nova: add support for TLS between novnc proxy & compute nodes

Nova is gaining the ability to run TLS over the connection between the
novnc proxy service and the QEMU/KVM compute node VNC server.

This adds a new config param - 'NOVA_CONSOLE_PROXY_COMPUTE_TLS=True' -
which instructs devstack to configure libvirt/QEMU to enable TLS for the
VNC server, and to configure the novncproxy to use TLS when connecting.
NB this use of TLS is distinct from use of TLS for the public facing API
controlled by USE_SSL, they can be enabled independently.

This is done in a generic manner so that it is easy to extend to cover
use of TLS with the SPICE and serial console proxy services too.

Change-Id: Ib29d3f5f18533115b9c51e27b373e92fc0a28d1a
Depends-on: I9cc9a380500715e60bd05aa5c29ee46bc6f8d6c2
Implements bp: websocket-proxy-to-host-security
This commit is contained in:
Daniel P. Berrange 2016-11-10 13:03:32 +00:00 committed by melanie witt
parent 9640d3bfbf
commit e9870eb18d
3 changed files with 52 additions and 0 deletions

View File

@ -82,6 +82,10 @@ if is_service_enabled tls-proxy; then
NOVA_SERVICE_PROTOCOL="https" NOVA_SERVICE_PROTOCOL="https"
fi fi
# Whether to use TLS for comms between the VNC/SPICE/serial proxy
# services and the compute node
NOVA_CONSOLE_PROXY_COMPUTE_TLS=${NOVA_CONSOLE_PROXY_COMPUTE_TLS:-False}
# Public facing bits # Public facing bits
NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST} NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}
NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774} NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}
@ -197,6 +201,13 @@ function is_n-cell_enabled {
return 1 return 1
} }
# is_nova_console_proxy_compute_tls_enabled() - Test if the Nova Console Proxy
# service has TLS enabled
function is_nova_console_proxy_compute_tls_enabled {
[[ ${NOVA_CONSOLE_PROXY_COMPUTE_TLS} = "True" ]] && return 0
return 1
}
# Helper to clean iptables rules # Helper to clean iptables rules
function clean_iptables { function clean_iptables {
# Delete rules # Delete rules
@ -524,6 +535,17 @@ function create_nova_conf {
iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS" iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS"
iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS" iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS" iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
if is_nova_console_proxy_compute_tls_enabled ; then
iniset $NOVA_CONF vnc auth_schemes "vencrypt"
iniset $NOVA_CONF vnc vencrypt_client_key "/etc/pki/nova-novnc/client-key.pem"
iniset $NOVA_CONF vnc vencrypt_client_cert "/etc/pki/nova-novnc/client-cert.pem"
iniset $NOVA_CONF vnc vencrypt_ca_certs "/etc/pki/nova-novnc/ca-cert.pem"
sudo mkdir -p /etc/pki/nova-novnc
deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
fi
else else
iniset $NOVA_CONF vnc enabled false iniset $NOVA_CONF vnc enabled false
fi fi

View File

@ -147,6 +147,18 @@ EOF
fi fi
fi fi
if is_nova_console_proxy_compute_tls_enabled ; then
if is_service_enabled n-novnc ; then
echo "vnc_tls = 1" | sudo tee -a $QEMU_CONF
echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
sudo mkdir -p /etc/pki/libvirt-vnc
sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
fi
fi
# Service needs to be started on redhat/fedora -- do a restart for # Service needs to be started on redhat/fedora -- do a restart for
# sanity after fiddling the config. # sanity after fiddling the config.
restart_service $LIBVIRT_DAEMON restart_service $LIBVIRT_DAEMON

18
lib/tls
View File

@ -340,6 +340,24 @@ function make_root_CA {
fi fi
} }
# Deploy the service cert & key to a service specific
# location
function deploy_int_cert {
local cert_target_file=$1
local key_target_file=$2
sudo cp "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file"
sudo cp "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file"
}
# Deploy the intermediate CA cert bundle file to a service
# specific location
function deploy_int_CA {
local ca_target_file=$1
sudo cp "$INT_CA_DIR/ca-chain.pem" "$ca_target_file"
}
# If a non-system python-requests is installed then it will use the # If a non-system python-requests is installed then it will use the
# built-in CA certificate store rather than the distro-specific # built-in CA certificate store rather than the distro-specific
# CA certificate store. Detect this and symlink to the correct # CA certificate store. Detect this and symlink to the correct