Disable live migration over TLS

Due to the fact that it doesn't use a separate CA (or sub CA) for libvirtd, and that proper SASL is not being used. We are disabling this option since it doesn't meet the appropriate security requirements. We'll look into adding this back once these issues get fixed. Change-Id: I6a5e4db1b6dd6bc8b7e73e53b614b070d15b8a23 Closes-Bug: #1730370
2017-11-06 13:31:33 +02:00 · 2017-11-06 13:31:33 +02:00 · 645757cbd6
commit 645757cbd6
parent e463ca15fb
3 changed files with 26 additions and 18 deletions
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@ -46,7 +46,8 @@ parameters:
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
-                 relevant keys for libvirt.
+                 relevant keys for libvirt. NOTE. this is currently being
+                 ignored and TLS for libvirtd is always disabled for now.
  DockerNovaMigrationSshdPort:
    default: 2022
    description: Port that dockerized nova migration target sshd service
@ -70,14 +71,14 @@ parameters:

 conditions:

-  use_tls_for_live_migration:
-    and:
-    - equals:
-      - {get_param: EnableInternalTLS}
-      - true
-    - equals:
-      - {get_param: UseTLSTransportForLiveMigration}
-      - true
+  use_tls_for_live_migration: false
+  # and:
+  # - equals:
+  #   - {get_param: EnableInternalTLS}
+  #   - true
+  # - equals:
+  #   - {get_param: UseTLSTransportForLiveMigration}
+  #   - true

  need_libvirt_secret:
    or:
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@ -66,7 +66,8 @@ parameters:
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
-                 relevant keys for libvirt.
+                 relevant keys for libvirt. NOTE. this is currently being
+                 ignored and TLS for libvirtd is always disabled for now.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
@ -100,14 +101,14 @@ parameters:

 conditions:

-  use_tls_for_live_migration:
-    and:
-    - equals:
-      - {get_param: EnableInternalTLS}
-      - true
-    - equals:
-      - {get_param: UseTLSTransportForLiveMigration}
-      - true
+  use_tls_for_live_migration: false
+  # and:
+  # - equals:
+  #   - {get_param: EnableInternalTLS}
+  #   - true
+  # - equals:
+  #   - {get_param: UseTLSTransportForLiveMigration}
+  #   - true

  libvirt_specific_ca_unset:
    equals:
--- a/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
+++ b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Live migration over TLS has been disabled since the settings it was using
+    don't meet the required security standards. It is currently not possible to
+    enable it via t-h-t.