aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile/base/nova
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/profile/base/nova')
-rw-r--r--manifests/profile/base/nova/authtoken.pp28
-rw-r--r--manifests/profile/base/nova/compute/libvirt.pp7
-rw-r--r--manifests/profile/base/nova/libvirt.pp1
-rw-r--r--manifests/profile/base/nova/migration.pp35
-rw-r--r--manifests/profile/base/nova/migration/client.pp100
-rw-r--r--manifests/profile/base/nova/migration/target.pp120
6 files changed, 266 insertions, 25 deletions
diff --git a/manifests/profile/base/nova/authtoken.pp b/manifests/profile/base/nova/authtoken.pp
index d8285ba..7eb37bc 100644
--- a/manifests/profile/base/nova/authtoken.pp
+++ b/manifests/profile/base/nova/authtoken.pp
@@ -21,34 +21,22 @@
# for more details.
# Defaults to hiera('step')
#
-# [*use_ipv6*]
-# (Optional) Flag indicating if ipv6 should be used for caching
-# Defaults to hiera('nova::use_ipv6', false)
-#
-# [*memcache_nodes_ipv6*]
-# (Optional) Array of ipv6 addresses for memcache. Used if use_ipv6 is true.
-# Defaults to hiera('memcached_node_ipvs_v6', ['::1'])
-#
-# [*memcache_nodes_ipv4*]
-# (Optional) Array of ipv4 addresses for memcache. Used by default unless
-# use_ipv6 is set to true.
-# Defaults to hiera('memcached_node_ips', ['127.0.0.1'])
+# [*memcached_ips*]
+# (Optional) Array of ipv4 or ipv6 addresses for memcache.
+# Defaults to hiera('memcached_node_ips')
#
class tripleo::profile::base::nova::authtoken (
$step = Integer(hiera('step')),
- $use_ipv6 = hiera('nova::use_ipv6', false),
- $memcache_nodes_ipv6 = hiera('memcached_node_ips_v6', ['::1']),
- $memcache_nodes_ipv4 = hiera('memcached_node_ips', ['127.0.0.1']),
+ $memcached_ips = hiera('memcached_node_ips'),
) {
if $step >= 3 {
- $memcached_ips = $use_ipv6 ? {
- true => $memcache_nodes_ipv6,
- default => $memcache_nodes_ipv4
+ if is_ipv6_address($memcached_ips[0]) {
+ $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211'), 'inet6:')
+ } else {
+ $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
}
- $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
-
class { '::nova::keystone::authtoken':
memcached_servers => $memcache_servers
}
diff --git a/manifests/profile/base/nova/compute/libvirt.pp b/manifests/profile/base/nova/compute/libvirt.pp
index ec592cb..8a7c4d6 100644
--- a/manifests/profile/base/nova/compute/libvirt.pp
+++ b/manifests/profile/base/nova/compute/libvirt.pp
@@ -28,16 +28,13 @@ class tripleo::profile::base::nova::compute::libvirt (
) {
if $step >= 4 {
include ::tripleo::profile::base::nova::compute
+ include ::tripleo::profile::base::nova::migration::client
# Ceph + Libvirt
$rbd_ephemeral_storage = hiera('nova::compute::rbd::ephemeral_storage', false)
$rbd_persistent_storage = hiera('rbd_persistent_storage', false)
if $rbd_ephemeral_storage or $rbd_persistent_storage {
- $client_keys = hiera('ceph::profile::params::client_keys')
- $client_user = join(['client.', hiera('nova::compute::rbd::libvirt_rbd_user')])
- class { '::nova::compute::rbd':
- libvirt_rbd_secret_key => $client_keys[$client_user]['secret'],
- }
+ include ::nova::compute::rbd
}
if $rbd_ephemeral_storage {
diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp
index b639858..06baa39 100644
--- a/manifests/profile/base/nova/libvirt.pp
+++ b/manifests/profile/base/nova/libvirt.pp
@@ -28,6 +28,7 @@ class tripleo::profile::base::nova::libvirt (
) {
if $step >= 4 {
include ::tripleo::profile::base::nova
+ include ::tripleo::profile::base::nova::migration::client
include ::nova::compute::libvirt::services
file { ['/etc/libvirt/qemu/networks/autostart/default.xml',
diff --git a/manifests/profile/base/nova/migration.pp b/manifests/profile/base/nova/migration.pp
new file mode 100644
index 0000000..0c4c844
--- /dev/null
+++ b/manifests/profile/base/nova/migration.pp
@@ -0,0 +1,35 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::nova::migration
+#
+# Nova migration profile for tripleo, common to both client and target.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+
+class tripleo::profile::base::nova::migration (
+ $step = Integer(hiera('step')),
+) {
+ if $step >= 3 {
+ package { 'openstack-nova-migration':
+ ensure => present,
+ tag => ['openstack', 'nova-package'],
+ }
+ }
+}
diff --git a/manifests/profile/base/nova/migration/client.pp b/manifests/profile/base/nova/migration/client.pp
new file mode 100644
index 0000000..12b83dc
--- /dev/null
+++ b/manifests/profile/base/nova/migration/client.pp
@@ -0,0 +1,100 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::nova::migration
+#
+# Nova migration client profile for tripleo
+#
+# === Parameters
+#
+# [*libvirt_enabled*]
+# (Optional) Whether or not Libvirt is enabled.
+# Defaults to false
+#
+# [*nova_compute_enabled*]
+# (Optional) Whether or not nova-compute is enabled.
