The nova migration config has always been applied by the base::nova profile.
It assumed that libvirtd/nova-compute and are all running on the
same host.
Where this config didn't apply (e.g a nova api host) it was disabled by a flag.
This approach is not compatible with containers. Hieradata for all containers
are combined so per-host flags no longer work, and we can no longer assume
libvirtd and nova-compute run in the same context.
This change refactors the profiles out of the base nova profile and into
a client profile and a target profile that can be included where appropriate.
Change-Id: I063a84a8e6da64ae3b09125cfa42e48df69adc12
Implements: blueprint tripleo-cold-migration
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
-# [*libvirt_enabled*]
-# (Optional) Whether or not Libvirt is enabled.
-# Defaults to false
-#
-# [*manage_migration*]
-# (Optional) Whether or not manage Nova Live migration
-# Defaults to false
-#
# [*oslomsg_rpc_proto*]
# Protocol driver for the oslo messaging rpc service
# Defaults to hiera('messaging_rpc_service_name', rabbit)
# Enable ssl oslo messaging services
# Defaults to hiera('nova::rabbit_use_ssl', '0')
#
-# [*nova_compute_enabled*]
-# (Optional) Whether or not nova-compute is enabled.
-# Defaults to false
-#
# [*step*]
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
-# [*migration_ssh_key*]
-# (Optional) SSH key pair for migration SSH tunnel.
-# Expects a hash with keys 'private_key' and 'public_key'.
-# Defaults to {}
-#
-# [*migration_ssh_localaddrs*]
-# (Optional) Restrict ssh migration to clients connecting via this list of
-# IPs.
-# Defaults to [] (no restriction)
-#
-# [*libvirt_tls*]
-# (Optional) Whether or not libvird TLS service is enabled.
-# Defaults to false
class tripleo::profile::base::nova (
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $libvirt_enabled = false,
- $manage_migration = false,
- $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
- $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
- $oslomsg_rpc_password = hiera('nova::rabbit_password'),
- $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'),
- $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'),
- $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'),
- $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)),
- $oslomsg_notify_password = hiera('nova::rabbit_password'),
- $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'),
- $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'),
- $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'),
- $nova_compute_enabled = false,
- $step = Integer(hiera('step')),
- $migration_ssh_key = {},
- $migration_ssh_localaddrs = [],
- $libvirt_tls = false
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
+ $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
+ $oslomsg_rpc_password = hiera('nova::rabbit_password'),
+ $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'),
+ $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'),
+ $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'),
+ $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)),
+ $oslomsg_notify_password = hiera('nova::rabbit_password'),
+ $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'),
+ $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'),
+ $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'),
+ $step = Integer(hiera('step')),
) {
+
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
} else {
$memcache_servers = suffix(hiera('memcached_node_ips'), ':11211')
}
- validate_array($migration_ssh_localaddrs)
- $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) }
- $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs)
-
if $step >= 4 or ($step >= 3 and $sync_db) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
include ::nova::config
}
include ::nova::placement
}
-
- if $step >= 4 {
- if $manage_migration {
- # Libvirt setup (live-migration)
- if $libvirt_tls {
- class { '::nova::migration::libvirt':
- transport => 'tls',
- configure_libvirt => $libvirt_enabled,
- configure_nova => $nova_compute_enabled,
- }
- } else {
- # Reuse the cold-migration SSH tunnel when TLS is not enabled
- class { '::nova::migration::libvirt':
- transport => 'ssh',
- configure_libvirt => $libvirt_enabled,
- configure_nova => $nova_compute_enabled,
- client_user => 'nova_migration',
- client_extraparams => {'keyfile' => '/etc/nova/migration/identity'}
- }
- }
-
- $services_enabled = hiera('service_names', [])
- if !empty($migration_ssh_key) and 'sshd' in $services_enabled {
- # Nova SSH tunnel setup (cold-migration)
-
- # Server side
- if !empty($migration_ssh_localaddrs_real) {
- $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,','))
- $deny_type = 'LocalAddress'
- $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!'))
