diff --git a/attributes/libvirtd_conf.rb b/attributes/libvirtd_conf.rb index 230d8b55..f203a0f9 100644 --- a/attributes/libvirtd_conf.rb +++ b/attributes/libvirtd_conf.rb @@ -1,18 +1,7 @@ # libvirtd_opts used in template for /etc/default/libvirt-bin default['openstack']['compute']['libvirt']['libvirtd_opts'] = '-l' -default['openstack']['compute']['libvirt']['auth_tcp'] = 'none' -# libvirt.max_clients (default: 20) -default['openstack']['compute']['libvirt']['max_clients'] = 20 -# libvirt.max_workers (default: 20) -default['openstack']['compute']['libvirt']['max_workers'] = 20 -# libvirt.max_requests (default: 20) -default['openstack']['compute']['libvirt']['max_requests'] = 20 -# libvirt.max_client_requests (default: 5) -default['openstack']['compute']['libvirt']['max_client_requests'] = 5 default['openstack']['compute']['libvirt']['group'] = 'libvirt' -default['openstack']['compute']['libvirt']['unix_sock_rw_perms'] = '0770' -default['openstack']['compute']['libvirt']['libvirt_inject_key'] = true default['openstack']['compute']['libvirt']['volume_backend'] = nil default['openstack']['compute']['libvirt']['rbd']['cinder']['pool'] = 'volumes' @@ -20,3 +9,16 @@ default['openstack']['compute']['libvirt']['rbd']['glance']['pool'] = 'images' default['openstack']['compute']['libvirt']['rbd']['nova']['pool'] = 'instances' default['openstack']['compute']['libvirt']['rbd']['cinder']['user'] = 'cinder' default['openstack']['compute']['libvirt']['rbd']['cinder']['secret_uuid'] = '00000000-0000-0000-0000-000000000000' + +default['openstack']['compute']['libvirt']['conf'].tap do |conf| + conf['listen_tls'] = '0' + conf['listen_tcp'] = '1' + conf['unix_sock_rw_perms'] = '"0770"' + conf['auth_unix_ro'] = '"none"' + conf['auth_unix_rw'] = '"none"' + conf['auth_tcp'] = '"none"' + conf['max_clients'] = '20' + conf['max_workers'] = '20' + conf['max_requests'] = '20' + conf['max_client_requests'] = '5' +end diff --git a/metadata.rb b/metadata.rb index 0058cbec..43b757d9 100644 --- a/metadata.rb +++ b/metadata.rb @@ -5,7 +5,7 @@ issues_url 'https://launchpad.net/openstack-chef' if respond_to?(:issues_u source_url 'https://github.com/openstack/cookbook-openstack-compute' if respond_to?(:source_url) license 'Apache-2.0' description 'The OpenStack Compute service Nova.' -version '16.0.2' +version '16.0.3' chef_version '>= 12.5' if respond_to?(:chef_version) long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) diff --git a/recipes/libvirt.rb b/recipes/libvirt.rb index c020f6fb..dcfc6c66 100644 --- a/recipes/libvirt.rb +++ b/recipes/libvirt.rb @@ -91,7 +91,8 @@ def update_boot_kernel_and_trigger_reboot(flavor = 'default') end end -group node['openstack']['compute']['libvirt']['group'] do +libvirt_group = node['openstack']['compute']['libvirt']['group'] +group libvirt_group do append true members [node['openstack']['compute']['group']] action :create @@ -122,15 +123,15 @@ execute 'Deleting default libvirt network' do only_if 'virsh net-list | grep -q default' end -# TODO(breu): this section needs to be rewritten to support key privisioning +node.default['openstack']['compute']['libvirt']['conf']['unix_sock_group'] = "'#{libvirt_group}'" + template '/etc/libvirt/libvirtd.conf' do source 'libvirtd.conf.erb' owner 'root' group 'root' mode 0o0644 variables( - auth_tcp: node['openstack']['compute']['libvirt']['auth_tcp'], - libvirt_group: node['openstack']['compute']['libvirt']['group'] + service_config: node['openstack']['compute']['libvirt']['conf'] ) notifies :restart, 'service[libvirt-bin]', :immediately end diff --git a/templates/default/libvirtd.conf.erb b/templates/default/libvirtd.conf.erb index aa5c6a6f..8b94d950 100644 --- a/templates/default/libvirtd.conf.erb +++ b/templates/default/libvirtd.conf.erb @@ -1,395 +1,9 @@ <%= node["openstack"]["compute"]["custom_template_banner"] %> - -# Master libvirt daemon configuration file -# -# For further information consult http://libvirt.org/format.html -# -# NOTE: the tests/daemon-conf regression test script requires -# that each "PARAMETER = VALUE" line in this file have the parameter -# name just after a leading "#". - -################################################################# -# -# Network connectivity controls -# - -# Flag listening for secure TLS connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# It is necessary to setup a CA and issue server certificates before -# using this capability. -# -# This is enabled by default, uncomment this to disable it -listen_tls = 0 - -# Listen for unencrypted TCP connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# Using the TCP socket requires SASL authentication by default. Only -# SASL mechanisms which support data encryption are allowed. This is -# DIGEST_MD5 and GSSAPI (Kerberos5) -# -# This is disabled by default, uncomment this to enable it. -listen_tcp = 1 - - - -# Override the port for accepting secure TLS connections -# This can be a port number, or service name -# -#tls_port = "16514" - -# Override the port for accepting insecure TCP connections -# This can be a port number, or service name -# -#tcp_port = "16509" - - -# Override the default configuration which binds to all network -# interfaces. This can be a numeric IPv4/6 address, or hostname -# -#listen_addr = "192.168.0.1" - - -# Flag toggling mDNS advertizement of the libvirt service. -# -# Alternatively can disable for all services on a host by -# stopping the Avahi daemon -# -# This is enabled by default, uncomment this to disable it -#mdns_adv = 0 - -# Override the default mDNS advertizement name. This must be -# unique on the immediate broadcast network. -# -# The default is "Virtualization Host HOSTNAME", where HOSTNAME -# is subsituted for the short hostname of the machine (without domain) -# -#mdns_name = "Virtualization Host Joe Demo" - - -################################################################# -# -# UNIX socket access controls -# - -# Set the UNIX domain socket group ownership. This can be used to -# allow a 'trusted' set of users access to management capabilities -# without becoming root. -# -# This is restricted to 'root' by default. -unix_sock_group = "<%= @libvirt_group %>" - -# Set the UNIX socket permissions for the R/O socket. This is used -# for monitoring VM status only -# -# Default allows any user. If setting group ownership may want to -# restrict this to: -#unix_sock_ro_perms = "0777" - -# Set the UNIX socket permissions for the R/W socket. This is used -# for full management of VMs -# -# Default allows only root. If PolicyKit is enabled on the socket, -# the default will change to allow everyone (eg, 0777) -# -# If not using PolicyKit and setting group ownership for access -# control then you may want to relax this to: -unix_sock_rw_perms = "<%= node['openstack']['compute']['libvirt']['unix_sock_rw_perms']%>" - -# Set the name of the directory in which sockets will be found/created. -#unix_sock_dir = "/var/run/libvirt" - -################################################################# -# -# Authentication. -# -# - none: do not perform auth checks. If you can connect to the -# socket you are allowed. This is suitable if there are -# restrictions on connecting to the socket (eg, UNIX -# socket permissions), or if there is a lower layer in -# the network providing auth (eg, TLS/x509 certificates) -# -# - sasl: use SASL infrastructure. The actual auth scheme is then -# controlled from /etc/sasl2/libvirt.conf. For the TCP -# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. -# -# - polkit: use PolicyKit to authenticate. This is only suitable -# for use on the UNIX sockets. The default policy will -# require a user to supply their own password to gain -# full read/write access (aka sudo like), while anyone -# is allowed read/only access. -# -# Set an authentication scheme for UNIX read-only sockets -# By default socket permissions allow anyone to connect -# -# To restrict monitoring of domains you may wish to enable -# an authentication mechanism here -auth_unix_ro = "none" - -# Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. If PolicyKit -# support was compiled into libvirt, the default will be to -# use 'polkit' auth. -# -# If the unix_sock_rw_perms are changed you may wish to enable -# an authentication mechanism here -auth_unix_rw = "none" - -# Change the authentication scheme for TCP