enable secure data transport between QEMU servers for migration

Bug #1793093 reported by Martin Schuppert
Affects: tripleo
Status: Fix Released
Importance: Undecided
Assigned to: Martin Schuppert
Milestone:

Bug Description

The default QEMU migration transport runs a clear text TCP connection between the two QEMU servers. It is possible to tunnel the migration connection over libvirtd's secure connection, but this imposes a significant performance penalty. It is also not possible to tunnel the NBD connection used for block migration at all.

As a step towards securing the management network we need to have Nova configure QEMU to use native TLS support on its migration and NBD data transports, without any tunneling.

This depends on the libvirt support for TLS encryption for NBD disks.
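
The following audit script is an added example for this bug page; it is not code from the report or from the TripleO patches linked below. It checks one compute node for what the description asks for: native TLS on the migration stream and on the NBD stream used for block migration, with no libvirtd tunnelling. It assumes names the page itself does not state: libvirt's qemu.conf keys migrate_tls_x509_cert_dir, migrate_tls_x509_verify, nbd_tls and nbd_tls_x509_cert_dir; Nova's [libvirt] live_migration_with_native_tls option, which requests TLS for the migration stream and requires live_migration_tunnelled to be off; and the fixed file names QEMU's x509 credentials object loads from a certificate directory. The before/after configs and the certificate files it creates are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or the TripleO patches): audit a
# compute node for native TLS on the QEMU migration and NBD transports.
# Assumed, not stated on the page: the libvirt qemu.conf keys, Nova's
# live_migration_with_native_tls / live_migration_tunnelled options, and
# QEMU's x509 file names. demo_setup builds constructed sample files.

# Value of KEY in a qemu.conf-style file, quotes stripped; empty when the
# key is absent or commented out. The last occurrence wins.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

# Value of KEY under [SECTION] in an ini-style nova.conf, lower-cased.
ini_value() {  # ini_value FILE SECTION KEY
    awk -v s="[$2]" -v k="$3" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
        END     { print v }' "$1" | tr 'A-Z' 'a-z'
}

# QEMU's tls-creds-x509 object loads fixed file names from the cert dir.
# A compute node is both migration server and client, so all five files
# must exist, and the private keys must not be readable by other users
# (columns 8-10 of ls -l are the "other" permission bits).
cert_dir_complete() {  # cert_dir_complete DIR
    for f in ca-cert.pem server-cert.pem server-key.pem client-cert.pem client-key.pem; do
        [ -r "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
    for f in server-key.pem client-key.pem; do
        [ "$(ls -l "$1/$f" | cut -c8-10)" = "---" ] \
            || { echo "$1/$f is readable by other users" >&2; return 1; }
    done
}

# 0 when qemu.conf enables native TLS on the NBD transport, verifies the
# migration peer, and points both transports at complete cert dirs;
# otherwise 1 after reporting every gap on stderr.
check_qemu_conf() {  # check_qemu_conf QEMU_CONF
    ok=0
    [ "$(conf_value "$1" migrate_tls_x509_verify)" = 1 ] \
        || { echo "migrate_tls_x509_verify is not set to 1: peer certificate not checked" >&2; ok=1; }
    [ "$(conf_value "$1" nbd_tls)" = 1 ] \
        || { echo "nbd_tls is not 1: block-migration NBD stream is clear text" >&2; ok=1; }
    for key in migrate_tls_x509_cert_dir nbd_tls_x509_cert_dir; do
        dir=$(conf_value "$1" "$key")
        if [ -z "$dir" ]; then echo "$key is not set" >&2; ok=1
        else cert_dir_complete "$dir" || ok=1; fi
    done
    return $ok
}

# 0 when Nova asks libvirt for TLS on the migration stream and does not
# also tunnel it through libvirtd (the two settings are mutually exclusive).
check_nova_conf() {  # check_nova_conf NOVA_CONF
    ok=0
    [ "$(ini_value "$1" libvirt live_migration_with_native_tls)" = true ] \
        || { echo "live_migration_with_native_tls is not true: migration stream is clear text" >&2; ok=1; }
    [ "$(ini_value "$1" libvirt live_migration_tunnelled)" != true ] \
        || { echo "live_migration_tunnelled is true: disable it when using native TLS" >&2; ok=1; }
    return $ok
}

# Constructed before/after layout under a temp dir; prints its path.
# "before" is the clear-text default the bug describes, "after" is the
# TLS-everywhere shape. The .pem files are placeholders, not real certs.
demo_setup() {
    d=$(mktemp -d)
    for t in migrate nbd; do
        mkdir -p "$d/pki/$t"
        for f in ca-cert.pem server-cert.pem server-key.pem client-cert.pem client-key.pem; do
            echo "placeholder, not a real certificate" > "$d/pki/$t/$f"
        done
        chmod 600 "$d/pki/$t/server-key.pem" "$d/pki/$t/client-key.pem"
    done
    printf '%s\n' '#nbd_tls = 0' 'security_driver = "selinux"' > "$d/before-qemu.conf"
    printf '[libvirt]\nlive_migration_tunnelled=False\n' > "$d/before-nova.conf"
    cat > "$d/after-qemu.conf" <<EOF
migrate_tls_x509_cert_dir = "$d/pki/migrate"
migrate_tls_x509_verify = 1
nbd_tls = 1
nbd_tls_x509_cert_dir = "$d/pki/nbd"
EOF
    printf '[libvirt]\nlive_migration_with_native_tls=True\nlive_migration_tunnelled=False\n' \
        > "$d/after-nova.conf"
    echo "$d"
}

demo=$(demo_setup)
for stage in before after; do
    echo "== $stage =="
    q=0; n=0
    check_qemu_conf "$demo/$stage-qemu.conf" || q=1
    check_nova_conf "$demo/$stage-nova.conf" || n=1
    if [ $q = 0 ] && [ $n = 0 ]; then echo "native TLS on migration and NBD: OK"
    else echo "native TLS on migration and NBD: NOT OK"; fi
done
```

On a real node, point check_qemu_conf at /etc/libvirt/qemu.conf and check_nova_conf at nova's config on the compute host instead of the constructed files; the certificate directories must hold a CA and a server/client pair issued for the compute host, which in the tls-everywhere deployment the patches below arrange through the certificate tooling rather than by hand.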

Changed in tripleo:
assignee: nobody → Martin Schuppert (mschuppert)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/603341

Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/603341
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=62861db22df6170123352b978eb9e7f472b67d6f
Submitter: Zuul
Branch: master

commit 62861db22df6170123352b978eb9e7f472b67d6f
Author: Martin Schuppert <email address hidden>
Date: Tue Sep 11 11:15:42 2018 +0200

    Add support for native TLS encryption on NBD for disk migration

    The NBD protocol previously ran in clear text, offering no security
    protection for the data transferred, unless it is tunnelled over some
    external transport like SSH. Such tunnelling is inefficient and
    inconvenient to manage. Support for TLS to the NBD clients & servers
    provided by QEMU was added. In the tls-everywhere use case we want to
    take advantage of this feature to create the certificates and configure
    qemu to use nbd tls.

    Related-bug: 1793093
    Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
    Change-Id: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/603343
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=fe9372eceb0eba77635549ed4ddcd56040186fbf
Submitter: Zuul
Branch: master

commit fe9372eceb0eba77635549ed4ddcd56040186fbf
Author: Martin Schuppert <email address hidden>
Date: Tue Sep 11 11:21:40 2018 +0200

    Add support for native TLS encryption on NBD for disk migration

    The NBD protocol previously ran in clear text, offering no security
    protection for the data transferred, unless it is tunnelled over some
    external transport like SSH. Such tunnelling is inefficient and
    inconvenient to manage. Support for TLS to the NBD clients & servers
    provided by QEMU was added. In the tls-everywhere use case we want to
    take advantage of this feature to create the certificates and configure
    qemu to use nbd tls.

    Closes-Bug: 1793093
    Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
    Depends-On: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
    Depends-On: I347881cf4822583179c0c042c42fa1e33dbcedd2
    Change-Id: I7d9df304d75bdbe36ecdfe50e5ce6b42a53063cc

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.4.0

This issue was fixed in the openstack/tripleo-heat-templates 10.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/716254

OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/rocky)

Change abandoned by Rajesh Tailor (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/716254
Reason: Required nova change is not backported upstream.
