diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 65e8ebc9b..16ba7be65 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -22,14 +22,6 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # -# [*libvirt_enabled*] -# (Optional) Whether or not Libvirt is enabled. -# Defaults to false -# -# [*manage_migration*] -# (Optional) Whether or not manage Nova Live migration -# Defaults to false -# # [*oslomsg_rpc_proto*] # Protocol driver for the oslo messaging rpc service # Defaults to hiera('messaging_rpc_service_name', rabbit) @@ -74,49 +66,27 @@ # Enable ssl oslo messaging services # Defaults to hiera('nova::rabbit_use_ssl', '0') # -# [*nova_compute_enabled*] -# (Optional) Whether or not nova-compute is enabled. -# Defaults to false -# # [*step*] # (Optional) The current step of the deployment # Defaults to hiera('step') # -# [*migration_ssh_key*] -# (Optional) SSH key pair for migration SSH tunnel. -# Expects a hash with keys 'private_key' and 'public_key'. -# Defaults to {} -# -# [*migration_ssh_localaddrs*] -# (Optional) Restrict ssh migration to clients connecting via this list of -# IPs. -# Defaults to [] (no restriction) -# -# [*libvirt_tls*] -# (Optional) Whether or not libvird TLS service is enabled. -# Defaults to false class tripleo::profile::base::nova ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $libvirt_enabled = false, - $manage_migration = false, - $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), - $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), - $oslomsg_rpc_password = hiera('nova::rabbit_password'), - $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'), - $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'), - $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'), - $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)), - $oslomsg_notify_password = hiera('nova::rabbit_password'), - $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'), - $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'), - $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), - $nova_compute_enabled = false, - $step = Integer(hiera('step')), - $migration_ssh_key = {}, - $migration_ssh_localaddrs = [], - $libvirt_tls = false + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'), + $oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $oslomsg_rpc_password = hiera('nova::rabbit_password'), + $oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'), + $oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'), + $oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'), + $oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)), + $oslomsg_notify_password = hiera('nova::rabbit_password'), + $oslomsg_notify_port = hiera('nova::rabbit_port', '5672'), + $oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'), + $oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'), + $step = Integer(hiera('step')), ) { + if $::hostname == downcase($bootstrap_node) { $sync_db = true } else { @@ -129,10 +99,6 @@ class tripleo::profile::base::nova ( $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211') } - validate_array($migration_ssh_localaddrs) - $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) } - $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs) - if $step >= 4 or ($step >= 3 and $sync_db) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) include ::nova::config @@ -161,102 +127,4 @@ class tripleo::profile::base::nova ( } include ::nova::placement } - - if $step >= 4 { - if $manage_migration { - # Libvirt setup (live-migration) - if $libvirt_tls { - class { '::nova::migration::libvirt': - transport => 'tls', - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - } - } else { - # Reuse the cold-migration SSH tunnel when TLS is not enabled - class { '::nova::migration::libvirt': - transport => 'ssh', - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, - client_user => 'nova_migration', - client_extraparams => {'keyfile' => '/etc/nova/migration/identity'} - } - } - - $services_enabled = hiera('service_names', []) - if !empty($migration_ssh_key) and 'sshd' in $services_enabled { - # Nova SSH tunnel setup (cold-migration) - - # Server side - if !empty($migration_ssh_localaddrs_real) { - $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,',')) - $deny_type = 'LocalAddress' - $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!')) - - ssh::server::match_block { 'nova_migration deny': - name => $deny_name, - type => $deny_type, - order => 2, - options => { - 'DenyUsers' => 'nova_migration' - }, - notify => Service['sshd'] - } - } - else { - $allow_type = 'User' - } - $allow_name = 'nova_migration' - - ssh::server::match_block { 'nova_migration