Make libvirt migration security configurable

Adding flags to choose between tls/tcp connections as well as
sasl/none authentication when configuring libvirt migration.

This allows deploying proper libvirt security in combination with
the nova::compute class.

Change-Id: Ib479a1f4cd2df0d55347ed71fb8f0ab69aaeceef
David Gurtner 2015-04-09 01:25:32 +02:00
parent 517b7b800c
commit 1383cee7d4
4 changed files with 137 additions and 20 deletions


@ -135,7 +135,7 @@ class nova::compute::libvirt (
if $vncserver_listen != '0.0.0.0' and $vncserver_listen != '::0' {
fail('For migration support to work, you MUST set vncserver_listen to \'0.0.0.0\' or \'::0\'')
} else {
class { '::nova::migration::libvirt': }
include ::nova::migration::libvirt
}
}
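Review bot: The switch to `include ::nova::migration::libvirt` (assuming the `class { '::nova::migration::libvirt': }` line is the removed one) deserves a comment, because nova::compute::libvirt exposes neither `use_tls` nor `auth` and a reader will wonder how those are meant to be set. With `include`, an operator can declare `class { '::nova::migration::libvirt': use_tls => true, auth => 'sasl' }` before this class without a duplicate-declaration error, which presumably is the intent stated in the commit message, whereas the resource-like form would have conflicted with such a declaration. Suggested comment above the include: `# include, not a resource-like declaration: callers may declare nova::migration::libvirt with use_tls/auth themselves.` The enclosing if/else and the class continue outside the hunk.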


@ -2,7 +2,33 @@
#
# Sets libvirt config that is required for migration
#
class nova::migration::libvirt {
# === Parameters:
#
# [*use_tls*]
# (optional) Use tls for remote connections to libvirt
# Defaults to false
#
# [*auth*]
# (optional) Use this authentication scheme for remote libvirt connections.
# Valid options are none and sasl.
# Defaults to 'none'
#
class nova::migration::libvirt(
$use_tls = false,
$auth = 'none',
){
if $use_tls {
$listen_tls = '1'
$listen_tcp = '0'
nova_config {
'libvirt/live_migration_uri': value => 'qemu+tls://%s/system';
}
} else {
$listen_tls = '0'
$listen_tcp = '1'
}
validate_re($auth, [ '^sasl$', '^none$' ], 'Valid options for auth are none and sasl.')
Package['libvirt'] -> File_line<| path == '/etc/libvirt/libvirtd.conf' |>
@ -10,23 +36,32 @@ class nova::migration::libvirt {
'RedHat': {
file_line { '/etc/libvirt/libvirtd.conf listen_tls':
path => '/etc/libvirt/libvirtd.conf',
line => 'listen_tls = 0',
line => "listen_tls = ${listen_tls}",
match => 'listen_tls =',
notify => Service['libvirt'],
}
file_line { '/etc/libvirt/libvirtd.conf listen_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => 'listen_tcp = 1',
line => "listen_tcp = ${listen_tcp}",
match => 'listen_tcp =',
notify => Service['libvirt'],
}
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => 'auth_tcp = "none"',
match => 'auth_tcp =',
notify => Service['libvirt'],
if $use_tls {
file_line { '/etc/libvirt/libvirtd.conf auth_tls':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tls = \"${auth}\"",
match => 'auth_tls =',
notify => Service['libvirt'],
}
} else {
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tcp = \"${auth}\"",
match => 'auth_tcp =',
notify => Service['libvirt'],
}
}
file_line { '/etc/sysconfig/libvirtd libvirtd args':
@ -42,24 +77,34 @@ class nova::migration::libvirt {
'Debian': {
file_line { '/etc/libvirt/libvirtd.conf listen_tls':
path => '/etc/libvirt/libvirtd.conf',
line => 'listen_tls = 0',
line => "listen_tls = ${listen_tls}",
match => 'listen_tls =',
notify => Service['libvirt'],
}
file_line { '/etc/libvirt/libvirtd.conf listen_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => 'listen_tcp = 1',
line => "listen_tcp = ${listen_tcp}",
match => 'listen_tcp =',
notify => Service['libvirt'],
}
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => 'auth_tcp = "none"',
match => 'auth_tcp =',
notify => Service['libvirt'],
if $use_tls {
file_line { '/etc/libvirt/libvirtd.conf auth_tls':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tls = \"${auth}\"",
match => 'auth_tls =',
notify => Service['libvirt'],
}
} else {
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tcp = \"${auth}\"",
match => 'auth_tcp =',
notify => Service['libvirt'],
}
}
file_line { "/etc/default/${::nova::compute::libvirt::libvirt_service_name} libvirtd opts":
path => "/etc/default/${::nova::compute::libvirt::libvirt_service_name}",
line => 'libvirtd_opts="-d -l"',
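Review bot: In the first hunk `nova_config { 'libvirt/live_migration_uri': ... }` is declared only inside `if $use_tls`, so a host once configured with `use_tls => true` keeps the `qemu+tls://%s/system` URI after switching back to tcp while libvirtd stops listening on TLS (`listen_tls = 0`), and migrations then fail. The else branch should manage the key too, e.g. `nova_config { 'libvirt/live_migration_uri': ensure => absent; }` to fall back to nova's default, or set the tcp URI explicitly. The defaults (`use_tls => false`, `auth => 'none'`) also yield a TCP listener with `auth_tcp = "none"`, i.e. unauthenticated and unencrypted remote control of libvirtd; the `[*auth*]` documentation should state that plainly and recommend `use_tls => true` with `auth => 'sasl'` outside an isolated management network. Minor: `validate_re` applies Ruby regexes where `^`/`$` match per line, so `'\Asasl\z'`/`'\Anone\z'` are the stricter anchors for a value that ends up in libvirtd.conf via file_line. The class body continues outside the hunks.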


@ -90,6 +90,10 @@ describe 'nova::compute::libvirt' do
it { is_expected.to contain_class('nova::migration::libvirt')}
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('0.0.0.0')}
it { is_expected.to contain_file_line('/etc/default/libvirt-bin libvirtd opts').with(:line => 'libvirtd_opts="-d -l"') }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end
context 'with vncserver_listen set to ::0' do
@ -101,6 +105,10 @@ describe 'nova::compute::libvirt' do
it { is_expected.to contain_class('nova::migration::libvirt')}
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('::0')}
it { is_expected.to contain_file_line('/etc/default/libvirt-bin libvirtd opts').with(:line => 'libvirtd_opts="-d -l"') }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end
context 'with vncserver_listen not set to 0.0.0.0' do
@ -215,6 +223,26 @@ describe 'nova::compute::libvirt' do
it { is_expected.to contain_class('nova::migration::libvirt')}
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('0.0.0.0')}
it { is_expected.to contain_file_line('/etc/sysconfig/libvirtd libvirtd args').with(:line => 'LIBVIRTD_ARGS="--listen"') }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end
context 'with vncserver_listen set to ::0' do
let :params do
{ :vncserver_listen => '::0',
:migration_support => true }
end
it { is_expected.to contain_class('nova::migration::libvirt')}
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('::0')}
it { is_expected.to contain_file_line('/etc/sysconfig/libvirtd libvirtd args').with(:line => 'LIBVIRTD_ARGS="--listen"') }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end
context 'with vncserver_listen not set to 0.0.0.0' do
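Review bot: The same four `file_line` expectations (`listen_tls = 0`, `listen_tcp = 1`, no `auth_tls`, `auth_tcp = "none"`) are pasted into each of the four vncserver_listen contexts across the hunks; a single `shared_examples_for 'libvirt migration over tcp without auth'` pulled in with `it_behaves_like` would keep them in one place when the defaults change. These examples cover only the default, unauthenticated tcp mode, which is fine because nova::compute::libvirt passes no `use_tls`/`auth` through, but that coupling is worth a comment such as `# nova::compute::libvirt does not expose use_tls/auth; tls and sasl variants are covered in nova::migration::libvirt's spec.`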


@ -31,12 +31,56 @@ describe 'nova::migration::libvirt' do
shared_examples_for 'nova migration with libvirt' do
it 'configure libvirtd.conf' do
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => 'listen_tls = 0')
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => 'listen_tcp = 1')
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => 'auth_tcp = "none"')
context 'with default params' do
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end
context 'with tls enabled' do
let :params do
{
:use_tls => true,
}
end
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 1") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"none\"") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
end
context 'with auth set to sasl' do
let :params do
{
:auth => 'sasl',
}
end
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"sasl\"") }
end
context 'with auth set to sasl and tls enabled' do
let :params do
{
:auth => 'sasl',
:use_tls => true
}
end
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"sasl\"") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
end
context 'with auth set to an invalid setting' do
let :params do
{
:auth => 'inexistent_auth',
}
end
it { expect { is_expected.to contain_class('nova::compute::libvirt') }.to \
raise_error(Puppet::Error, /Valid options for auth are none and sasl./) }
end
end
context 'on Debian platforms' do
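Review bot: The invalid-`auth` example at the end of the hunk asserts `contain_class('nova::compute::libvirt')` although this spec describes `nova::migration::libvirt`; the catalog fails to compile either way so the example passes, but the matcher name is misleading and should read `contain_class('nova::migration::libvirt')`. The unescaped `.` in `/Valid options for auth are none and sasl./` matches any character; `/Valid options for auth are none and sasl\./` pins the literal message. Once the class manages `libvirt/live_migration_uri` in both branches, the default-params context should also assert its tcp-mode value so a stale `qemu+tls://` setting cannot slip through.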