From 855e61ceb2da43cd75747fabd88176cd9af75f44 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Fri, 30 Oct 2020 10:43:58 +0100 Subject: [PATCH] Use bind mounts for tls certificates partial backport from train to use bind mounts for certificates. The UseTLSTransportForNbd is not available in queens. Certificates get merged into the containers using kolla_config mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd gets disabled and enabled at a later point the containers running the qemu process miss the required certificates and live migration fails. This change moves to use bind mount for the certificates and in case of UseTLSTransportForNbd ans creates the required certificates even if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd can be enabled/disabled as the required bind mounts/certificates are already present. Related-Bug: #1900986 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1888951 Conflicts: deployment/nova/nova-libvirt-container-puppet.yaml Change-Id: I7f583d18e558b95922a66eb539cc91de74409c96 (cherry picked from commit e07e571ba205097a23d9dc4e1fb9a6645351c248) (cherry picked from commit 6e59a84ec0082b17b54acbc0374700217a3f684b) (cherry picked from commit a2510a5e149733244f0c97ec07f3f81ff50ac174) --- docker/services/nova-libvirt.yaml | 24 ++++--------------- ...ind_mounts_for_certs-64cb88f78538a64b.yaml | 16 +++++++++++++ 2 files changed, 21 insertions(+), 19 deletions(-) create mode 100644 releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 4b5b255afe..589adcd198 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -266,14 +266,6 @@ outputs: dest: "/etc/ceph/" merge: true preserve_properties: true - - if: - - use_tls_for_vnc - - - - source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem - dest: /etc/pki/libvirt-vnc/ - merge: true - preserve_properties: true - - null permissions: list_concat: -
@@ -285,13 +277,6 @@ outputs: USER: {get_param: CephClientUserName} owner: nova:nova perm: '0600' - - if: - - use_tls_for_vnc - - - - path: /etc/pki/libvirt-vnc/server-key.pem - owner: root:qemu - perm: '0640' - - null /var/lib/kolla/config_files/nova_virtlogd.json: command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf config_files:
@@ -358,29 +343,30 @@ outputs: if: - use_tls_for_live_migration - + - /etc/pki/libvirt:/etc/pki/libvirt/:ro - str_replace: - template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro" + template: "CACERT:/etc/pki/CA/cacert.pem:ro" params: CACERT: if: - libvirt_specific_ca_unset - get_param: InternalTLSCAFile - get_param: LibvirtCACert - - /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro - null - if: - use_tls_for_vnc - + - /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro + - /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro - str_replace: - template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro" + template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro" params: CACERT: if: - libvirt_vnc_specific_ca_unset - get_param: InternalTLSVncCAFile - get_param: LibvirtVncCACert - - /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
diff --git a/releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml b/releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml new file mode 100644
index 0000000000..0bd132dff7
--- /dev/null
+++ b/releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml
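Review bot: Dropping the `permissions` entry for `/etc/pki/libvirt-vnc/server-key.pem` (second hunk, `owner: root:qemu`, `perm: '0640'`) without a replacement means the key's in-container ownership and mode now come unchanged from the host file through the new bind mount in the third hunk, and nothing in this change shows what creates that host file or with which mode. If the host key is not readable by the qemu group the VNC TLS listener cannot load it, and if it is world-readable the mount exposes it as-is, so a comment next to the mount should pin the expectation, e.g. `# server-key.pem is bind-mounted as-is: it must be root:qemu 0640 on the host`. The VNC entries also mount two individual files whereas the live-migration entry mounts the `/etc/pki/libvirt` directory; a single-file bind mount stays pinned to the original inode, so a renewal that writes a new key and renames it into place is not seen by the container until restart, which works against the stated goal of picking up certificate changes — mounting the directory (`- /etc/pki/libvirt-vnc/:/etc/pki/libvirt-vnc/:ro`) would be consistent with the other entry and survive that case. The enclosing volumes list starts before the hunk and continues into the `environment` key after it.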
@@ -0,0 +1,16 @@
+---
+fixes:
+ - |
+ Partial backport from train to use bind mounts for certificates.
+ The UseTLSTransportForNbd is not available in queens.
+
+ Certificates get merged into the containers using kolla_config
+ mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
+ gets disabled and enabled at a later point the containers running
+ the qemu process miss the required certificates and live migration
+ fails.
+ This change moves to use bind mount for the certificates and in
+ case of UseTLSTransportForNbd ans creates the required certificates even
+ if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd
+ can be enabled/disabled as the required bind mounts/certificates
+ are already present.