Refactor nova migration config into client & target profiles

The nova migration config has always been applied by the base::nova profile.
It assumed that libvirtd/nova-compute and are all running on the
same host.
Where this config didn't apply (e.g a nova api host) it was disabled by a flag.

This approach is not compatible with containers. Hieradata for all containers
are combined so per-host flags no longer work, and we can no longer assume
libvirtd and nova-compute run in the same context.

This change refactors the profiles out of the base nova profile and into
a client profile and a target profile that can be included where appropriate.

Change-Id: I063a84a8e6da64ae3b09125cfa42e48df69adc12
Implements: blueprint tripleo-cold-migration
This commit is contained in:
Oliver Walsh 2017-06-07 23:26:25 +01:00
parent d5582dd84b
commit 6140d801f1
14 changed files with 800 additions and 570 deletions

View File

@ -22,14 +22,6 @@
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
# [*libvirt_enabled*]
# (Optional) Whether or not Libvirt is enabled.
# Defaults to false
#
# [*manage_migration*]
# (Optional) Whether or not manage Nova Live migration
# Defaults to false
#
# [*oslomsg_rpc_proto*]
# Protocol driver for the oslo messaging rpc service
# Defaults to hiera('messaging_rpc_service_name', rabbit)
@ -74,49 +66,27 @@
# Enable ssl oslo messaging services
# Defaults to hiera('nova::rabbit_use_ssl', '0')
#
# [*nova_compute_enabled*]
# (Optional) Whether or not nova-compute is enabled.
# Defaults to false
#
# [*step*]
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
# [*migration_ssh_key*]
# (Optional) SSH key pair for migration SSH tunnel.
# Expects a hash with keys 'private_key' and 'public_key'.
# Defaults to {}
#
# [*migration_ssh_localaddrs*]
# (Optional) Restrict ssh migration to clients connecting via this list of
# IPs.
# Defaults to [] (no restriction)
#
# [*libvirt_tls*]
# (Optional) Whether or not libvird TLS service is enabled.
# Defaults to false
class tripleo::profile::base::nova (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$libvirt_enabled = false,
$manage_migration = false,
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
$oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
$oslomsg_rpc_password = hiera('nova::rabbit_password'),
$oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'),
$oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'),
$oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'),
$oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)),
$oslomsg_notify_password = hiera('nova::rabbit_password'),
$oslomsg_notify_port = hiera('nova::rabbit_port', '5672'),
$oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'),
$oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'),
$nova_compute_enabled = false,
$step = Integer(hiera('step')),
$migration_ssh_key = {},
$migration_ssh_localaddrs = [],
$libvirt_tls = false
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
$oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
$oslomsg_rpc_password = hiera('nova::rabbit_password'),
$oslomsg_rpc_port = hiera('nova::rabbit_port', '5672'),
$oslomsg_rpc_username = hiera('nova::rabbit_userid', 'guest'),
$oslomsg_notify_proto = hiera('messaging_notify_service_name', 'rabbit'),
$oslomsg_notify_hosts = any2array(hiera('rabbitmq_node_names', undef)),
$oslomsg_notify_password = hiera('nova::rabbit_password'),
$oslomsg_notify_port = hiera('nova::rabbit_port', '5672'),
$oslomsg_notify_username = hiera('nova::rabbit_userid', 'guest'),
$oslomsg_use_ssl = hiera('nova::rabbit_use_ssl', '0'),
$step = Integer(hiera('step')),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
} else {
@ -129,10 +99,6 @@ class tripleo::profile::base::nova (
$memcache_servers = suffix(hiera('memcached_node_ips'), ':11211')
}
validate_array($migration_ssh_localaddrs)
$migration_ssh_localaddrs.each |$x| { validate_ip_address($x) }
$migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs)
if $step >= 4 or ($step >= 3 and $sync_db) {
$oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
include ::nova::config
@ -161,102 +127,4 @@ class tripleo::profile::base::nova (
}
include ::nova::placement
}
if $step >= 4 {
if $manage_migration {
# Libvirt setup (live-migration)
if $libvirt_tls {
class { '::nova::migration::libvirt':
transport => 'tls',
configure_libvirt => $libvirt_enabled,
configure_nova => $nova_compute_enabled,
}
} else {
# Reuse the cold-migration SSH tunnel when TLS is not enabled
class { '::nova::migration::libvirt':
transport => 'ssh',
configure_libvirt => $libvirt_enabled,
configure_nova => $nova_compute_enabled,
client_user => 'nova_migration',
client_extraparams => {'keyfile' => '/etc/nova/migration/identity'}
}
}
$services_enabled = hiera('service_names', [])
if !empty($migration_ssh_key) and 'sshd' in $services_enabled {
# Nova SSH tunnel setup (cold-migration)
# Server side
if !empty($migration_ssh_localaddrs_real) {
$allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,','))
$deny_type = 'LocalAddress'
$deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!'))
ssh::server::match_block { 'nova_migration deny':
name => $deny_name,
type => $deny_type,
order => 2,
options => {
'DenyUsers' => 'nova_migration'
},
notify => Service['sshd']
}
}
else {
$allow_type = 'User'
}
$allow_name = 'nova_migration'
ssh::server::match_block { 'nova_migration allow':
name => $allow_name,
type => $allow_type,
order => 1,
options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
},
notify => Service['sshd']
}
$migration_authorized_keys = $migration_ssh_key['public_key']
$migration_identity = $migration_ssh_key['private_key']
$migration_user_shell = '/bin/bash'
}
else {
# Remove the keys and prevent login when migration over SSH is not enabled
$migration_authorized_keys = '# Migration over SSH disabled by TripleO'
$migration_identity = '# Migration over SSH disabled by TripleO'
$migration_user_shell = '/sbin/nologin'
}
package { 'openstack-nova-migration':
ensure => present,
tag => ['openstack', 'nova-package'],
}
file { '/etc/nova/migration/authorized_keys':
content => $migration_authorized_keys,
mode => '0640',
owner => 'root',
group => 'nova_migration',
require => Package['openstack-nova-migration']
}
file { '/etc/nova/migration/identity':
content => $migration_identity,
mode => '0600',
owner => 'nova',
group => 'nova',
require => Package['openstack-nova-migration']
}
user {'nova_migration':
shell => $migration_user_shell,
require => Package['openstack-nova-migration']
}
}
}
}

