Merge "Add support for native TLS encryption on NBD for disk migration"

2019-02-01 10:05:52 +00:00 · 2019-02-01 10:05:52 +00:00 · b8a5dbe071
parent 15543abd17 fe9372eceb
commit b8a5dbe071
4 changed files with 179 additions and 0 deletions
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@ -85,11 +85,21 @@ parameters:
    description: If set to true and if EnableInternalTLS is enabled, it will
                 enable TLS transaport for libvirt VNC and configure the
                 relevant keys for libvirt.
+  UseTLSTransportForNbd:
+    type: boolean
+    default: true
+    description: If set to true and if EnableInternalTLS is enabled, it will
+                 enable TLS transaport for libvirt NBD and configure the
+                 relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
+  InternalTLSNbdCAFile:
+    default: '/etc/pki/qemu/ca-cert.pem'
+    type: string
+    description: Specifies the CA cert to use for NBD TLS.
  InternalTLSVncCAFile:
    default: '/etc/pki/CA/certs/vnc.crt'
    type: string
@ -116,6 +126,16 @@ parameters:
                 the InternalTLSVncCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
+  LibvirtNbdCACert:
+    type: string
+    default: ''
+    description: This specifies the CA certificate to use for NBD TLS.
+                 This file will be symlinked to the default CA path,
+                 which is /etc/pki/libvirt-nbd/ca-cert.pem.
+                 This parameter should be used if the default (which comes from
+                 the InternalTLSNbdCAFile parameter) is not desired. The current
+                 default reflects TripleO's default CA, which is FreeIPA.
+                 It will only be used if internal TLS is enabled.
  VhostuserSocketGroup:
    default: "qemu"
    description: >
@ -186,6 +206,20 @@ conditions:
      - {get_param: QemuMemoryBackingDir}
      - ''

+  use_tls_for_nbd:
+    and:
+    - equals:
+      - {get_param: EnableInternalTLS}
+      - true
+    - equals:
+      - {get_param: UseTLSTransportForNbd}
+      - true
+
+  libvirt_nbd_specific_ca_unset:
+    equals:
+      - {get_param: LibvirtNbdCACert}
+      - ''
+
  docker_enabled:
    equals:
      - {get_param: ContainerCli}
@ -277,6 +311,14 @@ outputs:
                    merge: true
                    preserve_properties: true
                - null
+              - if:
+                - use_tls_for_nbd
+                -
+                  - source: /var/lib/kolla/config_files/src-libvirt-nbd-pki/client-*.pem
+                    dest: /etc/pki/libvirt-nbd/
+                    merge: true
+                    preserve_properties: true
+                - null
          permissions:
            list_concat:
              -
@ -295,6 +337,19 @@ outputs:
                    owner: root:qemu
                    perm: '0640'
                - null
+              - if:
+                - use_tls_for_nbd
+                -
+                  - path: /etc/pki/libvirt-nbd/client-key.pem
+                    owner: root:qemu
+                    perm: '0640'
+                  - path: /etc/pki/qemu/server-key.pem
+                    owner: root:qemu
+                    perm: '0640'
+                  - path: /etc/pki/qemu/ca-cert.pem
+                    owner: root:root
+                    perm: '0644'
+                - null
        /var/lib/kolla/config_files/nova_virtlogd.json:
          command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
          config_files:
@ -403,6 +458,22 @@ outputs:
                          params:
                            MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}
                    - null
+                -
+                  if:
+                    - use_tls_for_nbd
+                    -
+                      - str_replace:
+                          template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/ca-cert.pem:ro"
+                          params:
+                            CACERT:
+                              if:
+                                - libvirt_nbd_specific_ca_unset
+                                - get_param: InternalTLSNbdCAFile
+                                - get_param: LibvirtNbdCACert
+                      - /etc/pki/qemu/server-cert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-cert.pem:ro
+                      - /etc/pki/qemu/server-key.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-key.pem:ro
+                      - /etc/pki/libvirt-nbd:/var/lib/kolla/config_files/src-libvirt-nbd-pki:ro
+                    - null
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
        step_4:
--- a/puppet/services/certmonger-user.yaml
+++ b/puppet/services/certmonger-user.yaml
@ -48,6 +48,9 @@ parameters:
  CertmongerVncCA:
    type: string
    default: 'IPA'
+  CertmongerQemuCA:
+    type: string
+    default: 'IPA'

 conditions:

