summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/profile/base/nova/migration/proxy.pp78
-rw-r--r--manifests/profile/base/nova/migration/target.pp7
-rw-r--r--manifests/profile/base/sshd.pp17
-rw-r--r--spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb103
-rw-r--r--spec/classes/tripleo_profile_base_nova_migration_target_spec.rb45
-rw-r--r--spec/classes/tripleo_profile_base_sshd_spec.rb52
6 files changed, 296 insertions, 6 deletions
diff --git a/manifests/profile/base/nova/migration/proxy.pp b/manifests/profile/base/nova/migration/proxy.pp
new file mode 100644
index 0000000..318a1f8
--- /dev/null
+++ b/manifests/profile/base/nova/migration/proxy.pp
@@ -0,0 +1,78 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::nova::migration::proxy
+#
+# Nova migration proxy profile for tripleo.
+# Used to proxy connections from baremetal sshd to dockerized sshd on a
+# different port during rolling upgrades.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ssh_private_key*]
+# (Optional) SSH private_key for migration SSH tunnel.
+# Defaults to ''
+#
+# [*target_host*]
+# (Optional) SSH hostname to proxy.
+# Defaults to hiera('fqdn_internal_api', '127.0.0.1')
+#
+# [*target_port*]
+# (Optional) SSH port to proxy.
+# Defaults to 22
+
+class tripleo::profile::base::nova::migration::proxy (
+ $step = Integer(hiera('step')),
+ $ssh_private_key = '',
+ $target_host = hiera('fqdn_internal_api', '127.0.0.1'),
+ $target_port = 22
+) {
+
+ include ::tripleo::profile::base::nova::migration
+
+ if $step >= 4 {
+ if !empty($ssh_private_key) {
+ class { '::tripleo::profile::base::nova::migration::target':
+ step => $step,
+ wrapper_command => "/bin/ssh \
+-p ${target_port} \
+-i /etc/nova/migration/proxy_identity \
+-o BatchMode=yes \
+-o UserKnownHostsFile=/dev/null \
+nova_migration@${target_host} \
+\$SSH_ORIGINAL_COMMAND"
+ }
+
+ $migration_identity = $ssh_private_key
+ $migration_identity_ensure = 'present'
+ }
+ else {
+ $migration_identity = ''
+ $migration_identity_ensure = 'absent'
+ }
+
+ file { '/etc/nova/migration/proxy_identity':
+ ensure => $migration_identity_ensure,
+ content => $migration_identity,
+ mode => '0600',
+ owner => 'nova_migration',
+ group => 'nova_migration',
+ require => Package['openstack-nova-migration']
+ }
+ }
+}
diff --git a/manifests/profile/base/nova/migration/target.pp b/manifests/profile/base/nova/migration/target.pp
index 7c21028..a2f1256 100644
--- a/manifests/profile/base/nova/migration/target.pp
+++ b/manifests/profile/base/nova/migration/target.pp
@@ -37,12 +37,17 @@
# If the nova_migration_target service is not enabled then migration over
# ssh will be disabled.
# Defaults to hiera('service_names', [])
+#
+# [*wrapper_command*]
