Bug 1513440 - Re-enable libvirt TLS with SASL authentication
Summary: Re-enable libvirt TLS with SASL authentication
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 12.0 (Pike)
Assignee: Ollie Walsh
QA Contact: Joe H. Rahme
Depends On:
Blocks: 1336504 1484481
TreeView+ depends on / blocked
Reported: 2017-11-15 12:15 UTC by Ollie Walsh
Modified: 2018-02-05 19:15 UTC (History)
6 users (show)

Fixed In Version: openstack-tripleo-heat-templates-7.0.3-14.el7ost, puppet-tripleo-7.4.3-10.el7ost, openstack-tripleo-common-7.6.3-5.el7ost, openstack-tripleo-puppet-elements-7.0.1-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-13 22:20:31 UTC
Target Upstream Version:

Attachments (Terms of Use)
rhosp-director-images patch for cyrus-sasl-scram (1.27 KB, application/mbox)
2017-11-15 20:02 UTC, Jon Schlueter
no flags Details

System ID Private Priority Status Summary Last Updated
Launchpad 1732479 0 None None None 2017-11-15 15:49:23 UTC
OpenStack gerrit 522843 0 None stable/pike: MERGED tripleo-puppet-elements: Include required packages for libvirt SASL auth 2017-11-27 19:13:11 UTC
OpenStack gerrit 522845 0 None stable/pike: MERGED kolla: Include required packages for libvirt SASL auth on CentOs/RHEL 2017-11-27 19:13:06 UTC
OpenStack gerrit 522846 0 None stable/pike: MERGED tripleo-common: Generate password for libvirt TLS SCRAM auth 2017-11-27 19:13:02 UTC
OpenStack gerrit 522847 0 None stable/pike: MERGED puppet-tripleo: Configure libvirt SASL SCRAM-SHA1 when TLS is enabled 2017-11-27 19:12:58 UTC
OpenStack gerrit 522848 0 None stable/pike: MERGED tripleo-heat-templates: Re-enable libvirt TLS with SCRAM SHA-1 auth 2017-11-27 19:12:54 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Description Ollie Walsh 2017-11-15 12:15:52 UTC
Libvirt TLS with client certs alone is not secure and has been disabled in https://bugzilla.redhat.com/show_bug.cgi?id=1510216.

Additional measures must be taken to control access, such as fine grained control of the permitted clients (e.g by using a dedicated CA for libvirt) or configuring SASL authentication.

Comment 2 Jon Schlueter 2017-11-15 15:27:34 UTC
This will require a kolla patch upstream for master and stable/pike for the nova_libvirt docker file

and likely a dib element for overcloud-full in upstream if they care about the issue.

Comment 3 Jon Schlueter 2017-11-15 20:02:22 UTC
Created attachment 1352946 [details]
rhosp-director-images patch for cyrus-sasl-scram

Comment 6 Jon Schlueter 2017-11-27 19:20:23 UTC
openstack-nova-libvirt-docker > 12.0-20171127.1 should have this fix

Comment 8 Joe H. Rahme 2017-12-04 16:18:46 UTC
Libvirt configured with TLS:

[root@overcloud-compute-0 ~]# docker exec nova_libvirt grep listen_tls /etc/libvirt/libvirtd.conf
#listen_tls = 0

Nova configured to use TLS migrations:

[root@overcloud-compute-0 ~]# docker exec nova_libvirt grep live_migration_scheme /etc/nova/nova.conf
# * ``live_migration_scheme``: If ``live_migration_uri`` is not set, the scheme
#   used for live migration is taken from ``live_migration_scheme`` instead.
# ``live_migration_scheme``

Comment 11 errata-xmlrpc 2017-12-13 22:20:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.