openstack/tripleo-heat-templates
Code Issues Proposed changes

Merge "Add support for native TLS encryption on NBD for disk migration"

Browse Source
This commit is contained in:
Zuul 2019-02-01 10:05:52 +00:00 committed by Gerrit Code Review
commit b8a5dbe071
4 changed files with 179 additions and 0 deletions

71
docker/services/nova-libvirt.yaml

@ -85,11 +85,21 @@ parameters:
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
UseTLSTransportForNbd:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt NBD and configure the
relevant keys for libvirt.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
InternalTLSNbdCAFile:
default: '/etc/pki/qemu/ca-cert.pem'
type: string
description: Specifies the CA cert to use for NBD TLS.
InternalTLSVncCAFile:
default: '/etc/pki/CA/certs/vnc.crt'
type: string
@ -116,6 +126,16 @@ parameters:
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
LibvirtNbdCACert:
type: string
default: ''
description: This specifies the CA certificate to use for NBD TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-nbd/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSNbdCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
VhostuserSocketGroup:
default: "qemu"
description: >
@ -186,6 +206,20 @@ conditions:
- {get_param: QemuMemoryBackingDir}
- ''
use_tls_for_nbd:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForNbd}
- true
libvirt_nbd_specific_ca_unset:
equals:
- {get_param: LibvirtNbdCACert}
- ''
docker_enabled:
equals:
- {get_param: ContainerCli}
@ -277,6 +311,14 @@ outputs:
merge: true
preserve_properties: true
- null
- if:
- use_tls_for_nbd
-
- source: /var/lib/kolla/config_files/src-libvirt-nbd-pki/client-*.pem
dest: /etc/pki/libvirt-nbd/
merge: true
preserve_properties: true
- null
permissions:
list_concat:
-
@ -295,6 +337,19 @@ outputs:
owner: root:qemu
perm: '0640'
- null
- if:
- use_tls_for_nbd
-
- path: /etc/pki/libvirt-nbd/client-key.pem
owner: root:qemu
perm: '0640'
- path: /etc/pki/qemu/server-key.pem
owner: root:qemu
perm: '0640'
- path: /etc/pki/qemu/ca-cert.pem
owner: root:root
perm: '0644'
- null
/var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files:
@ -403,6 +458,22 @@ outputs:
params:
MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}
- null
-
if:
- use_tls_for_nbd
-
- str_replace:
template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_nbd_specific_ca_unset
- get_param: InternalTLSNbdCAFile
- get_param: LibvirtNbdCACert
- /etc/pki/qemu/server-cert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-key.pem:ro
- /etc/pki/libvirt-nbd:/var/lib/kolla/config_files/src-libvirt-nbd-pki:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
step_4:

4
puppet/services/certmonger-user.yaml

@ -48,6 +48,9 @@ parameters:
CertmongerVncCA:
type: string
default: 'IPA'
CertmongerQemuCA:
type: string
default: 'IPA'
conditions:
@ -64,6 +67,7 @@ outputs:
- tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
certmonger_ca: {get_param: CertmongerCA}
certmonger_ca_vnc: {get_param: CertmongerVncCA}
certmonger_ca_qemu: {get_param: CertmongerQemuCA}
- {}
step_config: |
include ::tripleo::profile::base::certmonger_user

92
puppet/services/nova-libvirt.yaml

@ -82,6 +82,12 @@ parameters:
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
UseTLSTransportForNbd:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt NBD and configure the
relevant keys for libvirt.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
@ -91,6 +97,10 @@ parameters:
default: '/etc/pki/CA/certs/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
InternalTLSQemuCAFile:
default: '/etc/pki/CA/certs/qemu.pem'
type: string
description: Specifies the CA cert to use for qemu.
LibvirtCACert:
type: string
default: ''
@ -113,6 +123,16 @@ parameters:
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
QemuCACert:
type: string
default: ''
description: This specifies the CA certificate to use for qemu.
This file will be symlinked to the default CA path,
which is /etc/pki/qemu/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSQemuCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
MigrationSshKey:
type: json
description: >
@ -169,6 +189,19 @@ conditions:
- {get_param: LibvirtVncCACert}
- ''
use_tls_for_nbd:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForNbd}
- true
qemu_specific_ca_unset:
equals:
- {get_param: QemuCACert}
- ''
resources:
NovaBase:
@ -342,6 +375,58 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
-
if:
- use_tls_for_nbd
-
nova::compute::libvirt::qemu::nbd_tls: true
nova::migration::libvirt::live_migration_with_native_tls: true
tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
generate_service_certificates: true
tripleo::certmonger::ca::qemu::origin_ca_pem:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- get_param: QemuCACert
qemu_certificates_specs:
qemu-server-cert:
cacertfile:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- null
service_certificate: '/etc/pki/qemu/server-cert.pem'
service_key: '/etc/pki/qemu/server-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
qemu-nbd-client-cert:
cacertfile:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- null
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
step_config: |
include tripleo::profile::base::nova::libvirt
metadata_settings:
@ -360,3 +445,10 @@ outputs:
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null
- if:
- use_tls_for_nbd
-
- service: qemu
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null

12
releasenotes/notes/nova_qemu_native_tls_encryption_on_nbd_for_disk_migration-2e16003c4764a399.yaml Normal file

@ -0,0 +1,12 @@
---
features:
- |
Add support for native TLS encryption on NBD for disk migration
The NBD protocol previously runs in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. In tls-everywhere use case we want to
take advantage of this feature to create the certificates and configure
qemu to use nbd tls.