diff options
-rw-r--r-- | manifests/profile/base/nova.pp | 57 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_nova_spec.rb | 60 |
2 files changed, 83 insertions, 34 deletions
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 65355d4..6065e62 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -217,31 +217,42 @@ class tripleo::profile::base::nova ( notify => Service['sshd'] } - file { '/etc/nova/migration/authorized_keys': - content => $migration_ssh_key['public_key'], - mode => '0640', - owner => 'root', - group => 'nova_migration', - require => Package['openstack-nova-migration'], - } + $migration_authorized_keys = $migration_ssh_key['public_key'] + $migration_identity = $migration_ssh_key['private_key'] + $migration_user_shell = '/bin/bash' + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_identity = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } - # Client side - file { '/etc/nova/migration/identity': - content => $migration_ssh_key['private_key'], - mode => '0600', - owner => 'nova', - group => 'nova', - require => Package['openstack-nova-migration'], - } - $migration_pkg_ensure = installed - } else { - $migration_pkg_ensure = absent + package { 'openstack-nova-migration': + ensure => present, + tag => ['openstack', 'nova-package'], + } + + file { '/etc/nova/migration/authorized_keys': + content => $migration_authorized_keys, + mode => '0640', + owner => 'root', + group => 'nova_migration', + require => Package['openstack-nova-migration'] + } + + file { '/etc/nova/migration/identity': + content => $migration_identity, + mode => '0600', + owner => 'nova', + group => 'nova', + require => Package['openstack-nova-migration'] + } + + user {'nova_migration': + shell => $migration_user_shell, + require => Package['openstack-nova-migration'] } - } else { - $migration_pkg_ensure = absent - } - package {'openstack-nova-migration': - ensure => $migration_pkg_ensure } } } diff --git a/spec/classes/tripleo_profile_base_nova_spec.rb b/spec/classes/tripleo_profile_base_nova_spec.rb index d77ba1b..a48c94f 100644 --- a/spec/classes/tripleo_profile_base_nova_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_spec.rb @@ -95,9 +95,8 @@ describe 'tripleo::profile::base::nova' do is_expected.to contain_class('nova::cache') is_expected.to contain_class('nova::placement') is_expected.to_not contain_class('nova::migration::libvirt') - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'absent' - ) + is_expected.to_not contain_file('/etc/nova/migration/authorized_keys') + is_expected.to_not contain_file('/etc/nova/migration/identity') } end @@ -132,7 +131,22 @@ describe 'tripleo::profile::base::nova' do :configure_nova => params[:nova_compute_enabled] ) is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'absent' + :ensure => 'present' + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/sbin/nologin' ) } end @@ -169,7 +183,22 @@ describe 'tripleo::profile::base::nova' do :configure_nova => params[:nova_compute_enabled], ) is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'absent' + :ensure => 'present' + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/sbin/nologin' ) } end @@ -223,6 +252,9 @@ describe 'tripleo::profile::base::nova' do } ) is_expected.to_not contain_ssh__server__match_block('nova_migration deny') + is_expected.to contain_package('openstack-nova-migration').with( + :ensure => 'present' + ) is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( :content => 'ssh-rsa bar', :mode => '0640', @@ -235,8 +267,8 @@ describe 'tripleo::profile::base::nova' do :owner => 'nova', :group => 'nova', ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'installed' + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' ) } end @@ -297,6 +329,9 @@ describe 'tripleo::profile::base::nova' do 'DenyUsers' => 'nova_migration' } ) + is_expected.to contain_package('openstack-nova-migration').with( + :ensure => 'present' + ) is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( :content => 'ssh-rsa bar', :mode => '0640', @@ -309,8 +344,8 @@ describe 'tripleo::profile::base::nova' do :owner => 'nova', :group => 'nova', ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'installed' + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' ) } end @@ -365,6 +400,9 @@ describe 'tripleo::profile::base::nova' do } ) is_expected.to_not contain_ssh__server__match_block('nova_migration deny') + is_expected.to contain_package('openstack-nova-migration').with( + :ensure => 'present' + ) is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( :content => 'ssh-rsa bar', :mode => '0640', @@ -377,8 +415,8 @@ describe 'tripleo::profile::base::nova' do :owner => 'nova', :group => 'nova', ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'installed' + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' ) } end |