2b8d5a0b88
To secure communications from the proxy server to the compute nodes using VeNCrypt authentication scheme. In a previous patch a TLS server certificate was deployed to compute nodes, this patch makes use of this same server cert for securing VNC sessions on compute nodes. It is recommended that this certificate be issued by a dedicated certificate authority solely for the VNC service, as libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server. This has not been implemented to reduce complexity. In addition the noVNC proxy needs to present a client certificate so only approved VNC proxy servers can connect to the Compute nodes. The PKI role has been used to create a client certificate for the nova console nodes. Related Nova docs: https://docs.openstack.org/nova/latest/admin/remote-console-access.html To help with the transition from from unencrypted VNC to VeNCrypt, initially compute nodes auth scheme allows for both encrypted and unencrypted sessions using the variable `nova_vencrypt_auth_scheme`, this will be removed in future releases. Change-Id: Iafb788f80fd401c6ce6e4576bafd06c92431bd65
100 lines
2.5 KiB
YAML
100 lines
2.5 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Stop libvirt-bin
|
|
service:
|
|
name: "{{ libvirt_service_name }}"
|
|
enabled: yes
|
|
state: "stopped"
|
|
listen:
|
|
- Restart libvirt-bin
|
|
- "cert installed"
|
|
when:
|
|
- "'nova_compute' in group_names"
|
|
- nova_virt_type != 'ironic'
|
|
|
|
- name: Enable sockets when needed
|
|
service:
|
|
name: "{{ item.name | default(item) }}"
|
|
state: "{{ item.condition | default(False) | ternary('started', 'stopped') }}"
|
|
enabled: "{{ item.condition | default(False) }}"
|
|
masked: no
|
|
when:
|
|
- libvirtd_version is version('5.7', '>=')
|
|
with_items:
|
|
- name: libvirtd-tls.socket
|
|
condition: "{{ nova_libvirtd_listen_tls | bool }}"
|
|
- name: libvirtd-tcp.socket
|
|
condition: "{{ nova_libvirtd_listen_tcp | bool }}"
|
|
listen:
|
|
- Restart libvirt-bin
|
|
|
|
- name: Start libvirt-bin
|
|
service:
|
|
name: "{{ libvirt_service_name }}"
|
|
enabled: yes
|
|
state: "started"
|
|
listen:
|
|
- Restart libvirt-bin
|
|
- "cert installed"
|
|
when:
|
|
- "'nova_compute' in group_names"
|
|
- nova_virt_type != 'ironic'
|
|
|
|
- name: Stop services
|
|
service:
|
|
name: "{{ item.service_name }}"
|
|
enabled: yes
|
|
state: "stopped"
|
|
daemon_reload: yes
|
|
with_items: "{{ filtered_nova_services }}"
|
|
register: _stop
|
|
until: _stop is success
|
|
retries: 5
|
|
delay: 2
|
|
listen:
|
|
- "Restart nova services"
|
|
- "venv changed"
|
|
- "cert installed"
|
|
|
|
# NOTE (noonedeadpunk): Remove this task after Xena release
|
|
- name: Remove obsoleted policy.json
|
|
file:
|
|
path: "/etc/nova/policy.json"
|
|
state: absent
|
|
listen:
|
|
- "Restart nova services"
|
|
- "venv changed"
|
|
|
|
- name: Start services
|
|
service:
|
|
name: "{{ item.service_name }}"
|
|
enabled: yes
|
|
state: "started"
|
|
daemon_reload: yes
|
|
with_items: "{{ filtered_nova_services }}"
|
|
register: _start
|
|
until: _start is success
|
|
retries: 5
|
|
delay: 2
|
|
listen:
|
|
- "Restart nova services"
|
|
- "venv changed"
|
|
- "cert installed"
|
|
|
|
- meta: noop
|
|
listen: Manage LB
|
|
when: false
|