Merge "Certificates permission fixed for libvirt vnc+tls"
diff --git a/README.rst b/README.rst
index 42ba8db..2720bdd 100644
--- a/README.rst
+++ b/README.rst
@@ -986,6 +986,32 @@
key: (certificate content)
cert: (certificate content)
+Controlling access by `tls_allowed_dn_list`.
+Enable an access control list of client certificate Distinguished Names (DNs)
+which can connect to the TLS port on this server. The default is that DNs are
+not checked. This list may contain wildcards such as
+"C=GB,ST=London,L=London,O=Libvirt Project,CN=*" See the POSIX fnmatch function
+for the format of the wildcards.
+Note that if this is an empty list, no client can connect.
+Note also that GnuTLS returns DNs without spaces after commas between
+the fields (and this is what we check against), but the openssl x509 tool
+shows spaces.
+
+.. code-block:: yaml
+
+ nova:
+ compute:
+ libvirt:
+ tls:
+ tls_allowed_dn_list:
+ host1:
+ enabled: true
+ value: 'C=foo,CN=cmp1'
+ host2:
+ enabled: true
+ value: 'C=foo,CN=cmp2'
+
+
You can read more about live migration over TLS here:
https://wiki.libvirt.org/page/TLSCreateServerCerts
diff --git a/nova/client/init.sls b/nova/client/init.sls
new file mode 100644
index 0000000..e058d2d
--- /dev/null
+++ b/nova/client/init.sls
@@ -0,0 +1,2 @@
+include:
+- nova.client.resources
diff --git a/nova/client.sls b/nova/client/resources/init.sls
similarity index 93%
rename from nova/client.sls
rename to nova/client/resources/init.sls
index 87ae2cb..6dae528 100644
--- a/nova/client.sls
+++ b/nova/client/resources/init.sls
@@ -1,11 +1,14 @@
{%- from "nova/map.jinja" import client with context %}
{%- if client.enabled %}
+include:
+- nova.client.resources.v21
+
nova_client_packages:
pkg.installed:
- names: {{ client.pkgs }}
-{%- for identity_name, identity in client.server.iteritems() %}
+{%- for identity_name, identity in client.get('server', {}).iteritems() %}
{%- if identity.flavor is defined %}
@@ -75,3 +78,4 @@
{%- endfor %}
{%- endif %}
+
diff --git a/nova/client/resources/v21.sls b/nova/client/resources/v21.sls
new file mode 100644
index 0000000..448a94c
--- /dev/null
+++ b/nova/client/resources/v21.sls
@@ -0,0 +1,33 @@
+{%- from "nova/map.jinja" import client with context %}
+{%- if client.enabled %}
+
+{%- for identity_name, identity in client.get('resources', {}).get('v21', {}).iteritems() %}
+
+ {%- if identity.flavor is defined %}
+ {%- for flavor_name, flavor in identity.flavor.iteritems() %}
+
+novav21_openstack_flavor_{{ flavor_name }}:
+ novav21.flavor_present:
+ - name: {{ flavor_name }}
+ - cloud_name: {{ identity_name }}
+ {%- if flavor.flavor_id is defined %}
+ - flavor_id: {{ flavor.flavor_id }}
+ {%- endif %}
+ {%- if flavor.ram is defined %}
+ - ram: {{ flavor.ram }}
+ {%- endif %}
+ {%- if flavor.disk is defined %}
+ - disk: {{ flavor.disk }}
+ {%- endif %}
+ {%- if flavor.vcpus is defined %}
+ - vcpus: {{ flavor.vcpus }}
+ {%- endif %}
+ {%- if flavor.extra_specs is defined %}
+ - extra_specs: {{ flavor.extra_specs }}
+ {%- endif %}
+
+ {%- endfor %}
+ {%- endif %}
+
+{%- endfor %}
+{%- endif %}
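Review bot: `- extra_specs: {{ flavor.extra_specs }}` injects the Python repr of a dict into the rendered YAML, which only parses as a flow mapping while every key and value reprs as a plain single-quoted str; on a Python 2 minion where pillar strings are unicode it comes out as `{u'hw:cpu_policy': u'dedicated'}`, which the YAML loader reads as plain-scalar keys `u'...'` rather than the intended keys. Use Salt's JSON filter, `- extra_specs: {{ flavor.extra_specs|json }}`, which is always valid YAML flow syntax with proper escaping. `- flavor_id: {{ flavor.flavor_id }}` has a related typing issue: an all-digit id is loaded as an integer, so if `novav21.flavor_present` expects a string id, quote it as `- flavor_id: '{{ flavor.flavor_id }}'`. The `iteritems()` calls on both loops are Python 2 only; `items()` behaves the same on both interpreters.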
diff --git a/nova/files/pike/libvirtd.conf.Debian b/nova/files/pike/libvirtd.conf.Debian
index d8836f9..aab457c 100644
--- a/nova/files/pike/libvirtd.conf.Debian
+++ b/nova/files/pike/libvirtd.conf.Debian
@@ -28,6 +28,14 @@
{%- set ca_file = compute.libvirt.tls.ca_file %}
{%- set unix_sock_ro_perms = "0000" %}
{%- set unix_sock_rw_perms = "0000" %}
+{%- if compute.libvirt.tls.allowed_dn_list is defined %}
+ {% set tls_allowed_dn_list = [] %}
+ {%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}
+ {%- if item.enabled %}
+ {%- do tls_allowed_dn_list.append(item.value) %}
+ {%- endif %}
+ {%- endfor %}
+{%- endif %}
{%- else %}
{%- set listen_tls = 0 %}
{%- set listen_tcp = 1 %}
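Review bot: The pillar key read on the new `{%- if compute.libvirt.tls.allowed_dn_list is defined %}` line does not match the key the README in this same commit documents, `nova:compute:libvirt:tls:tls_allowed_dn_list`; unless map.jinja remaps it (not visible here), an operator who follows the README gets no `tls_allowed_dn_list` line rendered and libvirt keeps its default of not checking DNs at all, silently leaving the TLS port open to any certificate the CA has signed. Pick one spelling for both the template and the README, e.g. `{%- if compute.libvirt.tls.tls_allowed_dn_list is defined %}` here. Separately, an entry with no `enabled` key is dropped by the `{%- if item.enabled %}` test because an undefined attribute is falsy; if that is intended, say so in the README, otherwise use `{%- if item.get('enabled', True) %}`. The enclosing TLS `{%- if %}` branch starts before this hunk.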
@@ -250,6 +258,9 @@
# By default, no DN's are checked
#tls_allowed_dn_list = ["DN1", "DN2"]
+{%- if tls_allowed_dn_list is defined %}
+tls_allowed_dn_list = {{ tls_allowed_dn_list }}
+{%- endif %}
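Review bot: `tls_allowed_dn_list = {{ tls_allowed_dn_list }}` emits the Python repr of the list, so the DNs come out single-quoted and, on a Salt/Python 2 minion where pillar strings are unicode, as `[u'C=foo,CN=cmp1']`, which libvirtd's config parser will most likely reject so the daemon fails to start; libvirt's documented form is `["DN1", "DN2"]`. Render it through Salt's JSON filter instead, `tls_allowed_dn_list = {{ tls_allowed_dn_list|json }}`, which yields double-quoted, properly escaped strings regardless of interpreter. Note also that when the pillar key exists but every entry has `enabled: false`, the list is defined and empty, and per libvirt (quoted in the README hunk) an empty list means no TLS client can connect, including live-migration peers; if disabling every entry should instead mean "no DN check", guard with `{%- if tls_allowed_dn_list %}`, and either way document which behaviour was chosen.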
# A whitelist of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames
diff --git a/nova/files/queens/libvirtd.conf.Debian b/nova/files/queens/libvirtd.conf.Debian
index d8836f9..aab457c 100644
--- a/nova/files/queens/libvirtd.conf.Debian
+++ b/nova/files/queens/libvirtd.conf.Debian
@@ -28,6 +28,14 @@
{%- set ca_file = compute.libvirt.tls.ca_file %}
{%- set unix_sock_ro_perms = "0000" %}
{%- set unix_sock_rw_perms = "0000" %}
+{%- if compute.libvirt.tls.allowed_dn_list is defined %}
+ {% set tls_allowed_dn_list = [] %}
+ {%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}
+ {%- if item.enabled %}
+ {%- do tls_allowed_dn_list.append(item.value) %}
+ {%- endif %}
+ {%- endfor %}
+{%- endif %}
{%- else %}
{%- set listen_tls = 0 %}
{%- set listen_tcp = 1 %}
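Review bot: The key consulted on the new `{%- if compute.libvirt.tls.allowed_dn_list is defined %}` line differs from the one the README in this commit tells operators to set, `nova:compute:libvirt:tls:tls_allowed_dn_list`; unless map.jinja translates between them (not visible here), a README-following deployment renders no `tls_allowed_dn_list` at all and libvirt falls back to its default of accepting any client certificate the CA signed, with no error to hint at the mismatch. Align the two, e.g. `{%- if compute.libvirt.tls.tls_allowed_dn_list is defined %}`. The `{%- if item.enabled %}` test also silently skips entries that omit `enabled`, since an undefined attribute is falsy; either document that or use `{%- if item.get('enabled', True) %}`. The surrounding TLS `{%- if %}` branch begins before this hunk.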
@@ -250,6 +258,9 @@
# By default, no DN's are checked
#tls_allowed_dn_list = ["DN1", "DN2"]
+{%- if tls_allowed_dn_list is defined %}
+tls_allowed_dn_list = {{ tls_allowed_dn_list }}
+{%- endif %}
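Review bot: `tls_allowed_dn_list = {{ tls_allowed_dn_list }}` writes the list's Python repr into libvirtd.conf, giving single-quoted entries and, where Salt hands the template unicode pillar strings (Python 2 minions), a `u` prefix such as `[u'C=foo,CN=cmp2']` that libvirt's config parser is unlikely to accept, leaving libvirtd unable to start; the documented syntax is `["DN1", "DN2"]`. Use `tls_allowed_dn_list = {{ tls_allowed_dn_list|json }}` so the output is double-quoted and escaped independent of interpreter. Be aware too that a pillar key whose entries are all `enabled: false` produces `tls_allowed_dn_list = []`, which libvirt treats as "no client may connect" (as the README hunk itself states), cutting off live migration; decide whether that fail-closed behaviour is wanted or switch the guard to `{%- if tls_allowed_dn_list %}`, and record the decision in the README.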
# A whitelist of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames