d20f295f3a
On the compute nodes, right now ssl certificates got created for libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required because the all services use the same NovaLibvirtNetwork network and therefore multiple certificates for the same hostname get created. Also from qemu point of view, if default_tls_x509_cert_dir and default_tls_x509_verify parameters get set for all certificates, there is no need to specify any of the other *_tls* config options. From [1] The intention (of libvirt) is that you can just use the default_tls_x509_* config attributes so that you don’t need to set any other *_tls* parameters, unless_ you need different certificates for some services. The rationale for that is that some services (e.g. migration / NBD) are only exposed to internal infrastructure; while some sevices (VNC, Spice) might be exposed publically, so might need different certificates. For OpenStack this does not matter, though, we will stick with the defaults. Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile get removed (which defaulted to /etc/ipa/ca.crt anyways) and just use InternalTLSCAFile. Also all cerfificates get created when EnableInternalTLS is true to and mount all SSL certificates from the host. This is to prevent certificate information is not available in a qemu's process container environment if features get switched later, which has shown to be problematic. [1] https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html Change-Id: Ie2c78fc3a07be1cd22cb6cac240047b5d2b9cd0a
31 lines
1.7 KiB
YAML
31 lines
1.7 KiB
YAML
---
|
||
fixes:
|
||
- |
|
||
On the compute nodes, right now ssl certificates got created for
|
||
libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required
|
||
because the all services use the same NovaLibvirtNetwork network and
|
||
therefore multiple certificates for the same hostname get created.
|
||
Also from qemu point of view, if default_tls_x509_cert_dir and
|
||
default_tls_x509_verify parameters get set for all certificates, there
|
||
is no need to specify any of the other `*_tls*` config options. From
|
||
`Secure live migration with QEMU-native TLS <https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html>`_
|
||
|
||
The intention (of libvirt) is that you can just use the
|
||
default_tls_x509_* config attributes so that you don’t need to set any
|
||
other `*_tls*` parameters, unless you need different certificates for
|
||
some services. The rationale for that is that some services (e.g.
|
||
migration / NBD) are only exposed to internal infrastructure; while
|
||
some sevices (VNC, Spice) might be exposed publically, so might need
|
||
different certificates. For OpenStack this does not matter, though,
|
||
we will stick with the defaults.
|
||
|
||
Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile
|
||
and InternalTLSQemuCAFile get removed (which defaulted to
|
||
/etc/ipa/ca.crt anyways) and just use InternalTLSCAFile.
|
||
|
||
Also all cerfificates get created when EnableInternalTLS is true to
|
||
and mount all SSL certificates from the host. This is to prevent
|
||
certificate information is not available in a qemu's process container
|
||
environment if features get switched later, which has shown to be
|
||
problematic.
|