From ac1584a44f951b24f6379c235ffb07e3b0dbee2e Mon Sep 17 00:00:00 2001 From: David Vallee Delisle Date: Thu, 8 Apr 2021 11:54:34 -0400 Subject: [PATCH] Missing client certificate for live-migration with TLS TLS client verification used to be accidentally disabled in libvirt. This was fixed in libvirt-6.10.0-1[1]. Which means, once you're using libvirt-6.10.0-1 or higher, a client certificate is mandatory during live migration with TLS. In this case, the server certificate generated by TripleO is valid for client _and_ server: Key Purpose (not critical): TLS WWW Server. TLS WWW Client. So most deployments can re-use the same certificate for client and server. Why? Because if both migration ends points are located on the same infrastructure, it is reasonable to use the same certificate for both client and server roles. Introducing QemuDefaultTLSVerify parameter This parameter will allow operators to enable or disable TLS client certificate verification. Enabling this option will reject any client who does not have a certificate signed by the CA in /etc/pki/qemu/ca-cert.pem. The default is true and matches libvirt's. We will want to disable this by default in train. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1879477#c3 Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/787249 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1945760 Change-Id: I3b252854a0dbf121d69bab79543561da6be781f4 (cherry picked from commit e7d37585ac38cfef5f1d1f2c54b357c38757536a) (cherry picked from commit d0d4f25f3df418fab2ea8a3cc79b731cf398dfc0) (cherry picked from commit dfb282b50306a6a68c52da530818fce425da7b41) --- deployment/nova/nova-libvirt-container-puppet.yaml | 10 ++++++++++ .../introducing-qemutlsverify-af590e0243fe6b08.yaml | 9 +++++++++ 2 files changed, 19 insertions(+) create mode 100644 releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml 
diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index ab7b653a8c..837ef8e969 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -244,6 +244,13 @@ parameters:
 type: boolean
 tags:
 - role_specific
+ QemuDefaultTLSVerify:
+ description: >
+ Whether to enable or disable TLS client certificate verification. Enabling this
+ option will reject any client who does not have a certificate signed by the CA
+ in /etc/pki/qemu/ca-cert.pem
+ default: true
+ type: boolean
 LibvirtLogFilters:
 description: Defines a filter to select a different logging level for a given category log outputs, as specified in
@@ -456,6 +463,7 @@ outputs:
 generate_service_certificates: true
 tripleo::profile::base::nova::migration::client::libvirt_tls: true
 tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
+ nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
 nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
 nova::migration::libvirt::listen_address:
 str_replace:
@@ -769,6 +777,8 @@ outputs:
 - get_param: LibvirtNbdCACert
 - /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
 - /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
+ - /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
+ - /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
 - null
 - if:
diff --git a/releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml b/releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml
new file mode 100644
index 0000000000..db13663a0d
--- /dev/null
+++ b/releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml
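Review bot: The `QemuDefaultTLSVerify` description added in the first hunk (`@@ -244`) says what enabling does but not what an operator gives up by setting it to `false`: the migration listener then accepts any TLS client that can reach it without presenting a certificate, leaving the network path as the only access control. The commit message also states that client verification was not enforced in libvirt before 6.10.0-1, so the `true` default presumably only takes effect on newer libvirt; the parameter text should say so rather than let operators read `true` as a guarantee. I would append to the description: `Setting this to false disables client certificate verification on the migration listener; only do so where the migration network is otherwise restricted. Before libvirt-6.10.0-1 verification was not enforced regardless of this setting.` The description is also missing a terminating period after `ca-cert.pem`.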
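Review bot: The two new bind mounts in the third hunk (`@@ -769`) present the server key pair as the client identity (`server-cert.pem` mounted as `client-cert.pem`, `server-key.pem` as `client-key.pem`), which works only because, as the commit message notes, the TripleO-issued certificate carries both the TLS WWW Server and TLS WWW Client key purposes; a deployment whose CA issues server-only certificates would have its outbound migrations rejected once the peer verifies clients, and an operator who provisions a dedicated client key pair on the host would find it silently shadowed by these mounts. Nothing in the template records that assumption, so I would add a comment above the new lines: `# Outbound migration presents the server key pair as the client identity; the certificate must carry the TLS WWW Client key purpose (TripleO-issued certificates do).` Longer term, a parameter for the client certificate and key source paths would let a separate client identity be supplied without editing the template. The enclosing `if:` block starts outside the hunk, so I cannot confirm from here which condition gates these mounts.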
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ `QemuDefaultTLSVerify` will allow operators to enable or disable TLS client
+ certificate verification. Enabling this option will reject any client
+ who does not have a certificate signed by the CA in
+ /etc/pki/qemu/ca-cert.pem.
+ The default is true and matches libvirt's. We will want to disable this
+ by default in train.