31 lines
1.7 KiB
YAML
31 lines
1.7 KiB
YAML
---
|
||
fixes:
|
||
- |
|
||
On the compute nodes, right now ssl certificates got created for
|
||
libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required
|
||
because the all services use the same NovaLibvirtNetwork network and
|
||
therefore multiple certificates for the same hostname get created.
|
||
Also from qemu point of view, if default_tls_x509_cert_dir and
|
||
default_tls_x509_verify parameters get set for all certificates, there
|
||
is no need to specify any of the other `*_tls*` config options. From
|
||
`Secure live migration with QEMU-native TLS <https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html>`_
|
||
|
||
The intention (of libvirt) is that you can just use the
|
||
default_tls_x509_* config attributes so that you don’t need to set any
|
||
other `*_tls*` parameters, unless you need different certificates for
|
||
some services. The rationale for that is that some services (e.g.
|
||
migration / NBD) are only exposed to internal infrastructure; while
|
||
some sevices (VNC, Spice) might be exposed publically, so might need
|
||
different certificates. For OpenStack this does not matter, though,
|
||
we will stick with the defaults.
|
||
|
||
Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile
|
||
and InternalTLSQemuCAFile get removed (which defaulted to
|
||
/etc/ipa/ca.crt anyways) and just use InternalTLSCAFile.
|
||
|
||
Also all cerfificates get created when EnableInternalTLS is true to
|
||
and mount all SSL certificates from the host. This is to prevent
|
||
certificate information is not available in a qemu's process container
|
||
environment if features get switched later, which has shown to be
|
||
problematic.
|