Merge "Use bind mounts for tls certificates" into stable/queens
commit
e28ba19093
|
@ -266,14 +266,6 @@ outputs:
|
|||
dest: "/etc/ceph/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- if:
|
||||
- use_tls_for_vnc
|
||||
-
|
||||
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
|
||||
dest: /etc/pki/libvirt-vnc/
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- null
|
||||
permissions:
|
||||
list_concat:
|
||||
-
|
||||
|
@ -285,13 +277,6 @@ outputs:
|
|||
USER: {get_param: CephClientUserName}
|
||||
owner: nova:nova
|
||||
perm: '0600'
|
||||
- if:
|
||||
- use_tls_for_vnc
|
||||
-
|
||||
- path: /etc/pki/libvirt-vnc/server-key.pem
|
||||
owner: root:qemu
|
||||
perm: '0640'
|
||||
- null
|
||||
/var/lib/kolla/config_files/nova_virtlogd.json:
|
||||
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
||||
config_files:
|
||||
|
@ -358,29 +343,30 @@ outputs:
|
|||
if:
|
||||
- use_tls_for_live_migration
|
||||
-
|
||||
- /etc/pki/libvirt:/etc/pki/libvirt/:ro
|
||||
- str_replace:
|
||||
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
|
||||
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
|
||||
params:
|
||||
CACERT:
|
||||
if:
|
||||
- libvirt_specific_ca_unset
|
||||
- get_param: InternalTLSCAFile
|
||||
- get_param: LibvirtCACert
|
||||
- /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- use_tls_for_vnc
|
||||
-
|
||||
- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
|
||||
- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
|
||||
- str_replace:
|
||||
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
||||
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
||||
params:
|
||||
CACERT:
|
||||
if:
|
||||
- libvirt_vnc_specific_ca_unset
|
||||
- get_param: InternalTLSVncCAFile
|
||||
- get_param: LibvirtVncCACert
|
||||
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
|
||||
- null
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
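Review bot: With the `permissions` entry for `/etc/pki/libvirt-vnc/server-key.pem` removed (hunk at -285, `owner: root:qemu`, `perm: '0640'`) and the key now bind-mounted `:ro`, the key's owner and mode inside the container are whatever the host file carries, and nothing in the visible hunks sets or checks them on the host. Since ownership crosses a bind mount as numeric ids, a comment above the two VNC file mounts would help, for example `# host server-key.pem must be 0640 and group-owned by the gid qemu has inside the container; never world-readable`. Separately, the VNC cert and key are mounted as single files while the live-migration branch mounts the `/etc/pki/libvirt` directory; a renewal that replaces the file on the host rather than rewriting it in place would presumably stay invisible to the running container until it is restarted, so it is worth confirming how these certificates are renewed.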
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Partial backport from train to use bind mounts for certificates.
|
||||
The UseTLSTransportForNbd is not available in queens.
|
||||
|
||||
Certificates get merged into the containers using kolla_config
|
||||
mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
|
||||
gets disabled and enabled at a later point the containers running
|
||||
the qemu process miss the required certificates and live migration
|
||||
fails.
|
||||
This change moves to use bind mount for the certificates and in
|
||||
case of UseTLSTransportForNbd ans creates the required certificates even
|
||||
if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd
|
||||
can be enabled/disabled as the required bind mounts/certificates
|
||||
are already present.
|