Browse Source

Merge "Use bind mounts for tls certificates" into stable/queens

changes/54/761454/2
Zuul 3 months ago
committed by Gerrit Code Review
parent
commit
e28ba19093
2 changed files with 21 additions and 19 deletions
  1. +5
    -19
      docker/services/nova-libvirt.yaml
  2. +16
    -0
      releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml

+ 5
- 19
docker/services/nova-libvirt.yaml View File

@ -266,14 +266,6 @@ outputs:
dest: "/etc/ceph/"
merge: true
preserve_properties: true
- if:
- use_tls_for_vnc
-
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
dest: /etc/pki/libvirt-vnc/
merge: true
preserve_properties: true
- null
permissions:
list_concat:
-
@ -285,13 +277,6 @@ outputs:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
- if:
- use_tls_for_vnc
-
- path: /etc/pki/libvirt-vnc/server-key.pem
owner: root:qemu
perm: '0640'
- null
/var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files:
@ -358,29 +343,30 @@ outputs:
if:
- use_tls_for_live_migration
-
- /etc/pki/libvirt:/etc/pki/libvirt/:ro
- str_replace:
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
params:
CACERT:
if:
- libvirt_specific_ca_unset
- get_param: InternalTLSCAFile
- get_param: LibvirtCACert
- /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro
- null
-
if:
- use_tls_for_vnc
-
- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
- str_replace:
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS


+ 16
- 0
releasenotes/notes/libvirtd_use_bind_mounts_for_certs-64cb88f78538a64b.yaml View File

@ -0,0 +1,16 @@
---
fixes:
- |
Partial backport from train to use bind mounts for certificates.
The UseTLSTransportForNbd is not available in queens.
Certificates get merged into the containers using kolla_config
mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
gets disabled and enabled at a later point the containers running
the qemu process miss the required certificates and live migration
fails.
This change moves to use bind mount for the certificates and in
case of UseTLSTransportForNbd ans creates the required certificates even
if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd
can be enabled/disabled as the required bind mounts/certificates
are already present.

Loading…
Cancel
Save