Merge "libvirt: support SASL authentication"

2022-03-12 16:46:54 +00:00 · 2022-03-12 16:46:54 +00:00 · 33415ed93e
commit 33415ed93e
parent f56f070130 d2d4b53d47
11 changed files with 133 additions and 10 deletions
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@ -529,6 +529,14 @@ migration_hostname: "{{ ansible_facts.nodename }}"
 # It does not change that often (in fact, most likely never ever).
 qemu_user_gid: 42427

+# Whether to enable libvirt SASL authentication.
+libvirt_enable_sasl: true
+# Username for libvirt SASL.
+libvirt_sasl_authname: "nova"
+# List of enabled libvirt SASL authentication mechanisms.
+libvirt_sasl_mech_list:
+  - "{{ 'SCRAM-SHA-256' if libvirt_tls | bool else 'DIGEST-MD5' }}"
+
 ####################
 # Kolla
 ####################
--- a/ansible/roles/nova-cell/handlers/main.yml
+++ b/ansible/roles/nova-cell/handlers/main.yml
@ -93,6 +93,7 @@
  vars:
    service_name: "nova-libvirt"
    service: "{{ nova_cell_services[service_name] }}"
+    nova_libvirt_notify: "{{ ['Create libvirt SASL user'] if libvirt_enable_sasl | bool else [] }}"
  become: true
  kolla_docker:
    action: "recreate_or_restart_container"
@ -112,6 +113,20 @@
  until: restart_nova_libvirt is success
  when:
    - kolla_action != "config"
+  notify: "{{ nova_libvirt_notify }}"
+
+# The SASL user needs to exist in order for nova-compute to start successfully.
+- name: Create libvirt SASL user
+  become: true
+  shell:
+    cmd: >
+      set -o pipefail &&
+      echo {{ libvirt_sasl_password }} |
+      docker exec -i nova_libvirt
+      saslpasswd2 -c -p -a libvirt {{ libvirt_sasl_authname }}
+    executable: /bin/bash
+  changed_when: true
+  no_log: true

 - name: Restart nova-compute container
  vars:
--- a/ansible/roles/nova-cell/tasks/config.yml
+++ b/ansible/roles/nova-cell/tasks/config.yml
@ -97,6 +97,26 @@
    - libvirt_tls | bool
    - libvirt_tls_manage_certs | bool

+- name: Copying over libvirt SASL configuration
+  become: true
+  vars:
+    service_name: "{{ item.service }}"
+    service: "{{ nova_cell_services[service_name] }}"
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ node_config_directory }}/{{ service_name }}/{{ item.dest }}"
+    mode: "0660"
+  when:
+    - libvirt_enable_sasl | bool
+    - inventory_hostname in groups[service.group]
+    - service.enabled | bool
+  with_items:
+    - { src: "auth.conf.j2", dest: "auth.conf", service: "nova-compute" }
+    - { src: "auth.conf.j2", dest: "auth.conf", service: "nova-libvirt" }
+    - { src: "sasl.conf.j2", dest: "sasl.conf", service: "nova-libvirt" }
+  notify:
+    - Restart {{ service_name }} container
+
 - name: Copying files for nova-ssh
  become: true
  vars:
--- a/ansible/roles/nova-cell/templates/auth.conf.j2
+++ b/ansible/roles/nova-cell/templates/auth.conf.j2
@ -0,0 +1,6 @@
+[credentials-default]
+authname={{ libvirt_sasl_authname }}
+password={{ libvirt_sasl_password }}
+
+[auth-libvirt-default]
+credentials=default
--- a/ansible/roles/nova-cell/templates/libvirtd.conf.j2
+++ b/ansible/roles/nova-cell/templates/libvirtd.conf.j2
@ -5,10 +5,11 @@ tls_port = "{{ nova_libvirt_port }}"
 key_file = "/etc/pki/libvirt/private/serverkey.pem"
 cert_file = "/etc/pki/libvirt/servercert.pem"
 ca_file = "/etc/pki/CA/cacert.pem"
+auth_tls = "{{ 'sasl' if libvirt_enable_sasl | bool else 'none' }}"
 {% else %}
 listen_tcp = 1
 listen_tls = 0
-auth_tcp = "none"
+auth_tcp = "{{ 'sasl' if libvirt_enable_sasl | bool else 'none' }}"
 tcp_port = "{{ nova_libvirt_port }}"
 ca_file = ""
 {% endif %}
--- a/ansible/roles/nova-cell/templates/nova-compute.json.j2
+++ b/ansible/roles/nova-cell/templates/nova-compute.json.j2
@ -55,7 +55,13 @@
            "owner": "nova",
            "perm": "0600",
            "optional": true
-        }
+        }{% if nova_compute_virt_type in ['kvm', 'qemu'] and libvirt_enable_sasl | bool %},
+        {
+            "source": "{{ container_config_directory }}/auth.conf",
+            "dest": "/var/lib/nova/.config/libvirt/auth.conf",
+            "owner": "nova",
+            "perm": "0600"
+        }{% endif %}
    ],
    "permissions": [
        {
--- a/ansible/roles/nova-cell/templates/nova-libvirt.json.j2
+++ b/ansible/roles/nova-cell/templates/nova-libvirt.json.j2
@ -55,6 +55,18 @@
            "dest": "/etc/ceph/ceph.conf",
            "owner": "nova",
            "perm": "0600"
+        }{% endif %}{% if libvirt_enable_sasl | bool %},
+        {
+            "source": "{{ container_config_directory }}/sasl.conf",
+            "dest": "/etc/sasl2/libvirt.conf",
+            "owner": "root",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/auth.conf",
+            "dest": "/root/.config/libvirt/auth.conf",
+            "owner": "root",
+            "perm": "0600"
        }{% endif %}
    ]
 }
--- a/ansible/roles/nova-cell/templates/sasl.conf.j2
+++ b/ansible/roles/nova-cell/templates/sasl.conf.j2
@ -0,0 +1,2 @@
+mech_list: {{ libvirt_sasl_mech_list | join(' ') }}
+sasldb_path: /etc/libvirt/passwd.db
--- a/doc/source/reference/compute/libvirt-guide.rst
+++ b/doc/source/reference/compute/libvirt-guide.rst
@ -1,5 +1,3 @@
-.. libvirt-tls-guide:
-
 ====================================
 Libvirt - Nova Virtualisation Driver
 ====================================
@ -23,16 +21,39 @@ hardware virtualisation (e.g. Virtualisation Technology (VT) BIOS configuration
 on Intel systems), ``qemu`` may be used to provide less performant
 software-emulated virtualisation.

