diff --git a/lib/nova b/lib/nova index ea0d2f7b89..c48aba625f 100644 --- a/lib/nova +++ b/lib/nova @@ -82,6 +82,10 @@ if is_service_enabled tls-proxy; then NOVA_SERVICE_PROTOCOL="https" fi +# Whether to use TLS for comms between the VNC/SPICE/serial proxy +# services and the compute node +NOVA_CONSOLE_PROXY_COMPUTE_TLS=${NOVA_CONSOLE_PROXY_COMPUTE_TLS:-False} + # Public facing bits NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST} NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774} @@ -197,6 +201,13 @@ function is_n-cell_enabled { return 1 } +# is_nova_console_proxy_compute_tls_enabled() - Test if the Nova Console Proxy +# service has TLS enabled +function is_nova_console_proxy_compute_tls_enabled { + [[ ${NOVA_CONSOLE_PROXY_COMPUTE_TLS} = "True" ]] && return 0 + return 1 +} + # Helper to clean iptables rules function clean_iptables { # Delete rules @@ -524,6 +535,17 @@ function create_nova_conf { iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS" iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS" iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS" + + if is_nova_console_proxy_compute_tls_enabled ; then + iniset $NOVA_CONF vnc auth_schemes "vencrypt" + iniset $NOVA_CONF vnc vencrypt_client_key "/etc/pki/nova-novnc/client-key.pem" + iniset $NOVA_CONF vnc vencrypt_client_cert "/etc/pki/nova-novnc/client-cert.pem" + iniset $NOVA_CONF vnc vencrypt_ca_certs "/etc/pki/nova-novnc/ca-cert.pem" + + sudo mkdir -p /etc/pki/nova-novnc + deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem + deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem + fi else iniset $NOVA_CONF vnc enabled false fi diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt index 8d74c77517..85b2689c59 100644 --- a/lib/nova_plugins/functions-libvirt +++ b/lib/nova_plugins/functions-libvirt @@ -147,6 +147,18 @@ EOF fi fi + if is_nova_console_proxy_compute_tls_enabled ; then + if is_service_enabled n-novnc ; then + echo "vnc_tls = 1" | sudo tee -a $QEMU_CONF + echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF + + sudo mkdir -p /etc/pki/libvirt-vnc + sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc + deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem + deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem + fi + fi + # Service needs to be started on redhat/fedora -- do a restart for # sanity after fiddling the config. restart_service $LIBVIRT_DAEMON diff --git a/lib/tls b/lib/tls index 0baf86caa9..bd9272cc18 100644 --- a/lib/tls +++ b/lib/tls @@ -340,6 +340,24 @@ function make_root_CA { fi } +# Deploy the service cert & key to a service specific +# location +function deploy_int_cert { + local cert_target_file=$1 + local key_target_file=$2 + + sudo cp "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file" + sudo cp "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file" +} + +# Deploy the intermediate CA cert bundle file to a service +# specific location +function deploy_int_CA { + local ca_target_file=$1 + + sudo cp "$INT_CA_DIR/ca-chain.pem" "$ca_target_file" +} + # If a non-system python-requests is installed then it will use the # built-in CA certificate store rather than the distro-specific # CA certificate store. Detect this and symlink to the correct