allow': - name => $allow_name, - type => $allow_type, - order => 1, - options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - }, - notify => Service['sshd'] - } - - $migration_authorized_keys = $migration_ssh_key['public_key'] - $migration_identity = $migration_ssh_key['private_key'] - $migration_user_shell = '/bin/bash' - } - else { - # Remove the keys and prevent login when migration over SSH is not enabled - $migration_authorized_keys = '# Migration over SSH disabled by TripleO' - $migration_identity = '# Migration over SSH disabled by TripleO' - $migration_user_shell = '/sbin/nologin' - } - - package { 'openstack-nova-migration': - ensure => present, - tag => ['openstack', 'nova-package'], - } - - file { '/etc/nova/migration/authorized_keys': - content => $migration_authorized_keys, - mode => '0640', - owner => 'root', - group => 'nova_migration', - require => Package['openstack-nova-migration'] - } - - file { '/etc/nova/migration/identity': - content => $migration_identity, - mode => '0600', - owner => 'nova', - group => 'nova', - require => Package['openstack-nova-migration'] - } - - user {'nova_migration': - shell => $migration_user_shell, - require => Package['openstack-nova-migration'] - } - } - } } diff --git a/manifests/profile/base/nova/compute/libvirt.pp b/manifests/profile/base/nova/compute/libvirt.pp index ec592cb4a..c22578c5d 100644 --- a/manifests/profile/base/nova/compute/libvirt.pp +++ b/manifests/profile/base/nova/compute/libvirt.pp @@ -28,6 +28,7 @@ class tripleo::profile::base::nova::compute::libvirt ( ) { if $step >= 4 { include ::tripleo::profile::base::nova::compute + include ::tripleo::profile::base::nova::migration::client # Ceph + Libvirt $rbd_ephemeral_storage = hiera('nova::compute::rbd::ephemeral_storage', false) diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp index b63985892..06baa39d0 100644 --- a/manifests/profile/base/nova/libvirt.pp +++ b/manifests/profile/base/nova/libvirt.pp @@ -28,6 +28,7 @@ class tripleo::profile::base::nova::libvirt ( ) { if $step >= 4 { include ::tripleo::profile::base::nova + include ::tripleo::profile::base::nova::migration::client include ::nova::compute::libvirt::services file { ['/etc/libvirt/qemu/networks/autostart/default.xml', diff --git a/manifests/profile/base/nova/migration.pp b/manifests/profile/base/nova/migration.pp new file mode 100644 index 000000000..0c4c844b9 --- /dev/null +++ b/manifests/profile/base/nova/migration.pp @@ -0,0 +1,35 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::migration +# +# Nova migration profile for tripleo, common to both client and target. +# +# === Parameters +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# + +class tripleo::profile::base::nova::migration ( + $step = Integer(hiera('step')), +) { + if $step >= 3 { + package { 'openstack-nova-migration': + ensure => present, + tag => ['openstack', 'nova-package'], + } + } +} diff --git a/manifests/profile/base/nova/migration/client.pp b/manifests/profile/base/nova/migration/client.pp new file mode 100644 index 000000000..12b83dc99 --- /dev/null +++ b/manifests/profile/base/nova/migration/client.pp @@ -0,0 +1,100 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::migration +# +# Nova migration client profile for tripleo +# +# === Parameters +# +# [*libvirt_enabled*] +# (Optional) Whether or not Libvirt is enabled. +# Defaults to false +# +# [*nova_compute_enabled*] +# (Optional) Whether or not nova-compute is enabled. +# Defaults to false +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# +# [*ssh_private_key*] +# (Optional) SSH private_key for migration SSH tunnel. +# Defaults to '' +# +# [*ssh_port*] +# (Optional) Port that SSH target services is listening on. +# Defaults to 22 +# +# [*libvirt_tls*] +# (Optional) Whether or not libvird TLS service is enabled. +# Defaults to false + +class tripleo::profile::base::nova::migration::client ( + $libvirt_enabled = false, + $nova_compute_enabled = false, + $step = Integer(hiera('step')), + $ssh_private_key = '', + $ssh_port = 22, + $libvirt_tls = false, +) { + + include ::tripleo::profile::base::nova::migration + + if $step >= 4 { + + # Libvirt setup (live-migration) + if $libvirt_tls { + class { '::nova::migration::libvirt': + transport => 'tls', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + } + } else { + # Reuse the cold-migration SSH tunnel when TLS is not enabled + class { '::nova::migration::libvirt': + transport => 'ssh', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + client_user => 'nova_migration', + client_extraparams => {'keyfile' => '/etc/nova/migration/identity'}, + client_port => $ssh_port + } + } + + if !empty($ssh_private_key) { + # Nova