59a235340c
On the compute nodes, right now ssl certificates got created for libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required because the all services use the same NovaLibvirtNetwork network and therefore multiple certificates for the same hostname get created. Also from qemu point of view, if default_tls_x509_cert_dir and default_tls_x509_verify parameters get set for all certificates, there is no need to specify any of the other *_tls* config options. From [1] The intention (of libvirt) is that you can just use the default_tls_x509_* config attributes so that you don’t need to set any other *_tls* parameters, unless_ you need different certificates for some services. The rationale for that is that some services (e.g. migration / NBD) are only exposed to internal infrastructure; while some sevices (VNC, Spice) might be exposed publically, so might need different certificates. For OpenStack this does not matter, though, we will stick with the defaults. Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile get removed (which defaulted to /etc/ipa/ca.crt anyways) and just use InternalTLSCAFile. Also all cerfificates get created when EnableInternalTLS is true to and mount all SSL certificates from the host. This is to prevent certificate information is not available in a qemu's process container environment if features get switched later, which has shown to be problematic. [1] https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html Also squashesc904c7555cinto this backport: Explicit set qemu certificate group ownership While the certificates get requested with the appropriate group root:qemu [1] and copied to /etc/pki/qemu/ with -a it has seen that the group ownership is not correct on the target certificate files. Lets set explicit group ownership via the run_after script. Closes-Bug: #1933330 [1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/nova/nova-libvirt-container-puppet.yaml#L777-L779 Change-Id: Ie2c78fc3a07be1cd22cb6cac240047b5d2b9cd0a (cherry picked from commitd20f295f3a)
31 lines
1.7 KiB
YAML
31 lines
1.7 KiB
YAML
---
|
||
fixes:
|
||
- |
|
||
On the compute nodes, right now ssl certificates got created for
|
||
libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required
|
||
because the all services use the same NovaLibvirtNetwork network and
|
||
therefore multiple certificates for the same hostname get created.
|
||
Also from qemu point of view, if default_tls_x509_cert_dir and
|
||
default_tls_x509_verify parameters get set for all certificates, there
|
||
is no need to specify any of the other `*_tls*` config options. From
|
||
`Secure live migration with QEMU-native TLS <https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html>`_
|
||
|
||
The intention (of libvirt) is that you can just use the
|
||
default_tls_x509_* config attributes so that you don’t need to set any
|
||
other `*_tls*` parameters, unless you need different certificates for
|
||
some services. The rationale for that is that some services (e.g.
|
||
migration / NBD) are only exposed to internal infrastructure; while
|
||
some sevices (VNC, Spice) might be exposed publically, so might need
|
||
different certificates. For OpenStack this does not matter, though,
|
||
we will stick with the defaults.
|
||
|
||
Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile
|
||
and InternalTLSQemuCAFile get removed (which defaulted to
|
||
/etc/ipa/ca.crt anyways) and just use InternalTLSCAFile.
|
||
|
||
Also all cerfificates get created when EnableInternalTLS is true to
|
||
and mount all SSL certificates from the host. This is to prevent
|
||
certificate information is not available in a qemu's process container
|
||
environment if features get switched later, which has shown to be
|
||
problematic.
|