-
- ssh::server::match_block { 'nova_migration deny':
- name => $deny_name,
- type => $deny_type,
- order => 2,
- options => {
- 'DenyUsers' => 'nova_migration'
- },
- notify => Service['sshd']
- }
- }
- else {
- $allow_type = 'User'
- }
- $allow_name = 'nova_migration'
-
- ssh::server::match_block { 'nova_migration allow':
- name => $allow_name,
- type => $allow_type,
- order => 1,
- options => {
- 'ForceCommand' => '/bin/nova-migration-wrapper',
- 'PasswordAuthentication' => 'no',
- 'AllowTcpForwarding' => 'no',
- 'X11Forwarding' => 'no',
- 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
- },
- notify => Service['sshd']
- }
-
- $migration_authorized_keys = $migration_ssh_key['public_key']
- $migration_identity = $migration_ssh_key['private_key']
- $migration_user_shell = '/bin/bash'
- }
- else {
- # Remove the keys and prevent login when migration over SSH is not enabled
- $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
- $migration_identity = '# Migration over SSH disabled by TripleO'
- $migration_user_shell = '/sbin/nologin'
- }
-
- package { 'openstack-nova-migration':
- ensure => present,
- tag => ['openstack', 'nova-package'],
- }
-
- file { '/etc/nova/migration/authorized_keys':
- content => $migration_authorized_keys,
- mode => '0640',
- owner => 'root',
- group => 'nova_migration',
- require => Package['openstack-nova-migration']
- }
-
- file { '/etc/nova/migration/identity':
- content => $migration_identity,
- mode => '0600',
- owner => 'nova',
- group => 'nova',
- require => Package['openstack-nova-migration']
- }
-
- user {'nova_migration':
- shell => $migration_user_shell,
- require => Package['openstack-nova-migration']
- }
- }
- }
}
) {
if $step >= 4 {
include ::tripleo::profile::base::nova::compute
+ include ::tripleo::profile::base::nova::migration::client
# Ceph + Libvirt
$rbd_ephemeral_storage = hiera('nova::compute::rbd::ephemeral_storage', false)
) {
if $step >= 4 {
include ::tripleo::profile::base::nova
+ include ::tripleo::profile::base::nova::migration::client
include ::nova::compute::libvirt::services
file { ['/etc/libvirt/qemu/networks/autostart/default.xml',
--- /dev/null
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::nova::migration
+#
+# Nova migration profile for tripleo, common to both client and target.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+
+class tripleo::profile::base::nova::migration (
+ $step = Integer(hiera('step')),
+) {
+ if $step >= 3 {
+ package { 'openstack-nova-migration':
+ ensure => present,
+ tag => ['openstack', 'nova-package'],
+ }
+ }
+}
--- /dev/null
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::nova::migration
+#
+# Nova migration client profile for tripleo
+#
+# === Parameters
+#
+# [*libvirt_enabled*]
+# (Optional) Whether or not Libvirt is enabled.
+# Defaults to false
+#
+# [*nova_compute_enabled*]
+# (Optional) Whether or not nova-compute is enabled.
+# Defaults to false
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ssh_private_key*]
+# (Optional) SSH private_key for migration SSH tunnel.
+# Defaults to ''
+#
+# [*ssh_port*]
+# (Optional) Port that SSH target services is listening on.
+# Defaults to 22
+#
+# [*libvirt_tls*]
+# (Optional) Whether or not libvird TLS service is enabled.
+# Defaults to false
+
+class tripleo::profile::base::nova::migration::client (
+ $libvirt_enabled = false,
+ $nova_compute_enabled = false,
+ $step = Integer(hiera('step')),
+ $ssh_private_key = '',
+ $ssh_port = 22,
+ $libvirt_tls = false,
+) {
+
+ include ::tripleo::profile::base::nova::migration
+
+ if $step >= 4 {
+
+ # Libvirt setup (live-migration)
+ if $libvirt_tls {
+ class { '::nova::migration::libvirt':
+ transport => 'tls',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ }
+ } else {
+ # Reuse the cold-migration SSH tunnel when TLS is not enabled
+ class { '::nova::migration::libvirt':
+ transport => 'ssh',
+ configure_libvirt => $libvirt_enabled,
+ configure_nova => $nova_compute_enabled,
+ client_user => 'nova_migration',
+ client_extraparams => {'keyfile' => '/etc/nova/migration/identity'},
+ client_port => $ssh_port
+ }
+ }
+
+ if !empty($ssh_private_key) {
+ # Nova SSH tunnel setup (cold-migration)
+ $migration_identity = $ssh_private_key
+ }
+ else {
+ $migration_identity = '# Migration over SSH disabled by TripleO'
+ }
+
+ file { '/etc/nova/migration/identity':
+ content => $migration_identity,
+ mode => '0600',
+ owner => 'nova',
+ group => 'nova',
+ require => Package['openstack-nova-migration']
+ }
+
+ file_line { 'nova_ssh_port':
+ ensure => present,
+ path => '/var/lib/nova/.ssh/config',
+ after => '^Host \*$',
+ line => " Port ${ssh_port}",
+ }
+ }
+}
--- /dev/null
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::nova::migration::target
+#
+# Nova migration target profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ssh_authorized_keys*]
+# (Optional) List of SSH public keys authorized for migration.
