-rw-r--r-- | manifests/profile/base/nova/migration/proxy.pp | 78 | ||||
-rw-r--r-- | manifests/profile/base/nova/migration/target.pp | 7 | ||||
-rw-r--r-- | manifests/profile/base/sshd.pp | 17 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb | 103 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_nova_migration_target_spec.rb | 45 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_sshd_spec.rb | 52 |
6 files changed, 296 insertions, 6 deletions
diff --git a/manifests/profile/base/nova/migration/proxy.pp b/manifests/profile/base/nova/migration/proxy.pp
new file mode 100644
index 0000000..318a1f8
--- /dev/null
+++ b/manifests/profile/base/nova/migration/proxy.pp
@@ -0,0 +1,78 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::nova::migration::proxy
+#
+# Nova migration proxy profile for tripleo.
+# Used to proxy connections from baremetal sshd to dockerized sshd on a
+# different port during rolling upgrades.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ssh_private_key*]
+# (Optional) SSH private_key for migration SSH tunnel.
+# Defaults to ''
+#
+# [*target_host*]
+# (Optional) SSH hostname to proxy.
+# Defaults to hiera('fqdn_internal_api', '127.0.0.1')
+#
+# [*target_port*]
+# (Optional) SSH port to proxy.
+# Defaults to 22
+
+class tripleo::profile::base::nova::migration::proxy (
+ $step = Integer(hiera('step')),
+ $ssh_private_key = '',
+ $target_host = hiera('fqdn_internal_api', '127.0.0.1'),
+ $target_port = 22
+) {
+
+ include ::tripleo::profile::base::nova::migration
+
+ if $step >= 4 {
+ if !empty($ssh_private_key) {
+ class { '::tripleo::profile::base::nova::migration::target':
+ step => $step,
+ wrapper_command => "/bin/ssh \
+-p ${target_port} \
+-i /etc/nova/migration/proxy_identity \
+-o BatchMode=yes \
+-o UserKnownHostsFile=/dev/null \
+nova_migration@${target_host} \
+\$SSH_ORIGINAL_COMMAND"
+ }
+
+ $migration_identity = $ssh_private_key
+ $migration_identity_ensure = 'present'
+ }
+ else {
+ $migration_identity = ''
+ $migration_identity_ensure = 'absent'
+ }
+
+ file { '/etc/nova/migration/proxy_identity':
+ ensure => $migration_identity_ensure,
+ content => $migration_identity,
+ mode => '0600',
+ owner => 'nova_migration',
+ group => 'nova_migration',
+ require => Package['openstack-nova-migration']
+ }
+ }
+}
diff --git a/manifests/profile/base/nova/migration/target.pp b/manifests/profile/base/nova/migration/target.pp
index 7c21028..a2f1256 100644
--- a/manifests/profile/base/nova/migration/target.pp
+++ b/manifests/profile/base/nova/migration/target.pp
@@ -37,12 +37,17 @@
 # If the nova_migration_target service is not enabled then migration over
 # ssh will be disabled.
 # Defaults to hiera('service_names', [])
+#
+# [*wrapper_command*]
+# (Internal) Used to override the wrapper command when proxying
+# Defaults to /bin/nova-migration-wrapper
 class tripleo::profile::base::nova::migration::target (
 $step = Integer(hiera('step')),
 $ssh_authorized_keys = [],
 $ssh_localaddrs = [],
 $services_enabled = hiera('service_names', []),
+ $wrapper_command = '/bin/nova-migration-wrapper',
 ) {
 include ::tripleo::profile::base::nova::migration
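Review bot: The `wrapper_command` string in proxy.pp combines `-o UserKnownHostsFile=/dev/null` with `-o BatchMode=yes`, so the proxied hop never has a trusted host key for `target_host`: in batch mode an unknown key is not confirmed and the connection should fail, unless StrictHostKeyChecking is relaxed somewhere outside this change, in which case any key presented on `target_port` is accepted and the private key written next to it authenticates to whoever answers. Managing a known_hosts file for the target in this profile and pointing the option at it, e.g. `-o UserKnownHostsFile=/etc/nova/migration/proxy_known_hosts` (constructed path), keeps the hop non-interactive while still verifying the target. Separately, the `file { '/etc/nova/migration/proxy_identity': ... }` resource writes `$ssh_private_key` as `content`, so it should also set `show_diff => false,` to keep the key out of agent reports and noop diffs.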
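Review bot: `$wrapper_command` is documented as `(Internal)` but is an ordinary class parameter, so it can also be supplied through automatic parameter lookup, and its value is written verbatim as the `ForceCommand` of the `nova_migration` match block in the second hunk of this file. Declaring it as `String[1] $wrapper_command = '/bin/nova-migration-wrapper',` is consistent with the Puppet 4 style already used for `$step` and turns an accidental empty or non-string override into a catalog failure instead of a match block whose forced command is empty. The doc line could also mention that the command is run by sshd with `$SSH_ORIGINAL_COMMAND` set, which is the contract proxy.pp relies on.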
@@ -81,7 +86,7 @@ class tripleo::profile::base::nova::migration::target (
 type => $allow_type,
 order => 1,
 options => {
- 'ForceCommand' => '/bin/nova-migration-wrapper',
+ 'ForceCommand' => $wrapper_command,
 'PasswordAuthentication' => 'no',
 'AllowTcpForwarding' => 'no',
 'X11Forwarding' => 'no',
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
index 3f0245d..22520e9 100644
--- a/manifests/profile/base/sshd.pp
+++ b/manifests/profile/base/sshd.pp
@@ -31,11 +31,16 @@
 # Hash of SSHD options to set. See the puppet-ssh module documentation for
 # details.
 # Defaults to {}
+#
+# [*port*]
+# SSH port or list of ports to bind to
+# Defaults to [22]
 class tripleo::profile::base::sshd (
 $bannertext = hiera('BannerText', undef),
 $motd = hiera('MOTD', undef),
- $options = {}
+ $options = {},
+ $port = [22],
 ) {
 if $bannertext and $bannertext != '' {
@@ -67,10 +72,18 @@ class tripleo::profile::base::sshd (
 $sshd_options_motd = {}
 }
+ if $options['Port'] {
+ $sshd_options_port = {'Port' => unique(concat(any2array($options['Port']), $port))}
+ }
+ else {
+ $sshd_options_port = {'Port' => unique(any2array($port))}
+ }
+
 $sshd_options = merge(
 $options,
 $sshd_options_banner,
- $sshd_options_motd
+ $sshd_options_motd,
+ $sshd_options_port
 )
 # NB (owalsh) in puppet-ssh hiera takes precedence over the class param
diff --git a/spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb
new file mode 100644
index 0000000..71aaf79
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb
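Review bot: The `[*port*]` doc in sshd.pp says "SSH port or list of ports to bind to", but the logic in the second hunk of this file appends `$port` to whatever `Port` is already in `$options` (`unique(concat(any2array($options['Port']), $port))`), so an operator who sets only `options => {'Port' => 456}` still gets port 22 bound through the `[22]` default, as the spec's 'with port configured and port option' context (`[456, 123]`) confirms. An extra listener is a surprising outcome for a hardening profile, so the doc should say so: `# Ports listed here are bound in addition to any 'Port' given in $options.`. It is also worth one more doc sentence that replacing rather than adding requires passing `port => []` together with the `options` value, since `unique(concat(...))` then yields only the `$options` ports.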
@@ -0,0 +1,103 @@
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::nova::migration::proxy' do
+ shared_examples_for 'tripleo::profile::base::nova::migration::proxy' do
+
+ context 'with step 4 with defaults (disabled)' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ } }
+
+ it {
+ is_expected.to_not contain_class('tripleo::profile::base::nova::migration::target')
+ is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(:ensure => 'absent')
+ }
+ end
+
+ context 'with step 4 with ssh_private_key' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_private_key => 'foo',
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration::target').with(
+ :wrapper_command => '/bin/ssh -p 22 -i /etc/nova/migration/proxy_identity -o BatchMode=yes -o UserKnownHostsFile=/dev/null nova_migration@127.0.0.1 $SSH_ORIGINAL_COMMAND'
+ )
+ is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(
+ :content => 'foo',
+ :mode => '0600',
+ :owner => 'nova_migration',
+ :group => 'nova_migration',
+ )
+ }
+ end
+
+ context 'with step 4 with host and port' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_private_key => 'foo',
+ :target_host => 'node.example.com',
+ :target_port => 1000
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration::target').with(
+ :wrapper_command => '/bin/ssh -p 1000 -i /etc/nova/migration/proxy_identity -o BatchMode=yes -o UserKnownHostsFile=/dev/null nova_migration@node.example.com $SSH_ORIGINAL_COMMAND'
+ )
+ is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(
+ :content => 'foo',
+ :mode => '0600',
+ :owner => 'nova_migration',
+ :group => 'nova_migration',
+ )
+ }
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+ it_behaves_like 'tripleo::profile::base::nova::migration::proxy'
+ end
+ end
+end
\ No newline at end of file
diff --git a/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb
index a14b89a..4c872b7 100644
--- a/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb
@@ -269,6 +269,51 @@ eos
 it { is_expected.to_not compile }
 end
+ context 'with step 4 with wrapper_command' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
+ :services_enabled => ['docker', 'nova_migration_target'],
+ :wrapper_command => '/bin/true'
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
+ :type => 'User',
+ :name => 'nova_migration',
+ :options => {
+ 'ForceCommand' => '/bin/true',
+ 'PasswordAuthentication' => 'no',
+ 'AllowTcpForwarding' => 'no',
+ 'X11Forwarding' => 'no',
+ 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
+ }
+ )
+ is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => 'ssh-rsa bar\nssh-rsa baz',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
+ )
+ }
+ end
+
 end
diff --git a/spec/classes/tripleo_profile_base_sshd_spec.rb b/spec/classes/tripleo_profile_base_sshd_spec.rb
index 58b271f..6333e6b 100644
--- a/spec/classes/tripleo_profile_base_sshd_spec.rb
+++ b/spec/classes/tripleo_profile_base_sshd_spec.rb
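Review bot: In the proxy spec, the 'with step 4 with ssh_private_key' and 'with step 4 with host and port' contexts check the identity file's `:content`, `:mode`, `:owner` and `:group` but never that it is present, while the disabled context does check `:ensure => 'absent'`; a regression that left `$migration_identity_ensure` at 'absent' would still pass because `.with(` only compares the listed parameters. Adding `:ensure => 'present',` to both `contain_file('/etc/nova/migration/proxy_identity').with(` hashes closes that gap. The new file also ends without a trailing newline (`\ No newline at end of file`), which the other spec files touched here do not show.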
@@ -26,7 +26,9 @@ describe 'tripleo::profile::base::sshd' do it do is_expected.to contain_class('ssh::server').with({ 'storeconfigs_enabled' => false, - 'options' => {} + 'options' => { + 'Port' => [22] + } }) is_expected.to_not contain_file('/etc/issue') is_expected.to_not contain_file('/etc/issue.net') @@ -39,7 +41,9 @@ describe 'tripleo::profile::base::sshd' do it do is_expected.to contain_class('ssh::server').with({ 'storeconfigs_enabled' => false, - 'options' => {} + 'options' => { + 'Port' => [22] + } }) is_expected.to_not contain_file('/etc/issue') is_expected.to_not contain_file('/etc/issue.net') @@ -47,13 +51,50 @@ describe 'tripleo::profile::base::sshd' do end end + context 'with port configured' do + let(:params) {{ :port => 123 }} + it do + is_expected.to contain_class('ssh::server').with({ + 'storeconfigs_enabled' => false, + 'options' => { + 'Port' => [123] + } + }) + end + end + + context 'with port configured and port option' do + let(:params) {{ :port => 123, :options => {'Port' => 456} }} + it do + is_expected.to contain_class('ssh::server').with({ + 'storeconfigs_enabled' => false, + 'options' => { + 'Port' => [456, 123] + } + }) + end + end + + context 'with port configured and same port option' do + let(:params) {{ :port => 123, :options => {'Port' => 123} }} + it do + is_expected.to contain_class('ssh::server').with({ + 'storeconfigs_enabled' => false, + 'options' => { + 'Port' => [123] + } + }) + end + end + context 'with issue and issue.net configured' do let(:params) {{ :bannertext => 'foo' }} it do is_expected.to contain_class('ssh::server').with({ 'storeconfigs_enabled' => false, 'options' => { - 'Banner' => '/etc/issue.net' + 'Banner' => '/etc/issue.net', + 'Port' => [22] } }) is_expected.to contain_file('/etc/issue').with({ @@ -78,6 +119,7 @@ describe 'tripleo::profile::base::sshd' do is_expected.to contain_class('ssh::server').with({ 'storeconfigs_enabled' => false, 'options' => { + 'Port' => [22], 'PrintMotd' => 'yes' } }) 
@@ -98,6 +140,7 @@ describe 'tripleo::profile::base::sshd' do
 is_expected.to contain_class('ssh::server').with({
 'storeconfigs_enabled' => false,
 'options' => {
+ 'Port' => [22],
 'X11Forwarding' => 'no'
 }
 })
@@ -117,6 +160,7 @@ describe 'tripleo::profile::base::sshd' do
 'storeconfigs_enabled' => false,
 'options' => {
 'Banner' => '/etc/issue.net',
+ 'Port' => [22],
 'PrintMotd' => 'yes'
 }
 })
@@ -146,6 +190,7 @@ describe 'tripleo::profile::base::sshd' do
 :bannertext => 'foo',
 :motd => 'foo',
 :options => {
+ 'Port' => [22],
 'PrintMotd' => 'no', # this should be overridden
 'X11Forwarding' => 'no'
 }
@@ -155,6 +200,7 @@ describe 'tripleo::profile::base::sshd' do
 'storeconfigs_enabled' => false,
 'options' => {
 'Banner' => '/etc/issue.net',
+ 'Port' => [22],
 'PrintMotd' => 'yes',
 'X11Forwarding' => 'no'
 } |