+# (Internal) Used to override the wrapper command when proxying
+# Defaults to /bin/nova-migration-wrapper
class tripleo::profile::base::nova::migration::target (
$step = Integer(hiera('step')),
$ssh_authorized_keys = [],
$ssh_localaddrs = [],
$services_enabled = hiera('service_names', []),
+ $wrapper_command = '/bin/nova-migration-wrapper',
) {
include ::tripleo::profile::base::nova::migration
@@ -81,7 +86,7 @@ class tripleo::profile::base::nova::migration::target (
type => $allow_type,
order => 1,
options => {
- 'ForceCommand' => '/bin/nova-migration-wrapper',
+ 'ForceCommand' => $wrapper_command,
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
index 3f0245d..22520e9 100644
--- a/manifests/profile/base/sshd.pp
+++ b/manifests/profile/base/sshd.pp
@@ -31,11 +31,16 @@
# Hash of SSHD options to set. See the puppet-ssh module documentation for
# details.
# Defaults to {}
+#
+# [*port*]
+# SSH port or list of ports to bind to
+# Defaults to [22]
class tripleo::profile::base::sshd (
$bannertext = hiera('BannerText', undef),
$motd = hiera('MOTD', undef),
- $options = {}
+ $options = {},
+ $port = [22],
) {
if $bannertext and $bannertext != '' {
@@ -67,10 +72,18 @@ class tripleo::profile::base::sshd (
$sshd_options_motd = {}
}
+ if $options['Port'] {
+ $sshd_options_port = {'Port' => unique(concat(any2array($options['Port']), $port))}
+ }
+ else {
+ $sshd_options_port = {'Port' => unique(any2array($port))}
+ }
+
$sshd_options = merge(
$options,
$sshd_options_banner,
- $sshd_options_motd
+ $sshd_options_motd,
+ $sshd_options_port
)
# NB (owalsh) in puppet-ssh hiera takes precedence over the class param
diff --git a/spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb
new file mode 100644
index 0000000..71aaf79
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb
@@ -0,0 +1,103 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::nova::migration::proxy' do
+ shared_examples_for 'tripleo::profile::base::nova::migration::proxy' do
+
+ context 'with step 4 with defaults (disabled)' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ } }
+
+ it {
+ is_expected.to_not contain_class('tripleo::profile::base::nova::migration::target')
+ is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(:ensure => 'absent')
+ }
+ end
+
+ context 'with step 4 with ssh_private_key' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_private_key => 'foo',
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration::target').with(
+ :wrapper_command => '/bin/ssh -p 22 -i /etc/nova/migration/proxy_identity -o BatchMode=yes -o UserKnownHostsFile=/dev/null nova_migration@127.0.0.1 $SSH_ORIGINAL_COMMAND'
+ )
+ is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(
+ :content => 'foo',
+ :mode => '0600',
+ :owner => 'nova_migration',
+ :group => 'nova_migration',
+ )
+ }
+ end
+
+ context 'with step 4 with host and port' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_private_key => 'foo',
+ :target_host => 'node.example.com',
+ :target_port => 1000
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration::target').with(
+ :wrapper_command => '/bin/ssh -p 1000 -i /etc/nova/migration/proxy_identity -o BatchMode=yes -o UserKnownHostsFile=/dev/null nova_migration@node.example.com $SSH_ORIGINAL_COMMAND'
+ )
+ is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(
+ :content => 'foo',
+ :mode => '0600',
+ :owner => 'nova_migration',
+ :group => 'nova_migration',
+ )
+ }
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+ it_behaves_like 'tripleo::profile::base::nova::migration::proxy'
+ end
+ end
+end \ No newline at end of file
diff --git a/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb
index a14b89a..4c872b7 100644
--- a/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb
@@ -269,6 +269,51 @@ eos
it { is_expected.to_not compile }
end
+ context 'with step 4 with wrapper_command' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
+ :services_enabled => ['docker', 'nova_migration_target'],
+ :wrapper_command => '/bin/true'
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
+ :type => 'User',
+ :name => 'nova_migration',
+ :options => {
+ 'ForceCommand' => '/bin/true',
+ 'PasswordAuthentication' => 'no',
+ 'AllowTcpForwarding' => 'no',
+ 'X11Forwarding' => 'no',
+ 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
+ }
+ )
+ is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => 'ssh-rsa bar\nssh-rsa baz',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
+ )
+ }
+ end
+
end
diff --git a/spec/classes/tripleo_profile_base_sshd_spec.rb b/spec/classes/tripleo_profile_base_sshd_spec.rb
index 58b271f..6333e6b 100644
--- a/spec/classes/tripleo_profile_base_sshd_spec.rb
+++ b/spec/classes/tripleo_profile_base_sshd_spec.rb
@@ -26,7 +26,9 @@ describe 'tripleo::profile::base::sshd' do
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
- 'options' => {}
+ 'options' => {
+ 'Port' => [22]
+ }
})
is_expected.to_not contain_file('/etc/issue')
is_expected.to_not contain_file('/etc/issue.net')
@@ -39,7 +41,9 @@ describe 'tripleo::profile::base::sshd' do
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
- 'options' => {}
+ 'options' => {
+ 'Port' => [22]
+ }
})
is_expected.to_not contain_file('/etc/issue')
is_expected.to_not contain_file('/etc/issue.net')
@@ -47,13 +51,50 @@ describe 'tripleo::profile::base::sshd' do
end
end
+ context 'with port configured' do
+ let(:params) {{ :port => 123 }}
+ it do
+ is_expected.to contain_class('ssh::server').with({
+ 'storeconfigs_enabled' => false,
+ 'options' => {
+ 'Port' => [123]
+ }
+ })
+ end
+ end
+
+ context 'with port configured and port option' do
+ let(:params) {{ :port => 123, :options => {'Port' => 456} }}
+ it do
+ is_expected.to contain_class('ssh::server').with({
+ 'storeconfigs_enabled' => false,
+ 'options' => {
+ 'Port' => [456, 123]
+ }
+ })
+ end
+ end
+
+ context 'with port configured and same port option' do
+ let(:params) {{ :port => 123, :options => {'Port' => 123} }}
+ it do
+ is_expected.to contain_class('ssh::server').with({
+ 'storeconfigs_enabled' => false,
+ 'options' => {
+ 'Port' => [123]
+ }
+ })
+ end
+ end
+
context 'with issue and issue.net configured' do
let(:params) {{ :bannertext => 'foo' }}
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
- 'Banner' => '/etc/issue.net'
+ 'Banner' => '/etc/issue.net',
+ 'Port' => [22]
}
})
is_expected.to contain_file('/etc/issue').with({
@@ -78,6 +119,7 @@ describe 'tripleo::profile::base::sshd' do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
+ 'Port' => [22],
'PrintMotd' => 'yes'
}
})
@@ -98,6 +140,7 @@ describe 'tripleo::profile::base::sshd' do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
+ 'Port' => [22],
'X11Forwarding' => 'no'
}
})
@@ -117,6 +160,7 @@ describe 'tripleo::profile::base::sshd' do
'storeconfigs_enabled' => false,
'options' => {
'Banner' => '/etc/issue.net',
+ 'Port' => [22],
'PrintMotd' => 'yes'
}
})
@@ -146,6 +190,7 @@ describe 'tripleo::profile::base::sshd' do
:bannertext => 'foo',
:motd => 'foo',
:options => {
+ 'Port' => [22],
'PrintMotd' => 'no', # this should be overridden
'X11Forwarding' => 'no'
}
@@ -155,6 +200,7 @@ describe 'tripleo::profile::base::sshd' do
'storeconfigs_enabled' => false,
'options' => {
'Banner' => '/etc/issue.net',
+ 'Port' => [22],
'PrintMotd' => 'yes',
'X11Forwarding' => 'no'
}