diff options
author | Jenkins <jenkins@review.openstack.org> | 2016-03-14 15:58:03 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-03-14 15:58:03 +0000 |
commit | 0b5459c178b8fdbda36b2fd2c5362b06303b2b6d (patch) | |
tree | b4b65ba1eb5db37850bee540a7923185be7bfc0e | |
parent | 31cb956bd4dc6bd08e7a3612798b4a939b326e93 (diff) | |
parent | 27f1bbd41447bb7aceed991f28d565b4ace95bdf (diff) |
Merge "compute: include VIR_MIGRATE_TUNNELLED when doing VM shared storage"
-rw-r--r-- | puppet/manifests/overcloud_compute.pp | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/puppet/manifests/overcloud_compute.pp b/puppet/manifests/overcloud_compute.pp index 7c8cda71..b7f65f53 100644 --- a/puppet/manifests/overcloud_compute.pp +++ b/puppet/manifests/overcloud_compute.pp @@ -53,12 +53,6 @@ include ::nova include ::nova::config include ::nova::compute -nova_config { - 'DEFAULT/my_ip': value => $ipaddress; - 'DEFAULT/linuxnet_interface_driver': value => 'nova.network.linux_net.LinuxOVSInterfaceDriver'; - 'DEFAULT/host': value => $fqdn; -} - $rbd_ephemeral_storage = hiera('nova::compute::rbd::ephemeral_storage', false) $rbd_persistent_storage = hiera('rbd_persistent_storage', false) if $rbd_ephemeral_storage or $rbd_persistent_storage { @@ -99,6 +93,34 @@ if str2bool(hiera('nova::use_ipv6', false)) { class { '::nova::compute::libvirt' : vncserver_listen => $vncserver_listen, } + +# TUNNELLED mode provides a security enhancement when using shared storage but is not +# supported when not using shared storage. +# See https://bugzilla.redhat.com/show_bug.cgi?id=1301986#c12 +if $rbd_ephemeral_storage { + $block_migration_flag = 'VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED, VIR_MIGRATE_NON_SHARED_INC' + $live_migration_flag = 'VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED' +} else { + $block_migration_flag = 'VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_NON_SHARED_INC' + $live_migration_flag = 'VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE' +} + +nova_config { + 'DEFAULT/my_ip': value => $ipaddress; + 'DEFAULT/linuxnet_interface_driver': value => 'nova.network.linux_net.LinuxOVSInterfaceDriver'; + 'DEFAULT/host': value => $fqdn; + # In future versions of Nova, the live/block migration flags will be deprecated [1]. + # Tunnelling (encryption) will be handled via a single _new_ Nova + # config attribute 'live_migration_tunnelled'[2], thus + # avoiding users to have to supply libvirt flags. + # In future versions of QEMU (2.6, mostly), Dan's native encryption + # work will obsolete the need to use TUNNELLED transport mode. + # [1] https://review.openstack.org/#/c/263436/ + # [2] https://review.openstack.org/#/c/263434/ + 'libvirt/block_migration_flag': value => $block_migration_flag; + 'libvirt/live_migration_flag': value => $live_migration_flag; +} + if hiera('neutron::core_plugin') == 'midonet.neutron.plugin_v1.MidonetPluginV2' { file {'/etc/libvirt/qemu.conf': ensure => present, |