Browse Source

Missing client certificate for live-migration with TLS

TLS client verification used to be accidentally disabled in libvirt.
This was fixed in libvirt-6.10.0-1[1].
Which means, once you're using libvirt-6.10.0-1 or higher, a client
certificate is mandatory during live migration with TLS.

In this case, the server certificate generated by TripleO is valid
for client _and_ server:

                 Key Purpose (not critical):
                         TLS WWW Server.
                         TLS WWW Client.

So most deployments can re-use the same certificate for client and
server.  Why?  Because if both migration ends points are located
on the same infrastructure, it is reasonable to use the same
certificate for both client and server roles.

Introducing QemuDefaultTLSVerify parameter

This parameter will allow operators to enable or disable TLS client
certificate verification. Enabling this option will reject any client
who does not have a certificate signed by the CA in
/etc/pki/qemu/ca-cert.pem.

The default is true and matches libvirt's. We will want to disable this
by default in train.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1879477#c3

Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/787249
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1945760
Change-Id: I3b252854a0dbf121d69bab79543561da6be781f4
(cherry picked from commit e7d37585ac)
(cherry picked from commit d0d4f25f3d)
(cherry picked from commit dfb282b503)
changes/79/787979/2
David Vallee Delisle 1 month ago
parent
commit
ac1584a44f
2 changed files with 19 additions and 0 deletions
  1. +10
    -0
      deployment/nova/nova-libvirt-container-puppet.yaml
  2. +9
    -0
      releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml

+ 10
- 0
deployment/nova/nova-libvirt-container-puppet.yaml View File

@ -244,6 +244,13 @@ parameters:
type: boolean
tags:
- role_specific
QemuDefaultTLSVerify:
description: >
Whether to enable or disable TLS client certificate verification. Enabling this
option will reject any client who does not have a certificate signed by the CA
in /etc/pki/qemu/ca-cert.pem
default: true
type: boolean
LibvirtLogFilters:
description: Defines a filter to select a different logging level
for a given category log outputs, as specified in
@ -456,6 +463,7 @@ outputs:
generate_service_certificates: true
tripleo::profile::base::nova::migration::client::libvirt_tls: true
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
nova::migration::libvirt::listen_address:
str_replace:
@ -769,6 +777,8 @@ outputs:
- get_param: LibvirtNbdCACert
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
- null
-
if:


+ 9
- 0
releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml View File

@ -0,0 +1,9 @@
---
features:
- |
`QemuDefaultTLSVerify` will allow operators to enable or disable TLS client
certificate verification. Enabling this option will reject any client
who does not have a certificate signed by the CA in
/etc/pki/qemu/ca-cert.pem.
The default is true and matches libvirt's. We will want to disable this
by default in train.

Loading…
Cancel
Save