aboutsummaryrefslogtreecommitdiffstats
path: root/spec/classes/tripleo_profile_base_nova_spec.rb
AgeCommit message (Collapse)AuthorFilesLines
2017-07-03Refactor nova migration config into client & target profilesOliver Walsh1-423/+0
The nova migration config has always been applied by the base::nova profile. It assumed that libvirtd/nova-compute and are all running on the same host. Where this config didn't apply (e.g a nova api host) it was disabled by a flag. This approach is not compatible with containers. Hieradata for all containers are combined so per-host flags no longer work, and we can no longer assume libvirtd and nova-compute run in the same context. This change refactors the profiles out of the base nova profile and into a client profile and a target profile that can be included where appropriate. Change-Id: I063a84a8e6da64ae3b09125cfa42e48df69adc12 Implements: blueprint tripleo-cold-migration
2017-05-05Handle duplicate/invalid entries in migration SSH inbound addressesOliver Walsh1-0/+102
An error (e.g a typo) in a custom tripleo-heat-templates environment file could lead to an invalid match block in /etc/ssh/sshd_config. SSH fails-safe and refuses all logins in this case. This change validates the migration_ssh_localaddrs parameter is an array of IP addresses and removes and duplicate entries. Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25 Closes-Bug: #1688308
2017-05-05Disable SSH login for nova_migration user when migration over ssh is disabled.Oliver Walsh1-11/+49
If migration over ssh is enabled, and then later disabled, the ssh config for the nova_migration user remains intact. This change clobbers the migration SSH key to disable login when it is not necessary. Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3 Closes-Bug: #1688321
2017-05-03Restrict nova migration ssh tunnelOliver Walsh1-10/+159
This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
2017-04-03Configure migration SSH tunnelOliver Walsh1-2/+116
This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
2017-02-17Use rpc and notify transport_url for oslo_messaging backendsAndrew Smith1-11/+11
This commit adds the transport_url for specifying the oslo.messaging rpc and notify transport schemes. The rpc or notification backend can be one of rabbit, amqp, zmq, etc. Oslo.messaging is deprecating the host, port and auth configuration options. All drivers will get the options via the transport_url. This patch: * Adds transport_url to base services * Updates the corresponding specs * Adds to default hierdata Depends-On: I1cf93d2caebfa1f7373c16754a2ad9bd15eb1a40 Change-Id: Iea5607dbb3ee6b1dd50acc1395de52dc920aa915
2017-02-13nova: move placement credentials config at step 3Emilien Macchi1-0/+4
nova placement credentials in nova.conf need to be configured at step 3 so Nova services can use them as soon as they start. Change-Id: I0abdd305b7e6c8d83f23e25b3872e98eb56dd299
2017-01-09Rspec tests for nova profilesAlex Schultz1-0/+131
This change fixes the hiera calls in the base nova profile to use the parameter rather than continue to call hiera. Additionally this change includes basic test coverage for the various nova profiles. Change-Id: If393606eeb3c39ed3a2655bd89c5c276a9cf106e