Commit b57c3b5

Remove bare URLs
Signed-off-by: Anja Strunk <[email protected]>
1 parent 2be9a0a commit b57c3b5

File tree

1 file changed

+4
-12
lines changed

Standards/scs-0122-v1-secure-connections.md

Lines changed: 4 additions & 12 deletions
@@ -88,26 +88,18 @@ As such, severe risks are associated with unauthorized access to this interface
8888

8989
This is acknowledged in the OpenStack Security Note [OSSN-0007](https://wiki.openstack.org/wiki/OSSN/OSSN-0007), which recommends either configuring SASL and/or TLS for libvirt connections or utilizing the UNIX socket in combination with SSH.
9090

91-
The OpenStack kolla-ansible documentation on Nova libvirt connections states[^1]:
91+
The OpenStack [kolla-ansible documentation](https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#sasl-authentication) on Nova libvirt connections state:
9292

9393
> This should not be considered as providing a secure, encrypted channel, since the username/password SASL mechanisms available for TCP are no longer considered cryptographically secure.
9494
95-
[^1]: https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#sasl-authentication
96-
9795
This leaves only TLS or UNIX socket with SSH as viable options for securing the channel.
9896

9997
#### TLS for libvirt and live migration
10098

101-
Since the Stein release of OpenStack, Nova supports QEMU-native TLS[^2] which protects the migration data streams using TLS.
102-
It requires to add `LIBVIRTD_ARGS="--listen"` to the QEMU configuration, which will lead to TLS being active on the libvirt interface per default (due to `listen_tls` defaulting to being enabled[^3]).
99+
Since the Stein release of OpenStack, Nova supports [QEMU-native TLS](https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html) which protects the migration data streams using TLS.
100+
It requires to add `LIBVIRTD_ARGS="--listen"` to the [QEMU configuration](https://libvirt.org/remote.html#libvirtd-configuration-file), which will lead to TLS being active on the libvirt interface per default (due to `listen_tls` defaulting to being enabled).
103101
This protects data streams for migration as well as the hypervisor control channel data flow with TLS but does not restrict access.
104-
Client certificates must be deployed additionally and libvirt configured accordingly[^4] in order to meaningfully restrict access to the interface as advised by the OSSN-0007 document.
105-
106-
[^2]: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html
107-
108-
[^3]: https://libvirt.org/remote.html#libvirtd-configuration-file
109-
110-
[^4]: https://wiki.libvirt.org/TLSDaemonConfiguration.html#restricting-access
102+
Client certificates must be deployed additionally and libvirt configured accordingly[^4] in order to meaningfully restrict access to the interface as advised by the OSSN-0007 document, see restricting-access in [Libvirt doc](https://wiki.libvirt.org/TLSDaemonConfiguration.html#restricting-access).
111103

112104
#### Local UNIX socket and SSH live migration
113105

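Review bot: new line 102 still carries the footnote marker `[^4]` after "configured accordingly", yet the definition `[^4]: https://wiki.libvirt.org/TLSDaemonConfiguration.html#restricting-access` is deleted in the same hunk, so the marker will render literally as "[^4]" and resolve to nothing; drop the marker, since the same target now appears as the inline link at the end of that sentence. Two smaller points in the same hunk: new line 91 changes "states" to "state", but the subject is the singular "documentation", so the original "states" was correct; and on new line 100 the link text "QEMU configuration" points at the libvirtd configuration-file section of libvirt's remote.html, and `LIBVIRTD_ARGS="--listen"` and `listen_tls` are libvirtd settings rather than QEMU settings, so "libvirtd configuration" would name the target accurately. The tail of line 102, "see restricting-access in [Libvirt doc](...)", also reads awkwardly; "see the restricting-access section of the [libvirt TLS daemon documentation](...)" would be smoother.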