Merge "Add support for native TLS encryption on NBD for disk migration"

This commit is contained in:
Zuul 2018-10-09 20:38:32 +00:00 committed by Gerrit Code Review
commit aa2893d7e0
3 changed files with 55 additions and 8 deletions

View File

@ -33,6 +33,10 @@
# NOTE: big files will be stored here
# Defaults to undef.
#
# [*nbd_tls*]
# (optional) Enables TLS for nbd connections.
# Defaults to false.
#
class nova::compute::libvirt::qemu(
$configure_qemu = false,
$group = undef,
@ -40,7 +44,8 @@ class nova::compute::libvirt::qemu(
$max_processes = 4096,
$vnc_tls = false,
$vnc_tls_verify = true,
$memory_backing_dir = undef
$memory_backing_dir = undef,
$nbd_tls = false
){
include ::nova::deps
@ -63,11 +68,18 @@ class nova::compute::libvirt::qemu(
$vnc_tls_verify_value = 0
}
if $nbd_tls {
$nbd_tls_value = 1
} else {
$nbd_tls_value = 0
}
$augues_changes_default = [
"set max_files ${max_files}",
"set max_processes ${max_processes}",
"set vnc_tls ${vnc_tls_value}",
"set vnc_tls_x509_verify ${vnc_tls_verify_value}"
"set vnc_tls_x509_verify ${vnc_tls_verify_value}",
"set nbd_tls ${nbd_tls_value}"
]
if $group and !empty($group) {
$augues_group_changes = ["set group ${group}"]
@ -95,7 +107,8 @@ class nova::compute::libvirt::qemu(
'rm group',
'rm vnc_tls',
'rm vnc_tls_x509_verify',
'rm memory_backing_dir'
'rm memory_backing_dir',
'rm nbd_tls'
],
tag => 'qemu-conf-augeas',
}

View File

@ -0,0 +1,11 @@
---
features:
- |
Add support for native TLS encryption on NBD for disk migration
The NBD protocol previously runs in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. This adds support to configure ndb related
qemu.conf parameters.

View File

@ -18,7 +18,7 @@ describe 'nova::compute::libvirt::qemu' do
end
it { is_expected.to contain_augeas('qemu-conf-limits').with({
:context => '/files/etc/libvirt/qemu.conf',
:changes => [ "rm max_files", "rm max_processes", "rm group", "rm vnc_tls", "rm vnc_tls_x509_verify", "rm memory_backing_dir" ],
:changes => [ "rm max_files", "rm max_processes", "rm group", "rm vnc_tls", "rm vnc_tls_x509_verify", "rm memory_backing_dir", "rm nbd_tls" ],
}).that_notifies('Service[libvirt]') }
end
@ -30,7 +30,7 @@ describe 'nova::compute::libvirt::qemu' do
end
it { is_expected.to contain_augeas('qemu-conf-limits').with({
:context => '/files/etc/libvirt/qemu.conf',
:changes => [ "set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0" ],
:changes => [ "set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0" ],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
end
@ -45,7 +45,7 @@ describe 'nova::compute::libvirt::qemu' do
end
it { is_expected.to contain_augeas('qemu-conf-limits').with({
:context => '/files/etc/libvirt/qemu.conf',
:changes => [ "set max_files 32768", "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0" ],
:changes => [ "set max_files 32768", "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0" ],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
end
@ -67,6 +67,7 @@ describe 'nova::compute::libvirt::qemu' do
"set max_processes 131072",
"set vnc_tls 0",
"set vnc_tls_x509_verify 0",
"set nbd_tls 0",
"set group openvswitch",
"set memory_backing_dir /tmp"
],
@ -87,7 +88,8 @@ describe 'nova::compute::libvirt::qemu' do
"set max_files 1024",
"set max_processes 4096",
"set vnc_tls 1",
"set vnc_tls_x509_verify 1"
"set vnc_tls_x509_verify 1",
"set nbd_tls 0"
],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
@ -107,7 +109,28 @@ describe 'nova::compute::libvirt::qemu' do
"set max_files 1024",
"set max_processes 4096",
"set vnc_tls 1",
"set vnc_tls_x509_verify 0"
"set vnc_tls_x509_verify 0",
"set nbd_tls 0"
],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }
end
context 'when configuring qemu with nbd_tls' do
let :params do
{
:configure_qemu => true,
:nbd_tls => true
}
end
it { is_expected.to contain_augeas('qemu-conf-limits').with({
:context => '/files/etc/libvirt/qemu.conf',
:changes => [
"set max_files 1024",
"set max_processes 4096",
"set vnc_tls 0",
"set vnc_tls_x509_verify 0",
"set nbd_tls 1"
],
:tag => 'qemu-conf-augeas',
}).that_notifies('Service[libvirt]') }