+# If no keys are provided then migration over ssh will be disabled.
+# Defaults to []
+#
+# [*ssh_localaddrs*]
+# (Optional) Restrict ssh migration to clients connecting via this list of
+# IPs.
+# Defaults to [] (no restriction)
+#
+# [*services_enabled*]
+# (Optional) List of services enabled on the current role.
+# If the nova_migration_target service is not enabled then migration over
+# ssh will be disabled.
+# Defaults to hiera('service_names', [])
+
+class tripleo::profile::base::nova::migration::target (
+ $step = Integer(hiera('step')),
+ $ssh_authorized_keys = [],
+ $ssh_localaddrs = [],
+ $services_enabled = hiera('service_names', []),
+) {
+
+ include ::tripleo::profile::base::nova::migration
+
+ validate_array($ssh_localaddrs)
+ $ssh_localaddrs.each |$x| { validate_ip_address($x) }
+ $ssh_localaddrs_real = unique($ssh_localaddrs)
+ validate_array($ssh_authorized_keys)
+ $ssh_authorized_keys_real = join($ssh_authorized_keys, '\n')
+
+ if $step >= 4 {
+ if !empty($ssh_authorized_keys_real) {
+ if ('nova_migration_target' in $services_enabled) {
+ if !empty($ssh_localaddrs_real) {
+ $allow_type = sprintf('LocalAddress %s User', join($ssh_localaddrs_real,','))
+ $deny_type = 'LocalAddress'
+ $deny_name = sprintf('!%s', join($ssh_localaddrs_real,',!'))
+
+ ssh::server::match_block { 'nova_migration deny':
+ name => $deny_name,
+ type => $deny_type,
+ order => 2,
+ options => {
+ 'DenyUsers' => 'nova_migration'
+ },
+ notify => Service['sshd']
+ }
+ }
+ else {
+ $allow_type = 'User'
+ }
+ $allow_name = 'nova_migration'
+
+ ssh::server::match_block { 'nova_migration allow':
+ name => $allow_name,
+ type => $allow_type,
+ order => 1,
+ options => {
+ 'ForceCommand' => '/bin/nova-migration-wrapper',
+ 'PasswordAuthentication' => 'no',
+ 'AllowTcpForwarding' => 'no',
+ 'X11Forwarding' => 'no',
+ 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
+ },
+ notify => Service['sshd']
+ }
+ $migration_authorized_keys = $ssh_authorized_keys_real
+ $migration_user_shell = '/bin/bash'
+ }
+ else {
+ # Remove the keys and prevent login when migration over SSH is not enabled
+ $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+ $migration_user_shell = '/sbin/nologin'
+ }
+ }
+ else {
+ # Remove the keys and prevent login when migration over SSH is not enabled
+ $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+ $migration_user_shell = '/sbin/nologin'
+ }
+
+ file { '/etc/nova/migration/authorized_keys':
+ content => $migration_authorized_keys,
+ mode => '0640',
+ owner => 'root',
+ group => 'nova_migration',
+ require => Package['openstack-nova-migration']
+ }
+
+ user {'nova_migration':
+ shell => $migration_user_shell,
+ require => Package['openstack-nova-migration']
+ }
+ }
+}
class { '::tripleo::profile::base::nova::compute':
step => #{params[:step]},
}
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::migration::client':
+ step => #{params[:step]}
+ }
eos
end
step => #{params[:step]},
oslomsg_rpc_hosts => [ '127.0.0.1' ],
}
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::migration::client':
+ step => #{params[:step]}
+ }
eos
end
step => #{params[:step]},
oslomsg_rpc_hosts => [ '127.0.0.1' ],
}
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::migration::client':
+ step => #{params[:step]}
+ }
eos
end
--- /dev/null
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::nova::migration::client' do
+ shared_examples_for 'tripleo::profile::base::nova::migration::client' do
+
+ context 'with step 4' do
+ let(:pre_condition) {
+ <<-eos
+ include ::nova::compute::libvirt::services
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_class('nova::migration::libvirt').with(
+ :transport => 'ssh',
+ :configure_libvirt => false,
+ :configure_nova => false
+ )
+ is_expected.to contain_file('/etc/nova/migration/identity').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0600',
+ :owner => 'nova',
+ :group => 'nova',
+ )
+ }
+ end
+
+ context 'with step 4 with libvirt' do
