libvirt: Support native TLS for migration and disks over NBD

https://review.openstack.org/625216 introduces a new setting which needs to be
set to true if native TLS for migration and disks over NBD is being used.

Change-Id: I347881cf4822583179c0c042c42fa1e33dbcedd2
Related-Bug: 1793093
Martin Schuppert 2019-01-09 14:23:29 +01:00
parent bf3d8bd91e
commit 7cb9e0fc20
3 changed files with 27 additions and 0 deletions


@ -34,6 +34,16 @@
# the availability of native encryption support in the hypervisor.
# Defaults to $::os_service_default
#
# [*live_migration_with_native_tls*]
# (optional) This option will allow both migration stream (guest RAM plus
# device state) *and* disk stream to be transported over native TLS, i.e.
# TLS support built into QEMU.
# Prerequisite: TLS environment is configured correctly on all relevant
# Compute nodes. This means, Certificate Authority (CA), server, client
# certificates, their corresponding keys, and their file permisssions are
# in place, and are validated.
# Defaults to $::os_service_default
#
# [*live_migration_completion_timeout*]
# (optional) Time to wait, in seconds, for migration to successfully complete
# transferring data before aborting the operation. Value is per GiB of guest
@ -73,6 +83,7 @@ class nova::migration::libvirt(
$listen_address = undef,
$live_migration_inbound_addr = $::os_service_default,
$live_migration_tunnelled = $::os_service_default,
$live_migration_with_native_tls = $::os_service_default,
$live_migration_completion_timeout = $::os_service_default,
$override_uuid = false,
$configure_libvirt = true,
@ -134,6 +145,7 @@ class nova::migration::libvirt(
nova_config {
'libvirt/live_migration_uri': value => $live_migration_uri;
'libvirt/live_migration_tunnelled': value => $live_migration_tunnelled;
'libvirt/live_migration_with_native_tls': value => $live_migration_with_native_tls;
'libvirt/live_migration_completion_timeout': value => $live_migration_completion_timeout;
'libvirt/live_migration_inbound_addr': value => $live_migration_inbound_addr;
}
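Review bot: The new parameter documentation in the first hunk of this file does not say how `live_migration_with_native_tls` interacts with `live_migration_tunnelled`, and the `nova_config` block in the third hunk writes both options side by side without any check. As far as I recall, Nova's own help text for this option says the two should not be enabled at the same time and that native TLS is the preferred way to encrypt the migration and NBD disk streams, so the doc block should carry a line such as `# Should not be enabled together with live_migration_tunnelled.` It would also help to state that this class only writes the nova.conf flag and does not itself deploy or verify the CA, server and client certificates listed as the prerequisite. While editing that comment, fix the `permisssions` typo to `permissions`. The class body continues outside the hunks shown, so whether the transport settings are validated elsewhere cannot be confirmed from here.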


@ -0,0 +1,5 @@
---
features:
- |
https://review.openstack.org/625216 introduces a new setting which needs
set to true if native TLS for migration and disks over NBD is being used.


@ -47,6 +47,7 @@ describe 'nova::migration::libvirt' do
it { is_expected.not_to contain_libvirtd_config('auth_tls') }
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value("\"none\"") }
it { is_expected.to contain_nova_config('libvirt/live_migration_tunnelled').with_value('<SERVICE DEFAULT>') }
it { is_expected.to contain_nova_config('libvirt/live_migration_with_native_tls').with_value('<SERVICE DEFAULT>') }
it { is_expected.to contain_nova_config('libvirt/live_migration_completion_timeout').with_value('<SERVICE DEFAULT>') }
it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tcp://%s/system') }
it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('<SERVICE DEFAULT>')}
@ -97,6 +98,15 @@ describe 'nova::migration::libvirt' do
it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('host1.example.com')}
end
context 'with live_migration_with_native_tls flags set' do
let :params do
{
:live_migration_with_native_tls => true,
}
end
it { is_expected.to contain_nova_config('libvirt/live_migration_with_native_tls').with(:value => true) }
end
context 'with migration flags set' do
let :params do
{