Hi Dmitriy,

Thanks for the details. So, to summarise: if we upgrade using the run_upgrade.sh script, the script will take care of the PKI, certificates and CA, and we need not do anything extra from our side. Also, how do we manage the expiry and renewal of certificates? Thanks; if there is no extra work required, we will stick to the defaults.

Regards

On Mon, Jan 20, 2025 at 3:06 PM Dmitriy Rabotyagov <noonedeadpunk@gmail.com> wrote:
Hey,
So PKI is being used in multiple places lately. While you probably can disable it almost everywhere, I'd suggest dealing with it rather than trying to disable it. If we take live migrations as an example, tunneled migrations are deprecated for removal in nova, due to being a bottleneck and preventing migration of VMs with local storage [1].
OpenStack-Ansible does have a PKI role [2], which will create a local CA authority and make it trusted on all managed hosts. The upgrade script [3] and documentation [4] contain the step required to issue such a Certificate Authority. The only thing I will suggest doing is to override the defaults [5] for PKI, so that they contain data valid for your environment. Other than that, it should be working out of the box.
Answering your question regarding usage of tunneled migrations - you can still do that by defining variables:

    nova_libvirtd_listen_tls: 0
    nova_libvirtd_listen_tcp: 1
This will trigger the logic to not start libvirt with TLS support and continue using tunneled migrations.
[1] https://docs.openstack.org/nova/xena/configuration/config.html#libvirt.live_...
[2] https://opendev.org/openstack/ansible-role-pki
[3] https://opendev.org/openstack/openstack-ansible/src/tag/xena-eom/scripts/run...
[4] https://docs.openstack.org/openstack-ansible/xena/admin/upgrades/major-upgra...
[5] https://opendev.org/openstack/openstack-ansible/src/tag/xena-eom/inventory/g...
On Mon, 20 Jan 2025 at 14:02, Rambo Rambo <ram.ramb2412@gmail.com> wrote:
Hi Team,

I am planning an openstack-ansible Wallaby to Xena upgrade.

Distribution: openstack-ansible
Release: Wallaby (current) ==> Xena (planned)
I was checking the release notes of Xena and could see that there is an introduction of SSL in several services, with nova for live migrations being one of them.

https://docs.openstack.org/releasenotes/openstack-ansible/xena.html

As per the release notes:

Nova now defaults to using the “QEMU-native TLS” feature for live migrations, rather than the deprecated SSH method. A pre-existing PKI (Public Key Infrastructure) setup is required.

QEMU-native TLS requires all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.
More information can be found here:
https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu...
Can you please confirm what steps are required to set up this PKI before doing the upgrade, or whether it will be taken care of by the internal PKI using the openstack-ansible upgrade method?

Is there any option to skip this QEMU-native TLS for live migrations and keep the original SSH-based live migrations?

Regards
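The expiry and renewal question raised above is not answered in the thread; as an added example (not code from the thread or from OpenStack-Ansible), this POSIX shell check flags which of the TLS server certificates used by QEMU-native live migration expire within a given number of days, so renewal can be scheduled before libvirt on port 16514 or QEMU starts refusing migrations. The certificate paths are libvirt's upstream defaults and are an assumption; adjust them to wherever the OSA PKI role installs them on your compute hosts.

```shell
#!/bin/sh
# Added example: report TLS certificates used by libvirt/QEMU live migration
# that expire within N days. Requires the openssl CLI.
# The paths are libvirt's upstream defaults (an assumption, not OSA-specific).

DEFAULT_CERTS="/etc/pki/libvirt/servercert.pem /etc/pki/qemu/server-cert.pem /etc/pki/CA/cacert.pem"

# cert_expires_within_days FILE DAYS
# Returns 0 if FILE's notAfter falls within DAYS (or is already past), 1 otherwise.
# openssl's own -checkend does the date arithmetic, so no GNU/BSD date parsing is needed.
cert_expires_within_days() {
  secs=$(( $2 * 86400 ))
  if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
    return 1   # still valid beyond the window
  fi
  return 0     # expires (or has expired) within the window
}

# check_migration_certs DAYS [FILE...]
# Prints one status line per certificate (defaults to DEFAULT_CERTS when no
# files are given). Missing files are reported and skipped. Returns 1 if any
# existing certificate expires within DAYS, 0 otherwise.
check_migration_certs() {
  days=$1; shift
  [ "$#" -gt 0 ] || set -- $DEFAULT_CERTS
  rc=0
  for f in "$@"; do
    if [ ! -r "$f" ]; then
      echo "MISSING  $f"
      continue
    fi
    end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    if cert_expires_within_days "$f" "$days"; then
      echo "RENEW    $f (expires $end)"
      rc=1
    else
      echo "OK       $f (expires $end)"
    fi
  done
  return $rc
}

# Usage when run directly: sh check_migration_certs.sh 30 [/path/to/cert.pem ...]
[ "$#" -gt 0 ] && { check_migration_certs "$@"; exit $?; }
```

Run it from cron or an Ansible ad-hoc command across the compute hosts; a non-zero exit means at least one certificate needs renewal within the window.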