
Use bind mounts for tls certificates

partial backport from train to use bind mounts for certificates.
The UseTLSTransportForNbd is not available in queens.

Certificates get merged into the containers using kolla_config
mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
gets disabled and enabled at a later point the containers running
the qemu process miss the required certificates and live migration
fails.
This change moves to using bind mounts for the certificates and, in the
case of UseTLSTransportForNbd, also creates the required certificates even
if UseTLSTransportForNbd is set to False. With this, UseTLSTransportForNbd
can be enabled/disabled as the required bind mounts/certificates
are already present.

Related-Bug: #1900986
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1888951

Conflicts:
  deployment/nova/nova-libvirt-container-puppet.yaml

Change-Id: I7f583d18e558b95922a66eb539cc91de74409c96
(cherry picked from commit e07e571ba2)
(cherry picked from commit 6e59a84ec0)
(cherry picked from commit a2510a5e14)
changes/88/767688/1
Martin Schuppert 9 months ago
parent
commit
855e61ceb2
  1. 24
      docker/services/nova-libvirt.yaml
  2. 16
      releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml

24
docker/services/nova-libvirt.yaml

@ -266,14 +266,6 @@ outputs:
dest: "/etc/ceph/"
merge: true
preserve_properties: true
- if:
- use_tls_for_vnc
-
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
dest: /etc/pki/libvirt-vnc/
merge: true
preserve_properties: true
- null
permissions:
list_concat:
-
@ -285,13 +277,6 @@ outputs:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
- if:
- use_tls_for_vnc
-
- path: /etc/pki/libvirt-vnc/server-key.pem
owner: root:qemu
perm: '0640'
- null
/var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files:
@ -358,29 +343,30 @@ outputs:
if:
- use_tls_for_live_migration
-
- /etc/pki/libvirt:/etc/pki/libvirt/:ro
- str_replace:
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
params:
CACERT:
if:
- libvirt_specific_ca_unset
- get_param: InternalTLSCAFile
- get_param: LibvirtCACert
- /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro
- null
-
if:
- use_tls_for_vnc
-
- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
- str_replace:
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
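Review bot: The direct bind mounts of `/etc/pki/libvirt-vnc/server-key.pem` and the `/etc/pki/libvirt` directory in this hunk make the host file's owner and mode the effective permissions inside the container, while the second hunk (`@ -285,13 +277,6`) drops the kolla `permissions` entry that set server-key.pem to `root:qemu` / `0640` after the copy, and nothing in this diff replaces it. If the host-side key is provisioned as root:root 0600 the qemu process in the container cannot read it and VNC TLS fails; if it is looser than 0640 the private key becomes readable beyond the qemu group. Presumably the host-side certificate provisioning already sets the expected ownership and mode; if so, record that dependency next to the mount, e.g. `# host file must be readable by group qemu and not world-readable; kolla_config no longer sets permissions`. The same consideration applies to the private key under /etc/pki/libvirt mounted for live migration via `- /etc/pki/libvirt:/etc/pki/libvirt/:ro`. The enclosing volumes list starts before this hunk.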

16
releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml

@ -0,0 +1,16 @@
---
fixes:
- |
Partial backport from train to use bind mounts for certificates.
The UseTLSTransportForNbd is not available in queens.
Certificates get merged into the containers using kolla_config
mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
gets disabled and enabled at a later point the containers running
the qemu process miss the required certificates and live migration
fails.
This change moves to use bind mount for the certificates and in
case of UseTLSTransportForNbd ans creates the required certificates even
if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd
can be enabled/disabled as the required bind mounts/certificates
are already present.