sockets. -# -# If you don't enable SASL, then all TCP traffic is cleartext. -# Don't do this outside of a dev/test scenario. For real world -# use, always enable SASL and use the GSSAPI or DIGEST-MD5 -# mechanism in /etc/sasl2/libvirt.conf -auth_tcp = "<%= @auth_tcp %>" - -# Change the authentication scheme for TLS sockets. -# -# TLS sockets already have encryption provided by the TLS -# layer, and limited authentication is done by certificates -# -# It is possible to make use of any SASL authentication -# mechanism as well, by using 'sasl' for this option -#auth_tls = "none" - - - -################################################################# -# -# TLS x509 certificate configuration -# - - -# Override the default server key file path -# -#key_file = "/etc/pki/libvirt/private/serverkey.pem" - -# Override the default server certificate file path -# -#cert_file = "/etc/pki/libvirt/servercert.pem" - -# Override the default CA certificate path -# -#ca_file = "/etc/pki/CA/cacert.pem" - -# Specify a certificate revocation list. -# -# Defaults to not using a CRL, uncomment to enable it -#crl_file = "/etc/pki/CA/crl.pem" - - - -################################################################# -# -# Authorization controls -# - - -# Flag to disable verification of our own server certificates -# -# When libvirtd starts it performs some sanity checks against -# its own certificates. -# -# Default is to always run sanity checks. Uncommenting this -# will disable sanity checks which is not a good idea -#tls_no_sanity_certificate = 1 - -# Flag to disable verification of client certificates -# -# Client certificate verification is the primary authentication mechanism. -# Any client which does not present a certificate signed by the CA -# will be rejected. -# -# Default is to always verify. Uncommenting this will disable -# verification - make sure an IP whitelist is set -#tls_no_verify_certificate = 1 - - -# A whitelist of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=GB,ST=London,L=London,O=Red Hat,CN=*" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -#tls_allowed_dn_list = ["DN1", "DN2"] - - -# A whitelist of allowed SASL usernames. The format for usernames -# depends on the SASL authentication mechanism. Kerberos usernames -# look like username@REALM -# -# This list may contain wildcards such as -# -# "*@EXAMPLE.COM" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no Username's are checked -#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] - - - -################################################################# -# -# Processing controls -# - -# The maximum number of concurrent client connections to allow -# over all sockets combined. -max_clients = <%= node['openstack']['compute']['libvirt']['max_clients'] %> - - -# The minimum limit sets the number of workers to start up -# initially. If the number of active clients exceeds this, -# then more threads are spawned, upto max_workers limit. -# Typically you'd want max_workers to equal maximum number -# of clients allowed -#min_workers = 5 -max_workers = <%= node['openstack']['compute']['libvirt']['max_workers'] %> - - -# The number of priority workers. If all workers from above -# pool will stuck, some calls marked as high priority -# (notably domainDestroy) can be executed in this pool. -#prio_workers = 5 - -# Total global limit on concurrent RPC calls. Should be -# at least as large as max_workers. Beyond this, RPC requests -# will be read into memory and queued. This directly impact -# memory usage, currently each request requires 256 KB of -# memory. So by default upto 5 MB of memory is used -# -# XXX this isn't actually enforced yet, only the per-client -# limit is used so far -max_requests = <%= node['openstack']['compute']['libvirt']['max_requests'] %> - -# Limit on concurrent requests from a single client -# connection. To avoid one client monopolizing the server -# this should be a small fraction of the global max_requests -# and max_workers parameter -max_client_requests = <%= node['openstack']['compute']['libvirt']['max_client_requests'] %> - -################################################################# -# -# Logging