Libvirt TLS with client certs alone is not secure and has been disabled in https://bugzilla.redhat.com/show_bug.cgi?id=1510216. Additional measures must be taken to control access, such as fine-grained control of the permitted clients (e.g. by using a dedicated CA for libvirt) or configuring SASL authentication.
This will require a kolla patch upstream for master and stable/pike for the nova_libvirt Dockerfile, and likely a dib element for overcloud-full upstream if they care about the issue.
Created attachment 1352946
rhosp-director-images patch for cyrus-sasl-scram
openstack-nova-libvirt-docker > 12.0-20171127.1 should have this fix
Libvirt configured with TLS:

[root@overcloud-compute-0 ~]# docker exec nova_libvirt grep listen_tls /etc/libvirt/libvirtd.conf
#listen_tls = 0
listen_tls=1

Nova configured to use TLS migrations:

[root@overcloud-compute-0 ~]# docker exec nova_libvirt grep live_migration_scheme /etc/nova/nova.conf
# * ``live_migration_scheme``: If ``live_migration_uri`` is not set, the scheme
#   used for live migration is taken from ``live_migration_scheme`` instead.
# ``live_migration_scheme``
#live_migration_scheme=<None>
live_migration_scheme=tls
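The grep above only proves that the TLS listener is on; the point of this bug is that listen_tls=1 by itself accepts any client certificate signed by the CA. The following is an added example, not code from the bug report, kolla or tripleo: a small POSIX sh audit that reads a libvirtd.conf and reports whether one of the two mitigations from the first comment (auth_tls="sasl", or a non-empty tls_allowed_dn_list) is in place, and a companion check for live_migration_scheme in nova.conf. The libvirtd.conf keys it reads (listen_tls, auth_tls, tls_allowed_dn_list, tls_no_verify_certificate) are real libvirt settings; the two sample libvirtd.conf files and the nova.conf fragment are constructed for the demonstration and the hostnames in them are made up. The SASL mechanism configuration that the cyrus-sasl-scram attachment enables lives in a separate SASL config file and is not checked here.

```shell
#!/bin/sh
# Added example (not from the bug report, kolla or tripleo): audit a
# libvirtd.conf for the "TLS with client certificates only" configuration
# this bug describes. Sample configurations below are constructed.

# Effective value of a libvirtd.conf key: first uncommented assignment,
# surrounding quotes removed. Prints nothing when the key is unset.
libvirtd_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

# audit_libvirtd_tls CONF: print findings; return 0 if the TLS listener is
# acceptably restricted, 1 if any certificate issued by the CA is enough
# to reach libvirtd.
audit_libvirtd_tls() {
    conf=$1
    weak=0
    listen_tls=$(libvirtd_get listen_tls "$conf")
    auth_tls=$(libvirtd_get auth_tls "$conf")
    no_verify=$(libvirtd_get tls_no_verify_certificate "$conf")
    # Strip list syntax: ["CN=a", "CN=b"] -> CN=a, CN=b ; [] -> empty
    dn_list=$(libvirtd_get tls_allowed_dn_list "$conf" | tr -d '[]' | sed 's/^ *//; s/ *$//')

    # listen_tls defaults to 1 when libvirtd listens at all
    if [ "${listen_tls:-1}" = 0 ]; then
        echo "$conf: listen_tls=0, TLS listener disabled"
        return 0
    fi
    if [ "${no_verify:-0}" != 0 ]; then
        echo "$conf: tls_no_verify_certificate=1, client certificates are not checked at all"
        weak=1
    fi
    if [ "${auth_tls:-none}" = sasl ]; then
        echo "$conf: auth_tls=sasl, clients must also authenticate via SASL"
    elif [ -n "$dn_list" ]; then
        echo "$conf: access limited to certificate DNs: $dn_list"
    else
        echo "$conf: any certificate from the CA is accepted (auth_tls=${auth_tls:-none}, tls_allowed_dn_list empty)"
        weak=1
    fi
    return $weak
}

# nova_migrates_over_tls CONF: 0 if live_migration_scheme is tls.
# Reuses the key reader above, so it ignores INI section boundaries.
nova_migrates_over_tls() {
    [ "$(libvirtd_get live_migration_scheme "$1")" = tls ]
}

# Constructed sample configurations, not taken from any real deployment.
WORKDIR=$(mktemp -d)
WEAK_CONF=$WORKDIR/libvirtd-weak.conf
HARDENED_CONF=$WORKDIR/libvirtd-hardened.conf
NOVA_CONF=$WORKDIR/nova.conf

# The state this bug is about: TLS listener on, nothing else.
cat > "$WEAK_CONF" <<'EOF'
#listen_tls = 0
listen_tls=1
listen_tcp=0
EOF

# Both mitigations from the first comment: SASL on the TLS listener and a
# DN allow-list, so a certificate alone is not enough.
cat > "$HARDENED_CONF" <<'EOF'
listen_tls = 1
listen_tcp = 0
auth_tls = "sasl"
tls_allowed_dn_list = ["CN=compute-0.internalapi.example.test,O=example", "CN=compute-1.internalapi.example.test,O=example"]
EOF

cat > "$NOVA_CONF" <<'EOF'
[libvirt]
live_migration_scheme=tls
EOF

# Usage: run the audit on both samples and on the nova fragment.
audit_libvirtd_tls "$WEAK_CONF" || echo "-> weak"
audit_libvirtd_tls "$HARDENED_CONF" && echo "-> hardened"
nova_migrates_over_tls "$NOVA_CONF" && echo "$NOVA_CONF: live migration uses tls"
```

Running it against a real deployment means pointing the two functions at the files inside the container, for example via `docker cp nova_libvirt:/etc/libvirt/libvirtd.conf .`, rather than the constructed samples.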
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462