Libvirt TLS with client certs alone is not secure and has been disabled in https://bugzilla.redhat.com/show_bug.cgi?id=1510216.
Additional measures must be taken to control access, such as fine-grained control of the permitted clients (e.g. by using a dedicated CA for libvirt) or configuring SASL authentication.
This will require a kolla patch upstream for master and stable/pike for the nova_libvirt Dockerfile, and likely a dib element for overcloud-full upstream if they care about the issue.
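As an added illustration (not code from the bug report, libvirt or kolla), a small Python check that parses a libvirtd.conf fragment and flags the weak setting described above: a TLS listener whose only access control is the CA signature, i.e. auth_tls left at its default "none" with no tls_allowed_dn_list. The two configuration fragments and the DN are constructed samples, and the check assumes libvirtd is running in listen mode.

```python
import re
# Constructed sample fragments (not from the bug report): the weak setting the
# bug describes, and a hardened counterpart using SASL plus a DN allow-list.
WEAK_CONF = """
listen_tls = 1
#auth_tls = "none"
"""
HARDENED_CONF = """
listen_tls = 1
auth_tls = "sasl"
tls_allowed_dn_list = ["C=US,O=Example,CN=overcloud-compute-0"]
"""
_KV = re.compile(r'^([A-Za-z_]+)\s*=\s*(.+)$')

def parse_libvirtd_conf(text):
    """Return the active (uncommented) settings as Python values:
    quoted strings -> str, bracketed lists -> list of str, digits -> int."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue          # blank or comment line
        m = _KV.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            settings[key] = raw[1:-1]
        elif raw.startswith('[') and raw.endswith(']'):
            # DNs contain commas, so take the quoted items rather than splitting on ','
            settings[key] = re.findall(r'"([^"]*)"', raw)
        elif raw.isdigit():
            settings[key] = int(raw)
        else:
            settings[key] = raw
    return settings

def tls_findings(settings):
    """Weaknesses of the TLS listener (empty list means none found). Assumes
    listen mode; libvirtd.conf documents listen_tls=1 and auth_tls="none" as defaults."""
    findings = []
    if settings.get('listen_tls', 1) != 1:
        return findings       # TLS listener disabled: nothing to check
    if settings.get('tls_no_verify_certificate', 0) == 1:
        findings.append('tls_no_verify_certificate=1: client certificates are not checked at all')
    auth = settings.get('auth_tls', 'none')
    if auth != 'sasl' and not settings.get('tls_allowed_dn_list'):
        findings.append('auth_tls=%r and no tls_allowed_dn_list: any cert issued by the CA is accepted' % auth)
    return findings
```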
Created attachment 1352946: rhosp-director-images patch for cyrus-sasl-scram
openstack-nova-libvirt-docker > 12.0-20171127.1 should have this fix
Libvirt configured with TLS:
[root@overcloud-compute-0 ~]# docker exec nova_libvirt grep listen_tls /etc/libvirt/libvirtd.conf
#listen_tls = 0
Nova configured to use TLS migrations:
[root@overcloud-compute-0 ~]# docker exec nova_libvirt grep live_migration_scheme /etc/nova/nova.conf
# * ``live_migration_scheme``: If ``live_migration_uri`` is not set, the scheme
# used for live migration is taken from ``live_migration_scheme`` instead.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.