Hey,

So PKI is being used in multiple places lately. While you probably can disable it almost everywhere, I'd suggest dealing with it rather than trying to disable it. If we take live migrations as an example, tunneled migrations are deprecated for removal in nova, due to being a bottleneck and preventing migration of VMs with local storage [1].

OpenStack-Ansible does have a PKI role [2], which will create a local CA authority and make it trusted on all managed hosts. The upgrade script [3] and documentation [4] contain a step required to issue such a Certificate Authority. The only thing I will suggest doing is to override the defaults [5] for PKI, so that they contain data valid for your environment. Other than that - it should be working out of the box.

Answering your question regarding usage of tunneled migrations - you can still do that by defining variables:

    nova_libvirtd_listen_tls: 0
    nova_libvirtd_listen_tcp: 1

This will trigger the logic to not start libvirt with TLS support and continue using tunneled migrations.

[1] https://docs.openstack.org/nova/xena/configuration/config.html#libvirt.live_...
[2] https://opendev.org/openstack/ansible-role-pki
[3] https://opendev.org/openstack/openstack-ansible/src/tag/xena-eom/scripts/run...
[4] https://docs.openstack.org/openstack-ansible/xena/admin/upgrades/major-upgra...
[5] https://opendev.org/openstack/openstack-ansible/src/tag/xena-eom/inventory/g...

Mon, 20 Jan 2025 at 14:02, Rambo Rambo <ram.ramb2412@gmail.com>:
Hi Team,

I am planning an openstack-ansible Wallaby to Xena upgrade.

    Distribution: openstack-ansible
    Release: Wallaby (current) ==> Xena (planned)
I was checking the release notes of Xena and could see that there is an introduction of SSL in several services, with nova for live migrations being one of them: https://docs.openstack.org/releasenotes/openstack-ansible/xena.html
As per the release notes:
Nova now defaults to using the "QEMU-native TLS" feature for live migrations, rather than the deprecated SSH method. A pre-existing PKI (Public Key Infrastructure) setup is required.
QEMU-native TLS requires all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.
More information can be found here: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu...
Can you please confirm what steps are required to set up this PKI before doing the upgrade, or whether it will be taken care of by the internal PKI via the openstack-ansible upgrade method? Is there any option to skip this QEMU-native TLS for live migrations and keep the original SSH-based live migrations?
Regards
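A post-upgrade check for the setup discussed above: connect to each compute host's libvirt TLS listener (port 16514 from the release notes) and confirm the certificate chain verifies against the CA the PKI role issued. This is an added example, not code from the thread or from openstack-ansible; it assumes the openssl CLI is installed, and the CA file path and compute hostnames are placeholders for your deployment's values.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread or of openstack-ansible.
# Assumes: openssl CLI available; CA path and hostnames are placeholders.
set -u

# Port libvirt listens on for QEMU-native TLS (from the Xena release notes).
LIBVIRT_TLS_PORT=16514

# Return 0 when captured `openssl s_client` output shows the peer chain
# verified against the CA we passed in, non-zero otherwise.
tls_output_verified() {
    # $1: full output of openssl s_client
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Extract a one-line reason for a failed check from the openssl output.
tls_failure_reason() {
    printf '%s\n' "$1" | grep -m1 -E 'Verify return code|refused|error' \
        || echo 'no verification result in output'
}

# Connect to one compute host and validate its libvirt TLS certificate chain.
check_compute_tls() {
    # $1: compute hostname, $2: CA bundle (placeholder path in usage below)
    local host=$1 cafile=$2 out
    out=$(openssl s_client -connect "${host}:${LIBVIRT_TLS_PORT}" \
            -CAfile "${cafile}" -verify_return_error </dev/null 2>&1)
    if tls_output_verified "$out"; then
        echo "OK   ${host}: libvirt TLS listener chain verified against ${cafile}"
    else
        echo "FAIL ${host}: $(tls_failure_reason "$out")"
        return 1
    fi
}

# Usage (placeholders): ./check_tls.sh /path/to/osa-ca.crt compute1 compute2
if [ -n "${1:-}" ]; then
    cafile=$1; shift
    rc=0
    for h in "$@"; do check_compute_tls "$h" "$cafile" || rc=1; done
    exit "$rc"
fi
```

A FAIL with "refused" on every host usually means libvirt is still running with the tunneled-migration variables set, while a non-zero verify code means the hosts were issued certificates from a CA other than the one you passed in.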