# [*step*]
 #   step defaults to hiera('step')
 #
-# [*configure_libvirt_polkit*]
-#   Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
-#   Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
-#
-# [*docker_nova_uid*]
-#   When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
-#   Defaults to 42436
-#
-# [*services_enabled*]
-#   List of TripleO services enabled on the role.
-#   Defaults to hiera('services_names')
-#
 # DEPRECATED PARAMETERS
 #
 # [*docker_namespace*]
   $configure_storage = true,
   $storage_options = '-s overlay2',
   $step = Integer(hiera('step')),
-  $configure_libvirt_polkit = undef,
-  $docker_nova_uid = 42436,
-  $services_enabled = hiera('service_names', []),
   # DEPRECATED PARAMETERS
   $docker_namespace = undef,
   $insecure_registry = false,
 ) {
 
-  if $configure_libvirt_polkit == undef {
-    $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
-  } else {
-    $configure_libvirt_polkit_real = $configure_libvirt_polkit
-  }
-
   if $step >= 1 {
     package {'docker':
       ensure => installed,
     }
 
   }
-  if ($step >= 4 and $configure_libvirt_polkit_real) {
-    # Workaround for polkit authorization for libvirtd socket on host
-    #
-    # This creates a local user with the kolla nova uid, and sets the polkit rule to
-    # allow both it and the nova user from the nova rpms, should it exist (uid 162).
-
-    group { 'docker_nova_group':
-      name => 'docker_nova',
-      gid  => $docker_nova_uid
-    }
-    -> user { 'docker_nova_user':
-      name    => 'docker_nova',
-      uid     => $docker_nova_uid,
-      gid     => $docker_nova_uid,
-      shell   => '/sbin/nologin',
-      comment => 'OpenStack Nova Daemons',
-      groups  => ['nobody']
-    }
-
-    # Similar to the polkit rule in the openstack-nova rpm spec
-    # but allow both the 'docker_nova' and 'nova' user
-    $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.libvirt.unix.manage" &&
-        /^(docker_)?nova$/.test(subject.user)) {
-        return polkit.Result.YES;
-    }
-});
-'
-    package {'polkit':
-      ensure => installed,
-    }
-    -> file {'/etc/polkit-1/rules.d/50-nova.rules':
-      content => $docker_nova_polkit_rule,
-      mode    => '0644'
-    }
-  }
 }
 
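Review bot: Removing the polkit resources from the manifest does not undo them on hosts that were deployed with the previous version: `/etc/polkit-1/rules.d/50-nova.rules` (granting `org.libvirt.unix.manage` to the `nova` and `docker_nova` users) and the `docker_nova` user/group stay in place after upgrade, so the old authorization path remains active alongside the new socket-group one. A cleanup resource such as `file { '/etc/polkit-1/rules.d/50-nova.rules': ensure => absent }` in the step >= 4 branch would retire it. Also, `configure_libvirt_polkit`, `docker_nova_uid` and `services_enabled` are dropped from the signature outright rather than being moved under the `# DEPRECATED PARAMETERS` marker the class already keeps, so hiera data still setting them will fail parameter validation instead of degrading gracefully. The enclosing class starts before this hunk.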
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*libvirtd_config*]
+#   (Optional) Overrides for libvirtd config options
+#   Default to {}
+#
 class tripleo::profile::base::nova::libvirt (
   $step = Integer(hiera('step')),
+  $libvirtd_config = {},
 ) {
   include ::tripleo::profile::base::nova::compute_libvirt_shared
 
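Review bot: The new `# [*libvirtd_config*]` doc does not say how the overrides are applied or what shape they take; the value is passed through `merge()` against the class defaults, so a caller supplying one key keeps every other default, and each entry is an `option => {value => ...}` hash whose value must already carry the quoting libvirtd.conf expects. Suggested wording: `#   (Optional) Hash of libvirtd.conf options merged over the class defaults, in the form option => {value => '"..."'}; overrides can also loosen the socket auth/permission defaults.` and `#   Defaults to {}` (the added line currently reads `Default to {}`).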
     include ::tripleo::profile::base::nova::migration::client
     include ::nova::compute::libvirt::services
 
+    $libvirtd_config_default = {
+      unix_sock_group    => {value => '"libvirt"'},
+      auth_unix_ro       => {value => '"none"'},
+      auth_unix_rw       => {value => '"none"'},
+      unix_sock_ro_perms => {value => '"0777"'},
+      unix_sock_rw_perms => {value => '"0770"'}
+    }
+
+    class { '::nova::compute::libvirt::config':
+      libvirtd_config => merge($libvirtd_config_default, $libvirtd_config)
+    }
+
     file { ['/etc/libvirt/qemu/networks/autostart/default.xml',
       '/etc/libvirt/qemu/networks/default.xml']:
       ensure => absent,
 
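Review bot: `$libvirtd_config_default` changes the libvirt access model without a why-comment: `auth_unix_rw => "none"` turns off polkit/SASL checks on the read-write socket, so membership in `unix_sock_group` (`libvirt`) becomes the only authorization for full domain management, and `unix_sock_ro_perms => "0777"` lets any local account open the read-only socket. A short comment above the hash, e.g. `# libvirtd access is delegated to unix_sock_group ("libvirt") membership and socket modes: auth_unix_rw is "none", so group membership alone grants management rights.`, records that this group is now the trust boundary (the polkit rule for the nova users is removed elsewhere in this change). Note also that `merge()` is shallow, so an override of e.g. `unix_sock_rw_perms` replaces the default entry wholesale; presumably intended, but worth stating. The enclosing block that these lines are indented under starts before this hunk.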
       }
     end
 
-    context 'with step 4 and configure_libvirt_polkit disabled' do
-      let(:params) { {
-          :step                    => 4,
-          :configure_libvirt_polkit => false
-      } }
-      it {
-        is_expected.to_not contain_group('docker_nova_group')
-        is_expected.to_not contain_user('docker_nova_user')
-        is_expected.to_not contain_package('polkit')
-        is_expected.to_not contain_file('/etc/polkit-1/rules.d/50-nova.rules')
-      }
-    end
-
-    context 'with step 4 and configure_libvirt_polkit enabled' do
-      let(:params) { {
-          :step                    => 4,
-          :configure_libvirt_polkit => true
-      } }
-      it {
-        is_expected.to contain_group('docker_nova_group').with(
-          :name => 'docker_nova',
-          :gid  => 42436
-        )
-        is_expected.to contain_user('docker_nova_user').with(
-          :name => 'docker_nova',
-          :uid  => 42436,
-          :gid  => 42436,
-          :shell => '/sbin/nologin',
-          :groups => ['nobody']
-        )
-        is_expected.to contain_package('polkit')
-        is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
-      }
-    end
-
-    context 'with step 4 and nova_compute service installed' do
-      let(:params) { {
-          :step          => 4,
-          :services_enabled => ['docker', 'nova_compute']
-      } }
-      it {
-        is_expected.to contain_group('docker_nova_group').with(
-          :name => 'docker_nova',
-          :gid  => 42436
-        )
-        is_expected.to contain_user('docker_nova_user').with(
-          :name => 'docker_nova',
-          :uid  => 42436,
-          :gid  => 42436,
-          :shell => '/sbin/nologin',
-          :groups => ['nobody']
-        )
-        is_expected.to contain_package('polkit')
-        is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
-      }
-    end
-
-    context 'with step 4 and configure_libvirt_polkit enabled and docker_nova uid' do
-      let(:params) { {
-          :step                    => 4,
-          :configure_libvirt_polkit => true,
-          :docker_nova_uid         => 12345
-      } }
-      it {
-        is_expected.to contain_group('docker_nova_group').with(
-          :name => 'docker_nova',
-          :gid  => 12345
-        )
-        is_expected.to contain_user('docker_nova_user').with(
-          :name => 'docker_nova',
-          :uid  => 12345,
-          :gid  => 12345,
-          :shell => '/sbin/nologin',
-          :groups => ['nobody']
-        )
-        is_expected.to contain_package('polkit')
-        is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
-      }
-    end
   end
 
   on_supported_os.each do |os, facts|
 
         is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
         is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
         is_expected.to contain_exec('libvirt-default-net-destroy')
+        is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+          "unix_sock_group"    => {"value" => '"libvirt"'},
+          "auth_unix_ro"       => {"value" => '"none"'},
+          "auth_unix_rw"       => {"value" => '"none"'},
+          "unix_sock_ro_perms" => {"value" => '"0777"'},
+          "unix_sock_rw_perms" => {"value" => '"0770"'}
+        })
+      }
+    end
+
+    context 'with step 4 and libvirtd_config' do
+      let(:pre_condition) do
+        <<-eos
+        class { '::tripleo::profile::base::nova':
+          step => #{params[:step]},
+          oslomsg_rpc_hosts => [ '127.0.0.1' ],
+        }
+        class { '::tripleo::profile::base::nova::migration':
+          step => #{params[:step]}
+        }
+        class { '::tripleo::profile::base::nova::migration::client':
+          step => #{params[:step]}
+        }
+        class { '::tripleo::profile::base::nova::compute_libvirt_shared':
+          step => #{params[:step]}
+        }
+eos
+      end
+
+      let(:params) { { :step => 4, :libvirtd_config => { "unix_sock_group" => {"value" => '"foobar"'}} } }
+
+      it {
+        is_expected.to contain_class('tripleo::profile::base::nova::libvirt')
+        is_expected.to contain_class('tripleo::profile::base::nova')
+        is_expected.to contain_class('nova::compute::libvirt::services')
+        is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
+        is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
+        is_expected.to contain_exec('libvirt-default-net-destroy')
+        is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+          "unix_sock_group"    => {"value" => '"foobar"'},
+          "auth_unix_ro"       => {"value" => '"none"'},
+          "auth_unix_rw"       => {"value" => '"none"'},
+          "unix_sock_ro_perms" => {"value" => '"0777"'},
+          "unix_sock_rw_perms" => {"value" => '"0770"'}
+        })
       }
     end
   end
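Review bot: The `let(:pre_condition)` heredoc in the new `with step 4 and libvirtd_config` context appears to duplicate the pre_condition of the preceding step-4 context (whose body lies outside this hunk); hoisting a single `let(:pre_condition)` to the enclosing describe and keeping only `let(:params)` per context would stop the two copies drifting apart. The expectations themselves pin the merged result well, including that the four untouched defaults survive the `unix_sock_group` override.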