Bug 1513440

Summary: Re-enable libvirt TLS with SASL authentication
Product: Red Hat OpenStack Reporter: Ollie Walsh <owalsh>
Component: openstack-tripleo-heat-templatesAssignee: Ollie Walsh <owalsh>
Status: CLOSED ERRATA QA Contact: Joe H. Rahme <jhakimra>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 12.0 (Pike)CC: jschluet, kchamart, lyarwood, mburns, owalsh, sgordon
Target Milestone: rcKeywords: Triaged
Target Release: 12.0 (Pike)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-7.0.3-14.el7ost, puppet-tripleo-7.4.3-10.el7ost, openstack-tripleo-common-7.6.3-5.el7ost, openstack-tripleo-puppet-elements-7.0.1-2.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-13 22:20:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1336504, 1484481    
Attachments:
Description Flags
rhosp-director-images patch for cyrus-sasl-scram none

Description Ollie Walsh 2017-11-15 12:15:52 UTC 
Libvirt TLS with client certs alone is not secure and has been disabled in https://bugzilla.redhat.com/show_bug.cgi?id=1510216.

Additional measures must be taken to control access, such as fine grained control of the permitted clients (e.g by using a dedicated CA for libvirt) or configuring SASL authentication.
Comment 2 Jon Schlueter 2017-11-15 15:27:34 UTC 
This will require a kolla patch upstream for master and stable/pike for the nova_libvirt docker file

and likely a dib element for overcloud-full in upstream if they care about the issue.
Comment 3 Jon Schlueter 2017-11-15 20:02:22 UTC 
Created attachment 1352946 [details]
rhosp-director-images patch for cyrus-sasl-scram
Comment 6 Jon Schlueter 2017-11-27 19:20:23 UTC 
openstack-nova-libvirt-docker > 12.0-20171127.1 should have this fix
Comment 8 Joe H. Rahme 2017-12-04 16:18:46 UTC 
Libvirt configured with TLS:

[root@overcloud-compute-0 ~]# docker exec nova_libvirt grep listen_tls /etc/libvirt/libvirtd.conf
#listen_tls = 0
listen_tls=1


Nova configured to use TLS migrations:

[root@overcloud-compute-0 ~]# docker exec nova_libvirt grep live_migration_scheme /etc/nova/nova.conf
# * ``live_migration_scheme``: If ``live_migration_uri`` is not set, the scheme
#   used for live migration is taken from ``live_migration_scheme`` instead.
# ``live_migration_scheme``
#live_migration_scheme=<None>
live_migration_scheme=tls
Comment 11 errata-xmlrpc 2017-12-13 22:20:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462