SSH tunnel setup (cold-migration) + $migration_identity = $ssh_private_key + } + else { + $migration_identity = '# Migration over SSH disabled by TripleO' + } + + file { '/etc/nova/migration/identity': + content => $migration_identity, + mode => '0600', + owner => 'nova', + group => 'nova', + require => Package['openstack-nova-migration'] + } + + file_line { 'nova_ssh_port': + ensure => present, + path => '/var/lib/nova/.ssh/config', + after => '^Host \*$', + line => " Port ${ssh_port}", + } + } +} diff --git a/manifests/profile/base/nova/migration/target.pp b/manifests/profile/base/nova/migration/target.pp new file mode 100644 index 000000000..7c210284c --- /dev/null +++ b/manifests/profile/base/nova/migration/target.pp @@ -0,0 +1,120 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::migration::target +# +# Nova migration target profile for tripleo +# +# === Parameters +# +# [*step*] +# (Optional) The current step of the deployment +# Defaults to hiera('step') +# +# [*ssh_authorized_keys*] +# (Optional) List of SSH public keys authorized for migration. +# If no keys are provided then migration over ssh will be disabled. +# Defaults to [] +# +# [*ssh_localaddrs*] +# (Optional) Restrict ssh migration to clients connecting via this list of +# IPs. +# Defaults to [] (no restriction) +# +# [*services_enabled*] +# (Optional) List of services enabled on the current role. +# If the nova_migration_target service is not enabled then migration over +# ssh will be disabled. +# Defaults to hiera('service_names', []) + +class tripleo::profile::base::nova::migration::target ( + $step = Integer(hiera('step')), + $ssh_authorized_keys = [], + $ssh_localaddrs = [], + $services_enabled = hiera('service_names', []), +) { + + include ::tripleo::profile::base::nova::migration + + validate_array($ssh_localaddrs) + $ssh_localaddrs.each |$x| { validate_ip_address($x) } + $ssh_localaddrs_real = unique($ssh_localaddrs) + validate_array($ssh_authorized_keys) + $ssh_authorized_keys_real = join($ssh_authorized_keys, '\n') + + if $step >= 4 { + if !empty($ssh_authorized_keys_real) { + if ('nova_migration_target' in $services_enabled) { + if !empty($ssh_localaddrs_real) { + $allow_type = sprintf('LocalAddress %s User', join($ssh_localaddrs_real,',')) + $deny_type = 'LocalAddress' + $deny_name = sprintf('!%s', join($ssh_localaddrs_real,',!')) + + ssh::server::match_block { 'nova_migration deny': + name => $deny_name, + type => $deny_type, + order => 2, + options => { + 'DenyUsers' => 'nova_migration' + }, + notify => Service['sshd'] + } + } + else { + $allow_type = 'User' + } + $allow_name = 'nova_migration' + + ssh::server::match_block { 'nova_migration allow': + name => $allow_name, + type => $allow_type, + order => 1, + options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + }, + notify => Service['sshd'] + } + $migration_authorized_keys = $ssh_authorized_keys_real + $migration_user_shell = '/bin/bash' + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } + } + else { + # Remove the keys and prevent login when migration over SSH is not enabled + $migration_authorized_keys = '# Migration over SSH disabled by TripleO' + $migration_user_shell = '/sbin/nologin' + } + + file { '/etc/nova/migration/authorized_keys': + content => $migration_authorized_keys, + mode => '0640', + owner => 'root', + group => 'nova_migration', + require => Package['openstack-nova-migration'] + } + + user {'nova_migration': + shell => $migration_user_shell, + require => Package['openstack-nova-migration'] + } + } +} diff --git a/spec/classes/tripleo_profile_base_nova_compute_libvirt_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_libvirt_spec.rb index 32482a91e..db9e77e4e 100644 --- a/spec/classes/tripleo_profile_base_nova_compute_libvirt_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_compute_libvirt_spec.rb @@ -41,6 +41,12 @@ describe 'tripleo::profile::base::nova::compute::libvirt' do class { '::tripleo::profile::base::nova::compute': step => #{params[:step]}, } + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::tripleo::profile::base::nova::migration::client': + step => #{params[:step]} + } eos end diff --git a/spec/classes/tripleo_profile_base_nova_compute_spec.rb b/spec/classes/tripleo_profile_base_nova_compute_spec.rb index 545a1fa85..90820753a 100644 --- a/spec/classes/tripleo_profile_base_nova_compute_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_compute_spec.rb @@ -40,6 +40,12 @@ describe 'tripleo::profile::base::nova::compute' do step => #{params[:step]}, oslomsg_rpc_hosts => [ '127.0.0.1' ], } + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::tripleo::profile::base::nova::migration::client': + step => #{params[:step]} + } eos end diff --git a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb index 36a6110c1..d9a06b2ae 100644 --- a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb @@ -39,6 +39,12 @@ describe 'tripleo::profile::base::nova::libvirt' do step => #{params[:step]}, oslomsg_rpc_hosts => [ '127.0.0.1' ], } + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::tripleo::profile::base::nova::migration::client': + step => #{params[:step]} + } eos end diff --git a/spec/classes/tripleo_profile_base_nova_migration_client_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_client_spec.rb new file mode 100644 index 000000000..91294dd7f --- /dev/null +++ b/spec/classes/tripleo_profile_base_nova_migration_client_spec.rb @@ -0,0 +1,188 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::nova::migration::client' do + shared_examples_for 'tripleo::profile::base::nova::migration::client' do + + context 'with step 4' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => false, + :configure_nova => false + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + context 'with step 4 with libvirt' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :nova_compute_enabled => true, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + context 'with step 4 with libvirt TLS' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :nova_compute_enabled => true, + :libvirt_tls => true, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled], + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + context 'with step 4 with libvirt and migration ssh key' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :nova_compute_enabled => true, + :ssh_private_key => 'foo' + } } + + it { + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => 'foo', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + context 'with step 4 with libvirt TLS and migration ssh key' do + let(:pre_condition) { + <<-eos + include ::nova::compute::libvirt::services + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } +eos + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :nova_compute_enabled => true, + :libvirt_tls => true, + :ssh_private_key => 'foo' + } } + + it { + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + is_expected.to contain_file('/etc/nova/migration/identity').with( + :content => 'foo', + :mode => '0600', + :owner => 'nova', + :group => 'nova', + ) + } + end + + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + it_behaves_like 'tripleo::profile::base::nova::migration::client' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_migration_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_spec.rb new file mode 100644 index 000000000..86c790e15 --- /dev/null +++ b/spec/classes/tripleo_profile_base_nova_migration_spec.rb @@ -0,0 +1,40 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::nova::migration' do + shared_examples_for 'tripleo::profile::base::nova::migration' do + + context 'with step 3' do + let(:params) { { + :step => 3, + } } + + it { + is_expected.to contain_package('openstack-nova-migration') + } + end + + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + it_behaves_like 'tripleo::profile::base::nova::migration' + end + end +end diff --git a/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb b/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb new file mode 100644 index 000000000..a14b89afe --- /dev/null +++ b/spec/classes/tripleo_profile_base_nova_migration_target_spec.rb @@ -0,0 +1,283 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::nova::migration::target' do + shared_examples_for 'tripleo::profile::base::nova::migration::target' do + + context 'with step 4 without authorized_keys' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :services_enabled => ['docker', 'nova_migration_target'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/sbin/nologin' + ) + } + end + + context 'with step 4 without nova_migration_target service enabled' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['bar', 'baz'], + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => '# Migration over SSH disabled by TripleO', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/sbin/nologin' + ) + } + end + + context 'with step 4 with invalid ssh_authorized_keys' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => 'ssh-rsa bar', + } } + + it { is_expected.to_not compile } + end + + context 'with step 4 with nova_migration_target services enabled' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'], + :services_enabled => ['docker', 'nova_migration_target'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_ssh__server__match_block('nova_migration allow').with( + :type => 'User', + :name => 'nova_migration', + :options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + } + ) + is_expected.to_not contain_ssh__server__match_block('nova_migration deny') + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => 'ssh-rsa bar\nssh-rsa baz', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' + ) + } + end + + context 'with step 4 with ssh_localaddrs' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'], + :services_enabled => ['docker', 'nova_migration_target'], + :ssh_localaddrs => ['127.0.0.1', '127.0.0.2'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_ssh__server__match_block('nova_migration allow').with( + :type => 'LocalAddress 127.0.0.1,127.0.0.2 User', + :name => 'nova_migration', + :options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + } + ) + is_expected.to contain_ssh__server__match_block('nova_migration deny').with( + :type => 'LocalAddress', + :name => '!127.0.0.1,!127.0.0.2', + :options => { + 'DenyUsers' => 'nova_migration' + } + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => 'ssh-rsa bar\nssh-rsa baz', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' + ) + } + end + + context 'with step 4 with duplicate ssh_localaddrs' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'], + :services_enabled => ['docker', 'nova_migration_target'], + :ssh_localaddrs => ['127.0.0.1', '127.0.0.1'] + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::migration') + is_expected.to contain_ssh__server__match_block('nova_migration allow').with( + :type => 'LocalAddress 127.0.0.1 User', + :name => 'nova_migration', + :options => { + 'ForceCommand' => '/bin/nova-migration-wrapper', + 'PasswordAuthentication' => 'no', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' + } + ) + is_expected.to contain_ssh__server__match_block('nova_migration deny').with( + :type => 'LocalAddress', + :name => '!127.0.0.1', + :options => { + 'DenyUsers' => 'nova_migration' + } + ) + is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( + :content => 'ssh-rsa bar\nssh-rsa baz', + :mode => '0640', + :owner => 'root', + :group => 'nova_migration', + ) + is_expected.to contain_user('nova_migration').with( + :shell => '/bin/bash' + ) + } + end + + context 'with step 4 with invalid ssh_localaddrs' do + let(:pre_condition) { + <<-eos + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::ssh::server': + storeconfigs_enabled => false, + options => {} + } +eos + } + let(:params) { { + :step => 4, + :ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'], + :services_enabled => ['docker', 'nova_migration_target'], + :ssh_localaddrs => ['127.0.0.1', ''] + } } + + it { is_expected.to_not compile } + end + + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + it_behaves_like 'tripleo::profile::base::nova::migration::target' + end + end +end \ No newline at end of file diff --git a/spec/classes/tripleo_profile_base_nova_spec.rb b/spec/classes/tripleo_profile_base_nova_spec.rb index a7f1ccea8..c6878c63d 100644 --- a/spec/classes/tripleo_profile_base_nova_spec.rb +++ b/spec/classes/tripleo_profile_base_nova_spec.rb @@ -100,429 +100,6 @@ describe 'tripleo::profile::base::nova' do } end - context 'with step 4 with libvirt' do - let(:pre_condition) { - 'include ::nova::compute::libvirt::services' - } - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'ssh', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => '# Migration over SSH disabled by TripleO', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => '# Migration over SSH disabled by TripleO', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/sbin/nologin' - ) - } - end - - context 'with step 4 with libvirt TLS' do - let(:pre_condition) { - 'include ::nova::compute::libvirt::services' - } - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :libvirt_tls => true, - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'tls', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled], - ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => '# Migration over SSH disabled by TripleO', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => '# Migration over SSH disabled by TripleO', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/sbin/nologin' - ) - } - end - - context 'with step 4 with libvirt and migration ssh key' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'ssh', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_ssh__server__match_block('nova_migration allow').with( - :type => 'User', - :name => 'nova_migration', - :options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - } - ) - is_expected.to_not contain_ssh__server__match_block('nova_migration deny') - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => 