova-vnc-proxy.yaml index 1ae28d1bc3..be678c4ffb 100644 --- a/docker/services/nova-vnc-proxy.yaml +++ b/docker/services/nova-vnc-proxy.yaml 
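Review bot: The CACERT `str_replace` bind-mounts whatever LibvirtVncCACert (or LibvirtCACert) names without any check that the file exists on the host; if the container runtime behaves like docker, a mistyped path produces an empty directory at `/etc/pki/libvirt-vnc/ca-cert.pem` and the failure only surfaces when libvirt or qemu tries to load the CA. A sentence on the parameter, e.g. `The file must already exist on the host; a missing path is not detected at deploy time.`, would save a confusing debugging session. Relatedly, the LibvirtCACert description documents the GnuTLS 65K size limit but the new LibvirtVncCACert description does not, although QEMU's VNC TLS is also GnuTLS-based, so the same caveat presumably applies and should be repeated there.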
@@ -40,6 +40,46 @@ parameters: default: false description: Remove package if the service is being disabled during upgrade type: boolean + EnableInternalTLS: + type: boolean + default: false + UseTLSTransportForVnc: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + enable TLS transaport for libvirt VNC and configure the + relevant keys for libvirt. + InternalTLSVncCAFile: + default: '/etc/ipa/vnc.crt' + type: string + description: Specifies the CA cert to use for VNC TLS. + LibvirtVncCACert: + type: string + default: '' + description: This specifies the CA certificate to use for VNC TLS. + This file will be symlinked to the default CA path, + which is /etc/pki/libvirt-vnc/ca-cert.pem. + This parameter should be used if the default (which comes from + the InternalTLSVncCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. + + +conditions: + + use_tls_for_vnc: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForVnc} + - true + + libvirt_vnc_specific_ca_unset: + equals: + - {get_param: LibvirtVncCACert} + - '' resources: 
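Review bot: `EnableInternalTLS` is the only parameter in this hunk without a `description`, and the copy added to puppet/services/nova-vnc-proxy.yaml has the same gap; `description: Whether TLS is enabled on the internal network.` would match the rest of the file. As a point of style, the parameter block and the `use_tls_for_vnc` / `libvirt_vnc_specific_ca_unset` conditions are now pasted verbatim into four templates, so every later correction (the `transaport` typo being the first) has to be applied four times; a short comment in each copy naming the others would at least make that drift visible.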
@@ -119,8 +159,25 @@ outputs: - - /var/lib/kolla/config_files/nova_vnc_proxy.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro + - + if: + - use_tls_for_vnc + - + - str_replace: + template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro" + params: + CACERT: + if: + - libvirt_vnc_specific_ca_unset + - get_param: InternalTLSVncCAFile + - get_param: LibvirtVncCACert + - /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro + - /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro + - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + metadata_settings: + get_attr: [NovaVncProxyPuppetBase, role_data, metadata_settings] host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]} upgrade_tasks: - name: Check if nova vncproxy is deployed diff --git a/puppet/all-nodes-config.j2.yaml b/puppet/all-nodes-config.j2.yaml index e015498a5f..c41cd44fac 100644 --- a/puppet/all-nodes-config.j2.yaml +++ b/puppet/all-nodes-config.j2.yaml @@ -58,12 +58,6 @@ parameters: constraints: - allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE'] default: '' - # NOTE(jaosorior): This is being set as IPA as it's the first - # CA we'll actually be testing out. But we can change this if - # people request it. - CertmongerCA: - type: string - default: 'IPA' EnableInternalTLS: type: boolean default: false @@ -75,7 +69,6 @@ parameters: type: string {%- endfor %} - resources: allNodesConfigImpl: @@ -213,8 +206,6 @@ resources: cloud_name_{{network.name_lower}}: {get_param: cloud_name_{{network.name_lower}}} {%- endfor %} cloud_name_ctlplane: {get_param: cloud_name_ctlplane} - # TLS parameters - certmonger_ca: {get_param: CertmongerCA} enable_internal_tls: {get_param: EnableInternalTLS} outputs: diff --git a/puppet/services/certmonger-user.yaml b/puppet/services/certmonger-user.yaml index a0b152954c..56f4ee9f0c 100644 --- a/puppet/services/certmonger-user.yaml 
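Review bot: `/etc/pki/libvirt-vnc/client-key.pem` is bind-mounted read-only into the nova-vnc-proxy container with no kolla `permissions` entry, unlike the libvirt server key in docker/services/nova-libvirt.yaml which is explicitly set to `root:qemu` / `0640`; whether the proxy process can read the key therefore depends entirely on the ownership certmonger leaves on the host, which this change does not show. If the puppet-tripleo change named in Depends-On takes care of that, a comment next to the mount should say so, e.g. `# key readability for the proxy user is left to the host-side certmonger setup`; if not, the proxy will start but vencrypt will fail at the first console connection.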
+++ b/puppet/services/certmonger-user.yaml @@ -37,6 +37,17 @@ parameters: default: 'http://ipa-ca/ipa/crl/MasterCRL.bin' description: URI where to get the CRL to be configured in the nodes. type: string + # NOTE(jaosorior): This is being set as IPA as it's the first + # CA we'll actually be testing out. But we can change this if + # people request it. + CertmongerCA: + type: string + default: 'IPA' + # TODO: default to a dedicated CA once the ipa sub-CA setup has been + # automated and upgrades are addressed + CertmongerVncCA: + type: string + default: 'IPA' conditions: @@ -48,10 +59,11 @@ outputs: value: service_name: certmonger_user config_settings: - tripleo::certmonger::ca::crl::crl_source: - if: - - internal_tls_enabled - - {get_param: DefaultCRLURL} - - null + if: + - internal_tls_enabled + - tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL} + certmonger_ca: {get_param: CertmongerCA} + certmonger_ca_vnc: {get_param: CertmongerVncCA} + - {} step_config: | include ::tripleo::profile::base::certmonger_user diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index 821d5b1aa2..1d233cee31 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml 
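Review bot: `CertmongerVncCA` has no `description`, yet it is the knob the commit message presents as the way to restrict access: with the default `'IPA'`, the VNC servers that puppet/services/nova-libvirt.yaml configures with `vnc_tls_verify: true` will trust any client certificate the main IPA CA has issued, not only the nova-vnc-proxy one, unless the CA profile distinguishes client from server certificates. Suggest `description: Certmonger CA nickname used to issue the libvirt VNC certificates. With the main IPA CA every IPA-issued certificate is accepted by the VNC servers; use a dedicated sub-CA to limit trust to the VNC proxies.` and keeping the existing TODO next to it.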
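Review bot: `certmonger_ca` is now only published inside the `internal_tls_enabled` branch, whereas the removed all-nodes-config.j2.yaml entry set it unconditionally; any puppet code that reads `certmonger_ca` with internal TLS disabled (certmonger use for other endpoints, if any) would now find the key undefined. If that is intentional it deserves a sentence in the commit message; otherwise keep the previous shape and make only `crl_source` conditional, as the removed lines did.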
@@ -75,13 +75,22 @@ parameters: default: true description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the - relevant keys for libvirt. NOTE. this is currently being - ignored and TLS for libvirtd is always disabled for now. + relevant keys for libvirt. + UseTLSTransportForVnc: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + enable TLS transaport for libvirt VNC and configure the + relevant keys for libvirt. InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + InternalTLSVncCAFile: + default: '/etc/ipa/vnc.crt' + type: string + description: Specifies the CA cert to use for VNC TLS. LibvirtCACert: type: string default: '' @@ -94,6 +103,16 @@ parameters: the InternalTLSCAFile parameter) is not desired. The current default reflects TripleO's default CA, which is FreeIPA. It will only be used if internal TLS is enabled. + LibvirtVncCACert: + type: string + default: '' + description: This specifies the CA certificate to use for VNC TLS. + This file will be symlinked to the default CA path, + which is /etc/pki/libvirt-vnc/ca-cert.pem. + This parameter should be used if the default (which comes from + the InternalTLSVncCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. MigrationSshKey: type: json description: > @@ -128,6 +147,21 @@ conditions: - {get_param: LibvirtCACert} - '' + use_tls_for_vnc: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForVnc} + - true + + libvirt_vnc_specific_ca_unset: + equals: + - {get_param: LibvirtVncCACert} + - '' + + resources: NovaBase: type: ./nova-base.yaml 
@@ -234,13 +268,54 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - {} + - + if: + - use_tls_for_vnc + - + nova::compute::libvirt::qemu::vnc_tls: true + nova::compute::libvirt::qemu::vnc_tls_verify: true + generate_service_certificates: true + tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem: + if: + - libvirt_vnc_specific_ca_unset + - get_param: InternalTLSVncCAFile + - get_param: LibvirtVncCACert + tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc' + libvirt_vnc_certificates_specs: + libvirt-vnc-server-cert: + cacertfile: + if: + - libvirt_vnc_specific_ca_unset + - get_param: InternalTLSVncCAFile + - null + service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem' + service_key: '/etc/pki/libvirt-vnc/server-key.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + - {} step_config: | include tripleo::profile::base::nova::libvirt metadata_settings: - if: - - use_tls_for_live_migration - - - - service: libvirt - network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - type: node - - null + list_concat: + - if: + - use_tls_for_live_migration + - + - service: libvirt + network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + type: node + - null + - if: + - use_tls_for_vnc + - + - service: libvirt-vnc + network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + type: node + - null diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index abd00fb834..a0427c63b2 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml 
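Review bot: The `libvirt-vnc-server-cert` spec has no `notify_service`, while the matching client spec in puppet/services/nova-vnc-proxy.yaml sets `notify_service: '%{::nova::params::vncproxy_service_name}'`; if QEMU loads the server certificate only when an instance's VNC server is created, a certmonger renewal will not reach running instances until they are restarted, and libvirt itself is not told either. Whether a restart is even appropriate here is unclear from the hunk, so at minimum a comment such as `# no notify_service: a renewed server cert applies to newly started VNC servers only — confirm` would record the expected behaviour. The enclosing `config_settings` mapping starts before this hunk.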
@@ -30,6 +30,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + StackUpdateType: + type: string + description: > + Type of update, to differentiate between UPGRADE and UPDATE cases + when StackAction is UPDATE (both are the same stack action). + constraints: + - allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE'] + default: '' MonitoringSubscriptionNovaVNCProxy: default: 'overcloud-nova-vncproxy' type: string @@ -38,6 +46,50 @@ parameters: default: tag: openstack.nova.vncproxy path: /var/log/nova/nova-vncproxy.log + EnableInternalTLS: + type: boolean + default: false + UseTLSTransportForVnc: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + enable TLS transaport for libvirt VNC and configure the + relevant keys for libvirt. + InternalTLSVncCAFile: + default: '/etc/ipa/vnc.crt' + type: string + description: Specifies the CA cert to use for VNC TLS. + LibvirtVncCACert: + type: string + default: '' + description: This specifies the CA certificate to use for VNC TLS. + This file will be symlinked to the default CA path, + which is /etc/pki/libvirt-vnc/ca-cert.pem. + This parameter should be used if the default (which comes from + the InternalTLSVncCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. + +conditions: + + use_tls_for_vnc: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForVnc} + - true + + libvirt_vnc_specific_ca_unset: + equals: + - {get_param: LibvirtVncCACert} + - '' + + allow_noauth: + # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky. + equals: [{get_param: StackUpdateType}, 'UPGRADE'] + resources: NovaBase: 
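Review bot: `allow_noauth` matches only `StackUpdateType == 'UPGRADE'`, although the parameter's `allowed_values` also admit `'FASTFORWARDUPGRADE'`, so during a fast-forward upgrade `nova::vncproxy::allow_noauth` evaluates to false and the proxy no longer accepts computes that have not yet switched to vencrypt; whether that window needs the same relaxation is not visible here. If it does, the condition becomes `or: [{equals: [{get_param: StackUpdateType}, 'UPGRADE']}, {equals: [{get_param: StackUpdateType}, 'FASTFORWARDUPGRADE']}]`; if the exclusion is deliberate, the comment should say so, because `allow_noauth: true` keeps an unauthenticated transport open and its scope ought to be explicit. `EnableInternalTLS` here also lacks a `description`, as noted for docker/services/nova-vnc-proxy.yaml.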
@@ -74,6 +126,43 @@ outputs: dport: - 6080 - 13080 + - + if: + - use_tls_for_vnc + - + nova::vncproxy::allow_vencrypt: true + nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]} + nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem + nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem + nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem + generate_service_certificates: true + tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem: + if: + - libvirt_vnc_specific_ca_unset + - get_param: InternalTLSVncCAFile + - get_param: LibvirtVncCACert + tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc' + libvirt_vnc_certificates_specs: + libvirt-vnc-client-cert: + cacertfile: + if: + - libvirt_vnc_specific_ca_unset + - get_param: InternalTLSVncCAFile + - null + service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem' + service_key: '/etc/pki/libvirt-vnc/client-key.pem' + notify_service: '%{::nova::params::vncproxy_service_name}' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + - {} service_config_settings: fluentd: tripleo_fluentd_groups_nova_vnc_proxy: @@ -86,3 +175,11 @@ outputs: - name: Stop nova_vnc_proxy service when: step|int == 1 service: name=openstack-nova-consoleauth state=stopped + metadata_settings: + if: + - use_tls_for_vnc + - + - service: libvirt-vnc + network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + type: node + - null diff --git a/releasenotes/notes/vnc_tls-b3707d0134697cc7.yaml b/releasenotes/notes/vnc_tls-b3707d0134697cc7.yaml new file mode 100644 index 0000000000..b72ee1d7fd --- /dev/null +++ b/releasenotes/notes/vnc_tls-b3707d0134697cc7.yaml 
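Review bot: `notify_service: '%{::nova::params::vncproxy_service_name}'` names a host service, but in the containerized deployment (docker/services/nova-vnc-proxy.yaml) nova-vnc-proxy runs inside a container that only bind-mounts the certificate read-only, so a certmonger-triggered restart of the host unit is likely a no-op there and a renewed client certificate may never be reloaded by the proxy. If the puppet-tripleo change in Depends-On handles container restarts on renewal, a comment here pointing to it would help; if not, console connections could start failing once the original certificate expires. Note also that the client spec requests the same `libvirt-vnc/<fqdn>` principal form as the server spec in puppet/services/nova-libvirt.yaml, so the two roles are distinguishable only by CA profile, if at all, which is the reason a dedicated CertmongerVncCA matters and is worth a comment on the spec.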
@@ -0,0 +1,8 @@ +--- +features: + - | + If TLS on the internal network is enabled, the nova-novnc to libvirt vnc + transport defaults to using TLS. This can be changed by setting the + ``UseTLSTransportForVnc`` parameter, which is ``true`` by default. + A dedicated IPA sub-CA can be specified by the ``LibvirtVncCACert`` + parameter. By default the main IPA CA will be used.