Merge "Disable live migration over TLS"

Zuul 2017-11-10 17:37:27 +00:00 committed by Gerrit Code Review
commit 210aeaaab1
3 changed files with 26 additions and 18 deletions
docker/services
puppet/services
releasenotes/notes

@ -46,7 +46,8 @@ parameters:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
relevant keys for libvirt. NOTE. this is currently being
ignored and TLS for libvirtd is always disabled for now.
DockerNovaMigrationSshdPort:
default: 2022
description: Port that dockerized nova migration target sshd service
@ -70,14 +71,14 @@ parameters:
conditions:
use_tls_for_live_migration:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForLiveMigration}
- true
use_tls_for_live_migration: false
# and:
# - equals:
# - {get_param: EnableInternalTLS}
# - true
# - equals:
# - {get_param: UseTLSTransportForLiveMigration}
# - true
need_libvirt_secret:
or:
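Review bot: The hard-coded `use_tls_for_live_migration: false` in the `conditions` block makes `UseTLSTransportForLiveMigration` a silent no-op while the parameter keeps `default: true`. An operator who sets `EnableInternalTLS` will therefore have every branch keyed on this condition take the non-TLS path, and the only signal is one sentence in the parameter description. Put the reason and the re-enable criteria on the override itself instead of leaving bare commented-out YAML, e.g. `# TLS for libvirtd is force-disabled: the settings used do not meet the required security standards; restore the condition below once fixed (tracking: <bug-id>)`. The description should also say which transport migration falls back to, since that is not visible in this hunk. The same override appears in the puppet/services template and needs the same comment; the `conditions` mapping continues past the end of this hunk.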

@ -66,7 +66,8 @@ parameters:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
relevant keys for libvirt. NOTE. this is currently being
ignored and TLS for libvirtd is always disabled for now.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
@ -100,14 +101,14 @@ parameters:
conditions:
use_tls_for_live_migration:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForLiveMigration}
- true
use_tls_for_live_migration: false
# and:
# - equals:
# - {get_param: EnableInternalTLS}
# - true
# - equals:
# - {get_param: UseTLSTransportForLiveMigration}
# - true
libvirt_specific_ca_unset:
equals:

@ -0,0 +1,6 @@
---
security:
- |
Live migration over TLS has been disabled since the settings it was using
don't meet the required security standards. It is currently not possible to
enable it via t-h-t.