Due to the fact that it doesn't use a separate CA (or sub CA) for
libvirtd, and that proper SASL is not being used. We are disabling this
option since it doesn't meet the appropriate security requirements.
We'll look into adding this back once these issues get fixed.
Change-Id: I6a5e4db1b6dd6bc8b7e73e53b614b070d15b8a23
Closes-Bug: #
1730370
(cherry picked from commit
645757cbd6bdb1a1b75cb4aa8acce80a178099ce)
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
- relevant keys for libvirt.
+ relevant keys for libvirt. NOTE. this is currently being
+ ignored and TLS for libvirtd is always disabled for now.
DockerNovaMigrationSshdPort:
default: 2022
description: Port that dockerized nova migration target sshd service
conditions:
- use_tls_for_live_migration:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForLiveMigration}
- - true
+ use_tls_for_live_migration: false
+ # and:
+ # - equals:
+ # - {get_param: EnableInternalTLS}
+ # - true
+ # - equals:
+ # - {get_param: UseTLSTransportForLiveMigration}
+ # - true
need_libvirt_secret:
or:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
- relevant keys for libvirt.
+ relevant keys for libvirt. NOTE. this is currently being
+ ignored and TLS for libvirtd is always disabled for now.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
conditions:
- use_tls_for_live_migration:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForLiveMigration}
- - true
+ use_tls_for_live_migration: false
+ # and:
+ # - equals:
+ # - {get_param: EnableInternalTLS}
+ # - true
+ # - equals:
+ # - {get_param: UseTLSTransportForLiveMigration}
+ # - true
libvirt_specific_ca_unset:
equals:
--- /dev/null
+---
+security:
+ - |
+ Live migration over TLS has been disabled since the settings it was using
+ don't meet the required security standards. It is currently not possible to
+ enable it via t-h-t.