Use bind mounts for tls certificates
partial backport from train to use bind mounts for certificates. The UseTLSTransportForNbd is not available in queens. Certificates get merged into the containers using the kolla_config mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd gets disabled and enabled at a later point, the containers running the qemu process miss the required certificates and live migration fails. This change moves to using bind mounts for the certificates and, in the case of UseTLSTransportForNbd, creates the required certificates even if UseTLSTransportForNbd is set to False. With this, UseTLSTransportForNbd can be enabled/disabled as the required bind mounts/certificates are already present. Related-Bug: #1900986 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1888951 Conflicts: deployment/nova/nova-libvirt-container-puppet.yaml Change-Id: I7f583d18e558b95922a66eb539cc91de74409c96 (cherry picked from commit e07e571ba2
) (cherry picked from commit 6e59a84ec0
) (cherry picked from commit a2510a5e14
)
This commit is contained in:
parent
32761b5d8c
commit
855e61ceb2
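--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -266,14 +266,6 @@ outputs:
 dest: "/etc/ceph/"
 merge: true
 preserve_properties: true
-- if:
-- use_tls_for_vnc
--
-- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
-dest: /etc/pki/libvirt-vnc/
-merge: true
-preserve_properties: true
-- null
 permissions:
 list_concat:
 -
@@ -285,13 +277,6 @@ outputs:
 USER: {get_param: CephClientUserName}
 owner: nova:nova
 perm: '0600'
-- if:
-- use_tls_for_vnc
--
-- path: /etc/pki/libvirt-vnc/server-key.pem
-owner: root:qemu
-perm: '0640'
-- null
 /var/lib/kolla/config_files/nova_virtlogd.json:
 command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
 config_files:
@@ -358,29 +343,30 @@ outputs:
 if:
 - use_tls_for_live_migration
 -
+- /etc/pki/libvirt:/etc/pki/libvirt/:ro
 - str_replace:
-template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
+template: "CACERT:/etc/pki/CA/cacert.pem:ro"
 params:
 CACERT:
 if:
 - libvirt_specific_ca_unset
 - get_param: InternalTLSCAFile
 - get_param: LibvirtCACert
-- /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro
 - null
 -
 if:
 - use_tls_for_vnc
 -
+- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
+- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
 - str_replace:
-template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
+template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
 params:
 CACERT:
 if:
 - libvirt_vnc_specific_ca_unset
 - get_param: InternalTLSVncCAFile
 - get_param: LibvirtVncCACert
-- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
 - null
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS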
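--- /dev/null
+++ b/<PATH-NOT-ON-PAGE: release note file>
@@ -0,0 +1,16 @@
+---
+fixes:
+- |
+Partial backport from train to use bind mounts for certificates.
+The UseTLSTransportForNbd is not available in queens.
+
+Certificates get merged into the containers using kolla_config
+mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
+gets disabled and enabled at a later point the containers running
+the qemu process miss the required certificates and live migration
+fails.
+This change moves to use bind mount for the certificates and in
+case of UseTLSTransportForNbd ans creates the required certificates even
+if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd
+can be enabled/disabled as the required bind mounts/certificates
+are already present.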