@ -64,6 +67,7 @@ outputs:
          - tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
            certmonger_ca: {get_param: CertmongerCA}
            certmonger_ca_vnc: {get_param: CertmongerVncCA}
+            certmonger_ca_qemu: {get_param: CertmongerQemuCA}
          - {}
      step_config: |
        include ::tripleo::profile::base::certmonger_user
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@ -82,6 +82,12 @@ parameters:
    description: If set to true and if EnableInternalTLS is enabled, it will
                 enable TLS transaport for libvirt VNC and configure the
                 relevant keys for libvirt.
+  UseTLSTransportForNbd:
+    type: boolean
+    default: true
+    description: If set to true and if EnableInternalTLS is enabled, it will
+                 enable TLS transaport for libvirt NBD and configure the
+                 relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
@ -91,6 +97,10 @@ parameters:
    default: '/etc/pki/CA/certs/vnc.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
+  InternalTLSQemuCAFile:
+    default: '/etc/pki/CA/certs/qemu.pem'
+    type: string
+    description: Specifies the CA cert to use for qemu.
  LibvirtCACert:
    type: string
    default: ''
@ -113,6 +123,16 @@ parameters:
                 the InternalTLSVncCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
+  QemuCACert:
+    type: string
+    default: ''
+    description: This specifies the CA certificate to use for qemu.
+                 This file will be symlinked to the default CA path,
+                 which is /etc/pki/qemu/ca-cert.pem.
+                 This parameter should be used if the default (which comes from
+                 the InternalTLSQemuCAFile parameter) is not desired. The current
+                 default reflects TripleO's default CA, which is FreeIPA.
+                 It will only be used if internal TLS is enabled.
  MigrationSshKey:
    type: json
    description: >
@ -169,6 +189,19 @@ conditions:
      - {get_param: LibvirtVncCACert}
      - ''

+  use_tls_for_nbd:
+    and:
+    - equals:
+      - {get_param: EnableInternalTLS}
+      - true
+    - equals:
+      - {get_param: UseTLSTransportForNbd}
+      - true
+
+  qemu_specific_ca_unset:
+    equals:
+      - {get_param: QemuCACert}
+      - ''

 resources:
  NovaBase:
@ -342,6 +375,58 @@ outputs:
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              - {}
+          -
+            if:
+              - use_tls_for_nbd
+              -
+                nova::compute::libvirt::qemu::nbd_tls: true
+                nova::migration::libvirt::live_migration_with_native_tls: true
+                tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
+                tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
+                generate_service_certificates: true
+                tripleo::certmonger::ca::qemu::origin_ca_pem:
+                  if:
+                    - qemu_specific_ca_unset
+                    - get_param: InternalTLSQemuCAFile
+                    - get_param: QemuCACert
+                qemu_certificates_specs:
+                  qemu-server-cert:
+                    cacertfile:
+                      if:
+                        - qemu_specific_ca_unset
+                        - get_param: InternalTLSQemuCAFile
+                        - null
+                    service_certificate: '/etc/pki/qemu/server-cert.pem'
+                    service_key: '/etc/pki/qemu/server-key.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "qemu/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                  qemu-nbd-client-cert:
+                    cacertfile:
+                      if:
+                        - qemu_specific_ca_unset
+                        - get_param: InternalTLSQemuCAFile
+                        - null
+                    service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
+                    service_key: '/etc/pki/libvirt-nbd/client-key.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "qemu/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      metadata_settings:
@ -360,3 +445,10 @@ outputs:
                network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                type: node
            - null
+          - if:
+            - use_tls_for_nbd
+            -
+              - service: qemu
+                network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                type: node
+            - null
--- a/releasenotes/notes/nova_qemu_native_tls_encryption_on_nbd_for_disk_migration-2e16003c4764a399.yaml
+++ b/releasenotes/notes/nova_qemu_native_tls_encryption_on_nbd_for_disk_migration-2e16003c4764a399.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Add support for native TLS encryption on NBD for disk migration
+
+    The NBD protocol previously runs in clear text, offering no security
+    protection for the data transferred, unless it is tunnelled over some
+    external transport like SSH. Such tunnelling is inefficient and
+    inconvenient to manage. Support for TLS to the NBD clients & servers
+    provided by QEMU was added. In tls-everywhere use case we want to
+    take advantage of this feature to create the certificates and configure
+    qemu to use nbd tls.