Merge pull request #626 from olliewalsh/nbd_tls

Enable live-migration NBD TLS

roles/edpm_libvirt/defaults/main.yml

@@ -65,7 +65,5 @@ edpm_libvirt_packages:
 edpm_libvirt_ceph_path: /var/lib/openstack/config/ceph
 
 # certs
-# FIXME: (owalsh) Disable until certs are correct https://libvirt.org/kbase/tlscerts.html
 edpm_libvirt_tls_certs_enabled: "{{ edpm_tls_certs_enabled | default(False) }}"
 edpm_libvirt_tls_cert_src_dir: /var/lib/openstack/certs/libvirt
-edpm_libvirt_tls_ca_src_dir: /var/lib/openstack/certs/libvirt

roles/edpm_libvirt/molecule/default/converge.yml

@@ -17,5 +17,4 @@
     - role: osp.edpm.edpm_libvirt
       vars:
         edpm_libvirt_tls_cert_src_dir: /tmp/pki
-        edpm_libvirt_tls_ca_src_dir: /tmp/pki
         edpm_libvirt_tls_certs_enabled: true

roles/edpm_libvirt/tasks/configure.yml

@@ -17,7 +17,8 @@
     - {"path": "/var/lib/edpm-config/firewall", "owner": "root", "group": "root"}
     - {"path": "/etc/pki/libvirt", "owner": "root", "group": "root"}
     - {"path": "/etc/pki/libvirt/private", "owner": "root", "group": "root"}
-    - {"path": "/etc/pki/CA/libvirt", "owner": "root", "group": "root"}
+    - {"path": "/etc/pki/CA", "owner": "root", "group": "root"}
+    - {"path": "/etc/pki/qemu", "owner": "root", "group": "qemu"}
 
 - name: Render libvirt config files
   tags:
@@ -109,7 +110,7 @@
     persistent: true
     state: true
 
-- name: Move TLS files to the right location on the compute node
+- name: Move libvirt TLS files to the right location on the compute node
   tags:
     - configure
     - libvirt
@@ -119,7 +120,7 @@
     - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/tls.key", "dest": "/etc/pki/libvirt/private/serverkey.pem"}
     - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/tls.crt", "dest": "/etc/pki/libvirt/clientcert.pem"}
     - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/tls.key", "dest": "/etc/pki/libvirt/private/clientkey.pem"}
-    - {"src": "{{ edpm_libvirt_tls_ca_src_dir }}/ca.crt", "dest": "/etc/pki/CA/cacert.pem"}
+    - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/ca.crt", "dest": "/etc/pki/CA/cacert.pem"}
   ansible.builtin.copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
@@ -128,3 +129,23 @@
     owner: "root"
     group: "root"
   when: edpm_libvirt_tls_certs_enabled
+
+- name: Move qemu TLS files to the right location on the compute node
+  tags:
+    - configure
+    - libvirt
+  become: true
+  loop:
+    - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/tls.crt", "dest": "/etc/pki/qemu/server-cert.pem"}
+    - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/tls.key", "dest": "/etc/pki/qemu/server-key.pem"}
+    - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/tls.crt", "dest": "/etc/pki/qemu/client-cert.pem"}
+    - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/tls.key", "dest": "/etc/pki/qemu/client-key.pem"}
+    - {"src": "{{ edpm_libvirt_tls_cert_src_dir }}/ca.crt", "dest": "/etc/pki/qemu/ca-cert.pem"}
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    remote_src: true
+    mode: "0640"
+    owner: "root"
+    group: "qemu"
+  when: edpm_libvirt_tls_certs_enabled

roles/edpm_libvirt/templates/qemu.conf.j2

@@ -2,17 +2,10 @@ max_files = 32768
 max_processes = 131072
 vnc_tls = 0
 vnc_tls_x509_verify = 0
-default_tls_x509_verify = 0
-nbd_tls = 0
 # NOTE(gibi): In tripleo the default range was intentionally changed to avoid
 # port usage conflicts. See https://review.openstack.org/#/c/561784
 migration_port_min = 61152
 migration_port_max = 61215
 {% if edpm_nova_libvirt_qemu_group is defined%}
 group = "{{ edpm_nova_libvirt_qemu_group }}"
 {% endif %}
-{% if edpm_libvirt_tls_certs_enabled | bool %}
-# FIXME(owalsh): disable until QEMU hostname validation issue is resolved
-# default_tls_x509_cert_dir = "/etc/pki/libvirt"
-# default_tls_x509_verify = 1
-{% endif %}

roles/edpm_nova/defaults/main.yml

@@ -31,9 +31,7 @@ edpm_nova_compute_image: "quay.io/podified-antelope-centos9/openstack-nova-compu
 
 # Libvirt TLS
 edpm_nova_live_migration_tls: "{{ edpm_tls_certs_enabled | default(False) }}"
-# FIXME: (owalsh) disable until QEMU hostname validation is resolved
-# edpm_nova_live_migration_native_tls: "{{ edpm_tls_certs_enabled | default(False) }}"
-edpm_nova_live_migration_native_tls: false
+edpm_nova_live_migration_native_tls: "{{ edpm_tls_certs_enabled | default(False) }}"
 
 # NOTE(sean-k-mooney): nova will use unix sockets for libvirt and communicate with ovs via tcp
 # so we will not need the libvirt or ovs client certs or ca. nova will communicate other services

roles/edpm_nova/molecule/default/verify.yml

@@ -64,7 +64,7 @@
       ansible.builtin.assert:
         that:
           - "'live_migration_with_native_tls = True' in host_specific_config.content | b64decode"
-          - "'live_migration_scheme = tls' in host_specific_config.content | b64decode"
+          - "'live_migration_uri = qemu+tls://%s/system' in host_specific_config.content | b64decode"
 
     - name: Assert that host is rendered into the host specific config
       ansible.builtin.assert:

roles/edpm_nova/templates/02-nova-host-specific.conf.j2

@@ -4,6 +4,12 @@ host = {{ canonical_hostname }}
 
 [libvirt]
 live_migration_with_native_tls = {{ edpm_nova_live_migration_native_tls|bool }}
+
 {% if edpm_nova_live_migration_tls|bool %}
-live_migration_scheme = tls
+live_migration_uri = qemu+tls://%s/system
+{% endif %}
+
+{% if edpm_nova_live_migration_native_tls|bool %}
+# FIXME(owalsh): workaround https://issues.redhat.com/browse/LIBVIRT-1113
+live_migration_permit_post_copy = False
 {% endif %}