From 373838ffbb4a410d8e846f97ff57ddb96c50a83c Mon Sep 17 00:00:00 2001 From: David Vallee Delisle Date: Tue, 27 Apr 2021 06:53:18 -0400 Subject: [PATCH] [train-only] QemuDefaultTLSVerify should be false TLS client verification used to be accidentally disabled in libvirt. This was fixed in libvirt-6.10.0-1[1]. Which means, once you're using libvirt-6.10.0-1 or higher, a client certificate is mandatory during live migration with TLS. Change-Id: I30e39e45ddbf385da955a400cd998f2b467a7d5d --- deployment/nova/nova-libvirt-container-puppet.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 837ef8e969..d5e7d2be68 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -249,7 +249,7 @@ parameters: Whether to enable or disable TLS client certificate verification. Enabling this option will reject any client who does not have a certificate signed by the CA in /etc/pki/qemu/ca-cert.pem - default: true + default: false type: boolean LibvirtLogFilters: description: Defines a filter to select a different logging level
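Review bot: The `default: false` line in the @@ -249,7 +249,7 @@ hunk turns TLS client certificate verification off for every deployment that does not set the parameter explicitly, yet the description directly above it still only explains what enabling the option does. Add a sentence to the description saying that verification is now off by default and that, when it is off, a client without a certificate signed by the CA in /etc/pki/qemu/ca-cert.pem is no longer rejected on that basis, so operators who already deploy client certificates know to set it to true. The commit message cites "[1]" for the libvirt-6.10.0-1 fix but never gives the reference; please include it. Because the stated reason is that a client certificate becomes mandatory during live migration with TLS, it is worth noting in the message or a release note whether provisioning that client certificate and keeping `default: true` was considered, and why the weaker default was chosen for this branch.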