nova: add support for TLS between novnc proxy & compute nodes
Nova is gaining the ability to run TLS over the connection between the novnc proxy service and the QEMU/KVM compute node VNC server. This adds a new config param - 'NOVA_CONSOLE_PROXY_COMPUTE_TLS=True' - which instructs devstack to configure libvirt/QEMU to enable TLS for the VNC server, and to configure the novncproxy to use TLS when connecting. NB this use of TLS is distinct from use of TLS for the public facing API controlled by USE_SSL, they can be enabled independently. This is done in a generic manner so that it is easy to extend to cover use of TLS with the SPICE and serial console proxy services too. Change-Id: Ib29d3f5f18533115b9c51e27b373e92fc0a28d1a Depends-on: I9cc9a380500715e60bd05aa5c29ee46bc6f8d6c2 Implements bp: websocket-proxy-to-host-security
This commit is contained in:
parent
9640d3bfbf
commit
e9870eb18d
22
lib/nova
22
lib/nova
@ -82,6 +82,10 @@ if is_service_enabled tls-proxy; then
|
|||||||
NOVA_SERVICE_PROTOCOL="https"
|
NOVA_SERVICE_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Whether to use TLS for comms between the VNC/SPICE/serial proxy
|
||||||
|
# services and the compute node
|
||||||
|
NOVA_CONSOLE_PROXY_COMPUTE_TLS=${NOVA_CONSOLE_PROXY_COMPUTE_TLS:-False}
|
||||||
|
|
||||||
# Public facing bits
|
# Public facing bits
|
||||||
NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}
|
NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}
|
||||||
NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}
|
NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}
|
||||||
@ -197,6 +201,13 @@ function is_n-cell_enabled {
|
|||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# is_nova_console_proxy_compute_tls_enabled() - Test if the Nova Console Proxy
|
||||||
|
# service has TLS enabled
|
||||||
|
function is_nova_console_proxy_compute_tls_enabled {
|
||||||
|
[[ ${NOVA_CONSOLE_PROXY_COMPUTE_TLS} = "True" ]] && return 0
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
# Helper to clean iptables rules
|
# Helper to clean iptables rules
|
||||||
function clean_iptables {
|
function clean_iptables {
|
||||||
# Delete rules
|
# Delete rules
|
||||||
@ -524,6 +535,17 @@ function create_nova_conf {
|
|||||||
iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS"
|
iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS"
|
||||||
iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
|
iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
|
||||||
iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
|
iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
|
||||||
|
|
||||||
|
if is_nova_console_proxy_compute_tls_enabled ; then
|
||||||
|
iniset $NOVA_CONF vnc auth_schemes "vencrypt"
|
||||||
|
iniset $NOVA_CONF vnc vencrypt_client_key "/etc/pki/nova-novnc/client-key.pem"
|
||||||
|
iniset $NOVA_CONF vnc vencrypt_client_cert "/etc/pki/nova-novnc/client-cert.pem"
|
||||||
|
iniset $NOVA_CONF vnc vencrypt_ca_certs "/etc/pki/nova-novnc/ca-cert.pem"
|
||||||
|
|
||||||
|
sudo mkdir -p /etc/pki/nova-novnc
|
||||||
|
deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
|
||||||
|
deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
iniset $NOVA_CONF vnc enabled false
|
iniset $NOVA_CONF vnc enabled false
|
||||||
fi
|
fi
|
||||||
|
@ -147,6 +147,18 @@ EOF
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if is_nova_console_proxy_compute_tls_enabled ; then
|
||||||
|
if is_service_enabled n-novnc ; then
|
||||||
|
echo "vnc_tls = 1" | sudo tee -a $QEMU_CONF
|
||||||
|
echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
|
||||||
|
|
||||||
|
sudo mkdir -p /etc/pki/libvirt-vnc
|
||||||
|
sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
|
||||||
|
deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
|
||||||
|
deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Service needs to be started on redhat/fedora -- do a restart for
|
# Service needs to be started on redhat/fedora -- do a restart for
|
||||||
# sanity after fiddling the config.
|
# sanity after fiddling the config.
|
||||||
restart_service $LIBVIRT_DAEMON
|
restart_service $LIBVIRT_DAEMON
|
||||||
|
18
lib/tls
18
lib/tls
@ -340,6 +340,24 @@ function make_root_CA {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Deploy the service cert & key to a service specific
|
||||||
|
# location
|
||||||
|
function deploy_int_cert {
|
||||||
|
local cert_target_file=$1
|
||||||
|
local key_target_file=$2
|
||||||
|
|
||||||
|
sudo cp "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file"
|
||||||
|
sudo cp "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Deploy the intermediate CA cert bundle file to a service
|
||||||
|
# specific location
|
||||||
|
function deploy_int_CA {
|
||||||
|
local ca_target_file=$1
|
||||||
|
|
||||||
|
sudo cp "$INT_CA_DIR/ca-chain.pem" "$ca_target_file"
|
||||||
|
}
|
||||||
|
|
||||||
# If a non-system python-requests is installed then it will use the
|
# If a non-system python-requests is installed then it will use the
|
||||||
# built-in CA certificate store rather than the distro-specific
|
# built-in CA certificate store rather than the distro-specific
|
||||||
# CA certificate store. Detect this and symlink to the correct
|
# CA certificate store. Detect this and symlink to the correct
|
||||||
|
Loading…
Reference in New Issue
Block a user