Enable libvirt control channel and live migration over TLS

This section explains how to enable TLS encryption for libvirt. By protecting libvirt with TLS, you protect your cloud workloads from security compromise: an attacker without an appropriate TLS certificate cannot connect to libvirtd and affect its operation. Even if the user does not define custom certificates in their Reclass configuration, the certificates are created automatically.

Note

The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.

To enable libvirt control channel and live migration over TLS:

  1. Log in to the Salt Master node.

  2. Select from the following options:

    • To use dynamically generated pillars from the Salt minion with the automatically generated certificates, add the following class to the classes/cluster/cluster_name/openstack/compute/init.yml file of your Reclass model:

      classes:
      ...
      - system.nova.compute.libvirt.ssl
      
    • To install the pre-created certificates, define them as follows in the pillar:

      nova:
        compute:
          libvirt:
            tls:
              enabled: True
              key: certificate_content
              cert: certificate_content
              cacert: certificate_content
              client:
                key: certificate_content
                cert: certificate_content
      
  3. Optional. In classes/cluster/cluster_name/openstack/compute/init.yml, modify the following default configuration for SSL ciphers as required:

    Warning

    The default SSL ciphers configuration below contains only the TLS v1.2 FIPS-approved cipher suites. Using weak or medium strength encryption suites can potentially lead to security or compliance issues in your cluster. Therefore, Mirantis highly recommends keeping the default configuration for this parameter.

    nova:
      compute:
        libvirt:
          tls:
            ...
            priority: "SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:\
              -CIPHER-ALL:+AES-256-GCM:+AES-256-CBC:-MAC-ALL:+AEAD:+SHA384"
    
  4. Apply the changes by running the nova state for all compute nodes:

    salt 'cmp*' state.apply nova
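
The following Python check is an added example, not part of the Mirantis procedure or product code: it flags anything in a modified priority value from step 3 that widens the string beyond the documented default. It models only the +/- modifiers of the GnuTLS priority syntax; the ALLOWED table, DEFAULT_PRIORITY constant, and lint_priority name are assumptions of this example.

```python
# Added example: simplified lint for a GnuTLS priority string. It is not GnuTLS's
# parser. ALLOWED mirrors the default from step 3; using that default as the
# allowlist is an assumption of this example.
ALLOWED = {
    "VERS-ALL": {"VERS-TLS1.2"},
    "KX-ALL": {"ECDHE-RSA", "ECDHE-ECDSA"},
    "CIPHER-ALL": {"AES-256-GCM", "AES-256-CBC"},
    "MAC-ALL": {"AEAD", "SHA384"},
}
DEFAULT_PRIORITY = (
    "SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:"
    "-CIPHER-ALL:+AES-256-GCM:+AES-256-CBC:-MAC-ALL:+AEAD:+SHA384"
)


def lint_priority(priority):
    """Return findings; an empty list means the string stays within ALLOWED."""
    findings = []
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    if not tokens or tokens[0][0] in "+-!%":
        findings.append("no base keyword (such as SECURE256) at the start")
    else:
        tokens = tokens[1:]
    reset = set()                           # groups cleared with -<GROUP>
    enabled = {group: set() for group in ALLOWED}
    for tok in tokens:
        op, name = tok[0], tok[1:]
        if op in "-!" and name in ALLOWED:  # e.g. -CIPHER-ALL
            reset.add(name)
            enabled[name].clear()
        elif op in "-!":                    # removing a single algorithm
            for items in enabled.values():
                items.discard(name)
        elif op == "+":
            group = next((g for g, ok in ALLOWED.items() if name in ok), None)
            if group is None:
                findings.append(f"+{name}: not in the documented default")
            else:
                enabled[group].add(name)
        else:                               # %OPTIONS or a second keyword
            findings.append(f"{tok}: not reviewed by this lint")
    for group in ALLOWED:
        if group not in reset:
            findings.append(f"-{group} missing: inherits from the base keyword")
        elif not enabled[group]:
            findings.append(f"{group}: nothing enabled after the reset")
    return findings


if __name__ == "__main__":
    for candidate in (DEFAULT_PRIORITY, "NORMAL:+VERS-TLS1.0:-MAC-ALL:+SHA1"):
        print(candidate, "->", lint_priority(candidate) or "OK")
```

On a host with the GnuTLS tools installed, `gnutls-cli --list --priority '<string>'` prints the cipher suites the library itself derives from a priority string.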