-rw-r--r--docker/services/nova-libvirt.yaml19
-rw-r--r--puppet/services/nova-libvirt.yaml19
-rw-r--r--releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml6
3 files changed, 26 insertions, 18 deletions
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 13dbec95..ae9b6a3a 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -46,7 +46,8 @@ parameters:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
- relevant keys for libvirt.
+ relevant keys for libvirt. NOTE. this is currently being
+ ignored and TLS for libvirtd is always disabled for now.
DockerNovaMigrationSshdPort:
default: 2022
description: Port that dockerized nova migration target sshd service
@@ -70,14 +71,14 @@ parameters:
conditions:
- use_tls_for_live_migration:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForLiveMigration}
- - true
+ use_tls_for_live_migration: false
+ # and:
+ # - equals:
+ # - {get_param: EnableInternalTLS}
+ # - true
+ # - equals:
+ # - {get_param: UseTLSTransportForLiveMigration}
+ # - true
need_libvirt_secret:
or:
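Review bot: The `use_tls_for_live_migration` condition is now a hard-coded `false`, with the old expression left as commented-out YAML and nothing at that spot saying why it was disabled or when it may be restored. Because `UseTLSTransportForLiveMigration` still defaults to `true` and is still accepted, a deployment with `EnableInternalTLS` set will silently get whatever transport the false branch selects (not visible in this hunk), so the operator has no signal at deploy time that migration traffic is no longer covered by TLS. I would put a comment directly above the condition, for example `# Forced off: libvirtd TLS settings do not meet security requirements; restore the expression below once fixed (tracking: <BUG-ID placeholder>)`, and consider surfacing a warning or validation failure when both parameters are true. The same applies to the identical hunk in puppet/services/nova-libvirt.yaml, and the `conditions:` block continues outside both hunks.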
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index ac7cc8f1..38608bf4 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -66,7 +66,8 @@ parameters:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
- relevant keys for libvirt.
+ relevant keys for libvirt. NOTE. this is currently being
+ ignored and TLS for libvirtd is always disabled for now.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
@@ -100,14 +101,14 @@ parameters:
conditions:
- use_tls_for_live_migration:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForLiveMigration}
- - true
+ use_tls_for_live_migration: false
+ # and:
+ # - equals:
+ # - {get_param: EnableInternalTLS}
+ # - true
+ # - equals:
+ # - {get_param: UseTLSTransportForLiveMigration}
+ # - true
libvirt_specific_ca_unset:
equals:
diff --git a/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
new file mode 100644
index 00000000..d97e48ed
--- /dev/null
+++ b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Live migration over TLS has been disabled since the settings it was using
+ don't meet the required security standards. It is currently not possible to
+ enable it via t-h-t.