Merge "Use bind mounts for tls certificates" into stable/queens
commit
e28ba19093
|
@ -266,14 +266,6 @@ outputs:
|
||||||
dest: "/etc/ceph/"
|
dest: "/etc/ceph/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
- if:
|
|
||||||
- use_tls_for_vnc
|
|
||||||
-
|
|
||||||
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
|
|
||||||
dest: /etc/pki/libvirt-vnc/
|
|
||||||
merge: true
|
|
||||||
preserve_properties: true
|
|
||||||
- null
|
|
||||||
permissions:
|
permissions:
|
||||||
list_concat:
|
list_concat:
|
||||||
-
|
-
|
||||||
|
@ -285,13 +277,6 @@ outputs:
|
||||||
USER: {get_param: CephClientUserName}
|
USER: {get_param: CephClientUserName}
|
||||||
owner: nova:nova
|
owner: nova:nova
|
||||||
perm: '0600'
|
perm: '0600'
|
||||||
- if:
|
|
||||||
- use_tls_for_vnc
|
|
||||||
-
|
|
||||||
- path: /etc/pki/libvirt-vnc/server-key.pem
|
|
||||||
owner: root:qemu
|
|
||||||
perm: '0640'
|
|
||||||
- null
|
|
||||||
/var/lib/kolla/config_files/nova_virtlogd.json:
|
/var/lib/kolla/config_files/nova_virtlogd.json:
|
||||||
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
||||||
config_files:
|
config_files:
|
||||||
|
@ -358,29 +343,30 @@ outputs:
|
||||||
if:
|
if:
|
||||||
- use_tls_for_live_migration
|
- use_tls_for_live_migration
|
||||||
-
|
-
|
||||||
|
- /etc/pki/libvirt:/etc/pki/libvirt/:ro
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
|
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
|
||||||
params:
|
params:
|
||||||
CACERT:
|
CACERT:
|
||||||
if:
|
if:
|
||||||
- libvirt_specific_ca_unset
|
- libvirt_specific_ca_unset
|
||||||
- get_param: InternalTLSCAFile
|
- get_param: InternalTLSCAFile
|
||||||
- get_param: LibvirtCACert
|
- get_param: LibvirtCACert
|
||||||
- /etc/pki/libvirt/:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/:ro
|
|
||||||
- null
|
- null
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- use_tls_for_vnc
|
- use_tls_for_vnc
|
||||||
-
|
-
|
||||||
|
- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
|
||||||
|
- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
||||||
params:
|
params:
|
||||||
CACERT:
|
CACERT:
|
||||||
if:
|
if:
|
||||||
- libvirt_vnc_specific_ca_unset
|
- libvirt_vnc_specific_ca_unset
|
||||||
- get_param: InternalTLSVncCAFile
|
- get_param: InternalTLSVncCAFile
|
||||||
- get_param: LibvirtVncCACert
|
- get_param: LibvirtVncCACert
|
||||||
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
|
|
||||||
- null
|
- null
|
||||||
environment:
|
environment:
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
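Review bot: The second hunk drops the `permissions` entry for `/etc/pki/libvirt-vnc/server-key.pem` (`owner: root:qemu`, `perm: '0640'`) and the third hunk bind-mounts that key `:ro`, so the key's owner and mode inside the container are now whatever the host file carries, and nothing visible in this change sets them. The host-side step that writes the key presumably has to produce root:qemu 0640 with a gid matching the container's qemu group; otherwise qemu either cannot read the key or the key is readable more widely than before. I would add a comment above the two file mounts, for example `# host key must already be root:qemu 0640; the kolla permissions step no longer fixes it`, and confirm that the host provisioning does this. Separately, `server-cert.pem` and `server-key.pem` are mounted as single files while `/etc/pki/libvirt` is mounted as a directory; if renewal replaces the files by rename, the container may keep the old inode until it is restarted, so mounting the directory would be more consistent with the stated goal.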
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Partial backport from train to use bind mounts for certificates.
|
||||||
|
The UseTLSTransportForNbd is not available in queens.
|
||||||
|
|
||||||
|
Certificates get merged into the containers using kolla_config
|
||||||
|
mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
|
||||||
|
gets disabled and enabled at a later point the containers running
|
||||||
|
the qemu process miss the required certificates and live migration
|
||||||
|
fails.
|
||||||
|
This change moves to use bind mount for the certificates and in
|
||||||
|
case of UseTLSTransportForNbd ans creates the required certificates even
|
||||||
|
if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd
|
||||||
|
can be enabled/disabled as the required bind mounts/certificates
|
||||||
|
are already present.
|