Make libvirt migration security configurable
Adds flags to choose between tls/tcp connections as well as sasl/none authentication when configuring libvirt migration. This allows deploying proper libvirt security in combination with the nova::compute class. Change-Id: Ib479a1f4cd2df0d55347ed71fb8f0ab69aaeceef
parent
517b7b800c
commit
1383cee7d4
|
@ -135,7 +135,7 @@ class nova::compute::libvirt (
|
|||
if $vncserver_listen != '0.0.0.0' and $vncserver_listen != '::0' {
|
||||
fail('For migration support to work, you MUST set vncserver_listen to \'0.0.0.0\' or \'::0\'')
|
||||
} else {
|
||||
class { '::nova::migration::libvirt': }
|
||||
include ::nova::migration::libvirt
|
||||
}
|
||||
}
|
||||
|
||||
|
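Review bot: Replacing `class { '::nova::migration::libvirt': }` with `include ::nova::migration::libvirt` means the new `use_tls` and `auth` parameters cannot be passed from nova::compute::libvirt; as far as this hunk shows they are only reachable through Hiera automatic parameter lookup or an earlier resource-like declaration. That is presumably intended, but it is not obvious to an operator enabling `migration_support`, so a comment on the `include` line would help: `# use_tls/auth for nova::migration::libvirt are expected via hiera data bindings`. The enclosing class nova::compute::libvirt starts outside the hunk.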
|
|
@ -2,7 +2,33 @@
|
|||
#
|
||||
# Sets libvirt config that is required for migration
|
||||
#
|
||||
class nova::migration::libvirt {
|
||||
# === Parameters:
|
||||
#
|
||||
# [*use_tls*]
|
||||
# (optional) Use tls for remote connections to libvirt
|
||||
# Defaults to false
|
||||
#
|
||||
# [*auth*]
|
||||
# (optional) Use this authentication scheme for remote libvirt connections.
|
||||
# Valid options are none and sasl.
|
||||
# Defaults to 'none'
|
||||
#
|
||||
class nova::migration::libvirt(
|
||||
$use_tls = false,
|
||||
$auth = 'none',
|
||||
){
|
||||
if $use_tls {
|
||||
$listen_tls = '1'
|
||||
$listen_tcp = '0'
|
||||
nova_config {
|
||||
'libvirt/live_migration_uri': value => 'qemu+tls://%s/system';
|
||||
}
|
||||
} else {
|
||||
$listen_tls = '0'
|
||||
$listen_tcp = '1'
|
||||
}
|
||||
|
||||
validate_re($auth, [ '^sasl$', '^none$' ], 'Valid options for auth are none and sasl.')
|
||||
|
||||
Package['libvirt'] -> File_line<| path == '/etc/libvirt/libvirtd.conf' |>
|
||||
|
||||
|
@ -10,23 +36,32 @@ class nova::migration::libvirt {
|
|||
'RedHat': {
|
||||
file_line { '/etc/libvirt/libvirtd.conf listen_tls':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => 'listen_tls = 0',
|
||||
line => "listen_tls = ${listen_tls}",
|
||||
match => 'listen_tls =',
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
|
||||
file_line { '/etc/libvirt/libvirtd.conf listen_tcp':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => 'listen_tcp = 1',
|
||||
line => "listen_tcp = ${listen_tcp}",
|
||||
match => 'listen_tcp =',
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
|
||||
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => 'auth_tcp = "none"',
|
||||
match => 'auth_tcp =',
|
||||
notify => Service['libvirt'],
|
||||
if $use_tls {
|
||||
file_line { '/etc/libvirt/libvirtd.conf auth_tls':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => "auth_tls = \"${auth}\"",
|
||||
match => 'auth_tls =',
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
} else {
|
||||
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => "auth_tcp = \"${auth}\"",
|
||||
match => 'auth_tcp =',
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
}
|
||||
|
||||
file_line { '/etc/sysconfig/libvirtd libvirtd args':
|
||||
|
@ -42,24 +77,34 @@ class nova::migration::libvirt {
|
|||
'Debian': {
|
||||
file_line { '/etc/libvirt/libvirtd.conf listen_tls':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => 'listen_tls = 0',
|
||||
line => "listen_tls = ${listen_tls}",
|
||||
match => 'listen_tls =',
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
|
||||
file_line { '/etc/libvirt/libvirtd.conf listen_tcp':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => 'listen_tcp = 1',
|
||||
line => "listen_tcp = ${listen_tcp}",
|
||||
match => 'listen_tcp =',
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
|
||||
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => 'auth_tcp = "none"',
|
||||
match => 'auth_tcp =',
|
||||
notify => Service['libvirt'],
|
||||
if $use_tls {
|
||||
file_line { '/etc/libvirt/libvirtd.conf auth_tls':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => "auth_tls = \"${auth}\"",
|
||||
match => 'auth_tls =',
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
} else {
|
||||
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
|
||||
path => '/etc/libvirt/libvirtd.conf',
|
||||
line => "auth_tcp = \"${auth}\"",
|
||||
match => 'auth_tcp =',
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
}
|
||||
|
||||
file_line { "/etc/default/${::nova::compute::libvirt::libvirt_service_name} libvirtd opts":
|
||||
path => "/etc/default/${::nova::compute::libvirt::libvirt_service_name}",
|
||||
line => 'libvirtd_opts="-d -l"',
|
||||
|
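Review bot: The `else` branch of `if $use_tls` manages `listen_tls`/`listen_tcp` but leaves `libvirt/live_migration_uri` unmanaged, so a node that was once applied with `use_tls => true` keeps `qemu+tls://%s/system` in nova.conf after switching back to TCP while libvirtd no longer listens on TLS, and live migration fails silently until someone edits nova.conf by hand; adding `nova_config { 'libvirt/live_migration_uri': value => 'qemu+tcp://%s/system'; }` to the else branch (nova's default for the tcp transport) makes the toggle reversible. The same applies to `auth_tcp`/`auth_tls`: only one of the two is managed per mode, so a stale value of the other stays in libvirtd.conf (harmless while the matching `listen_*` is 0, but worth a comment). Note also that the defaults `use_tls => false`, `auth => 'none'` still yield `listen_tcp = 1` with `auth_tcp = "none"`, i.e. an unauthenticated, unencrypted libvirtd listener that gives anyone able to reach the port full control of the hypervisor's guests; the `auth` parameter doc should say so, e.g. `# 'none' together with use_tls => false exposes libvirtd without any authentication; restrict the port with a firewall/listen_addr or use 'sasl'`. The class body continues into hunks not fully shown here.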
|
|
@ -90,6 +90,10 @@ describe 'nova::compute::libvirt' do
|
|||
it { is_expected.to contain_class('nova::migration::libvirt')}
|
||||
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('0.0.0.0')}
|
||||
it { is_expected.to contain_file_line('/etc/default/libvirt-bin libvirtd opts').with(:line => 'libvirtd_opts="-d -l"') }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
|
||||
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
|
||||
end
|
||||
|
||||
context 'with vncserver_listen set to ::0' do
|
||||
|
@ -101,6 +105,10 @@ describe 'nova::compute::libvirt' do
|
|||
it { is_expected.to contain_class('nova::migration::libvirt')}
|
||||
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('::0')}
|
||||
it { is_expected.to contain_file_line('/etc/default/libvirt-bin libvirtd opts').with(:line => 'libvirtd_opts="-d -l"') }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
|
||||
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
|
||||
end
|
||||
|
||||
context 'with vncserver_listen not set to 0.0.0.0' do
|
||||
|
@ -215,6 +223,26 @@ describe 'nova::compute::libvirt' do
|
|||
|
||||
it { is_expected.to contain_class('nova::migration::libvirt')}
|
||||
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('0.0.0.0')}
|
||||
it { is_expected.to contain_file_line('/etc/sysconfig/libvirtd libvirtd args').with(:line => 'LIBVIRTD_ARGS="--listen"') }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
|
||||
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
|
||||
end
|
||||
|
||||
context 'with vncserver_listen set to ::0' do
|
||||
let :params do
|
||||
{ :vncserver_listen => '::0',
|
||||
:migration_support => true }
|
||||
end
|
||||
|
||||
it { is_expected.to contain_class('nova::migration::libvirt')}
|
||||
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('::0')}
|
||||
it { is_expected.to contain_file_line('/etc/sysconfig/libvirtd libvirtd args').with(:line => 'LIBVIRTD_ARGS="--listen"') }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
|
||||
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
|
||||
end
|
||||
|
||||
context 'with vncserver_listen not set to 0.0.0.0' do
|
||||
|
|
|
@ -31,12 +31,56 @@ describe 'nova::migration::libvirt' do
|
|||
|
||||
shared_examples_for 'nova migration with libvirt' do
|
||||
|
||||
it 'configure libvirtd.conf' do
|
||||
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => 'listen_tls = 0')
|
||||
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => 'listen_tcp = 1')
|
||||
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => 'auth_tcp = "none"')
|
||||
context 'with default params' do
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
|
||||
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
|
||||
end
|
||||
|
||||
context 'with tls enabled' do
|
||||
let :params do
|
||||
{
|
||||
:use_tls => true,
|
||||
}
|
||||
end
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 1") }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 0") }
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"none\"") }
|
||||
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
|
||||
it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
|
||||
end
|
||||
|
||||
context 'with auth set to sasl' do
|
||||
let :params do
|
||||
{
|
||||
:auth => 'sasl',
|
||||
}
|
||||
end
|
||||
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"sasl\"") }
|
||||
end
|
||||
|
||||
context 'with auth set to sasl and tls enabled' do
|
||||
let :params do
|
||||
{
|
||||
:auth => 'sasl',
|
||||
:use_tls => true
|
||||
}
|
||||
end
|
||||
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"sasl\"") }
|
||||
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
|
||||
end
|
||||
|
||||
context 'with auth set to an invalid setting' do
|
||||
let :params do
|
||||
{
|
||||
:auth => 'inexistent_auth',
|
||||
}
|
||||
end
|
||||
it { expect { is_expected.to contain_class('nova::compute::libvirt') }.to \
|
||||
raise_error(Puppet::Error, /Valid options for auth are none and sasl./) }
|
||||
end
|
||||
end
|
||||
|
||||
context 'on Debian platforms' do
|
||||
|
|
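Review bot: The 'with auth set to an invalid setting' context wraps `contain_class('nova::compute::libvirt')` in its `expect`, but this spec describes nova::migration::libvirt; the assertion passes only because catalog compilation fails on `validate_re` before any matcher runs, so it would keep passing even if the validation moved or the class name were misspelled. Use `expect { is_expected.to contain_class('nova::migration::libvirt') }.to raise_error(Puppet::Error, /Valid options for auth are none and sasl\./)` so the test exercises the class under test (and the `.` in the message is matched literally). The 'with default params' context could also assert that `nova_config('libvirt/live_migration_uri')` is absent, pinning the fact that the tcp mode leaves that setting unmanaged, which is a behaviour callers may not expect. The surrounding shared_examples block continues past this hunk.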