Disable live migration over TLS

Due to the fact that it doesn't use a separate CA (or sub CA) for
libvirtd, and that proper SASL is not being used. We are disabling this
option since it doesn't meet the appropriate security requirements.
We'll look into adding this back once these issues get fixed.

Change-Id: I6a5e4db1b6dd6bc8b7e73e53b614b070d15b8a23
Closes-Bug: #1730370
(cherry picked from commit 645757cbd6bdb1a1b75cb4aa8acce80a178099ce)

diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 13dbec9..ae9b6a3 100644 (file)
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -46,7 +46,8 @@ parameters:
     default: true
     description: If set to true and if EnableInternalTLS is enabled, it will
                  set the libvirt URI's transport to tls and configure the
-                 relevant keys for libvirt.
+                 relevant keys for libvirt. NOTE. this is currently being
+                 ignored and TLS for libvirtd is always disabled for now.
   DockerNovaMigrationSshdPort:
     default: 2022
     description: Port that dockerized nova migration target sshd service
@@ -70,14 +71,14 @@ parameters:
 
 conditions:
 
-  use_tls_for_live_migration:
-    and:
-    - equals:
-      - {get_param: EnableInternalTLS}
-      - true
-    - equals:
-      - {get_param: UseTLSTransportForLiveMigration}
-      - true
+  use_tls_for_live_migration: false
+  # and:
+  # - equals:
+  #   - {get_param: EnableInternalTLS}
+  #   - true
+  # - equals:
+  #   - {get_param: UseTLSTransportForLiveMigration}
+  #   - true
 
   need_libvirt_secret:
     or:

diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index ac7cc8f..38608bf 100644 (file)
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -66,7 +66,8 @@ parameters:
     default: true
     description: If set to true and if EnableInternalTLS is enabled, it will
                  set the libvirt URI's transport to tls and configure the
-                 relevant keys for libvirt.
+                 relevant keys for libvirt. NOTE. this is currently being
+                 ignored and TLS for libvirtd is always disabled for now.
   InternalTLSCAFile:
     default: '/etc/ipa/ca.crt'
     type: string
@@ -100,14 +101,14 @@ parameters:
 
 conditions:
 
-  use_tls_for_live_migration:
-    and:
-    - equals:
-      - {get_param: EnableInternalTLS}
-      - true
-    - equals:
-      - {get_param: UseTLSTransportForLiveMigration}
-      - true
+  use_tls_for_live_migration: false
+  # and:
+  # - equals:
+  #   - {get_param: EnableInternalTLS}
+  #   - true
+  # - equals:
+  #   - {get_param: UseTLSTransportForLiveMigration}
+  #   - true
 
   libvirt_specific_ca_unset:
     equals:

diff --git a/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
new file mode 100644 (file)
index 0000000..d97e48e
--- /dev/null
+++ b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Live migration over TLS has been disabled since the settings it was using
+    don't meet the required security standards. It is currently not possible to
+    enable it via t-h-t.