controls -# - -# Logging level: 4 errors, 3 warnings, 2 information, 1 debug -# basically 1 will log everything possible -#log_level = 3 - -# Logging filters: -# A filter allows to select a different logging level for a given category -# of logs -# The format for a filter is: -# x:name -# where name is a match string e.g. remote or qemu -# the x prefix is the minimal level where matching messages should be logged -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple filter can be defined in a single @filters, they just need to be -# separated by spaces. -# -# e.g: -# log_filters="3:remote 4:event" -# to only get warning or errors from the remote layer and only errors from -# the event layer. - -# Logging outputs: -# An output is one of the places to save logging information -# The format for an output can be: -# x:stderr -# output goes to stderr -# x:syslog:name -# use syslog for the output and use the given name as the ident -# x:file:file_path -# output to a file, with the given filepath -# In all case the x prefix is the minimal level, acting as a filter -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple output can be defined, they just need to be separated by spaces. -# e.g.: -# log_outputs="3:syslog:libvirtd" -# to log all warnings and errors to syslog under the libvirtd ident - -# Log debug buffer size: default 64 -# The daemon keeps an internal debug log buffer which will be dumped in case -# of crash or upon receiving a SIGUSR2 signal. This setting allows to override -# the default buffer size in kilobytes. -# If value is 0 or less the debug log buffer is deactivated -#log_buffer_size = 64 - - -################################################################## -# -# Auditing -# -# This setting allows usage of the auditing subsystem to be altered: -# -# audit_level == 0 -> disable all auditing -# audit_level == 1 -> enable auditing, only if enabled on host (default) -# audit_level == 2 -> enable auditing, and exit if disabled on host -# -#audit_level = 2 -# -# If set to 1, then audit messages will also be sent -# via libvirt logging infrastructure. Defaults to 0 -# -#audit_logging = 1 - -################################################################### -# UUID of the host: -# Provide the UUID of the host here in case the command -# 'dmidecode -s system-uuid' does not provide a valid uuid. In case -# 'dmidecode' does not provide a valid UUID and none is provided here, a -# temporary UUID will be generated. -# Keep the format of the example UUID below. UUID must not have all digits -# be the same. - -# NB This default all-zeros UUID will not work. Replace -# it with the output of the 'uuidgen' command and then -# uncomment this entry -#host_uuid = "00000000-0000-0000-0000-000000000000" - -################################################################### -# Keepalive protocol: -# This allows libvirtd to detect broken client connections or even -# dead client. A keepalive message is sent to a client after -# keepalive_interval seconds of inactivity to check if the client is -# still responding; keepalive_count is a maximum number of keepalive -# messages that are allowed to be sent to the client without getting -# any response before the connection is considered broken. In other -# words, the connection is automatically closed approximately after -# keepalive_interval * (keepalive_count + 1) seconds since the last -# message received from the client. If keepalive_interval is set to -# -1, libvirtd will never send keepalive requests; however clients -# can still send them and the deamon will send responses. When -# keepalive_count is set to 0, connections will be automatically -# closed after keepalive_interval seconds of inactivity without -# sending any keepalive messages. -# -#keepalive_interval = 5 -#keepalive_count = 5 -# -# If set to 1, libvirtd will refuse to talk to clients that do not -# support keepalive protocol. Defaults to 0. -# -#keepalive_required = 1 +<% @service_config.each do |key, value| -%> + <% if value.class == Hash -%> +<%= "# #{value['comment']}" -%> +<%= key %> = <%= value['set_to'] %> + <% else -%> +<%= key %> = <%= value %> + <% end -%> +<% end -%>