Backport CA and certificate fixes to 4.5.0.z #347
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently our internal CA is always issued for 10 years during the initial engine-setup. This carries over upgrades and on old enough installations we can get close to expiration. We don't have an easy way how to replace internal CA without complete downtime, and running over the expiration date leads to a complete cease of communication between all oVirt components. Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2079799
michalskrivanek
requested review from
ahadas,
bennyz,
emesika,
mwperina,
oliel,
sgratch and
didib
as code owners
Non-web certificates are not subjects to the lifetime limitations required by web browsers. VDS certificates must be renewed when the host is in maintenance, which makes frequent upgrades difficult. Let’s extend the lifetime of non-web certificates to 5 years (a value selected by Michal) to make the certificate updates much less frequent. Bug-Url: https://bugzilla.redhat.com/2079835
…host-upgrade Otherwise the whole playbook will stop immediately and host upgrade fails. We want to proceed instead and update the certificates. Bug-Url: https://bugzilla.redhat.com/2079890
Currently, we warn about host certificate expiration 120 days in advance and alert and perform renewal on host upgrades 30 days in advance. These proved to be too late, many users don’t pay appropriate attention to warnings and alerts and when there is no host upgrade during the relatively short period, the users may end up with expired certificates and non-responsive hosts. Now, when we have extended the lifetime of host certificates to 3650 days, we can warn about host certificate expiration earlier and force renewal on host upgrades already during the warning period. This increases the chances there will be a host upgrade (with certificate renewal) during the period. Value of CertExpirationWarnPeriodInDays is increased to 365. This change also extends the warning period for all other certificates except for web certificates. Bug-Url: https://bugzilla.redhat.com/2079890
When a host certificate expires the host becomes non-responsive. There is no longer a way to connect to the host via the Vdsm API. But it would be still possible to renew the certificate if the operation wasn’t blocked in the web UI. Let’s permit enrolling certificates from the menu also for hosts in non-responsive state, to make life easier for users who ignore warning about upcoming certificate expiration until it actually happens. Of course, a host can become non-responsive also for other reasons than its certificate expiration. If the users decide to renew certificates in such states, it’s their own decision and risk. A host in such a state is not in a good shape anyway and restarting the services running on it, as needed by the certificate renewal, is not that much an issue. Bug-Url: https://bugzilla.redhat.com/2079901
OVN services are not restarted after OVN certificate update. Unlike other services, which are restarted after enrolling certificates, these ones are not restarted together with libvirtd restart and need their own restart action. Bug-Url: https://bugzilla.redhat.com/2079901
After updating Vdsm certificates, the corresponding services are not restarted. Or, actually, they are, but only as a part of ovirt-host-deploy-vnc-certificates role if those certificates happened to be updated as well (they usually do), which is not entirely sufficient. And ovirt-imageio is not restarted at all. Let’s make sure the services are always restarted after Vdsm certificates update. It’s sufficient to restart libvirtd (it restarts vdsmd etc. too) and ovirt-imageio (vdsmd wants it started but doesn’t ensure its restart). We check for both ‘enabled’ status and ‘running’ states. Some services may be stopped before updates, so checking for ‘running’ wouldn’t be sufficient. And ovirt-imageio may be running but not enabled, which is probably a bug but it doesn’t harm to check for both. This change also means that some services may be restarted more than once during a certificate update. Fixing this would need introducing inter-role service handling, which would be too complicated at the moment. Multiple restarts should be usually harmless because this is normally done in the maintenance mode. Bug-Url: https://bugzilla.redhat.com/2079901
Expose VdsCertificateValidityInDays in engine-config to allow to set custom validity period of hypervisor certificates. Bug-Url: https://bugzilla.redhat.com/2079890
Non-web certificates are not subjects to the lifetime limitations required by web browsers. Let’s extend the lifetime of non-web Engine certificates to 5 years (the same value as for the host certificates) to make the certificate updates much less frequent. Let’s also drop the check for long certificate lifetime. All web certificates should already have the shortened lifetime, otherwise they wouldn’t work with current browsers. Bug-Url: https://bugzilla.redhat.com/2079835
Checks for vmconsole-proxy-host and vmconsole-proxy-user certificates status were missing, resulting in those certificates not renewed when needed. This patch adds the missing checks. Bug-Url: https://bugzilla.redhat.com/2066084
michalskrivanek
requested review from
ljelinkova and
sandrobonazzola
as code owners
michalskrivanek
changed the title
mz-pdm
approved these changes
May 9, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
backport of certificate-related fixes
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2079799
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2079835
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2079890
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2075352
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2079901
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2066084