Use systemd units to enable tcp/tls in libvirt

Since v5.7.0, libvirt requires that proper socket unit is used to listen on tcp/tls, and the usage of --listen option is forbidden by default[1]. This patch makes puppet-nova depend on socket units instead of listen option, to avoid failure when systemd tries to start libvrit service. [1] 3a6a725b8f Change-Id: I902169f54ff723c8f35ce12a7909950f61b4b7c6 Closes-Bug: #1880619 (cherry picked from commit 87f2437bdc)
2020-05-26 09:22:22 +09:00 · 2020-05-26 09:22:22 +09:00 · 5dd7c20fa0
parent 2ebc3195c3
commit 5dd7c20fa0
4 changed files with 78 additions and 17 deletions
--- a/manifests/compute/libvirt/version.pp
+++ b/manifests/compute/libvirt/version.pp
@ -11,7 +11,9 @@ class nova::compute::libvirt::version {
    'RedHat': {
      case $facts['os']['name'] {
        'RedHat', 'CentOS': {
-          if versioncmp($facts['os']['release']['full'], '7.6') >= 0 {
+          if versioncmp($facts['os']['release']['full'], '8.1') >= 0 {
+            $default = '5.6'
+          } elsif versioncmp($facts['os']['release']['full'], '7.6') >= 0 {
            $default = '4.5'
          } else {
            $default = '3.9'
--- a/manifests/migration/libvirt.pp
+++ b/manifests/migration/libvirt.pp
@ -89,6 +89,11 @@
 #   "transport" option.
 #   Defaults to undef
 #
+# [*libvirt_version*]
+#   (optional) installed libvirt version. Default is automatic detected depending
+#   of the used OS installed via ::nova::compute::libvirt::version::default .
+#   Defaults to ::nova::compute::libvirt::version::default
+#
 class nova::migration::libvirt(
  $transport                         = undef,
  $auth                              = 'none',
@ -105,7 +110,8 @@ class nova::migration::libvirt(
  $client_extraparams                = {},
  $ca_file                           = undef,
  $crl_file                          = undef,
-){
+  $libvirt_version                   = $::nova::compute::libvirt::version::default,
+) inherits nova::compute::libvirt::version {

  include nova::deps

@ -233,12 +239,37 @@ class nova::migration::libvirt(

    case $::osfamily {
      'RedHat': {
-        if $transport_real != 'ssh' {
-          file_line { '/etc/sysconfig/libvirtd libvirtd args':
-            path  => '/etc/sysconfig/libvirtd',
-            line  => 'LIBVIRTD_ARGS="--listen"',
-            match => '^LIBVIRTD_ARGS=',
-            tag   => 'libvirt-file_line',
+        if versioncmp($libvirt_version, '5.6') >= 0 {
+          $manage_services = pick($::nova::compute::libvirt::manage_libvirt_services, true)
+
+          if $manage_services {
+            if $transport_real == 'tls' {
+              service { 'libvirtd-tls':
+                ensure  => 'running',
+                name    => 'libvirtd-tls.socket',
+                enable  => true,
+                require => Anchor['nova::config::end']
+              }
+              Service['libvirtd-tls'] -> Service<| title == 'libvirt' |>
+            } elsif $transport_real == 'tcp' {
+              service { 'libvirtd-tcp':
+                ensure  => 'running',
+                name    => 'libvirtd-tcp.socket',
+                enable  => true,
+                require => Anchor['nova::config::end']
+              }
+              Service['libvirtd-tcp'] -> Service<| title == 'libvirt' |>
+            }
+          }
+
+        } else {
+          if $transport_real != 'ssh' {
+            file_line { '/etc/sysconfig/libvirtd libvirtd args':
+              path  => '/etc/sysconfig/libvirtd',
+              line  => 'LIBVIRTD_ARGS="--listen"',
+              match => '^LIBVIRTD_ARGS=',
+              tag   => 'libvirt-file_line',
+            }
          }
        }
      }
--- a/releasenotes/notes/libvirt-systemd-socket-units-f7b0fc3a4f3c5219.yaml
+++ b/releasenotes/notes/libvirt-systemd-socket-units-f7b0fc3a4f3c5219.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Now puppet-nova supports configuration of libvirtd-tls.socket and
+    libvirtd-tcp.socket, which should be enabled according to the transport
+    protocol when libvirt is running under systemd. This feature is enforced
+    since libvirt v5.8.
--- a/spec/classes/nova_migration_libvirt_spec.rb
+++ b/spec/classes/nova_migration_libvirt_spec.rb
@ -239,6 +239,36 @@ describe 'nova::migration::libvirt' do

  end

+  shared_examples_for 'nova migration with libvirt in Debian' do
+    it { is_expected.to contain_file_line('/etc/default/libvirtd libvirtd opts').with(:line => 'libvirtd_opts="-l"') }
+  end
+
+  shared_examples_for 'nova migration with libvirt in RedHat' do
+    context 'with tls transport' do
+      let(:params) do
+        { :transport => 'tls' }
+      end
+
+      it { is_expected.to contain_service('libvirtd-tls').with(
+        :name   => 'libvirtd-tls.socket',
+        :ensure => 'running',
+        :enable => true,
+        )}
+    end
+
+    context 'with tls transport' do
+      let(:params) do
+        { :transport => 'tcp' }
+      end
+
+      it { is_expected.to contain_service('libvirtd-tcp').with(
+        :name   => 'libvirtd-tcp.socket',
+        :ensure => 'running',
+        :enable => true,
+        )}
+    end
+  end
+
  on_supported_os({
    :supported_os => OSDefaults.get_supported_os
  }).each do |os,facts|
@ -247,15 +277,6 @@ describe 'nova::migration::libvirt' do
        facts.merge!(OSDefaults.get_facts({ :os_workers => 5 }))
      end

-      let (:platform_params) do
-        case facts[:osfamily]
-        when 'Debian'
-            it { is_expected.to contain_file_line('/etc/default/libvirtd libvirtd opts').with(:line => 'libvirtd_opts="-l"') }
-        when 'RedHat'
-            it { is_expected.to contain_file_line('/etc/sysconfig/libvirtd libvirtd args').with(:line => 'LIBVIRTD_ARGS="--listen"') }
-        end
-      end
-
      it_configures 'nova migration with libvirt'
    end
  end