authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-11-06 13:31:33 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-11-11 10:36:50 +0000
commit994922a8ba996fe68d047df0e1486fa805dbea31 (patch)
treee84dd791d0b75f8513d0314eabafea7be09c4005
parenta5ba2c29ec88a78289023048492dc8189ea8e183 (diff)
Disable live migration over TLS
Because it doesn't use a separate CA (or sub CA) for libvirtd, and proper SASL is not being used, we are disabling this option since it doesn't meet the appropriate security requirements. We'll look into adding this back once these issues get fixed. Change-Id: I6a5e4db1b6dd6bc8b7e73e53b614b070d15b8a23 Closes-Bug: #1730370 (cherry picked from commit 645757cbd6bdb1a1b75cb4aa8acce80a178099ce)
-rw-r--r--docker/services/nova-libvirt.yaml19
-rw-r--r--puppet/services/nova-libvirt.yaml19
-rw-r--r--releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml6
3 files changed, 26 insertions, 18 deletions
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 13dbec95..ae9b6a3a 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -46,7 +46,8 @@ parameters:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
- relevant keys for libvirt.
+ relevant keys for libvirt. NOTE. this is currently being
+ ignored and TLS for libvirtd is always disabled for now.
DockerNovaMigrationSshdPort:
default: 2022
description: Port that dockerized nova migration target sshd service
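Review bot: `UseTLSTransportForLiveMigration` keeps `default: true` while the added description says it is ignored, so a deployer who relies on the default or sets it explicitly gets a non-TLS migration transport with no warning, and the note says neither why nor when the parameter will be honoured again. I would tighten the new description lines to `relevant keys for libvirt. NOTE: this parameter is currently ignored and TLS for libvirtd is always disabled (see bug 1730370); it will be honoured again once libvirtd has a dedicated CA and SASL authentication.` The fallback transport is not visible in this hunk; it is presumably the sshd service configured by `DockerNovaMigrationSshdPort` just below, which is worth stating so operators know what protects migration traffic in the meantime. `NOTE.` should also read `NOTE:`.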
@@ -70,14 +71,14 @@ parameters:
conditions:
- use_tls_for_live_migration:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForLiveMigration}
- - true
+ use_tls_for_live_migration: false
+ # and:
+ # - equals:
+ # - {get_param: EnableInternalTLS}
+ # - true
+ # - equals:
+ # - {get_param: UseTLSTransportForLiveMigration}
+ # - true
need_libvirt_secret:
or:
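Review bot: The new `use_tls_for_live_migration: false` literal is followed by the old `and:` block commented out with no explanation, so a reader of the template has to dig up this commit to learn why the condition is hard-wired off and what must change before it can be restored. A one-line comment above the literal would carry that: `# Forced off (bug 1730370): restore the commented condition below once libvirtd gets its own CA and SASL auth.` If restoring it is not imminent, deleting the dead block and relying on git history is the cleaner alternative to keeping commented-out YAML. The condition is presumably referenced elsewhere in this file, outside the hunk, to wire libvirt's TLS keys and URI transport, so the literal disables those as well, which appears to be the intended effect.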
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index ac7cc8f1..38608bf4 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -66,7 +66,8 @@ parameters:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
- relevant keys for libvirt.
+ relevant keys for libvirt. NOTE. this is currently being
+ ignored and TLS for libvirtd is always disabled for now.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
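Review bot: The note added to `UseTLSTransportForLiveMigration` says the option is ignored but not why, while the next parameter `InternalTLSCAFile` (default `/etc/ipa/ca.crt`) appears to be the shared internal CA that the commit message gives as the reason libvirtd TLS does not yet meet the bar. Spelling that out keeps operators from assuming a TLS setting toggled elsewhere covers libvirtd: `NOTE: currently ignored; TLS for libvirtd stays disabled until it is backed by a dedicated CA and SASL authentication (bug 1730370).` `NOTE.` should read `NOTE:`, and the wording should be kept identical to the docker/services copy so the two templates do not drift.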
@@ -100,14 +101,14 @@ parameters:
conditions:
- use_tls_for_live_migration:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForLiveMigration}
- - true
+ use_tls_for_live_migration: false
+ # and:
+ # - equals:
+ # - {get_param: EnableInternalTLS}
+ # - true
+ # - equals:
+ # - {get_param: UseTLSTransportForLiveMigration}
+ # - true
libvirt_specific_ca_unset:
equals:
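Review bot: The forced `use_tls_for_live_migration: false` sits directly above `libvirt_specific_ca_unset`, which suggests this template already has a hook for a libvirt-specific CA, one of the two preconditions the commit message names for turning TLS back on, yet nothing in the hunk ties the two together. A comment on the literal would make the re-enable path explicit: `# Hard-wired off (bug 1730370). Restore the commented condition once libvirtd uses a dedicated CA (see libvirt_specific_ca_unset) and SASL auth.` As in the docker template, consider dropping the commented-out block instead of keeping dead YAML. The `libvirt_specific_ca_unset` condition continues outside the hunk, so I cannot confirm what it compares against.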
diff --git a/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
new file mode 100644
index 00000000..d97e48ed
--- /dev/null
+++ b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Live migration over TLS has been disabled since the settings it was using
+ don't meet the required security standards. It is currently not possible to
+ enable it via t-h-t.