This section explains how to enable TLS encryption for libvirt. Protecting libvirt with TLS guards your cloud workloads against compromise: an attacker without a valid TLS certificate cannot connect to libvirtd or affect its operation. Even if you do not define custom certificates in your Reclass configuration, the certificates are created automatically.
Note
The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.
To enable the libvirt control channel and live migration over TLS:
Log in to the Salt Master node.
Select from the following options:
To use dynamically generated pillars from the Salt minion with the automatically generated certificates, add the following class in the classes/cluster/cluster_name/openstack/compute/init.yml file of your Reclass model:

classes:
  ...
  - system.nova.compute.libvirt.ssl
To install the pre-created certificates, define them as follows in the pillar:

nova:
  compute:
    libvirt:
      tls:
        enabled: True
        key: certificate_content
        cert: certificate_content
        cacert: certificate_content
        client:
          key: certificate_content
          cert: certificate_content
Optional. In classes/cluster/cluster_name/openstack/compute/init.yml, modify the following default configuration for SSL ciphers as required:
Warning
The default SSL ciphers configuration below contains only the TLS v1.2 FIPS-approved cipher suites. Using weak or medium strength encryption suites can potentially lead to security or compliance issues in your cluster. Therefore, Mirantis highly recommends keeping the default configuration for this parameter.
nova:
  compute:
    libvirt:
      tls:
        ...
        priority: "SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:\
                   -CIPHER-ALL:+AES-256-GCM:+AES-256-CBC:-MAC-ALL:+AEAD:+SHA384"
Apply the changes by running the nova state for all compute nodes:
salt 'cmp*' state.apply nova
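As an added example, not part of the Mirantis documentation or of the salt formula, the following Python helper evaluates a GnuTLS priority string such as the tls.priority value above under a simplified model of the keyword grammar and reports when an edited string re-enables legacy protocol versions or weak key exchange, cipher or MAC algorithms. The keyword table and the weak-keyword lists are the example's own choices, and the SECURE256 base keyword is not expanded, so a category that is never reset with -<CAT>-ALL is reported as unrestricted.

```python
import re

# Keyword -> category table: a subset of GnuTLS keyword names chosen for this example.
KEYWORDS = {
    "RSA": "KX", "DHE-RSA": "KX", "ECDHE-RSA": "KX", "ECDHE-ECDSA": "KX", "ANON-DH": "KX",
    "AES-128-GCM": "CIPHER", "AES-256-GCM": "CIPHER", "AES-128-CBC": "CIPHER",
    "AES-256-CBC": "CIPHER", "CHACHA20-POLY1305": "CIPHER", "3DES-CBC": "CIPHER",
    "ARCFOUR-128": "CIPHER", "NULL": "CIPHER",
    "AEAD": "MAC", "SHA256": "MAC", "SHA384": "MAC", "SHA1": "MAC", "MD5": "MAC",
}
# Keywords that should never be re-added to a hardened libvirtd priority string.
WEAK = {"KX": {"RSA", "ANON-DH"}, "CIPHER": {"3DES-CBC", "ARCFOUR-128", "NULL"},
        "MAC": {"MD5", "SHA1"}}
MODERN_VERSIONS = {"VERS-TLS1.2", "VERS-TLS1.3"}
# The default pillar value from the documentation above (YAML line continuation removed).
DEFAULT_PRIORITY = ("SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:"
                    "-CIPHER-ALL:+AES-256-GCM:+AES-256-CBC:-MAC-ALL:+AEAD:+SHA384")


def evaluate_priority(priority):
    """Walk keywords left to right; a category is a known set only after a -<CAT>-ALL
    reset, otherwise it still inherits the (unexpanded) base keyword and stays None."""
    effective = {"VERS": None, "KX": None, "CIPHER": None, "MAC": None}
    for token in priority.replace("\\\n", "").split(":"):
        token = token.strip()
        if not token or token[0] not in "+-":
            continue  # base keyword such as SECURE256 or NORMAL
        op, name = token[0], token[1:]
        reset = re.fullmatch(r"(VERS|KX|CIPHER|MAC)-ALL", name)
        if reset:
            effective[reset.group(1)] = set() if op == "-" else None
            continue
        category = "VERS" if name.startswith("VERS-") else KEYWORDS.get(name)
        if category is None:
            raise ValueError(f"keyword not in table: {name}")
        if effective[category] is not None:  # edits to an unexpanded base set are not tracked
            (effective[category].add if op == "+" else effective[category].discard)(name)
    return effective


def weak_settings(priority):
    """Return how a priority string is weaker than DEFAULT_PRIORITY ([] means no findings)."""
    findings = []
    for category, allowed in evaluate_priority(priority).items():
        if allowed is None:
            findings.append(f"{category} inherited from base keyword, not explicitly restricted")
        elif category == "VERS":
            findings += [f"legacy protocol enabled: {v}" for v in sorted(allowed - MODERN_VERSIONS)]
        else:
            findings += [f"weak {category}: {k}" for k in sorted(allowed & WEAK[category])]
    return findings
```

Run weak_settings() on the priority value from your pillar before applying the nova state; an empty list means the string is at least as restrictive as the default for the categories the model tracks.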