+ let(:pre_condition) {
+ <<-eos
+ include ::nova::compute::libvirt::services
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :libvirt_enabled => true,
+ :nova_compute_enabled => true,
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_class('nova::migration::libvirt').with(
+ :transport => 'ssh',
+ :configure_libvirt => params[:libvirt_enabled],
+ :configure_nova => params[:nova_compute_enabled]
+ )
+ is_expected.to contain_file('/etc/nova/migration/identity').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0600',
+ :owner => 'nova',
+ :group => 'nova',
+ )
+ }
+ end
+
+ context 'with step 4 with libvirt TLS' do
+ let(:pre_condition) {
+ <<-eos
+ include ::nova::compute::libvirt::services
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :libvirt_enabled => true,
+ :nova_compute_enabled => true,
+ :libvirt_tls => true,
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_class('nova::migration::libvirt').with(
+ :transport => 'tls',
+ :configure_libvirt => params[:libvirt_enabled],
+ :configure_nova => params[:nova_compute_enabled],
+ )
+ is_expected.to contain_file('/etc/nova/migration/identity').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0600',
+ :owner => 'nova',
+ :group => 'nova',
+ )
+ }
+ end
+
+ context 'with step 4 with libvirt and migration ssh key' do
+ let(:pre_condition) {
+ <<-eos
+ include ::nova::compute::libvirt::services
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :libvirt_enabled => true,
+ :nova_compute_enabled => true,
+ :ssh_private_key => 'foo'
+ } }
+
+ it {
+ is_expected.to contain_class('nova::migration::libvirt').with(
+ :transport => 'ssh',
+ :configure_libvirt => params[:libvirt_enabled],
+ :configure_nova => params[:nova_compute_enabled]
+ )
+ is_expected.to contain_file('/etc/nova/migration/identity').with(
+ :content => 'foo',
+ :mode => '0600',
+ :owner => 'nova',
+ :group => 'nova',
+ )
+ }
+ end
+
+ context 'with step 4 with libvirt TLS and migration ssh key' do
+ let(:pre_condition) {
+ <<-eos
+ include ::nova::compute::libvirt::services
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :libvirt_enabled => true,
+ :nova_compute_enabled => true,
+ :libvirt_tls => true,
+ :ssh_private_key => 'foo'
+ } }
+
+ it {
+ is_expected.to contain_class('nova::migration::libvirt').with(
+ :transport => 'tls',
+ :configure_libvirt => params[:libvirt_enabled],
+ :configure_nova => params[:nova_compute_enabled]
+ )
+ is_expected.to contain_file('/etc/nova/migration/identity').with(
+ :content => 'foo',
+ :mode => '0600',
+ :owner => 'nova',
+ :group => 'nova',
+ )
+ }
+ end
+
+ end
+
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+ it_behaves_like 'tripleo::profile::base::nova::migration::client'
+ end
+ end
+end
--- /dev/null
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::nova::migration' do
+ shared_examples_for 'tripleo::profile::base::nova::migration' do
+
+ context 'with step 3' do
+ let(:params) { {
+ :step => 3,
+ } }
+
+ it {
+ is_expected.to contain_package('openstack-nova-migration')
+ }
+ end
+
+ end
+
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ it_behaves_like 'tripleo::profile::base::nova::migration'
+ end
+ end
+end
--- /dev/null
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::nova::migration::target' do
+ shared_examples_for 'tripleo::profile::base::nova::migration::target' do
+
+ context 'with step 4 without authorized_keys' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :services_enabled => ['docker', 'nova_migration_target']
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/sbin/nologin'
+ )
+ }
+ end
+
+ context 'with step 4 without nova_migration_target service enabled' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_authorized_keys => ['bar', 'baz'],
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => '# Migration over SSH disabled by TripleO',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/sbin/nologin'
+ )
+ }
+ end
+
