From 4e398a76dea38c0593b4965d4ec75ab1836d2369 Mon Sep 17 00:00:00 2001
From: Oliver Walsh
Date: Tue, 28 Mar 2017 16:02:18 +0100
Subject: Configure migration SSH tunnel

This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled.
Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
(cherry picked from commit ccbcd11276c7bc3ffc8f013d9a5b2d3944bf76cf)
---
 manifests/profile/base/nova.pp | 87 +++++++++++++++++++++++++++++++++---------
 1 file changed, 68 insertions(+), 19 deletions(-)
(limited to 'manifests/profile')
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index cb34521..b4330a9 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -62,6 +62,15 @@
 # (Optional) The current step of the deployment
 # Defaults to hiera('step')
 #
+# [*migration_ssh_key*]
+# (Optional) SSH key pair for migration SSH tunnel.
+# Expects a hash with keys 'private_key' and 'public_key'.
+# Defaults to {}
+#
+# [*libvirt_tls*]
+# (Optional) Whether or not libvird TLS service is enabled.
+# Defaults to false
 class tripleo::profile::base::nova (
 $bootstrap_node = hiera('bootstrap_nodeid', undef),
 $libvirt_enabled = false,
@@ -74,6 +83,8 @@ class tripleo::profile::base::nova (
 $messaging_use_ssl = hiera('nova::rabbit_use_ssl', '0'),
 $nova_compute_enabled = false,
 $step = hiera('step'),
+ $migration_ssh_key = {},
+ $libvirt_tls = false
 ) {
 if $::hostname == downcase($bootstrap_node) {
 $sync_db = true
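Review bot: `libvird` in the new `[*libvirt_tls*]` description is a typo for `libvirt`. The `[*migration_ssh_key*]` description should also state the shape expected of `'public_key'`, because the class body later splits that value on a single space and indexes fields 0 and 1 as key type and key material; a line such as `#   'public_key' must be a one-line OpenSSH public key ("<type> <base64> [comment]")` would make the contract visible to whoever supplies the hiera data. Since `'private_key'` is secret material carried through the catalog, a sentence pointing out that the value should come from protected hiera data, not a plain environment file, would be worth adding here too (inferred from the parameter's use, not shown on this page).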
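Review bot: The two new parameters are appended after `$step` instead of being placed where the rest of the list appears to keep alphabetical order (`$libvirt_tls` next to `$libvirt_enabled`, `$migration_ssh_key` ahead of the `$messaging_*` group), and `$libvirt_tls = false` carries no trailing comma, so the next parameter added will have to touch this line again. Both are cosmetic; writing the last line as `$libvirt_tls = false,` settles the second one.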
@@ -89,18 +100,6 @@ class tripleo::profile::base::nova (
 if $step >= 4 or ($step >= 3 and $sync_db) {
 $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($messaging_use_ssl)))
- # TODO(ccamacho): remove sprintf once we properly type the port, needs
- # to be a string for the os_transport_url function.
- class { '::nova' :
- default_transport_url => os_transport_url({
- 'transport' => $messaging_driver,
- 'hosts' => $messaging_hosts,
- 'port' => sprintf('%s', $messaging_port),
- 'username' => $messaging_username,
- 'password' => $messaging_password,
- 'ssl' => $messaging_use_ssl_real,
- }),
- }
 include ::nova::config
 class { '::nova::cache':
 enabled => true,
@@ -108,15 +107,65 @@ class tripleo::profile::base::nova (
 memcache_servers => $memcache_servers,
 }
 include ::nova::placement
- }
- if $step >= 4 {
- if $manage_migration {
- class { '::nova::migration::libvirt':
- configure_libvirt => $libvirt_enabled,
- configure_nova => $nova_compute_enabled,
+ if $step >= 4 and $manage_migration {
+
+ # Libvirt setup (live-migration)
+ if $libvirt_tls {
+ class { '::nova::migration::libvirt':
+ transport => 'tls',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ }
+ } else {
+ # Reuse the cold-migration SSH tunnel when TLS is not enabled
+ class { '::nova::migration::libvirt':
+ transport => 'ssh',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ client_user => 'nova',
+ client_extraparams => {'keyfile' => '/var/lib/nova/.ssh/id_rsa'}
+ }
 }
+
+ if $migration_ssh_key != {} {
+ # Nova SSH tunnel setup (cold-migration)
+
+ #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands
+ user { 'nova':
+ ensure => present,
+ shell => '/bin/bash',
+ }
+
+ $private_key_parts = split($migration_ssh_key['public_key'], ' ')
+ $nova_public_key = {
+ 'type' => $private_key_parts[0],
+ key => $private_key_parts[1]
+ }
+ $nova_private_key = {
+ 'type' => $private_key_parts[0],
+ key => $migration_ssh_key['private_key']
+ }
+ } else {
+ $nova_public_key = undef
+ $nova_private_key = undef
+ }
+ } else {
+ $nova_public_key = undef
+ $nova_private_key = undef
 }
- }
+ class { '::nova' :
+ default_transport_url => os_transport_url({
+ 'transport' => $messaging_driver,
+ 'hosts' => $messaging_hosts,
+ 'port' => sprintf('%s', $messaging_port),
+ 'username' => $messaging_username,
+ 'password' => $messaging_password,
+ 'ssl' => $messaging_use_ssl_real,
+ }),
+ nova_public_key => $nova_public_key,
+ nova_private_key => $nova_private_key,
+ }
+ }
 }
-- 
cgit 1.2.3-korg
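Review bot: `$private_key_parts = split($migration_ssh_key['public_key'], ' ')` splits the public key yet is named after the private one, and the only guard before it is `$migration_ssh_key != {}`, so a hash that carries just one of the two keys, or a public key without the `<type> <base64>` layout the next two hashes index into, still reaches `::nova` with an undef `type` or `key` field; I would rename it `$public_key_parts` and tighten the guard to `if $migration_ssh_key['private_key'] and $migration_ssh_key['public_key'] {`. The SSH transport branch hard-codes `'/var/lib/nova/.ssh/id_rsa'` for libvirt while the key material itself is handed to `::nova` through `nova_private_key`, and nothing here ties the two together; a comment such as `# keyfile must match the path where ::nova installs nova_private_key` would record that coupling, and the libvirt branch keeps pointing at that file even when no key was supplied. The temporary `user { 'nova': ensure => present, shell => '/bin/bash' }` resource will fail catalog compilation with a duplicate declaration if the nova package module also manages that user (not visible from this file), so the TODO deserves a tracking note on which module wins. The hash keys are quoted inconsistently (`'type'` quoted, `key` bare) in both constructed hashes.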