Missing client certificate for live-migration with TLS

TLS client verification used to be accidentally disabled in libvirt. This was fixed in libvirt-6.10.0-1 [1]. This means that, once you're using libvirt-6.10.0-1 or higher, a client certificate is mandatory during live migration with TLS.

In this case, the server certificate generated by TripleO is valid for client _and_ server:

    Key Purpose (not critical):
        TLS WWW Server.
        TLS WWW Client.

So most deployments can re-use the same certificate for client and server. Why? Because if both migration end points are located on the same infrastructure, it is reasonable to use the same certificate for both client and server roles.

Introducing QemuDefaultTLSVerify parameter

This parameter will allow operators to enable or disable TLS client certificate verification. Enabling this option will reject any client who does not have a certificate signed by the CA in /etc/pki/qemu/ca-cert.pem. The default is true and matches libvirt's. We will want to disable this by default in train.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1879477#c3

Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/787249
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1945760
Change-Id: I3b252854a0dbf121d69bab79543561da6be781f4
(cherry picked from commit e7d37585ac)
(cherry picked from commit d0d4f25f3d)
(cherry picked from commit dfb282b503)
parent 538171db55
commit ac1584a44f
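The commit message's reuse of the server certificate as the client certificate only works while that certificate really carries both key purposes. The following shell check is an added example, not part of this change or of tripleo-heat-templates: it uses the openssl CLI, which prints the purposes as "TLS Web Server Authentication" / "TLS Web Client Authentication" (the same EKUs certtool shows as "TLS WWW Server" / "TLS WWW Client"), and generates throwaway self-signed certificates as constructed test data. The /etc/pki/qemu paths come from the change; the CN and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from tripleo-heat-templates): verify that a certificate
# about to be reused as /etc/pki/qemu/client-cert.pem carries both the
# TLS server and TLS client extended key usages. Requires the openssl CLI
# (1.1.1 or newer for -addext in make_test_cert).
set -eu

# Print the extendedKeyUsage line of a PEM certificate, empty if it has none.
cert_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# cert_has_eku CERT "purpose text" -> 0 if that purpose is listed.
cert_has_eku() {
  cert_eku "$1" | grep -q "$2"
}

# cert_usable_for_both CERT -> 0 only if the certificate may serve as both
# the QEMU/libvirt server cert and the migration client cert.
cert_usable_for_both() {
  cert_has_eku "$1" "TLS Web Server Authentication" &&
    cert_has_eku "$1" "TLS Web Client Authentication"
}

# make_test_cert OUT "eku list" -> constructed, throwaway self-signed cert
# used only to exercise the check; real deployments use the CA-issued cert.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=compute-0.example.test" \
    -addext "extendedKeyUsage=$2" \
    -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Usage on a compute node (paths from the change):
#   cert_usable_for_both /etc/pki/qemu/server-cert.pem \
#     && echo "ok to reuse as client cert" \
#     || echo "server cert lacks the client purpose; do not reuse it"
```

Run the usage line before setting QemuDefaultTLSVerify to true on a deployment that did not get its certificate from TripleO; a server-only certificate will pass the server side and fail only when the node acts as migration client.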
@ -244,6 +244,13 @@ parameters:
type: boolean
tags:
- role_specific
QemuDefaultTLSVerify:
description: >
Whether to enable or disable TLS client certificate verification. Enabling this
option will reject any client who does not have a certificate signed by the CA
in /etc/pki/qemu/ca-cert.pem
default: true
type: boolean
LibvirtLogFilters:
description: Defines a filter to select a different logging level
for a given category log outputs, as specified in
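Review bot: the QemuDefaultTLSVerify description (`Whether to enable or disable TLS client certificate verification. ... in /etc/pki/qemu/ca-cert.pem`) documents what true does but not what false means in practice: with verification off, any host that can reach the TLS migration listener completes the handshake without presenting a certificate, so the only remaining access control is the network. Suggest saying so, stating that the default of true matches libvirt's behaviour from 6.10.0-1 onwards and that false is a compatibility setting for clients that have no certificate, and ending the sentence with a period like the neighbouring descriptions. Minor: the parameter directly above carries `tags: - role_specific`; if this one is meant to be settable per compute role as well, it needs the same tag.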
@ -456,6 +463,7 @@ outputs:
generate_service_certificates: true
tripleo::profile::base::nova::migration::client::libvirt_tls: true
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
nova::migration::libvirt::listen_address:
str_replace:
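Review bot: `nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}` refers to a puppet-nova class parameter introduced by the commit's Depends-On, so this hiera key is only honoured once https://review.opendev.org/c/openstack/puppet-nova/+/787249 has merged on the same branch; it must not land ahead of it. Also note the key name says default, not migration: if puppet-nova maps it to qemu.conf's default verify setting, the operator's choice applies to every QEMU TLS service that has no explicit per-service verify setting (the NBD TLS material mounted in the next hunk included), not just live migration. Worth confirming the scope in the puppet-nova change and stating it in the parameter description.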
@ -769,6 +777,8 @@ outputs:
- get_param: LibvirtNbdCACert
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
- null
-
if:
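Review bot: `/etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro` and the matching `server-key.pem:/etc/pki/qemu/client-key.pem:ro` bind mounts make the server certificate double as the client identity, which per the commit message works because the TripleO-generated certificate carries both the TLS WWW Server and TLS WWW Client key purposes. Nothing checks that assumption: with an operator-supplied server certificate that has only the server purpose, migration will fail at the TLS handshake once QemuDefaultTLSVerify is true, and the error will point at the client certificate rather than at this mount. Suggest documenting the dual-purpose requirement in the parameter description or release note and, longer term, offering separate client cert/key parameters so the server private key does not have to be exposed under a second name.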
@ -0,0 +1,9 @@
---
features:
- |
`QemuDefaultTLSVerify` will allow operators to enable or disable TLS client
certificate verification. Enabling this option will reject any client
who does not have a certificate signed by the CA in
/etc/pki/qemu/ca-cert.pem.
The default is true and matches libvirt's. We will want to disable this
by default in train.
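Review bot: `We will want to disable this by default in train.` is a plan for another branch, not a description of this change; release notes are read by operators of the release that ships them and should state the shipped behaviour only. Suggest dropping that sentence, replacing `who does not have a certificate` with `that does not present a certificate signed by the CA` (a client may hold one and still not be configured to present it), and adding what false means: migration TLS peers are no longer authenticated, so only network reachability restricts who may connect. Given that effect, a `security:` section alongside `features:` would be appropriate.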