Hi Dmitriy,
Thanks for all the details. Can you please confirm, regarding the port communication "QEMU-native TLS requires *all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.*": on which of the compute VLANs should these ports be opened: br_management, br_storage, br_vxlan?
Regards
On Mon, Jan 20, 2025 at 8:29 PM Dmitriy Rabotyagov <noonedeadpunk@gmail.com> wrote:
Yes, so the upgrade scripts should be taking care of that. We also have upgrade tests that ensure enablement of TLS not only for nova, but for all frontends and services, like mariadb and rabbitmq. I'm not sure when it was introduced though, likely it was in zed or yoga...
So, the default issue time for certificates is 10 years. At least, I thought it was 10 years until I started replying to you, as eventually we're using the default values from the community.crypto collection (which is 1 year for the latest version).
With that, the role/playbooks do not verify the validity of certificates and do not trigger their re-issue during runtime on their own. In order to re-issue certificates, you need to run a service playbook with the extra-var pki_regen_cert, i.e.:
openstack-ansible os-nova-install.yml -e pki_regen_cert=true
You can supply a certificate name to the pki_regen_cert variable instead of "true"; then only the certificate with the matching name will be regenerated.
But eventually we need to review our flow in the near future, as I see how things might become problematic soon.
Though I believe that older collection versions should have way more generous defaults.
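Since the role does not check certificate validity for you, the practitioner's gap here is an expiry check that decides which certificates to pass to pki_regen_cert. The following is an added example, not OpenStack-Ansible's or Dmitriy's code: it takes the `notAfter=...` line that `openssl x509 -noout -enddate` prints for each PEM file, flags certificates that expire within a lead window, and builds the matching playbook invocations. The certificate names, the sample dates, the playbook name and the 30-day window are assumptions for illustration.

```python
"""Plan PKI certificate re-issue for OpenStack-Ansible (added example).

The PKI role does not re-issue certificates on its own, so this helper
turns `openssl x509 -noout -enddate` output into a list of certificate
names that should be passed to `-e pki_regen_cert=<name>`.
"""
import ssl
import subprocess

# Constructed sample input (assumed certificate names and dates), in the
# exact shape `openssl x509 -noout -enddate -in <file>` prints.
SAMPLE_ENDDATES = {
    "nova_api": "notAfter=Jan 20 20:11:00 2026 GMT",
    "nova_libvirtd_server": "notAfter=Feb 15 09:00:00 2025 GMT",
}

DEFAULT_LEAD_SECONDS = 30 * 86400  # assumed renewal window: 30 days


def parse_enddate(line: str) -> int:
    """Return notAfter as seconds since the epoch (UTC).

    ssl.cert_time_to_seconds understands the "%b %d %H:%M:%S %Y GMT"
    format that openssl uses for notBefore/notAfter.
    """
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"expected a notAfter= line, got {line!r}")
    return ssl.cert_time_to_seconds(value)


def plan_regen(enddates: dict, now: int,
               lead_seconds: int = DEFAULT_LEAD_SECONDS) -> list:
    """Names of certificates already expired or expiring within lead_seconds."""
    due = []
    for name, line in enddates.items():
        remaining = parse_enddate(line) - now
        if remaining <= lead_seconds:
            due.append(name)
    return sorted(due)


def regen_commands(playbook: str, names: list) -> list:
    """One playbook run per certificate name (name instead of "true")."""
    return [f"openstack-ansible {playbook} -e pki_regen_cert={n}" for n in names]


def cert_enddate(pem_path: str) -> str:
    """On a real deploy host: read notAfter from a PEM file via openssl.

    Not exercised offline; point it at the PEM files the PKI role wrote.
    """
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Pretend "now" is the evening of the thread's date (assumed).
    now = parse_enddate("notAfter=Jan 20 20:00:00 2025 GMT")
    # Assumed playbook name for the nova service.
    for cmd in regen_commands("os-nova-install.yml",
                              plan_regen(SAMPLE_ENDDATES, now)):
        print(cmd)
```

The lead window is a local choice; whatever you pick, run the check on a schedule rather than relying on the role, because nothing in the playbooks will warn you before a certificate lapses.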
On Mon, 20 Jan 2025, 20:11 Rambo Rambo, <ram.ramb2412@gmail.com> wrote:
Hi Dmitriy
Thanks for the details. So, to summarise: if we are upgrading using the run_upgrade.sh script, the script will take care of the PKI, certificates and CA, and we need not do anything extra on our side. Also, how do we manage the expiry and renewal of certificates?
Thanks. If there is no extra work required, we will stick to the defaults.
Regards
On Mon, Jan 20, 2025 at 3:06 PM Dmitriy Rabotyagov <noonedeadpunk@gmail.com> wrote:
Hey,
So PKI is being used in multiple places lately. While you probably can disable it almost everywhere, I'd suggest dealing with it rather than trying to disable it. If we take live migrations as an example, tunneled migrations are deprecated for removal in nova, due to being a bottleneck and preventing migration of VMs with local storage [1].
OpenStack-Ansible does have a PKI role [2], which will create a local CA authority and make it trusted on all managed hosts. The upgrade script [3] and documentation [4] contain the step required to issue such a Certificate Authority. The only thing I would suggest doing is to override the defaults [5] for PKI, so that they contain data valid for your environment. Other than that, it should be working out of the box.
Answering your question regarding usage of tunneled migrations: you can still do that by defining the variables:
nova_libvirtd_listen_tls: 0
nova_libvirtd_listen_tcp: 1
This will trigger the logic to not start libvirt with TLS support and continue using tunneled migrations.
[1] https://docs.openstack.org/nova/xena/configuration/config.html#libvirt.live_...
[2] https://opendev.org/openstack/ansible-role-pki
[3] https://opendev.org/openstack/openstack-ansible/src/tag/xena-eom/scripts/run...
[4] https://docs.openstack.org/openstack-ansible/xena/admin/upgrades/major-upgra...
[5] https://opendev.org/openstack/openstack-ansible/src/tag/xena-eom/inventory/g...
On Mon, 20 Jan 2025 at 14:02, Rambo Rambo <ram.ramb2412@gmail.com> wrote:
Hi Team
I am planning an openstack-ansible Wallaby to Xena upgrade.
Distribution: openstack-ansible
Release: Wallaby (current) ==> Xena (planned)
I was checking the release notes of Xena and could see that there is an introduction of SSL in several services, with nova for live migrations being one of them.
https://docs.openstack.org/releasenotes/openstack-ansible/xena.html
As per the release notes:
Nova now defaults to using the “QEMU-native TLS” feature for live migrations, rather than the deprecated SSH method. A pre-existing PKI (Public Key Infrastructure) setup is required.
QEMU-native TLS requires all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.
More information can be found here: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu...
Can you please confirm what steps are required to set up this PKI before doing the upgrade, or whether it will be taken care of by the internal PKI using the openstack-ansible upgrade method? Is there any option to skip this QEMU-native TLS for live migrations and keep the original SSH-based live migrations?
Regards