compute: include VIR_MIGRATE_TUNNELLED when doing VM shared storage
authorEmilien Macchi <emilien@redhat.com>
Tue, 1 Mar 2016 13:24:25 +0000 (08:24 -0500)
committerEmilien Macchi <emilien@redhat.com>
Thu, 10 Mar 2016 22:42:41 +0000 (17:42 -0500)
This patch makes sure:

* When doing shared storage
Nova is configured with block_migration_flag and live_migration_flag = '(...),VIR_MIGRATE_TUNNELLED'
flag for security improvements.

* When not doing shared storage
Nova is not configured with VIR_MIGRATE_TUNNELLED flag because it's not
supported by Qemu yet. We need to make sure the value is unset otherwise
live migration will fail when not running shared storage for VMs.

Note: this patch will be backported to stable branches. In a further
iteration, we'll probably use the new Nova parameter live_migration_tunnelled,
which is a simpler way to manage this feature.

Co-Authored-By: Kashyap Chamarthy <kchamart@redhat.com>
Change-Id: I557c1624ee944a32b1831d504f7b189308cd1961

puppet/manifests/overcloud_compute.pp

index 7c8cda7..b7f65f5 100644 (file)
@@ -53,12 +53,6 @@ include ::nova
 include ::nova::config
 include ::nova::compute
 
-nova_config {
-  'DEFAULT/my_ip':                     value => $ipaddress;
-  'DEFAULT/linuxnet_interface_driver': value => 'nova.network.linux_net.LinuxOVSInterfaceDriver';
-  'DEFAULT/host':                      value => $fqdn;
-}
-
 $rbd_ephemeral_storage = hiera('nova::compute::rbd::ephemeral_storage', false)
 $rbd_persistent_storage = hiera('rbd_persistent_storage', false)
 if $rbd_ephemeral_storage or $rbd_persistent_storage {
@@ -99,6 +93,34 @@ if str2bool(hiera('nova::use_ipv6', false)) {
 class { '::nova::compute::libvirt' :
   vncserver_listen => $vncserver_listen,
 }
+
+# TUNNELLED mode provides a security enhancement when using shared storage but is not
+# supported when not using shared storage.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1301986#c12
+if $rbd_ephemeral_storage {
+  $block_migration_flag = 'VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED, VIR_MIGRATE_NON_SHARED_INC'
+  $live_migration_flag = 'VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED'
+} else {
+  $block_migration_flag = 'VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_NON_SHARED_INC'
+  $live_migration_flag = 'VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE'
+}
+
+nova_config {
+  'DEFAULT/my_ip':                     value => $ipaddress;
+  'DEFAULT/linuxnet_interface_driver': value => 'nova.network.linux_net.LinuxOVSInterfaceDriver';
+  'DEFAULT/host':                      value => $fqdn;
+  # In future versions of Nova, the live/block migration flags will be deprecated [1].
+  # Tunnelling (encryption) will be handled via a single _new_ Nova
+  # config attribute 'live_migration_tunnelled'[2], thus
+  # avoiding users to have to supply libvirt flags.
+  # In future versions of QEMU (2.6, mostly), Dan's native encryption
+  # work will obsolete the need to use TUNNELLED transport mode.
+  # [1] https://review.openstack.org/#/c/263436/
+  # [2] https://review.openstack.org/#/c/263434/
+  'libvirt/block_migration_flag':      value => $block_migration_flag;
+  'libvirt/live_migration_flag':       value => $live_migration_flag;
+}
+
 if hiera('neutron::core_plugin') == 'midonet.neutron.plugin_v1.MidonetPluginV2' {
   file {'/etc/libvirt/qemu.conf':
     ensure  => present,
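Review bot: The tunnelled flags are gated on `$rbd_ephemeral_storage` alone at the `if` on the new side, while the description talks about "shared storage" in general and the earlier `if $rbd_ephemeral_storage or $rbd_persistent_storage` (first hunk's context) treats either setting as the shared-storage case; if only RBD-backed ephemeral disks are meant to count (persistent Cinder volumes not affecting the migration transport), a one-line comment stating that above the `if` would stop the next reader from "fixing" it to match the earlier condition. The same `if` takes the hiera value untranslated, whereas the file elsewhere wraps booleans in `str2bool(hiera(...))`; a string value of 'false' from hiera would presumably be truthy here and enable the tunnelled flags on non-shared storage, which the description says breaks live migration — consider `if str2bool($rbd_ephemeral_storage)` or a note on why the raw value is safe. The inline comment `# Tunnelling (encryption) will be handled via ...` slightly overstates what TUNNELLED gives: the migration stream is carried over the libvirtd-to-libvirtd connection and is only as protected as that transport (TLS or SSH), not encrypted by the flag itself; suggest `# Tunnelling (routing the migration stream over the libvirtd connection, encrypted only if that connection is) will be handled via ...`.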