+# Defaults to false
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ssh_private_key*]
+# (Optional) SSH private_key for migration SSH tunnel.
+# Defaults to ''
+#
+# [*ssh_port*]
+# (Optional) Port that SSH target services is listening on.
+# Defaults to 22
+#
+# [*libvirt_tls*]
+# (Optional) Whether or not libvird TLS service is enabled.
+# Defaults to false
+
+class tripleo::profile::base::nova::migration::client (
+ $libvirt_enabled = false,
+ $nova_compute_enabled = false,
+ $step = Integer(hiera('step')),
+ $ssh_private_key = '',
+ $ssh_port = 22,
+ $libvirt_tls = false,
+) {
+
+ include ::tripleo::profile::base::nova::migration
+
+ if $step >= 4 {
+
+ # Libvirt setup (live-migration)
+ if $libvirt_tls {
+ class { '::nova::migration::libvirt':
+ transport => 'tls',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ }
+ } else {
+ # Reuse the cold-migration SSH tunnel when TLS is not enabled
+ class { '::nova::migration::libvirt':
+ transport => 'ssh',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ client_user => 'nova_migration',
+ client_extraparams => {'keyfile' => '/etc/nova/migration/identity'},
+ client_port => $ssh_port
+ }
+ }
+
+ if !empty($ssh_private_key) {
+ # Nova SSH tunnel setup (cold-migration)
+ $migration_identity = $ssh_private_key
+ }
+ else {
+ $migration_identity = '# Migration over SSH disabled by TripleO'
+ }
+
+ file { '/etc/nova/migration/identity':
+ content => $migration_identity,
+ mode => '0600',
+ owner => 'nova',
+ group => 'nova',
+ require => Package['openstack-nova-migration']
+ }
+
+ file_line { 'nova_ssh_port':
+ ensure => present,
+ path => '/var/lib/nova/.ssh/config',
+ after => '^Host \*$',
+ line => " Port ${ssh_port}",
+ }
+ }
+}
diff --git a/manifests/profile/base/nova/migration/target.pp b/manifests/profile/base/nova/migration/target.pp
new file mode 100644
index 0000000..7c21028
--- /dev/null
+++ b/manifests/profile/base/nova/migration/target.pp
@@ -0,0 +1,120 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::nova::migration::target
+#
+# Nova migration target profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ssh_authorized_keys*]
+# (Optional) List of SSH public keys authorized for migration.
+# If no keys are provided then migration over ssh will be disabled.
+# Defaults to []
+#
+# [*ssh_localaddrs*]
+# (Optional) Restrict ssh migration to clients connecting via this list of
+# IPs.
+# Defaults to [] (no restriction)
+#
+# [*services_enabled*]
+# (Optional) List of services enabled on the current role.
+# If the nova_migration_target service is not enabled then migration over
+# ssh will be disabled.
+# Defaults to hiera('service_names', [])
+
+class tripleo::profile::base::nova::migration::target (
+ $step = Integer(hiera('step')),
+ $ssh_authorized_keys = [],
+ $ssh_localaddrs = [],
+ $services_enabled = hiera('service_names', []),
+) {
+
+ include ::tripleo::profile::base::nova::migration
+
+ validate_array($ssh_localaddrs)
+ $ssh_localaddrs.each |$x| { validate_ip_address($x) }
+ $ssh_localaddrs_real = unique($ssh_localaddrs)
+ validate_array($ssh_authorized_keys)
+ $ssh_authorized_keys_real = join($ssh_authorized_keys, '\n')
+
+ if $step >= 4 {
+ if !empty($ssh_authorized_keys_real) {
+ if ('nova_migration_target' in $services_enabled) {
+ if !empty($ssh_localaddrs_real) {
+ $allow_type = sprintf('LocalAddress %s User', join($ssh_localaddrs_real,','))
+ $deny_type = 'LocalAddress'
+ $deny_name = sprintf('!%s', join($ssh_localaddrs_real,',!'))
+
+ ssh::server::match_block { 'nova_migration deny':
+ name => $deny_name,
+ type => $deny_type,
+ order => 2,
+ options => {
+ 'DenyUsers' => 'nova_migration'
+ },
+ notify => Service['sshd']
+ }
+ }
+ else {
+ $allow_type = 'User'
+ }
+ $allow_name = 'nova_migration'
+
+ ssh::server::match_block { 'nova_migration allow':
+ name => $allow_name,
+ type => $allow_type,
+ order => 1,
+ options => {
+ 'ForceCommand' => '/bin/nova-migration-wrapper',
+ 'PasswordAuthentication' => 'no',
+ 'AllowTcpForwarding' => 'no',
+ 'X11Forwarding' => 'no',
+ 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
+ },
+ notify => Service['sshd']
+ }
+ $migration_authorized_keys = $ssh_authorized_keys_real
+ $migration_user_shell = '/bin/bash'
+ }
+ else {
+ # Remove the keys and prevent login when migration over SSH is not enabled
+ $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+ $migration_user_shell = '/sbin/nologin'
+ }
+ }
+ else {
+ # Remove the keys and prevent login when migration over SSH is not enabled
+ $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+ $migration_user_shell = '/sbin/nologin'
+ }
+
+ file { '/etc/nova/migration/authorized_keys':
+ content => $migration_authorized_keys,
+ mode => '0640',
+ owner => 'root',
+ group => 'nova_migration',
+ require => Package['openstack-nova-migration']
+ }
+
+ user {'nova_migration':
+ shell => $migration_user_shell,
+ require => Package['openstack-nova-migration']
+ }
+ }
+}