From 0c54e9becb362c24e4e322ab75b885fbb6691e4e Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Tue, 11 Sep 2018 11:20:54 +0200
Subject: [PATCH] Add support for native TLS encryption on NBD for disk migration

The NBD protocol previously runs in clear text, offering no security protection for the data transferred, unless it is tunnelled over some external transport like SSH. Such tunnelling is inefficient and inconvenient to manage. Support for TLS to the NBD clients & servers provided by QEMU was added. This adds support to configure ndb related qemu.conf parameters.

Related-Bug: 1793093
Change-Id: I2c613faf55731af56735f8363b18e6c0e6185d9c
---
 manifests/compute/libvirt/qemu.pp | 19 +++++++++--
 ..._qemu_nbd_parameters-f8b975e695d6efd9.yaml | 11 +++++++
 .../classes/nova_compute_libvirt_qemu_spec.rb | 33 ++++++++++++++++---
 3 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/add_qemu_nbd_parameters-f8b975e695d6efd9.yaml

diff --git a/manifests/compute/libvirt/qemu.pp b/manifests/compute/libvirt/qemu.pp
index 5400e2c23..415e0cad7 100644
--- a/manifests/compute/libvirt/qemu.pp
+++ b/manifests/compute/libvirt/qemu.pp
@@ -33,6 +33,10 @@
 # NOTE: big files will be stored here
 # Defaults to undef.
 #
+# [*nbd_tls*]
+# (optional) Enables TLS for nbd connections.
+# Defaults to false.
+#
 class nova::compute::libvirt::qemu(
 $configure_qemu = false,
 $group = undef,
@@ -40,7 +44,8 @@ class nova::compute::libvirt::qemu(
 $max_processes = 4096,
 $vnc_tls = false,
 $vnc_tls_verify = true,
- $memory_backing_dir = undef
+ $memory_backing_dir = undef,
+ $nbd_tls = false
 ){
 include ::nova::deps
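Review bot: The new `[*nbd_tls*]` doc block in the first hunk says only that TLS is enabled; it does not say that this class provisions no TLS credentials, so a reader cannot tell what else must be in place before turning it on. libvirt reads the NBD server credentials from its x509 certificate directory (the `nbd_tls_x509_cert_dir` setting, falling back to `default_tls_x509_cert_dir` — confirm against the libvirt release the module targets), and that directory has to be populated by the deployment out of band; with `nbd_tls` set and no certificates present, the migration NBD server cannot start. Suggest extending the comment to `# (optional) Enables TLS for nbd connections used by disk migration. Requires a libvirt/QEMU release with NBD TLS support and a populated x509 certificate directory for libvirt; this class does not manage the certificates.` The same caveat belongs in the release note added later in this patch.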
@@ -63,11 +68,18 @@ class nova::compute::libvirt::qemu(
 $vnc_tls_verify_value = 0
 }

+ if $nbd_tls {
+ $nbd_tls_value = 1
+ } else {
+ $nbd_tls_value = 0
+ }
+
 $augues_changes_default = [
 "set max_files ${max_files}",
 "set max_processes ${max_processes}",
 "set vnc_tls ${vnc_tls_value}",
- "set vnc_tls_x509_verify ${vnc_tls_verify_value}"
+ "set vnc_tls_x509_verify ${vnc_tls_verify_value}",
+ "set nbd_tls ${nbd_tls_value}"
 ]
 if $group and !empty($group) {
 $augues_group_changes = ["set group ${group}"]
@@ -95,7 +107,8 @@ class nova::compute::libvirt::qemu(
 'rm group',
 'rm vnc_tls',
 'rm vnc_tls_x509_verify',
- 'rm memory_backing_dir'
+ 'rm memory_backing_dir',
+ 'rm nbd_tls'
 ],
 tag => 'qemu-conf-augeas',
 }
diff --git a/releasenotes/notes/add_qemu_nbd_parameters-f8b975e695d6efd9.yaml b/releasenotes/notes/add_qemu_nbd_parameters-f8b975e695d6efd9.yaml
new file mode 100644
index 000000000..341ecfe29
--- /dev/null
+++ b/releasenotes/notes/add_qemu_nbd_parameters-f8b975e695d6efd9.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Add support for native TLS encryption on NBD for disk migration
+
+ The NBD protocol previously runs in clear text, offering no security
+ protection for the data transferred, unless it is tunnelled over some
+ external transport like SSH. Such tunnelling is inefficient and
+ inconvenient to manage. Support for TLS to the NBD clients & servers
+ provided by QEMU was added. This adds support to configure ndb related
+ qemu.conf parameters.
diff --git a/spec/classes/nova_compute_libvirt_qemu_spec.rb b/spec/classes/nova_compute_libvirt_qemu_spec.rb
index 3d35e674f..485aca8cf 100644
--- a/spec/classes/nova_compute_libvirt_qemu_spec.rb
+++ b/spec/classes/nova_compute_libvirt_qemu_spec.rb
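Review bot: `if $nbd_tls {` at the top of this hunk relies on plain Puppet truthiness, so a quoted string such as 'false' arriving from Hiera is treated as true and ends up as `set nbd_tls 1`; nothing rejects a mis-typed value before it reaches qemu.conf. The declaration in the previous hunk is `$nbd_tls = false`, mirroring the untyped sibling `vnc_tls`, so the gap is inherited rather than new, but this is the first parameter whose wrong value silently changes the transport security of migration traffic. If the module already uses Puppet 4 data types elsewhere, `Boolean $nbd_tls = false` on the declaration catches this at compile time; otherwise a `validate_bool($nbd_tls)` call just before this branch does the same. The enclosing class body starts and ends outside the hunk.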
@@ -18,7 +18,7 @@ describe 'nova::compute::libvirt::qemu' do
 end
 it { is_expected.to contain_augeas('qemu-conf-limits').with({
 :context => '/files/etc/libvirt/qemu.conf',
- :changes => [ "rm max_files", "rm max_processes", "rm group", "rm vnc_tls", "rm vnc_tls_x509_verify", "rm memory_backing_dir" ],
+ :changes => [ "rm max_files", "rm max_processes", "rm group", "rm vnc_tls", "rm vnc_tls_x509_verify", "rm memory_backing_dir", "rm nbd_tls" ],
 }).that_notifies('Service[libvirt]') }
 end
@@ -30,7 +30,7 @@ describe 'nova::compute::libvirt::qemu' do
 end
 it { is_expected.to contain_augeas('qemu-conf-limits').with({
 :context => '/files/etc/libvirt/qemu.conf',
- :changes => [ "set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0" ],
+ :changes => [ "set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0" ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }
 end
@@ -45,7 +45,7 @@ describe 'nova::compute::libvirt::qemu' do
 end
 it { is_expected.to contain_augeas('qemu-conf-limits').with({
 :context => '/files/etc/libvirt/qemu.conf',
- :changes => [ "set max_files 32768", "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0" ],
+ :changes => [ "set max_files 32768", "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0" ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }
 end
@@ -67,6 +67,7 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_processes 131072",
 "set vnc_tls 0",
 "set vnc_tls_x509_verify 0",
+ "set nbd_tls 0",
 "set group openvswitch",
 "set memory_backing_dir /tmp"
 ],
@@ -87,7 +88,8 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_files 1024",
 "set max_processes 4096",
 "set vnc_tls 1",
- "set vnc_tls_x509_verify 1"
+ "set vnc_tls_x509_verify 1",
+ "set nbd_tls 0"
 ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }
@@ -107,7 +109,28 @@ describe 'nova::compute::libvirt::qemu' do
 "set max_files 1024",
 "set max_processes 4096",
 "set vnc_tls 1",
- "set vnc_tls_x509_verify 0"
+ "set vnc_tls_x509_verify 0",
+ "set nbd_tls 0"
+ ],
+ :tag => 'qemu-conf-augeas',
+ }).that_notifies('Service[libvirt]') }
+ end
+
+ context 'when configuring qemu with nbd_tls' do
+ let :params do
+ {
+ :configure_qemu => true,
+ :nbd_tls => true
+ }
+ end
+ it { is_expected.to contain_augeas('qemu-conf-limits').with({
+ :context => '/files/etc/libvirt/qemu.conf',
+ :changes => [
+ "set max_files 1024",
+ "set max_processes 4096",
+ "set vnc_tls 0",
+ "set vnc_tls_x509_verify 0",
+ "set nbd_tls 1"
 ],
 :tag => 'qemu-conf-augeas',
 }).that_notifies('Service[libvirt]') }