summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/profile/base/nova.pp67
-rw-r--r--spec/classes/tripleo_profile_base_nova_spec.rb160
2 files changed, 191 insertions, 36 deletions
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index 65355d4..d786940 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -129,6 +129,10 @@ class tripleo::profile::base::nova (
$memcache_servers = suffix(hiera('memcached_node_ips'), ':11211')
}
+ validate_array($migration_ssh_localaddrs)
+ $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) }
+ $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs)
+
if $step >= 4 or ($step >= 3 and $sync_db) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
include ::nova::config
@@ -183,10 +187,10 @@ class tripleo::profile::base::nova (
# Nova SSH tunnel setup (cold-migration)
# Server side
- if !empty($migration_ssh_localaddrs) {
- $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs,','))
+ if !empty($migration_ssh_localaddrs_real) {
+ $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,','))
$deny_type = 'LocalAddress'
- $deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!'))
+ $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!'))
ssh::server::match_block { 'nova_migration deny':
name => $deny_name,
@@ -217,31 +221,42 @@ class tripleo::profile::base::nova (
notify => Service['sshd']
}
- file { '/etc/nova/migration/authorized_keys':
- content => $migration_ssh_key['public_key'],
- mode => '0640',
- owner => 'root',
- group => 'nova_migration',
- require => Package['openstack-nova-migration'],
- }
+ $migration_authorized_keys = $migration_ssh_key['public_key']
+ $migration_identity = $migration_ssh_key['private_key']
+ $migration_user_shell = '/bin/bash'
+ }
+ else {
+ # Remove the keys and prevent login when migration over SSH is not enabled
+ $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+ $migration_identity = '# Migration over SSH disabled by TripleO'
+ $migration_user_shell = '/sbin/nologin'
+ }
- # Client side
- file { '/etc/nova/migration/identity':
- content => $migration_ssh_key['private_key'],
- mode => '0600',
- owner => 'nova',
- group => 'nova',
- require => Package['openstack-nova-migration'],
- }
- $migration_pkg_ensure = installed
- } else {
- $migration_pkg_ensure = absent
+ package { 'openstack-nova-migration':
+ ensure => present,
+ tag => ['openstack', 'nova-package'],
+ }
+
+ file { '/etc/nova/migration/authorized_keys':
+ content => $migration_authorized_keys,
+ mode => '0640',
+ owner => 'root',
+ group => 'nova_migration',
+ require => Package['openstack-nova-migration']
+ }
+
+ file { '/etc/nova/migration/identity':
+ content => $migration_identity,
+ mode => '0600',
+ owner => 'nova',
+ group => 'nova',
+ require => Package['openstack-nova-migration']
+ }
+
+ user {'nova_migration':
+ shell => $migration_user_shell,
+ require => Package['openstack-nova-migration']
}
- } else {
- $migration_pkg_ensure = absent
- }
- package {'openstack-nova-migration':
- ensure => $migration_pkg_ensure
}
}
}
diff --git a/spec/classes/tripleo_profile_base_nova_spec.rb b/spec/classes/tripleo_profile_base_nova_spec.rb
index d77ba1b..a7f1cce 100644
--- a/spec/classes/tripleo_profile_base_nova_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_spec.rb
@@ -95,9 +95,8 @@ describe 'tripleo::profile::base::nova' do
is_expected.to contain_class('nova::cache')
is_expected.to contain_class('nova::placement')
is_expected.to_not contain_class('nova::migration::libvirt')
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'absent'
- )
+ is_expected.to_not contain_file('/etc/nova/migration/authorized_keys')
+ is_expected.to_not contain_file('/etc/nova/migration/identity')
}
end
@@ -132,7 +131,22 @@ describe 'tripleo::profile::base::nova' do
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'absent'
+ :ensure => 'present'
+ )
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_file('/etc/nova/migration/identity').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0600',
+ :owner => 'nova',
+ :group => 'nova',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/sbin/nologin'
)
}
end
@@ -169,7 +183,22 @@ describe 'tripleo::profile::base::nova' do
:configure_nova => params[:nova_compute_enabled],
)
is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'absent'
+ :ensure => 'present'
+ )