'ssh-rsa bar', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => 'foo', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/bin/bash' - ) - } - end - - context 'with step 4 with libvirt and migration ssh key and migration_ssh_localaddrs' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}, - :migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.2'] - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'ssh', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_ssh__server__match_block('nova_migration allow').with( - :type => 'LocalAddress 127.0.0.1,127.0.0.2 User', - :name => 'nova_migration', - :options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - } - ) - is_expected.to contain_ssh__server__match_block('nova_migration deny').with( - :type => 'LocalAddress', - :name => '!127.0.0.1,!127.0.0.2', - :options => { - 'DenyUsers' => 'nova_migration' - } - ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => 'ssh-rsa bar', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => 'foo', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/bin/bash' - ) - } - end - - context 'with step 4 with libvirt and migration ssh key and invalid migration_ssh_localaddrs' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}, - :migration_ssh_localaddrs => ['127.0.0.1', ''] - } } - - it { is_expected.to_not compile } - end - - context 'with step 4 with libvirt and migration ssh key and duplicate migration_ssh_localaddrs' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}, - :migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.1'] - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'ssh', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_ssh__server__match_block('nova_migration allow').with( - :type => 'LocalAddress 127.0.0.1 User', - :name => 'nova_migration', - :options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - } - ) - is_expected.to contain_ssh__server__match_block('nova_migration deny').with( - :type => 'LocalAddress', - :name => '!127.0.0.1', - :options => { - 'DenyUsers' => 'nova_migration' - } - ) - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => 'ssh-rsa bar', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => 'foo', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/bin/bash' - ) - } - end - - context 'with step 4 with libvirt TLS and migration ssh key' do - let(:pre_condition) do - <<-eof - include ::nova::compute::libvirt::services - class { '::ssh::server': - storeconfigs_enabled => false, - options => {} - } - eof - end - let(:params) { { - :step => 4, - :libvirt_enabled => true, - :manage_migration => true, - :nova_compute_enabled => true, - :bootstrap_node => 'node.example.com', - :oslomsg_rpc_hosts => [ 'localhost' ], - :oslomsg_rpc_password => 'foo', - :libvirt_tls => true, - :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} - } } - - it { - is_expected.to contain_class('tripleo::profile::base::nova') - is_expected.to contain_class('nova').with( - :default_transport_url => /.+/, - :notification_transport_url => /.+/, - :nova_public_key => nil, - :nova_private_key => nil, - ) - is_expected.to contain_class('nova::config') - is_expected.to contain_class('nova::placement') - is_expected.to contain_class('nova::cache') - is_expected.to contain_class('nova::migration::libvirt').with( - :transport => 'tls', - :configure_libvirt => params[:libvirt_enabled], - :configure_nova => params[:nova_compute_enabled] - ) - is_expected.to contain_ssh__server__match_block('nova_migration allow').with( - :type => 'User', - :name => 'nova_migration', - :options => { - 'ForceCommand' => '/bin/nova-migration-wrapper', - 'PasswordAuthentication' => 'no', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys' - } - ) - is_expected.to_not contain_ssh__server__match_block('nova_migration deny') - is_expected.to contain_package('openstack-nova-migration').with( - :ensure => 'present' - ) - is_expected.to contain_file('/etc/nova/migration/authorized_keys').with( - :content => 'ssh-rsa bar', - :mode => '0640', - :owner => 'root', - :group => 'nova_migration', - ) - is_expected.to contain_file('/etc/nova/migration/identity').with( - :content => 'foo', - :mode => '0600', - :owner => 'nova', - :group => 'nova', - ) - is_expected.to contain_user('nova_migration').with( - :shell => '/bin/bash' - ) - } - end - end diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index a0f4efc42..116444809 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -48,6 +48,5 @@ memcached_node_ips: # octavia related items octavia::rabbit_password: 'password' horizon::secret_key: 'secrete' -service_names: ['sshd'] #Neutron related neutron::rabbit_password: 'password'