Use bind mounts for tls certificates

Certificates get merged into the containers using kolla_config
mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
gets disabled and enabled at a later point the containers running
the qemu process miss the required certificates and live migration
fails.
This change moves to using bind mounts for the certificates and, in
the case of UseTLSTransportForNbd, creates the required certificates even
if UseTLSTransportForNbd is set to False. With this, UseTLSTransportForNbd
can be enabled/disabled as the required bind mounts/certificates
are already present.

Related-Bug: #1900986
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1888951

Depends-On: I9538b7e579d4921b14f6ef5eec0300e7e50628d4

Change-Id: I7f583d18e558b95922a66eb539cc91de74409c96
Martin Schuppert 2020-10-30 10:43:58 +01:00
parent 55c16307ca
commit e07e571ba2
2 changed files with 71 additions and 101 deletions


@ -472,6 +472,48 @@ outputs:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
# is not enabled this allows us to enable it even at a later time without
# restart of instances
tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
tripleo::certmonger::ca::qemu::origin_ca_pem:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- get_param: QemuCACert
qemu_certificates_specs:
qemu-server-cert:
cacertfile:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- null
service_certificate: '/etc/pki/qemu/server-cert.pem'
service_key: '/etc/pki/qemu/server-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
qemu-nbd-client-cert:
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
-
nova::migration::libvirt::live_migration_inbound_addr:
str_replace:
@ -518,51 +560,6 @@ outputs:
-
nova::compute::libvirt::qemu::nbd_tls: true
nova::migration::libvirt::live_migration_with_native_tls: true
tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
generate_service_certificates: true
tripleo::certmonger::ca::qemu::origin_ca_pem:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- get_param: QemuCACert
qemu_certificates_specs:
qemu-server-cert:
cacertfile:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- null
service_certificate: '/etc/pki/qemu/server-cert.pem'
service_key: '/etc/pki/qemu/server-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
qemu-nbd-client-cert:
cacertfile:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- null
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
puppet_config:
config_volume: nova_libvirt
@ -592,22 +589,6 @@ outputs:
dest: "/etc/ceph/"
merge: true
preserve_properties: true
- if:
- use_tls_for_vnc
-
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
dest: /etc/pki/libvirt-vnc/
merge: true
preserve_properties: true
- null
- if:
- use_tls_for_nbd
-
- source: /var/lib/kolla/config_files/src-libvirt-nbd-pki/client-*.pem
dest: /etc/pki/libvirt-nbd/
merge: true
preserve_properties: true
- null
permissions:
list_concat:
-
@ -619,26 +600,6 @@ outputs:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
- if:
- use_tls_for_vnc
-
- path: /etc/pki/libvirt-vnc/server-key.pem
owner: root:qemu
perm: '0640'
- null
- if:
- use_tls_for_nbd
-
- path: /etc/pki/libvirt-nbd/client-key.pem
owner: root:qemu
perm: '0640'
- path: /etc/pki/qemu/server-key.pem
owner: root:qemu
perm: '0640'
- path: /etc/pki/qemu/ca-cert.pem
owner: root:root
perm: '0644'
- null
/var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files:
@ -740,29 +701,41 @@ outputs:
if:
- use_tls_for_live_migration
-
- /etc/pki/libvirt:/etc/pki/libvirt/:ro
- /etc/pki/libvirt-nbd:/etc/pki/libvirt-nbd:ro
- str_replace:
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
params:
CACERT:
if:
- libvirt_specific_ca_unset
- get_param: InternalTLSCAFile
- get_param: LibvirtCACert
- /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro
- str_replace:
template: "CACERT:/etc/pki/qemu/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_nbd_specific_ca_unset
- get_param: InternalTLSNbdCAFile
- get_param: LibvirtNbdCACert
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
- null
-
if:
- use_tls_for_vnc
-
- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
- str_replace:
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
- null
-
if:
@ -773,22 +746,6 @@ outputs:
params:
MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}
- null
-
if:
- use_tls_for_nbd
-
- str_replace:
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_nbd_specific_ca_unset
- get_param: InternalTLSNbdCAFile
- get_param: LibvirtNbdCACert
- /etc/pki/qemu/server-cert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-key.pem:ro
- /etc/pki/libvirt-nbd:/var/lib/kolla/config_files/src-libvirt-nbd-pki:ro
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
step_4:
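Review bot: The `permissions` entries for `/etc/pki/qemu/server-key.pem`, `/etc/pki/qemu/ca-cert.pem` and `/etc/pki/libvirt-nbd/client-key.pem` (the `root:qemu` / `'0640'` block in the `@ -619,26 +600,6` hunk) are removed without a replacement, so with the new bind mounts in the `@ -740,29 +701,41` hunk the qemu process reads the private keys with whatever ownership and mode they carry on the host; the diff does not show where that is enforced, presumably the certmonger side of the Depends-On change. A comment next to the new `- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro` mount should state that host-side key permissions (group-readable by qemu, not world-readable) are now the only control, since `:ro` limits writes but not reads. In the same hunk the NBD CA and `/etc/pki/libvirt-nbd` mounts moved from the `use_tls_for_nbd` condition to `use_tls_for_live_migration`; if the two conditions can differ, a deployment with NBD TLS enabled but live-migration TLS disabled would have no NBD certificates in the container, so confirm the condition definitions (outside this diff) rule that out. Minor: the new comment in the first hunk reads `# create the qemu and qemu_ndb dirs and certs also when when tls for nbd`; suggest `# create the qemu and qemu_nbd dirs and certs also when tls for nbd`.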


@ -0,0 +1,13 @@
---
fixes:
- |
Certificates get merged into the containers using kolla_config
mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
gets disabled and enabled at a later point the containers running
the qemu process miss the required certificates and live migration
fails.
This change moves to use bind mount for the certificates and in
case of UseTLSTransportForNbd ans creates the required certificates even
if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd
can be enabled/disabled as the required bind mounts/certificates
are already present.