+ context 'with step 4 with invalid ssh_authorized_keys' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_authorized_keys => 'ssh-rsa bar',
+ } }
+
+ it { is_expected.to_not compile }
+ end
+
+ context 'with step 4 with nova_migration_target services enabled' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
+ :services_enabled => ['docker', 'nova_migration_target']
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
+ :type => 'User',
+ :name => 'nova_migration',
+ :options => {
+ 'ForceCommand' => '/bin/nova-migration-wrapper',
+ 'PasswordAuthentication' => 'no',
+ 'AllowTcpForwarding' => 'no',
+ 'X11Forwarding' => 'no',
+ 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
+ }
+ )
+ is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => 'ssh-rsa bar\nssh-rsa baz',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
+ )
+ }
+ end
+
+ context 'with step 4 with ssh_localaddrs' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
+ :services_enabled => ['docker', 'nova_migration_target'],
+ :ssh_localaddrs => ['127.0.0.1', '127.0.0.2']
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
+ :type => 'LocalAddress 127.0.0.1,127.0.0.2 User',
+ :name => 'nova_migration',
+ :options => {
+ 'ForceCommand' => '/bin/nova-migration-wrapper',
+ 'PasswordAuthentication' => 'no',
+ 'AllowTcpForwarding' => 'no',
+ 'X11Forwarding' => 'no',
+ 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
+ }
+ )
+ is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
+ :type => 'LocalAddress',
+ :name => '!127.0.0.1,!127.0.0.2',
+ :options => {
+ 'DenyUsers' => 'nova_migration'
+ }
+ )
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => 'ssh-rsa bar\nssh-rsa baz',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
+ )
+ }
+ end
+
+ context 'with step 4 with duplicate ssh_localaddrs' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
+ :services_enabled => ['docker', 'nova_migration_target'],
+ :ssh_localaddrs => ['127.0.0.1', '127.0.0.1']
+ } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::migration')
+ is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
+ :type => 'LocalAddress 127.0.0.1 User',
+ :name => 'nova_migration',
+ :options => {
+ 'ForceCommand' => '/bin/nova-migration-wrapper',
+ 'PasswordAuthentication' => 'no',
+ 'AllowTcpForwarding' => 'no',
+ 'X11Forwarding' => 'no',
+ 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
+ }
+ )
+ is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
+ :type => 'LocalAddress',
+ :name => '!127.0.0.1',
+ :options => {
+ 'DenyUsers' => 'nova_migration'
+ }
+ )
+ is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+ :content => 'ssh-rsa bar\nssh-rsa baz',
+ :mode => '0640',
+ :owner => 'root',
+ :group => 'nova_migration',
+ )
+ is_expected.to contain_user('nova_migration').with(
+ :shell => '/bin/bash'
+ )
+ }
+ end
+
+ context 'with step 4 with invalid ssh_localaddrs' do
+ let(:pre_condition) {
+ <<-eos
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::ssh::server':
+ storeconfigs_enabled => false,
+ options => {}
+ }
+eos
+ }
+ let(:params) { {
+ :step => 4,
+ :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
+ :services_enabled => ['docker', 'nova_migration_target'],
+ :ssh_localaddrs => ['127.0.0.1', '']
+ } }
+
+ it { is_expected.to_not compile }
+ end
+
+ end
+
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+ it_behaves_like 'tripleo::profile::base::nova::migration::target'
+ end
+ end
+end
\ No newline at end of file
}
end
- context 'with step 4 with libvirt' do
- let(:pre_condition) {
- 'include ::nova::compute::libvirt::services'
- }
- let(:params) { {
- :step => 4,
- :libvirt_enabled => true,
- :manage_migration => true,
- :nova_compute_enabled => true,
- :bootstrap_node => 'node.example.com',
- :oslomsg_rpc_hosts => [ 'localhost' ],
- :oslomsg_rpc_password => 'foo',
- } }
-
- it {
- is_expected.to contain_class('tripleo::profile::base::nova')
- is_expected.to contain_class('nova').with(
