Hey,
So PKI is being used in multiple places lately. While you probably can
disable it almost everywhere, I'd suggest dealing with it rather than
trying to disable it. If we take live migrations as an example, tunneled
migrations are deprecated for removal in nova, due to being a
bottleneck and preventing migration of VMs with local storage [1].
OpenStack-Ansible does have a PKI role [2], which will create a local
CA authority and make it trusted on all managed hosts. Upgrade script
[3] and documentation [4] contain a step required to issue such a
Certificate Authority.
The only thing I will suggest doing is to override the defaults [5] for
PKI, so that they contain data valid for your environment. Other than
that, it should work out of the box.
Answering your question regarding usage of tunneled migrations - you
can still do that by defining the following variables:
nova_libvirtd_listen_tls: 0
nova_libvirtd_listen_tcp: 1
This will trigger the logic to not start libvirt with TLS support and
continue using tunneled migrations.
[1] https://docs.openstack.org/nova/xena/configuration/config.html#libvirt.live_migration_tunnelled
[2] https://opendev.org/openstack/ansible-role-pki
[3] https://opendev.org/openstack/openstack-ansible/src/tag/xena-eom/scripts/run-upgrade.sh#L175
[4] https://docs.openstack.org/openstack-ansible/xena/admin/upgrades/major-upgrades.html#upgrade-hosts
[5] https://opendev.org/openstack/openstack-ansible/src/tag/xena-eom/inventory/group_vars/all/ssl.yml#L25-L66
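A post-upgrade check worth running once the PKI role has deployed the CA (added example, not code from this thread or from openstack-ansible): it connects to each compute host's libvirt TLS port 16514 and verifies that the server certificate chains to the OSA-created CA, matches the hostname and is not close to expiry. The CA file path is taken as an argument because it depends on your PKI overrides; the hostnames are whatever you pass in.

```python
#!/usr/bin/env python3
"""Verify the libvirt TLS listener used by QEMU-native TLS live migration
on each compute host against the CA distributed by the OSA PKI role."""
import datetime
import socket
import ssl
import sys
from typing import Optional

LIBVIRT_TLS_PORT = 16514  # libvirtd TLS port named in the Xena release notes


def days_until_expiry(not_after: str, now: Optional[datetime.datetime] = None) -> int:
    """not_after is in the format ssl.getpeercert() returns,
    e.g. 'Jan  5 09:59:03 2012 GMT'. Negative means already expired."""
    expiry = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=datetime.timezone.utc)
    now = now or datetime.datetime.now(tz=datetime.timezone.utc)
    return (expiry - now).days


def check_libvirt_tls(host: str, cafile: str, port: int = LIBVIRT_TLS_PORT,
                      min_days: int = 30) -> dict:
    """Open a TLS connection to host:port the way a migration peer would:
    chain verified against cafile (the OSA-generated CA) and hostname checked.
    Raises ssl.SSLError / OSError when verification or the connection fails."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    days_left = days_until_expiry(cert["notAfter"])
    return {
        "host": host,
        "tls_version": version,
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "days_left": days_left,
        "expiring_soon": days_left < min_days,
    }


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} CA_FILE COMPUTE_HOST [COMPUTE_HOST ...]")
    ca_file, failed = sys.argv[1], False
    for h in sys.argv[2:]:
        try:
            print(check_libvirt_tls(h, ca_file))
        except (ssl.SSLError, OSError) as exc:
            print(f"{h}: FAIL {exc}")
            failed = True
    sys.exit(1 if failed else 0)
```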
Mon, 20 Jan 2025 at 14:02, Rambo Rambo <ram.ramb2412@gmail.com>:
>
> Hi Team
>
> I am planning openstack-ansible wallaby to Xena upgrade.
> Distribution: openstack-ansible
> Release: Wallaby (current) ==> Xena (Planned)
>
> I was checking the release notes of Xena and could see that there is introduction of SSL in several services with nova for live migrations one of them.
> https://docs.openstack.org/releasenotes/openstack-ansible/xena.html
>
> As per the release notes:
>
> Nova now defaults to using the “QEMU-native TLS” feature for live migrations, rather than the deprecated SSH method. A pre-existing PKI (Public Key Infrastructure) setup is required.
>
> QEMU-native TLS requires all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.
>
> More information can be found here: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html
>
>
> Can you please confirm what steps are required to set up this PKI before doing the upgrade, or whether it will be taken care of by internal-pki using the openstack-ansible upgrade method?
> Is there any option to skip this QEMU-native TLS for live-migrations and keep the original ssh based live-migrations?
>
> Regards