Add support for native TLS encryption on NBD for disk migration
The NBD protocol previously ran in clear text, offering no security protection for the data transferred, unless it was tunnelled over some external transport like SSH. Such tunnelling is inefficient and inconvenient to manage. Support for TLS to the NBD clients & servers provided by QEMU was added. This adds support to configure nbd related qemu.conf parameters. Related-Bug: 1793093 Change-Id: I2c613faf55731af56735f8363b18e6c0e6185d9c
This commit is contained in:
parent
4fcf801e0e
commit
0c54e9becb
@ -33,6 +33,10 @@
# NOTE: big files will be stored here
# Defaults to undef.
#
# [*nbd_tls*]
# (optional) Enables TLS for nbd connections.
# Defaults to false.
#
class nova::compute::libvirt::qemu(
$configure_qemu = false,
$group = undef,
@ -40,7 +44,8 @@ class nova::compute::libvirt::qemu(
$max_processes = 4096,
$vnc_tls = false,
$vnc_tls_verify = true,
$memory_backing_dir = undef
$memory_backing_dir = undef,
$nbd_tls = false
){
|
include ::nova::deps
@ -63,11 +68,18 @@ class nova::compute::libvirt::qemu(
$vnc_tls_verify_value = 0
}
|
if $nbd_tls {
$nbd_tls_value = 1
} else {
$nbd_tls_value = 0
}
|
$augues_changes_default = [
"set max_files ${max_files}",
"set max_processes ${max_processes}",
"set vnc_tls ${vnc_tls_value}",
"set vnc_tls_x509_verify ${vnc_tls_verify_value}"
"set vnc_tls_x509_verify ${vnc_tls_verify_value}",
"set nbd_tls ${nbd_tls_value}"
]
if $group and !empty($group) {
$augues_group_changes = ["set group ${group}"]
@ -95,7 +107,8 @@ class nova::compute::libvirt::qemu(
'rm group',
'rm vnc_tls',
'rm vnc_tls_x509_verify',
'rm memory_backing_dir'
'rm memory_backing_dir',
'rm nbd_tls'
],
tag => 'qemu-conf-augeas',
}
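Review bot: The new `nbd_tls` parameter only writes `set nbd_tls 1` into qemu.conf; nothing in this class deploys or points libvirt at the x509 material the NBD server will need, so the operator has to provision it out of band and the parameter documentation in the first hunk should say so, e.g. `# (optional) Enables TLS for nbd connections. The x509 certificates must already be present in libvirt's nbd_tls_x509_cert_dir (falling back to default_tls_x509_cert_dir); this class does not manage them.` It is presumably also only effective when the migration itself is requested with TLS on the Nova side (the [libvirt] live_migration_with_native_tls option), which this module does not touch; a one-line pointer to that in the same comment would save operators from assuming the disk stream is encrypted once this flag is set. Like its siblings the parameter is untyped, so a string `'false'` coming from Hiera is truthy in `if $nbd_tls` and silently enables the setting; consistent with the file, but worth a `Boolean $nbd_tls = false` declaration if the module's Puppet baseline allows parameter types.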
@ -0,0 +1,11 @@
---
features:
- |
Add support for native TLS encryption on NBD for disk migration
|
The NBD protocol previously runs in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. This adds support to configure ndb related
qemu.conf parameters.
@ -18,7 +18,7 @@ describe 'nova::compute::libvirt::qemu' do
end
it { is_expected.to contain_augeas('qemu-conf-limits').with({
:context => '/files/etc/libvirt/qemu.conf',
:changes => [ "rm max_files", "rm max_processes", "rm group", "rm vnc_tls", "rm vnc_tls_x509_verify", "rm memory_backing_dir" ],
:changes => [ "rm max_files", "rm max_processes", "rm group", "rm vnc_tls", "rm vnc_tls_x509_verify", "rm memory_backing_dir", "rm nbd_tls" ],
}).that_notifies('Service[libvirt]') }
end
|
@ -30,7 +30,7 @@ describe 'nova::compute::libvirt::qemu' do
end
it { is_expected.to contain_augeas('qemu-conf-limits').with({
:context => '/files/etc/libvirt/qemu.conf',
:changes => [ "set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0" ],
:changes => [ "set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0" ],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
end
@ -45,7 +45,7 @@ describe 'nova::compute::libvirt::qemu' do
end
it { is_expected.to contain_augeas('qemu-conf-limits').with({
:context => '/files/etc/libvirt/qemu.conf',
:changes => [ "set max_files 32768", "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0" ],
:changes => [ "set max_files 32768", "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0" ],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
end
@ -67,6 +67,7 @@ describe 'nova::compute::libvirt::qemu' do
"set max_processes 131072",
"set vnc_tls 0",
"set vnc_tls_x509_verify 0",
"set nbd_tls 0",
"set group openvswitch",
"set memory_backing_dir /tmp"
],
@ -87,7 +88,8 @@ describe 'nova::compute::libvirt::qemu' do
"set max_files 1024",
"set max_processes 4096",
"set vnc_tls 1",
"set vnc_tls_x509_verify 1"
"set vnc_tls_x509_verify 1",
"set nbd_tls 0"
],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
@ -107,7 +109,28 @@ describe 'nova::compute::libvirt::qemu' do
"set max_files 1024",
"set max_processes 4096",
"set vnc_tls 1",
"set vnc_tls_x509_verify 0"
"set vnc_tls_x509_verify 0",
"set nbd_tls 0"
],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
end
|
context 'when configuring qemu with nbd_tls' do
let :params do
{
:configure_qemu => true,
:nbd_tls => true
}
end
it { is_expected.to contain_augeas('qemu-conf-limits').with({
:context => '/files/etc/libvirt/qemu.conf',
:changes => [
"set max_files 1024",
"set max_processes 4096",
"set vnc_tls 0",
"set vnc_tls_x509_verify 0",
"set nbd_tls 1"
],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
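Review bot: Every context in this spec repeats the full literal `:changes` array, which is why this commit has to append `"set nbd_tls 0"` to five existing expectations (the hunks at -30, -45, -67, -87 and -107) before the one new context that actually exercises `nbd_tls => true`; the next qemu.conf key will need the same sweep. A shared `let(:default_changes) { ["set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0"] }` that the default-value contexts reference directly, and that the others build on (`:changes => default_changes - ["set nbd_tls 0"] + ["set nbd_tls 1"]`, or a small helper that substitutes one key), would keep each context asserting only the value it varies; the array comparison stays order-sensitive, so the substitution helper should preserve position. The new `when configuring qemu with nbd_tls` context and the enclosing `describe` close outside this hunk.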