- :default_transport_url => /.+/,
- :notification_transport_url => /.+/,
- :nova_public_key => nil,
- :nova_private_key => nil,
- )
- is_expected.to contain_class('nova::config')
- is_expected.to contain_class('nova::placement')
- is_expected.to contain_class('nova::cache')
- is_expected.to contain_class('nova::migration::libvirt').with(
- :transport => 'ssh',
- :configure_libvirt => params[:libvirt_enabled],
- :configure_nova => params[:nova_compute_enabled]
- )
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'present'
- )
- is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
- :content => '# Migration over SSH disabled by TripleO',
- :mode => '0640',
- :owner => 'root',
- :group => 'nova_migration',
- )
- is_expected.to contain_file('/etc/nova/migration/identity').with(
- :content => '# Migration over SSH disabled by TripleO',
- :mode => '0600',
- :owner => 'nova',
- :group => 'nova',
- )
- is_expected.to contain_user('nova_migration').with(
- :shell => '/sbin/nologin'
- )
- }
- end
-
- context 'with step 4 with libvirt TLS' do
- let(:pre_condition) {
- 'include ::nova::compute::libvirt::services'
- }
- let(:params) { {
- :step => 4,
- :libvirt_enabled => true,
- :manage_migration => true,
- :nova_compute_enabled => true,
- :bootstrap_node => 'node.example.com',
- :oslomsg_rpc_hosts => [ 'localhost' ],
- :oslomsg_rpc_password => 'foo',
- :libvirt_tls => true,
- } }
-
- it {
- is_expected.to contain_class('tripleo::profile::base::nova')
- is_expected.to contain_class('nova').with(
- :default_transport_url => /.+/,
- :notification_transport_url => /.+/,
- :nova_public_key => nil,
- :nova_private_key => nil,
- )
- is_expected.to contain_class('nova::config')
- is_expected.to contain_class('nova::placement')
- is_expected.to contain_class('nova::cache')
- is_expected.to contain_class('nova::migration::libvirt').with(
- :transport => 'tls',
- :configure_libvirt => params[:libvirt_enabled],
- :configure_nova => params[:nova_compute_enabled],
- )
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'present'
- )
- is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
- :content => '# Migration over SSH disabled by TripleO',
- :mode => '0640',
- :owner => 'root',
- :group => 'nova_migration',
- )
- is_expected.to contain_file('/etc/nova/migration/identity').with(
- :content => '# Migration over SSH disabled by TripleO',
- :mode => '0600',
- :owner => 'nova',
- :group => 'nova',
- )
- is_expected.to contain_user('nova_migration').with(
- :shell => '/sbin/nologin'
- )
- }
- end
-
- context 'with step 4 with libvirt and migration ssh key' do
- let(:pre_condition) do
- <<-eof
- include ::nova::compute::libvirt::services
- class { '::ssh::server':
- storeconfigs_enabled => false,
- options => {}
- }
- eof
- end
- let(:params) { {
- :step => 4,
- :libvirt_enabled => true,
- :manage_migration => true,
- :nova_compute_enabled => true,
- :bootstrap_node => 'node.example.com',
- :oslomsg_rpc_hosts => [ 'localhost' ],
- :oslomsg_rpc_password => 'foo',
- :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}
- } }
-
- it {
- is_expected.to contain_class('tripleo::profile::base::nova')
- is_expected.to contain_class('nova').with(
- :default_transport_url => /.+/,
- :notification_transport_url => /.+/,
- :nova_public_key => nil,
- :nova_private_key => nil,
- )
- is_expected.to contain_class('nova::config')
- is_expected.to contain_class('nova::placement')
- is_expected.to contain_class('nova::cache')
- is_expected.to contain_class('nova::migration::libvirt').with(
- :transport => 'ssh',
- :configure_libvirt => params[:libvirt_enabled],
- :configure_nova => params[:nova_compute_enabled]
- )
- is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
- :type => 'User',
- :name => 'nova_migration',
- :options => {
- 'ForceCommand' => '/bin/nova-migration-wrapper',
- 'PasswordAuthentication' => 'no',
- 'AllowTcpForwarding' => 'no',
- 'X11Forwarding' => 'no',
- 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