+SASL Authentication
+===================
+
+The default configuration of Kolla Ansible is to run libvirt over TCP,
+authenticated with SASL. This should not be considered as providing a secure,
+encrypted channel, since the username/password SASL mechanisms available for
+TCP are no longer considered cryptographically secure. However, it does at
+least provide some authentication for the libvirt API. For a more secure
+encrypted channel, use :ref`libvirt TLS <libvirt-tls>`.
+
+SASL is enabled according to the ``libvirt_enable_sasl`` flag, which defaults
+to ``true``.
+
+The username is configured via ``libvirt_sasl_authname``, and defaults to
+``kolla``. The password is configured via ``libvirt_sasl_password``, and is
+generated with other passwords using and stored in ``passwords.yml``.
+
+The list of enabled authentication mechanisms is configured via
+``libvirt_sasl_mech_list``, and defaults to ``["SCRAM-SHA-256"]`` if libvirt
+TLS is enabled, or ``["DIGEST-MD5"]`` otherwise.
+
+.. libvirt-tls:
+
 Libvirt TLS
 ===========

 The default configuration of Kolla Ansible is to run libvirt over TCP, with
-authentication disabled. As long as one takes steps to protect who can access
-the port this works well. However, in the case where you want live-migration to
-be allowed across hypervisors one may want to either add some level of
-authentication to the connections or make sure VM data is passed between
-hypervisors in a secure manner. To do this we can enable TLS for libvirt and
-make nova use it.
+SASL authentication. As long as one takes steps to protect who can access
+the network this works well. However, in a less trusted environment one may
+want to use encryption when accessing the libvirt API. To do this we can enable
+TLS for libvirt and make nova use it. Mutual TLS is configured, providing
+authentication of clients via certificates. SASL authentication provides a
+further level of security.

 Using libvirt TLS
 ~~~~~~~~~~~~~~~~~
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@ -253,3 +253,8 @@ keystone_federation_openid_crypto_password:
 # Ceph RadosGW options
 ####################
 ceph_rgw_keystone_password:
+
+##################
+# libvirt options
+##################
+libvirt_sasl_password:
--- a/releasenotes/notes/libvirt-sasl-404199143610fb75.yaml
+++ b/releasenotes/notes/libvirt-sasl-404199143610fb75.yaml
@ -0,0 +1,27 @@
+---
+features:
+  - |
+    Adds support for libvirt SASL authentication. It is enabled by default.
+    `LP#1964013 <https://bugs.launchpad.net/kolla-ansible/+bug/1964013>`__
+security:
+  - |
+    Fixes an issue where the default configuration of libvirt did not use
+    authentication for the API exposed over TCP on the internal API network.
+    This allowed anyone with access to the internal API network read-write
+    access to libvirt. While the internal API network is typically trusted,
+    other services on this network generally at least require authentication.
+
+    SASL authentication is now enabled for libvirt by default. Kolla Ansible
+    supports libvirt TLS since the Train release, and this is recommended to
+    provide a higher level of security. `LP#1964013
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1964013>`__
+upgrade:
+  - |
+    The addition of libvirt SASL authentication requires a new password in
+    ``passwords.yml``, ``libvirt_sasl_password``. This may be generated using
+    the existing ``kolla-genpwd`` and ``kolla-mergepwd`` tooling.
+  - |
+    The addition of libvirt SASL authentication requires both the
+    ``nova_libvirt`` and ``nova_compute`` containers to be updated
+    simultaneously, using new images with the necessary Cyrus SASL
+    dependencies, as well as configuration containing the SASL credentials.