openstack/openstack-ansible-os_nova
Code Issues Proposed changes
openstack-ansible-os_nova/templates/qemu.conf.j2
James Gibson ad8bda5f64 Enable TLS for live migrations 
Instead of using SSH to live migrate VM's use TLS as this is more
secure and SSH migrations are deprecated.
https://docs.openstack.org/nova/xena/admin/secure-live-migration-with-qemu-native-tls.html
A pre-existing PKI (Public Key Infrastruture) setup is required.

TLS live migrations require that all compute hosts can communcate
with each other on port 16514 and port range 49152 to 49261.

To enable TLS live migrations, both libvirt and QEMU require server
and client certificates, the server certicicates is used to verify
servers and the client cert is used by servers to authenticate
clients. A single cert is created by the pki role, that can be
used by both libvirt and QEMU for both client and server auth.

The client, server and CA certifcates need to installed in a
number of locations on each compute host:
* For Libvirt https://libvirt.org/tlscerts.html
* For QEMU https://github.com/libvirt/libvirt/blob/master/src/qemu/qemu.conf

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815007
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815849
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/816857

Change-Id: Iddbe8764bb6d3cd3eaee122b2d5ddc02fa3f7662
2021-11-09 09:11:24 +00:00

68 lines
2.3 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
{% if nova_network_type == 'calico' %}
# Calico specific qemu settings
# Information available at:
# http://docs.projectcalico.org/en/latest/ubuntu-opens-install.html
clear_emulator_capabilities = 0
user = "root"
group = "root"
cgroup_device_acl = [
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
"/dev/ptmx", "/dev/kvm", "/dev/kqemu",
"/dev/rtc", "/dev/hpet", "/dev/net/tun",
]
{% endif %}
{% if nova_libvirtd_listen_tls == 1 %}
# Use of TLS requires that x509 certificates be issued. The default is
# to keep them in /etc/pki/qemu. This directory must contain
#
# ca-cert.pem - the CA master certificate
# server-cert.pem - the server certificate signed with ca-cert.pem
# server-key.pem - the server private key
#
# and optionally may contain
#
# dh-params.pem - the DH params configuration file
#
# If the directory does not exist, libvirtd will fail to start. If the
# directory doesn't contain the necessary files, QEMU domains will fail
# to start if they are configured to use TLS.
#
# In order to overwrite the default path alter the following. This path
# definition will be used as the default path for other *_tls_x509_cert_dir
# configuration settings if their default path does not exist or is not
# specifically set.
#
default_tls_x509_cert_dir = "{{ nova_qemu_ssl_dir }}"
# The default TLS configuration only uses certificates for the server
# allowing the client to verify the server's identity and establish
# an encrypted channel.
#
# It is possible to use x509 certificates for authentication too, by
# issuing an x509 certificate to every client who needs to connect.
#
# Enabling this option will reject any client who does not have a
# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
#
# The default_tls_x509_cert_dir directory must also contain
#
# client-cert.pem - the client certificate signed with the ca-cert.pem
# client-key.pem - the client private key
#
# If this option is supplied it provides the default for the "_verify" option
# of specific TLS users such as vnc, backups, migration, etc. The specific
# users of TLS may override this by setting the specific "_verify" option.
#
# When not supplied the specific TLS users provide their own defaults.
#
default_tls_x509_verify = 1
{% endif %}
{% for key, value in _nova_qemu_conf.items() %}
{{ key }} = {{ value }}
{% endfor %}
View Git Blame Copy Permalink