- }
- )
- is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'present'
- )
- is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
- :content => 'ssh-rsa bar',
- :mode => '0640',
- :owner => 'root',
- :group => 'nova_migration',
- )
- is_expected.to contain_file('/etc/nova/migration/identity').with(
- :content => 'foo',
- :mode => '0600',
- :owner => 'nova',
- :group => 'nova',
- )
- is_expected.to contain_user('nova_migration').with(
- :shell => '/bin/bash'
- )
- }
- end
-
- context 'with step 4 with libvirt and migration ssh key and migration_ssh_localaddrs' do
- let(:pre_condition) do
- <<-eof
- include ::nova::compute::libvirt::services
- class { '::ssh::server':
- storeconfigs_enabled => false,
- options => {}
- }
- eof
- end
- let(:params) { {
- :step => 4,
- :libvirt_enabled => true,
- :manage_migration => true,
- :nova_compute_enabled => true,
- :bootstrap_node => 'node.example.com',
- :oslomsg_rpc_hosts => [ 'localhost' ],
- :oslomsg_rpc_password => 'foo',
- :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
- :migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.2']
- } }
-
- it {
- is_expected.to contain_class('tripleo::profile::base::nova')
- is_expected.to contain_class('nova').with(
- :default_transport_url => /.+/,
- :notification_transport_url => /.+/,
- :nova_public_key => nil,
- :nova_private_key => nil,
- )
- is_expected.to contain_class('nova::config')
- is_expected.to contain_class('nova::placement')
- is_expected.to contain_class('nova::cache')
- is_expected.to contain_class('nova::migration::libvirt').with(
- :transport => 'ssh',
- :configure_libvirt => params[:libvirt_enabled],
- :configure_nova => params[:nova_compute_enabled]
- )
- is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
- :type => 'LocalAddress 127.0.0.1,127.0.0.2 User',
- :name => 'nova_migration',
- :options => {
- 'ForceCommand' => '/bin/nova-migration-wrapper',
- 'PasswordAuthentication' => 'no',
- 'AllowTcpForwarding' => 'no',
- 'X11Forwarding' => 'no',
- 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
- }
- )
- is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
- :type => 'LocalAddress',
- :name => '!127.0.0.1,!127.0.0.2',
- :options => {
- 'DenyUsers' => 'nova_migration'
- }
- )
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'present'
- )
- is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
- :content => 'ssh-rsa bar',
- :mode => '0640',
- :owner => 'root',
- :group => 'nova_migration',
- )
- is_expected.to contain_file('/etc/nova/migration/identity').with(
- :content => 'foo',
- :mode => '0600',
- :owner => 'nova',
- :group => 'nova',
- )
- is_expected.to contain_user('nova_migration').with(
- :shell => '/bin/bash'
- )
- }
- end
-
- context 'with step 4 with libvirt and migration ssh key and invalid migration_ssh_localaddrs' do
- let(:pre_condition) do
- <<-eof
- include ::nova::compute::libvirt::services
- class { '::ssh::server':
- storeconfigs_enabled => false,
- options => {}
- }
- eof
- end
- let(:params) { {
- :step => 4,
- :libvirt_enabled => true,
- :manage_migration => true,
- :nova_compute_enabled => true,
- :bootstrap_node => 'node.example.com',
- :oslomsg_rpc_hosts => [ 'localhost' ],
- :oslomsg_rpc_password => 'foo',
- :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
- :migration_ssh_localaddrs => ['127.0.0.1', '']
- } }
-
- it { is_expected.to_not compile }
- end
-
- context 'with step 4 with libvirt and migration ssh key and duplicate migration_ssh_localaddrs' do
- let(:pre_condition) do
- <<-eof
- include ::nova::compute::libvirt::services
- class { '::ssh::server':
- storeconfigs_enabled => false,
- options => {}
- }
- eof
- end
- let(:params) { {
- :step => 4,
- :libvirt_enabled => true,
- :manage_migration => true,
- :nova_compute_enabled => true,
- :bootstrap_node => 'node.example.com',
- :oslomsg_rpc_hosts => [ 'localhost' ],
- :oslomsg_rpc_password => 'foo',
