From 6e59a84ec0082b17b54acbc0374700217a3f684b Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Fri, 30 Oct 2020 10:43:58 +0100
Subject: [PATCH] Use bind mounts for tls certificates

Certificates get merged into the containers using kolla_config mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd gets disabled and enabled at a later point the containers running the qemu process miss the required certificates and live migration fails. This change moves to use bind mount for the certificates and in case of UseTLSTransportForNbd ans creates the required certificates even if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd can be enabled/disabled as the required bind mounts/certificates are already present.

Related-Bug: #1900986
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1888951
Depends-On: I9538b7e579d4921b14f6ef5eec0300e7e50628d4
Change-Id: I7f583d18e558b95922a66eb539cc91de74409c96
(cherry picked from commit e07e571ba205097a23d9dc4e1fb9a6645351c248)
---
 .../nova/nova-libvirt-container-puppet.yaml | 159 +++++++-----------
 ...ind_mounts_for_certs-64cb88f78538a64b.yaml | 13 ++
 2 files changed, 71 insertions(+), 101 deletions(-)
 create mode 100644 releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml

diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 738e1cec92..99716540ce 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -472,6 +472,48 @@ outputs:
 template: "libvirt/%{hiera('fqdn_NETWORK')}"
 params:
 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ # create the qemu and qemu_ndb dirs and certs also when when tls for nbd
+ # is not enabled this allows us to enable it even at a later time without
+ # restart of instances
+ tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
+ tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
+ tripleo::certmonger::ca::qemu::origin_ca_pem:
+ if:
+ - qemu_specific_ca_unset
+ - get_param: InternalTLSQemuCAFile
+ - get_param: QemuCACert
+ qemu_certificates_specs:
+ qemu-server-cert:
+ cacertfile:
+ if:
+ - qemu_specific_ca_unset
+ - get_param: InternalTLSQemuCAFile
+ - null
+ service_certificate: '/etc/pki/qemu/server-cert.pem'
+ service_key: '/etc/pki/qemu/server-key.pem'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ principal:
+ str_replace:
+ template: "qemu/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ qemu-nbd-client-cert:
+ service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
+ service_key: '/etc/pki/libvirt-nbd/client-key.pem'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ principal:
+ str_replace:
+ template: "qemu/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
 - nova::migration::libvirt::live_migration_inbound_addr:
 str_replace:
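Review bot: The certmonger specs re-added unconditionally in this hunk (the copy removed in the next hunk lived under the use_tls_for_nbd branch) no longer carry `generate_service_certificates: true`; that is only correct if the branch this hunk lands in, whose start is above the hunk, already sets it, and it is worth confirming because the bind mounts added later in the patch assume these files exist on the host. The new comment also has two slips, `qemu_ndb` for `qemu_nbd` and a doubled `when when`; suggested wording `# create the qemu and qemu_nbd dirs and certs also when tls for nbd is not` / `# enabled, so it can be enabled later without restarting instances`. The re-added `qemu-nbd-client-cert` spec drops the `cacertfile` entry its removed counterpart had; if that is deliberate (both specs would otherwise write the same CA file), a one-line comment saying so saves the next reader the comparison.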
@@ -518,51 +560,6 @@ outputs:
 -
 nova::compute::libvirt::qemu::nbd_tls: true
 nova::migration::libvirt::live_migration_with_native_tls: true
- tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
- tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
- generate_service_certificates: true
- tripleo::certmonger::ca::qemu::origin_ca_pem:
- if:
- - qemu_specific_ca_unset
- - get_param: InternalTLSQemuCAFile
- - get_param: QemuCACert
- qemu_certificates_specs:
- qemu-server-cert:
- cacertfile:
- if:
- - qemu_specific_ca_unset
- - get_param: InternalTLSQemuCAFile
- - null
- service_certificate: '/etc/pki/qemu/server-cert.pem'
- service_key: '/etc/pki/qemu/server-key.pem'
- hostname:
- str_replace:
- template: "%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- principal:
- str_replace:
- template: "qemu/%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- qemu-nbd-client-cert:
- cacertfile:
- if:
- - qemu_specific_ca_unset
- - get_param: InternalTLSQemuCAFile
- - null
- service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
- service_key: '/etc/pki/libvirt-nbd/client-key.pem'
- hostname:
- str_replace:
- template: "%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- principal:
- str_replace:
- template: "qemu/%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
 - {}
 puppet_config:
 config_volume: nova_libvirt
@@ -592,22 +589,6 @@ outputs: dest: "/etc/ceph/" merge: true preserve_properties: true - - if: - - use_tls_for_vnc - - - - source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem - dest: /etc/pki/libvirt-vnc/ - merge: true - preserve_properties: true - - null - - if: - - use_tls_for_nbd - - - - source: /var/lib/kolla/config_files/src-libvirt-nbd-pki/client-*.pem - dest: /etc/pki/libvirt-nbd/ - merge: true - preserve_properties: true - - null permissions: list_concat: - @@ -619,26 +600,6 @@ outputs: USER: {get_param: CephClientUserName} owner: nova:nova perm: '0600' - - if: - - use_tls_for_vnc - - - - path: /etc/pki/libvirt-vnc/server-key.pem - owner: root:qemu - perm: '0640' - - null - - if: - - use_tls_for_nbd - - - - path: /etc/pki/libvirt-nbd/client-key.pem - owner: root:qemu - perm: '0640' - - path: /etc/pki/qemu/server-key.pem - owner: root:qemu - perm: '0640' - - path: /etc/pki/qemu/ca-cert.pem - owner: root:root - perm: '0644' - - null /var/lib/kolla/config_files/nova_virtlogd.json: command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf config_files: 
@@ -740,29 +701,41 @@ outputs: if: - use_tls_for_live_migration - + - /etc/pki/libvirt:/etc/pki/libvirt/:ro + - /etc/pki/libvirt-nbd:/etc/pki/libvirt-nbd:ro - str_replace: - template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro" + template: "CACERT:/etc/pki/CA/cacert.pem:ro" params: CACERT: if: - libvirt_specific_ca_unset - get_param: InternalTLSCAFile - get_param: LibvirtCACert - - /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro + - str_replace: + template: "CACERT:/etc/pki/qemu/ca-cert.pem:ro" + params: + CACERT: + if: + - libvirt_nbd_specific_ca_unset + - get_param: InternalTLSNbdCAFile + - get_param: LibvirtNbdCACert + - /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro + - /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro - null - if: - use_tls_for_vnc - + - /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro + - /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro - str_replace: - template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro" + template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro" params: CACERT: if: - libvirt_vnc_specific_ca_unset - get_param: InternalTLSVncCAFile - get_param: LibvirtVncCACert - - /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro - null - if: 
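Review bot: The private keys now reach the container through `:ro` bind mounts (`/etc/pki/qemu/server-key.pem`, the whole `/etc/pki/libvirt-nbd` directory and, under use_tls_for_vnc, `/etc/pki/libvirt-vnc/server-key.pem`), so their ownership and mode inside nova_libvirt are whatever the host has; the kolla `permissions` entries this patch removes in the earlier hunks were what pinned them to `root:qemu` / `0640` (and `0644` for the qemu CA). Nothing in this hunk replaces that, so it presumably relies on the certmonger specs setting the host-side mode, which is worth confirming: a host key wider than `0640` is now readable by whatever runs in a container that mounts the directory, and a root-only key breaks native TLS live migration for the qemu process. A comment on the first new mount line naming where host permissions are enforced would make that dependency explicit. Minor: `/etc/pki/libvirt:/etc/pki/libvirt/:ro` has a trailing slash that the neighbouring `/etc/pki/libvirt-nbd:/etc/pki/libvirt-nbd:ro` does not; keep the two consistent. The volumes list this hunk edits starts and ends outside the hunk.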
@@ -773,22 +746,6 @@ outputs: params: MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]} - null - - - if: - - use_tls_for_nbd - - - - str_replace: - template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/ca-cert.pem:ro" - params: - CACERT: - if: - - libvirt_nbd_specific_ca_unset - - get_param: InternalTLSNbdCAFile - - get_param: LibvirtNbdCACert - - /etc/pki/qemu/server-cert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-cert.pem:ro - - /etc/pki/qemu/server-key.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-key.pem:ro - - /etc/pki/libvirt-nbd:/var/lib/kolla/config_files/src-libvirt-nbd-pki:ro - - null environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS step_4: diff --git a/releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml b/releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml new file mode 100644 index 0000000000..220a38c0ce --- /dev/null +++ b/releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml @@ -0,0 +1,13 @@ +--- +fixes: + - | + Certificates get merged into the containers using kolla_config + mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd + gets disabled and enabled at a later point the containers running + the qemu process miss the required certificates and live migration + fails. + This change moves to use bind mount for the certificates and in + case of UseTLSTransportForNbd ans creates the required certificates even + if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd + can be enabled/disabled as the required bind mounts/certificates + are already present.