From 71b6c8c5f78d0f3cabb99ab5038feb1cd4349558 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Fri, 31 Mar 2017 10:16:21 +0300
Subject: [PATCH] Use newer configuration options for libvirt's live migration URI
The live_migration_uri option that was being used in case TLS is used in live migration doesn't permit the usage of a host other than the one detected automatically by nova. This is problematic for cases like TLS where the address needs to match the certificate's SubjectAltName entry. So instead, this patch takes into use the two recommended options: * live_migration_inbound_addr * live_migration_scheme These will be used by nova to determine the URI. On the other hand, libvirt_migration_uri is set to be deprecated at some point. But, a way to add the query parameters to the query is needed before this happens.
Change-Id: I0a1684397ebefaa8dc00237e0b7952e9296381fa
---
 manifests/migration/libvirt.pp | 20 ++++++++++++++++--
 ...ound-addr-and-scheme-b5f864ce3f0e58f9.yaml | 11 ++++++++++
 spec/classes/nova_migration_libvirt_spec.rb | 21 ++++++++++++++++++-
 3 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/add-live-migration-inbound-addr-and-scheme-b5f864ce3f0e58f9.yaml
diff --git a/manifests/migration/libvirt.pp b/manifests/migration/libvirt.pp
index 64bf9c264..cb0c768d9 100644
--- a/manifests/migration/libvirt.pp
+++ b/manifests/migration/libvirt.pp
@@ -18,6 +18,14 @@
 # (optional) Bind libvirtd tcp/tls socket to the given address.
 # Defaults to undef (bind to all addresses)
 #
+# [*live_migration_inbound_addr*]
+# (optional) The IP address or hostname to be used as the target for live
+# migration traffic. If left unset, and if TLS is enabled, this module will
+# default the 'live_migration_uri' to 'qemu+tls://%s/system' to be compatible
+# with the previous behavior of this module. However, the usage of
+# 'live_migration_uri' is not recommended as it's scheduled for removal.
+# Defaults to $::os_service_default
+#
 # [*live_migration_tunnelled*]
 # (optional) Whether to use tunnelled migration, where migration data is
 # transported over the libvirtd connection.
@@ -79,6 +87,7 @@ class nova::migration::libvirt(
 $transport = undef,
 $auth = 'none',
 $listen_address = undef,
+ $live_migration_inbound_addr = $::os_service_default,
 $live_migration_tunnelled = $::os_service_default,
 $live_migration_completion_timeout = $::os_service_default,
 $live_migration_progress_timeout = $::os_service_default,
@@ -120,7 +129,6 @@ class nova::migration::libvirt(
 }
 if $configure_nova {
-
 if $transport_real == 'ssh' {
 if $client_user {
 $prefix = "${client_user}@"
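Review bot: The new doc comment for `live_migration_inbound_addr` says the fallback to `live_migration_uri` applies "if TLS is enabled", but the later hunk in this file builds that URI from `${transport_real}` whenever the parameter is left at its default, so tcp and ssh deployments take the same path. Suggest rewording the sentence to something like `# migration traffic. If left unset, this module keeps setting 'live_migration_uri'` followed by `# to 'qemu+<transport>://%s/system' to be compatible with the previous behavior.` Since the commit message gives certificate matching as the motivation, the comment could also state that with TLS the value has to be a name present in the target host's certificate SubjectAltName.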
@@ -145,13 +153,21 @@ class nova::migration::libvirt(
 $extra_params =''
 }
- $live_migration_uri = "qemu+${transport_real}://${prefix}%s${postfix}/system${extra_params}"
+ if is_service_default($live_migration_inbound_addr) {
+ $live_migration_uri = "qemu+${transport_real}://${prefix}%s${postfix}/system${extra_params}"
+ $live_migration_scheme = $::os_service_default
+ } else {
+ $live_migration_uri = $::os_service_default
+ $live_migration_scheme = $transport_real
+ }
 nova_config {
 'libvirt/live_migration_uri': value => $live_migration_uri;
 'libvirt/live_migration_tunnelled': value => $live_migration_tunnelled;
 'libvirt/live_migration_completion_timeout': value => $live_migration_completion_timeout;
 'libvirt/live_migration_progress_timeout': value => $live_migration_progress_timeout;
+ 'libvirt/live_migration_inbound_addr': value => $live_migration_inbound_addr;
+ 'libvirt/live_migration_scheme': value => $live_migration_scheme;
 }
 }
diff --git a/releasenotes/notes/add-live-migration-inbound-addr-and-scheme-b5f864ce3f0e58f9.yaml b/releasenotes/notes/add-live-migration-inbound-addr-and-scheme-b5f864ce3f0e58f9.yaml
new file mode 100644
index 000000000..93b97dbd6
--- /dev/null
+++ b/releasenotes/notes/add-live-migration-inbound-addr-and-scheme-b5f864ce3f0e58f9.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - The paremeter 'live_migration_inbound_addr' was introduced to the libvirt
+ live migration module. This sets the configuration option with the same
+ name in the nova configuration, in the 'libvirt' section.
+ - If TLS is enabled for libvirt's live migration, the module will set the
+ configuration option named 'live_migration_scheme' in the 'libvirt' section
+ to have the value 'tls'. This will be used by nova to form the scheme for
+ the live migration URI, e.g. 'qemu+tls://...'.
+ - Note that the usage of 'live_migratin_inbound_addr' doesn't permit adding
+ extra parameters to the live migration URI as of the writing of this.
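Review bot: In the new `else` branch, the `$prefix`, `$postfix` and `$extra_params` values computed earlier in this `if $configure_nova` block are silently discarded once `live_migration_inbound_addr` is set, because `live_migration_uri` goes back to the service default and only `$transport_real` is handed on as the scheme. For an ssh transport this means the `${client_user}@` prefix no longer reaches nova, and any query parameters carried in `$extra_params` are dropped as well; the release note mentions the limitation but the manifest gives the operator no signal. Consider surfacing it at catalog compile time inside the `else` branch, e.g. `if "${prefix}${postfix}${extra_params}" != '' { warning('live_migration_inbound_addr is set: user prefix, port and extra URI parameters are not applied to live migration') }`. This assumes all three variables are always assigned before this point, which the hunk only shows for `$extra_params`; the enclosing block starts outside the hunk.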
diff --git a/spec/classes/nova_migration_libvirt_spec.rb b/spec/classes/nova_migration_libvirt_spec.rb
index eef40a64e..8b413ca4f 100644
--- a/spec/classes/nova_migration_libvirt_spec.rb
+++ b/spec/classes/nova_migration_libvirt_spec.rb
@@ -48,7 +48,8 @@ describe 'nova::migration::libvirt' do
 it { is_expected.to contain_nova_config('libvirt/live_migration_completion_timeout').with_value('') }
 it { is_expected.to contain_nova_config('libvirt/live_migration_progress_timeout').with_value('') }
 it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tcp://%s/system') }
-
+ it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('')}
+ it { is_expected.to contain_nova_config('libvirt/live_migration_scheme').with_value('')}
 end
 context 'with override_uuid enabled' do
@@ -79,6 +80,8 @@ describe 'nova::migration::libvirt' do
 it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"none\"") }
 it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
 it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
+ it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('')}
+ it { is_expected.to contain_nova_config('libvirt/live_migration_scheme').with_value('')}
 end
 context 'with tls enabled' do
@@ -94,6 +97,22 @@ describe 'nova::migration::libvirt' do
 it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
 end
+ context 'with tls enabled and inbound addr set' do
+ let :params do
+ {
+ :transport => 'tls',
+ :live_migration_inbound_addr => 'host1.example.com',
+ }
+ end
+ it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 1") }
+ it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 0") }
+ it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"none\"") }
+ it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
+ it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('')}
+ it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('host1.example.com')}
+ it { is_expected.to contain_nova_config('libvirt/live_migration_scheme').with_value('tls')}
+ end
+
 context 'with migration flags set' do
 let :params do
 {
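Review bot: The added context pins only the TLS case, so nothing here covers `live_migration_inbound_addr` combined with another transport, where the manifest change has the larger effect (the user prefix and extra URI parameters stop being applied). A sibling context with `:transport => 'ssh'` and `:live_migration_inbound_addr => 'host1.example.com'` that asserts `with_value('')` for `libvirt/live_migration_uri` and, presumably, `with_value('ssh')` for `libvirt/live_migration_scheme` would lock that behaviour in and make a later regression visible. The trailing context `'with migration flags set'` continues past the end of the hunk.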