- :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
- :migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.1']
- } }
-
- it {
- is_expected.to contain_class('tripleo::profile::base::nova')
- is_expected.to contain_class('nova').with(
- :default_transport_url => /.+/,
- :notification_transport_url => /.+/,
- :nova_public_key => nil,
- :nova_private_key => nil,
- )
- is_expected.to contain_class('nova::config')
- is_expected.to contain_class('nova::placement')
- is_expected.to contain_class('nova::cache')
- is_expected.to contain_class('nova::migration::libvirt').with(
- :transport => 'ssh',
- :configure_libvirt => params[:libvirt_enabled],
- :configure_nova => params[:nova_compute_enabled]
- )
- is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
- :type => 'LocalAddress 127.0.0.1 User',
- :name => 'nova_migration',
- :options => {
- 'ForceCommand' => '/bin/nova-migration-wrapper',
- 'PasswordAuthentication' => 'no',
- 'AllowTcpForwarding' => 'no',
- 'X11Forwarding' => 'no',
- 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
- }
- )
- is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
- :type => 'LocalAddress',
- :name => '!127.0.0.1',
- :options => {
- 'DenyUsers' => 'nova_migration'
- }
- )
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'present'
- )
- is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
- :content => 'ssh-rsa bar',
- :mode => '0640',
- :owner => 'root',
- :group => 'nova_migration',
- )
- is_expected.to contain_file('/etc/nova/migration/identity').with(
- :content => 'foo',
- :mode => '0600',
- :owner => 'nova',
- :group => 'nova',
- )
- is_expected.to contain_user('nova_migration').with(
- :shell => '/bin/bash'
- )
- }
- end
-
- context 'with step 4 with libvirt TLS and migration ssh key' do
- let(:pre_condition) do
- <<-eof
- include ::nova::compute::libvirt::services
- class { '::ssh::server':
- storeconfigs_enabled => false,
- options => {}
- }
- eof
- end
- let(:params) { {
- :step => 4,
- :libvirt_enabled => true,
- :manage_migration => true,
- :nova_compute_enabled => true,
- :bootstrap_node => 'node.example.com',
- :oslomsg_rpc_hosts => [ 'localhost' ],
- :oslomsg_rpc_password => 'foo',
- :libvirt_tls => true,
- :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}
- } }
-
- it {
- is_expected.to contain_class('tripleo::profile::base::nova')
- is_expected.to contain_class('nova').with(
- :default_transport_url => /.+/,
- :notification_transport_url => /.+/,
- :nova_public_key => nil,
- :nova_private_key => nil,
- )
- is_expected.to contain_class('nova::config')
- is_expected.to contain_class('nova::placement')
- is_expected.to contain_class('nova::cache')
- is_expected.to contain_class('nova::migration::libvirt').with(
- :transport => 'tls',
- :configure_libvirt => params[:libvirt_enabled],
- :configure_nova => params[:nova_compute_enabled]
- )
- is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
- :type => 'User',
- :name => 'nova_migration',
- :options => {
- 'ForceCommand' => '/bin/nova-migration-wrapper',
- 'PasswordAuthentication' => 'no',
- 'AllowTcpForwarding' => 'no',
- 'X11Forwarding' => 'no',
- 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
- }
- )
- is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
- is_expected.to contain_package('openstack-nova-migration').with(
- :ensure => 'present'
- )
- is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
- :content => 'ssh-rsa bar',
- :mode => '0640',
- :owner => 'root',
- :group => 'nova_migration',
- )
- is_expected.to contain_file('/etc/nova/migration/identity').with(
- :content => 'foo',
- :mode => '0600',
- :owner => 'nova',
- :group => 'nova',
- )
- is_expected.to contain_user('nova_migration').with(
- :shell => '/bin/bash'
- )
- }
- end
-
end
# octavia related items
octavia::rabbit_password: 'password'
horizon::secret_key: 'secrete'
-service_names: ['sshd']
#Neutron related
neutron::rabbit_password: 'password'
Code Review / apex-puppet-tripleo.git / commitdiff