Use bind mounts for tls certificates
Certificates get merged into the containers using the kolla_config mechanism. If a certificate changes, or if e.g. UseTLSTransportForNbd gets disabled and enabled again at a later point, the containers running the qemu process miss the required certificates and live migration fails. This change moves to bind mounts for the certificates and, in the case of UseTLSTransportForNbd, creates the required certificates even if UseTLSTransportForNbd is set to False. With this, UseTLSTransportForNbd can be enabled/disabled as the required bind mounts/certificates are already present. Related-Bug: #1900986 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1888951 Depends-On: I9538b7e579d4921b14f6ef5eec0300e7e50628d4 Change-Id: I7f583d18e558b95922a66eb539cc91de74409c96
This commit is contained in:
parent
55c16307ca
commit
e07e571ba2
|
@ -472,6 +472,48 @@ outputs:
|
||||||
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
||||||
params:
|
params:
|
||||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
|
||||||
|
# is not enabled this allows us to enable it even at a later time without
|
||||||
|
# restart of instances
|
||||||
|
tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
|
||||||
|
tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
|
||||||
|
tripleo::certmonger::ca::qemu::origin_ca_pem:
|
||||||
|
if:
|
||||||
|
- qemu_specific_ca_unset
|
||||||
|
- get_param: InternalTLSQemuCAFile
|
||||||
|
- get_param: QemuCACert
|
||||||
|
qemu_certificates_specs:
|
||||||
|
qemu-server-cert:
|
||||||
|
cacertfile:
|
||||||
|
if:
|
||||||
|
- qemu_specific_ca_unset
|
||||||
|
- get_param: InternalTLSQemuCAFile
|
||||||
|
- null
|
||||||
|
service_certificate: '/etc/pki/qemu/server-cert.pem'
|
||||||
|
service_key: '/etc/pki/qemu/server-key.pem'
|
||||||
|
hostname:
|
||||||
|
str_replace:
|
||||||
|
template: "%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
principal:
|
||||||
|
str_replace:
|
||||||
|
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
qemu-nbd-client-cert:
|
||||||
|
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
|
||||||
|
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
|
||||||
|
hostname:
|
||||||
|
str_replace:
|
||||||
|
template: "%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
principal:
|
||||||
|
str_replace:
|
||||||
|
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
-
|
-
|
||||||
nova::migration::libvirt::live_migration_inbound_addr:
|
nova::migration::libvirt::live_migration_inbound_addr:
|
||||||
str_replace:
|
str_replace:
|
||||||
|
@ -518,51 +560,6 @@ outputs:
|
||||||
-
|
-
|
||||||
nova::compute::libvirt::qemu::nbd_tls: true
|
nova::compute::libvirt::qemu::nbd_tls: true
|
||||||
nova::migration::libvirt::live_migration_with_native_tls: true
|
nova::migration::libvirt::live_migration_with_native_tls: true
|
||||||
tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
|
|
||||||
tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
|
|
||||||
generate_service_certificates: true
|
|
||||||
tripleo::certmonger::ca::qemu::origin_ca_pem:
|
|
||||||
if:
|
|
||||||
- qemu_specific_ca_unset
|
|
||||||
- get_param: InternalTLSQemuCAFile
|
|
||||||
- get_param: QemuCACert
|
|
||||||
qemu_certificates_specs:
|
|
||||||
qemu-server-cert:
|
|
||||||
cacertfile:
|
|
||||||
if:
|
|
||||||
- qemu_specific_ca_unset
|
|
||||||
- get_param: InternalTLSQemuCAFile
|
|
||||||
- null
|
|
||||||
service_certificate: '/etc/pki/qemu/server-cert.pem'
|
|
||||||
service_key: '/etc/pki/qemu/server-key.pem'
|
|
||||||
hostname:
|
|
||||||
str_replace:
|
|
||||||
template: "%{hiera('fqdn_NETWORK')}"
|
|
||||||
params:
|
|
||||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
||||||
principal:
|
|
||||||
str_replace:
|
|
||||||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
|
||||||
params:
|
|
||||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
||||||
qemu-nbd-client-cert:
|
|
||||||
cacertfile:
|
|
||||||
if:
|
|
||||||
- qemu_specific_ca_unset
|
|
||||||
- get_param: InternalTLSQemuCAFile
|
|
||||||
- null
|
|
||||||
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
|
|
||||||
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
|
|
||||||
hostname:
|
|
||||||
str_replace:
|
|
||||||
template: "%{hiera('fqdn_NETWORK')}"
|
|
||||||
params:
|
|
||||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
||||||
principal:
|
|
||||||
str_replace:
|
|
||||||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
|
||||||
params:
|
|
||||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
||||||
- {}
|
- {}
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_volume: nova_libvirt
|
config_volume: nova_libvirt
|
||||||
|
@ -592,22 +589,6 @@ outputs:
|
||||||
dest: "/etc/ceph/"
|
dest: "/etc/ceph/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
- if:
|
|
||||||
- use_tls_for_vnc
|
|
||||||
-
|
|
||||||
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
|
|
||||||
dest: /etc/pki/libvirt-vnc/
|
|
||||||
merge: true
|
|
||||||
preserve_properties: true
|
|
||||||
- null
|
|
||||||
- if:
|
|
||||||
- use_tls_for_nbd
|
|
||||||
-
|
|
||||||
- source: /var/lib/kolla/config_files/src-libvirt-nbd-pki/client-*.pem
|
|
||||||
dest: /etc/pki/libvirt-nbd/
|
|
||||||
merge: true
|
|
||||||
preserve_properties: true
|
|
||||||
- null
|
|
||||||
permissions:
|
permissions:
|
||||||
list_concat:
|
list_concat:
|
||||||
-
|
-
|
||||||
|
@ -619,26 +600,6 @@ outputs:
|
||||||
USER: {get_param: CephClientUserName}
|
USER: {get_param: CephClientUserName}
|
||||||
owner: nova:nova
|
owner: nova:nova
|
||||||
perm: '0600'
|
perm: '0600'
|
||||||
- if:
|
|
||||||
- use_tls_for_vnc
|
|
||||||
-
|
|
||||||
- path: /etc/pki/libvirt-vnc/server-key.pem
|
|
||||||
owner: root:qemu
|
|
||||||
perm: '0640'
|
|
||||||
- null
|
|
||||||
- if:
|
|
||||||
- use_tls_for_nbd
|
|
||||||
-
|
|
||||||
- path: /etc/pki/libvirt-nbd/client-key.pem
|
|
||||||
owner: root:qemu
|
|
||||||
perm: '0640'
|
|
||||||
- path: /etc/pki/qemu/server-key.pem
|
|
||||||
owner: root:qemu
|
|
||||||
perm: '0640'
|
|
||||||
- path: /etc/pki/qemu/ca-cert.pem
|
|
||||||
owner: root:root
|
|
||||||
perm: '0644'
|
|
||||||
- null
|
|
||||||
/var/lib/kolla/config_files/nova_virtlogd.json:
|
/var/lib/kolla/config_files/nova_virtlogd.json:
|
||||||
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
||||||
config_files:
|
config_files:
|
||||||
|
@ -740,29 +701,41 @@ outputs:
|
||||||
if:
|
if:
|
||||||
- use_tls_for_live_migration
|
- use_tls_for_live_migration
|
||||||
-
|
-
|
||||||
|
- /etc/pki/libvirt:/etc/pki/libvirt/:ro
|
||||||
|
- /etc/pki/libvirt-nbd:/etc/pki/libvirt-nbd:ro
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
|
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
|
||||||
params:
|
params:
|
||||||
CACERT:
|
CACERT:
|
||||||
if:
|
if:
|
||||||
- libvirt_specific_ca_unset
|
- libvirt_specific_ca_unset
|
||||||
- get_param: InternalTLSCAFile
|
- get_param: InternalTLSCAFile
|
||||||
- get_param: LibvirtCACert
|
- get_param: LibvirtCACert
|
||||||
- /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro
|
- str_replace:
|
||||||
|
template: "CACERT:/etc/pki/qemu/ca-cert.pem:ro"
|
||||||
|
params:
|
||||||
|
CACERT:
|
||||||
|
if:
|
||||||
|
- libvirt_nbd_specific_ca_unset
|
||||||
|
- get_param: InternalTLSNbdCAFile
|
||||||
|
- get_param: LibvirtNbdCACert
|
||||||
|
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
|
||||||
|
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
|
||||||
- null
|
- null
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- use_tls_for_vnc
|
- use_tls_for_vnc
|
||||||
-
|
-
|
||||||
|
- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
|
||||||
|
- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
||||||
params:
|
params:
|
||||||
CACERT:
|
CACERT:
|
||||||
if:
|
if:
|
||||||
- libvirt_vnc_specific_ca_unset
|
- libvirt_vnc_specific_ca_unset
|
||||||
- get_param: InternalTLSVncCAFile
|
- get_param: InternalTLSVncCAFile
|
||||||
- get_param: LibvirtVncCACert
|
- get_param: LibvirtVncCACert
|
||||||
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
|
|
||||||
- null
|
- null
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
|
@ -773,22 +746,6 @@ outputs:
|
||||||
params:
|
params:
|
||||||
MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}
|
MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}
|
||||||
- null
|
- null
|
||||||
-
|
|
||||||
if:
|
|
||||||
- use_tls_for_nbd
|
|
||||||
-
|
|
||||||
- str_replace:
|
|
||||||
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/ca-cert.pem:ro"
|
|
||||||
params:
|
|
||||||
CACERT:
|
|
||||||
if:
|
|
||||||
- libvirt_nbd_specific_ca_unset
|
|
||||||
- get_param: InternalTLSNbdCAFile
|
|
||||||
- get_param: LibvirtNbdCACert
|
|
||||||
- /etc/pki/qemu/server-cert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-cert.pem:ro
|
|
||||||
- /etc/pki/qemu/server-key.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-key.pem:ro
|
|
||||||
- /etc/pki/libvirt-nbd:/var/lib/kolla/config_files/src-libvirt-nbd-pki:ro
|
|
||||||
- null
|
|
||||||
environment:
|
environment:
|
||||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
step_4:
|
step_4:
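Review bot: The private-key permissions that the removed kolla_config `permissions` entries enforced inside the container (`/etc/pki/qemu/server-key.pem`, `/etc/pki/libvirt-nbd/client-key.pem` and the vnc key as `root:qemu` `0640`) are not re-established anywhere in the new bind-mount stanza, so readability of those keys by the qemu process now depends entirely on the host-side mode/ownership and on the container's `qemu` gid matching the host's; presumably the certmonger side (the Depends-On change) sets `root:qemu 0640`, but that is not visible here and is worth a comment next to the new `- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro` mount, e.g. `# key files are bind-mounted as-is: host must keep them root:qemu 0640`. Note also that `/etc/pki/libvirt-nbd` is now mounted under `use_tls_for_live_migration` rather than the old `use_tls_for_nbd` condition, which is consistent with the certs being generated unconditionally but should be stated in the comment so a later reader does not "fix" it. The new hiera comment reads `# create the qemu and qemu_ndb dirs and certs also when when tls for nbd` — fix the doubled `when` and `qemu_ndb` → `qemu_nbd`. The enclosing `outputs` mapping and its surrounding `if:` blocks start and end outside these hunks.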
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Certificates get merged into the containers using kolla_config
|
||||||
|
mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
|
||||||
|
gets disabled and enabled at a later point the containers running
|
||||||
|
the qemu process miss the required certificates and live migration
|
||||||
|
fails.
|
||||||
|
This change moves to use bind mount for the certificates and in
|
||||||
|
case of UseTLSTransportForNbd ans creates the required certificates even
|
||||||
|
if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd
|
||||||
|
can be enabled/disabled as the required bind mounts/certificates
|
||||||
|
are already present.
|