From 7688084aeddd1111e91f659db6844fac539df530 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sat, 18 Mar 2023 16:14:03 +0900
Subject: [PATCH] Add strict validation about boolean parameters

This ensures the parameters used by if-else logic accept only boolean values because non-boolean can result in unexpected behavior.

Change-Id: I3a27d94e453f9cfbea701337308a7086693c89bb
---
 manifests/api.pp | 6 ++++++
 manifests/compute.pp | 7 +++++++
 manifests/compute/libvirt.pp | 3 +++
 manifests/compute/libvirt/networks.pp | 2 ++
 manifests/compute/libvirt/qemu.pp | 1 +
 manifests/compute/libvirt_guests.pp | 3 +++
 manifests/compute/rbd.pp | 3 +++
 manifests/compute/spice.pp | 2 ++
 manifests/conductor.pp | 3 +++
 manifests/cron/archive_deleted_rows.pp | 6 ++++++
 manifests/cron/purge_shadow_tables.pp | 3 +++
 manifests/db/mysql.pp | 2 ++
 manifests/db/postgresql.pp | 2 ++
 manifests/db/sync_api.pp | 2 ++
 manifests/generic_service.pp | 3 +++
 manifests/init.pp | 2 ++
 manifests/migration/libvirt.pp | 4 ++++
 manifests/migration/qemu.pp | 3 ++-
 manifests/scheduler.pp | 3 +++
 manifests/serialproxy.pp | 7 +++++--
 manifests/spicehtml5proxy.pp | 3 +++
 manifests/vncproxy.pp | 5 +++++
 22 files changed, 72 insertions(+), 3 deletions(-)

diff --git a/manifests/api.pp b/manifests/api.pp
index d42daf6b3..467d8d010 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -209,6 +209,12 @@ class nova::api(
 include nova::availability_zone
 include nova::pci
 
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+ validate_legacy(Boolean, 'validate_bool', $sync_db)
+ validate_legacy(Boolean, 'validate_bool', $sync_db_api)
+ validate_legacy(Boolean, 'validate_bool', $db_online_data_migrations)
+
 if !$nova_metadata_wsgi_enabled {
 warning('Running nova metadata api via evenlet is deprecated and will be removed in Stein release.')
 }
diff --git a/manifests/compute.pp b/manifests/compute.pp
index 38a15967e..4ed6397bb 100644
--- a/manifests/compute.pp
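Review bot: In manifests/api.pp, and in every other hunk of this patch, the constraint is a `validate_legacy(Boolean, 'validate_bool', …)` call inside the class body rather than a data type on the parameter, so it does not show in the class signature or in generated reference docs. Declaring the type where the parameter is defined, for example `Boolean $enabled`, rejects the same inputs at the signature; the parameter lists start outside these hunks, so that would be a follow-up edit there. The diffstat lists only files under manifests/, so no spec test pins the new compile failure and no release note tells operators that quoted values such as 'true' in Hiera data, which were presumably accepted before, will now be rejected.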
+++ b/manifests/compute.pp
@@ -308,6 +308,13 @@ class nova::compute (
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+ validate_legacy(Boolean, 'validate_bool', $vnc_enabled)
+ validate_legacy(Boolean, 'validate_bool', $force_config_drive)
+ validate_legacy(Boolean, 'validate_bool', $instance_usage_audit)
+
+
 $image_type_exclude_list_real = pick(join(any2array($image_type_exclude_list), ','), $facts['os_service_default'])
 
 include nova::policy
diff --git a/manifests/compute/libvirt.pp b/manifests/compute/libvirt.pp
index 094b478e4..c00c538f8 100644
--- a/manifests/compute/libvirt.pp
+++ b/manifests/compute/libvirt.pp
@@ -294,6 +294,9 @@ class nova::compute::libvirt (
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $migration_support)
+ validate_legacy(Boolean, 'validate_bool', $manage_libvirt_services)
+
 # cpu_mode has different defaults depending on hypervisor.
 if !$cpu_mode {
 case $virt_type {
diff --git a/manifests/compute/libvirt/networks.pp b/manifests/compute/libvirt/networks.pp
index e485bb4c9..e68c773a5 100644
--- a/manifests/compute/libvirt/networks.pp
+++ b/manifests/compute/libvirt/networks.pp
@@ -14,6 +14,8 @@ class nova::compute::libvirt::networks(
 
 include nova::deps
 
+ validate_legacy(Boolean, 'validate_bool', $disable_default_network)
+
 if $disable_default_network {
 exec { 'libvirt-default-net-disable-autostart':
 command => 'virsh net-autostart default --disable',
diff --git a/manifests/compute/libvirt/qemu.pp b/manifests/compute/libvirt/qemu.pp
index f0673f543..4b7414642 100644
--- a/manifests/compute/libvirt/qemu.pp
+++ b/manifests/compute/libvirt/qemu.pp
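Review bot: The manifests/compute.pp hunk adds two blank lines after the last `validate_legacy` call, where every other hunk in this patch adds one. Dropping the second keeps the spacing before `$image_type_exclude_list_real` consistent with the rest of the module. The class body continues outside the hunk.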
@@ -66,6 +66,7 @@ class nova::compute::libvirt::qemu(
 
 include nova::deps
 
+ validate_legacy(Boolean, 'validate_bool', $configure_qemu)
 validate_legacy(Boolean, 'validate_bool', $vnc_tls)
 validate_legacy(Boolean, 'validate_bool', $vnc_tls_verify)
 validate_legacy(Boolean, 'validate_bool', $default_tls_verify)
diff --git a/manifests/compute/libvirt_guests.pp b/manifests/compute/libvirt_guests.pp
index fc0d6c6a6..7f08a0232 100644
--- a/manifests/compute/libvirt_guests.pp
+++ b/manifests/compute/libvirt_guests.pp
@@ -57,6 +57,9 @@ class nova::compute::libvirt_guests (
 include nova::params
 include nova::deps
 
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+
 Anchor['nova::config::begin']
 -> File<| tag =='libvirt-guests-file' |>
 -> File_line<| tag == 'libvirt-guests-file_line'|>
diff --git a/manifests/compute/rbd.pp b/manifests/compute/rbd.pp
index 14a78cbbd..6457f4e0b 100644
--- a/manifests/compute/rbd.pp
+++ b/manifests/compute/rbd.pp
@@ -103,6 +103,9 @@ class nova::compute::rbd (
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $ephemeral_storage)
+ validate_legacy(Boolean, 'validate_bool', $manage_ceph_client)
+
 if $manage_ceph_client {
 # Install ceph client libraries
 package { 'ceph-client-package':
diff --git a/manifests/compute/spice.pp b/manifests/compute/spice.pp
index e00e20e1f..8978b264b 100644
--- a/manifests/compute/spice.pp
+++ b/manifests/compute/spice.pp
@@ -45,6 +45,8 @@ class nova::compute::spice(
 
 include nova::deps
 
+ validate_legacy(Boolean, 'validate_bool', $agent_enabled)
+
 if $proxy_host {
 $html5proxy_base_url = "${proxy_protocol}://${proxy_host}:${proxy_port}${proxy_path}"
 nova_config {
diff --git a/manifests/conductor.pp b/manifests/conductor.pp
index a14a26b34..eb0e5cb09 100644
--- a/manifests/conductor.pp
+++ b/manifests/conductor.pp
@@ -40,6 +40,9 @@ class nova::conductor(
 include nova::params
 include nova::availability_zone
 
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+
 nova::generic_service { 'conductor':
 enabled => $enabled,
 manage_service => $manage_service,
diff --git a/manifests/cron/archive_deleted_rows.pp b/manifests/cron/archive_deleted_rows.pp
index 8cd826976..046e55d8c 100644
--- a/manifests/cron/archive_deleted_rows.pp
+++ b/manifests/cron/archive_deleted_rows.pp
@@ -114,6 +114,12 @@ class nova::cron::archive_deleted_rows (
 
 include nova::deps
 
+ validate_legacy(Boolean, 'validate_bool', $until_complete)
+ validate_legacy(Boolean, 'validate_bool', $purge)
+ validate_legacy(Boolean, 'validate_bool', $all_cells)
+ validate_legacy(Boolean, 'validate_bool', $task_log)
+ validate_legacy(Boolean, 'validate_bool', $verbose)
+
 if $until_complete {
 $until_complete_real = ' --until-complete'
 }
diff --git a/manifests/cron/purge_shadow_tables.pp b/manifests/cron/purge_shadow_tables.pp
index bdc364212..e33afacd0 100644
--- a/manifests/cron/purge_shadow_tables.pp
+++ b/manifests/cron/purge_shadow_tables.pp
@@ -83,6 +83,9 @@ class nova::cron::purge_shadow_tables (
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $all_cells)
+ validate_legacy(Boolean, 'validate_bool', $verbose)
+
 if $verbose {
 $verbose_real = ' --verbose'
 }
diff --git a/manifests/db/mysql.pp b/manifests/db/mysql.pp
index 747ab99cb..60ce70aa1 100644
--- a/manifests/db/mysql.pp
+++ b/manifests/db/mysql.pp
@@ -49,6 +49,8 @@ class nova::db::mysql(
 
 include nova::deps
 
+ validate_legacy(Boolean, 'validate_bool', $setup_cell0)
+
 ::openstacklib::db::mysql { 'nova':
 user => $user,
 password => $password,
diff --git a/manifests/db/postgresql.pp b/manifests/db/postgresql.pp
index 089bccc20..5412a8c6e 100644
--- a/manifests/db/postgresql.pp
+++ b/manifests/db/postgresql.pp
@@ -40,6 +40,8 @@ class nova::db::postgresql(
 
 include nova::deps
 
+ validate_legacy(Boolean, 'validate_bool', $setup_cell0)
+
 ::openstacklib::db::postgresql { 'nova':
 password => $password,
 dbname => $dbname,
diff --git a/manifests/db/sync_api.pp b/manifests/db/sync_api.pp
index bb5f53fbb..836869db6 100644
--- a/manifests/db/sync_api.pp
+++ b/manifests/db/sync_api.pp
@@ -30,6 +30,8 @@ class nova::db::sync_api(
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $cellv2_setup)
+
 exec { 'nova-db-sync-api':
 command => "/usr/bin/nova-manage ${extra_params} api_db sync",
 user => $::nova::params::user,
diff --git a/manifests/generic_service.pp b/manifests/generic_service.pp
index bdf06fe8c..9213e9c23 100644
--- a/manifests/generic_service.pp
+++ b/manifests/generic_service.pp
@@ -41,6 +41,9 @@ define nova::generic_service(
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+
 $nova_title = "nova-${name}"
 
 # I need to mark that ths package should be
diff --git a/manifests/init.pp b/manifests/init.pp
index 3d6d717df..afd2f1a7e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -459,6 +459,8 @@ class nova(
 include nova::deps
 include nova::workarounds
 
+ validate_legacy(Boolean, 'validate_bool', $use_ssl)
+
 validate_legacy(Array, 'validate_array', $enabled_ssl_apis)
 if empty($enabled_ssl_apis) and $use_ssl {
 warning('enabled_ssl_apis is empty but use_ssl is set to true')
diff --git a/manifests/migration/libvirt.pp b/manifests/migration/libvirt.pp
index 458406a27..2777a590b 100644
--- a/manifests/migration/libvirt.pp
+++ b/manifests/migration/libvirt.pp
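Review bot: In manifests/db/sync_api.pp only `$cellv2_setup` gains a check, while `$extra_params` on the context line below it is still interpolated into the exec `command` string with no validation visible in the hunk. Since this patch is tightening inputs, that parameter is worth constraining at its declaration as well, for example `Optional[String] $extra_params`, adjusted to its actual default, which is outside the hunk. A line in the class docs stating that the value is passed verbatim to nova-manage would make the trust assumption explicit.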
@@ -174,6 +174,10 @@ class nova::migration::libvirt(
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $override_uuid)
+ validate_legacy(Boolean, 'validate_bool', $configure_libvirt)
+ validate_legacy(Boolean, 'validate_bool', $configure_nova)
+
 if $transport {
 $transport_real = $transport
 } else {
diff --git a/manifests/migration/qemu.pp b/manifests/migration/qemu.pp
index 83b3cd743..2bab8dc47 100644
--- a/manifests/migration/qemu.pp
+++ b/manifests/migration/qemu.pp
@@ -24,6 +24,8 @@ class nova::migration::qemu(
 
 include nova::deps
 
+ validate_legacy(Boolean, 'validate_bool', $configure_qemu)
+
 Anchor['nova::config::begin']
 -> Augeas<| tag == 'qemu-conf-augeas'|>
 -> Anchor['nova::config::end']
@@ -32,7 +34,6 @@ class nova::migration::qemu(
 ~> Service<| tag == 'libvirt-qemu-service' |>
 
 if $configure_qemu {
-
 augeas { 'qemu-conf-migration-ports':
 context => '/files/etc/libvirt/qemu.conf',
 changes => [
diff --git a/manifests/scheduler.pp b/manifests/scheduler.pp
index 21366c806..71b077c36 100644
--- a/manifests/scheduler.pp
+++ b/manifests/scheduler.pp
@@ -97,6 +97,9 @@ class nova::scheduler(
 include nova::params
 include nova::availability_zone
 
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+
 if $query_placement_for_availability_zone != undef {
 warning('The query_placement_for_availability_zone parameter is deprecated.')
 }
diff --git a/manifests/serialproxy.pp b/manifests/serialproxy.pp
index 114999ef1..ad2c4b1a4 100644
--- a/manifests/serialproxy.pp
+++ b/manifests/serialproxy.pp
@@ -35,9 +35,12 @@ class nova::serialproxy(
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+
 nova_config {
- 'serial_console/serialproxy_port': value => $serialproxy_port;
- 'serial_console/serialproxy_host': value => $serialproxy_host;
+ 'serial_console/serialproxy_port': value => $serialproxy_port;
+ 'serial_console/serialproxy_host': value => $serialproxy_host;
 }
 
 nova::generic_service { 'serialproxy':
diff --git a/manifests/spicehtml5proxy.pp b/manifests/spicehtml5proxy.pp
index a5d54df4d..f997c40a8 100644
--- a/manifests/spicehtml5proxy.pp
+++ b/manifests/spicehtml5proxy.pp
@@ -39,6 +39,9 @@ class nova::spicehtml5proxy(
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+
 # Nodes running spicehtml5proxy do *not* need (and in fact, don't care)
 # about [spice]/enable to be set. This setting is for compute nodes,
 # where we must select VNC or SPICE so that it can be passed on to
diff --git a/manifests/vncproxy.pp b/manifests/vncproxy.pp
index 88389bb39..88ae6d3c2 100644
--- a/manifests/vncproxy.pp
+++ b/manifests/vncproxy.pp
@@ -79,6 +79,11 @@ class nova::vncproxy(
 include nova::deps
 include nova::params
 
+ validate_legacy(Boolean, 'validate_bool', $enabled)
+ validate_legacy(Boolean, 'validate_bool', $manage_service)
+ validate_legacy(Boolean, 'validate_bool', $allow_noauth)
+ validate_legacy(Boolean, 'validate_bool', $allow_vencrypt)
+
 if (!$allow_noauth and !$allow_vencrypt) {
 fail('Either allow_noauth or allow_vencrypt must be true')
 }
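Review bot: In manifests/vncproxy.pp the checks on `$allow_noauth` and `$allow_vencrypt` protect an authentication decision, but nothing in the hunk records why they must sit before the `if (!$allow_noauth and !$allow_vencrypt)` guard. Puppet treats every string as true, so a quoted 'false' would previously have slipped past that guard and presumably been read as enabled. A one-line comment above the block would keep a later refactor from moving or dropping the checks: `# Strings are truthy in Puppet; reject non-booleans before the auth scheme guard below.` The class body continues outside the hunk, so how the two flags are consumed afterwards is not visible here.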