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_file('/etc/nova/migration/identity').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0600',
+ :owner => 'nova',
+ :group => 'nova',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/sbin/nologin'
)
}
end
@@ -223,6 +252,9 @@ describe 'tripleo::profile::base::nova' do
}
)
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
+ is_expected.to contain_package('openstack-nova-migration').with(
+ :ensure => 'present'
+ )
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
@@ -235,8 +267,8 @@ describe 'tripleo::profile::base::nova' do
:owner => 'nova',
:group => 'nova',
)
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'installed'
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
)
}
end
@@ -297,6 +329,9 @@ describe 'tripleo::profile::base::nova' do
'DenyUsers' => 'nova_migration'
}
)
+ is_expected.to contain_package('openstack-nova-migration').with(
+ :ensure => 'present'
+ )
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
@@ -309,8 +344,110 @@ describe 'tripleo::profile::base::nova' do
:owner => 'nova',
:group => 'nova',
)
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
+ )
+ }
+ end
+
+ context 'with step 4 with libvirt and migration ssh key and invalid migration_ssh_localaddrs' do
+ let(:pre_condition) do
+ <<-eof
+ include ::nova::compute::libvirt::services
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+ eof
+ end
+ let(:params) { {
+ :step => 4,
+ :libvirt_enabled => true,
+ :manage_migration => true,
+ :nova_compute_enabled => true,
+ :bootstrap_node => 'node.example.com',
+ :oslomsg_rpc_hosts => [ 'localhost' ],
+ :oslomsg_rpc_password => 'foo',
+ :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
+ :migration_ssh_localaddrs => ['127.0.0.1', '']
+ } }
+
+ it { is_expected.to_not compile }
+ end
+
+ context 'with step 4 with libvirt and migration ssh key and duplicate migration_ssh_localaddrs' do
+ let(:pre_condition) do
+ <<-eof
+ include ::nova::compute::libvirt::services
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+ eof
+ end
+ let(:params) { {
+ :step => 4,
+ :libvirt_enabled => true,
+ :manage_migration => true,
+ :nova_compute_enabled => true,
+ :bootstrap_node => 'node.example.com',
+ :oslomsg_rpc_hosts => [ 'localhost' ],
+ :oslomsg_rpc_password => 'foo',
+ :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
+ :migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.1']
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova')
+ is_expected.to contain_class('nova').with(
+ :default_transport_url => /.+/,
+ :notification_transport_url => /.+/,
+ :nova_public_key => nil,
+ :nova_private_key => nil,
+ )
+ is_expected.to contain_class('nova::config')
+ is_expected.to contain_class('nova::placement')
+ is_expected.to contain_class('nova::cache')
+ is_expected.to contain_class('nova::migration::libvirt').with(
+ :transport => 'ssh',
+ :configure_libvirt => params[:libvirt_enabled],
+ :configure_nova => params[:nova_compute_enabled]
+ )
+ is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
+ :type => 'LocalAddress 127.0.0.1 User',
+ :name => 'nova_migration',
+ :options => {
+ 'ForceCommand' => '/bin/nova-migration-wrapper',
+ 'PasswordAuthentication' => 'no',
+ 'AllowTcpForwarding' => 'no',
+ 'X11Forwarding' => 'no',
+ 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
+ }
+ )
+ is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
+ :type => 'LocalAddress',
+ :name => '!127.0.0.1',
+ :options => {
+ 'DenyUsers' => 'nova_migration'
+ }
+ )
is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'installed'
+ :ensure => 'present'
+ )
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => 'ssh-rsa bar',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_file('/etc/nova/migration/identity').with(
+ :content => 'foo',
+ :mode => '0600',
+ :owner => 'nova',
+ :group => 'nova',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
)
}
end
@@ -365,6 +502,9 @@ describe 'tripleo::profile::base::nova' do
}
)
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
+ is_expected.to contain_package('openstack-nova-migration').with(
+ :ensure => 'present'
+ )
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
@@ -377,8 +517,8 @@ describe 'tripleo::profile::base::nova' do
:owner => 'nova',
:group => 'nova',
)
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'installed'
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
)
}
end