View File

@ -28,6 +28,7 @@ class tripleo::profile::base::nova::compute::libvirt (
) {
if $step >= 4 {
include ::tripleo::profile::base::nova::compute
include ::tripleo::profile::base::nova::migration::client
# Ceph + Libvirt
$rbd_ephemeral_storage = hiera('nova::compute::rbd::ephemeral_storage', false)

View File

@ -28,6 +28,7 @@ class tripleo::profile::base::nova::libvirt (
) {
if $step >= 4 {
include ::tripleo::profile::base::nova
include ::tripleo::profile::base::nova::migration::client
include ::nova::compute::libvirt::services
file { ['/etc/libvirt/qemu/networks/autostart/default.xml',

View File

@ -0,0 +1,35 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::nova::migration
#
# Nova migration profile for tripleo, common to both client and target.
#
# === Parameters
#
# [*step*]
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
class tripleo::profile::base::nova::migration (
$step = Integer(hiera('step')),
) {
if $step >= 3 {
package { 'openstack-nova-migration':
ensure => present,
tag => ['openstack', 'nova-package'],
}
}
}

View File

@ -0,0 +1,100 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::nova::migration
#
# Nova migration client profile for tripleo
#
# === Parameters
#
# [*libvirt_enabled*]
# (Optional) Whether or not Libvirt is enabled.
# Defaults to false
#
# [*nova_compute_enabled*]
# (Optional) Whether or not nova-compute is enabled.
# Defaults to false
#
# [*step*]
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
# [*ssh_private_key*]
# (Optional) SSH private_key for migration SSH tunnel.
# Defaults to ''
#
# [*ssh_port*]
# (Optional) Port that SSH target services is listening on.
# Defaults to 22
#
# [*libvirt_tls*]
# (Optional) Whether or not libvird TLS service is enabled.
# Defaults to false
class tripleo::profile::base::nova::migration::client (
$libvirt_enabled = false,
$nova_compute_enabled = false,
$step = Integer(hiera('step')),
$ssh_private_key = '',
$ssh_port = 22,
$libvirt_tls = false,
) {
include ::tripleo::profile::base::nova::migration
if $step >= 4 {
# Libvirt setup (live-migration)
if $libvirt_tls {
class { '::nova::migration::libvirt':
transport => 'tls',
configure_libvirt => $libvirt_enabled,
configure_nova => $nova_compute_enabled,
}
} else {
# Reuse the cold-migration SSH tunnel when TLS is not enabled
class { '::nova::migration::libvirt':
transport => 'ssh',
configure_libvirt => $libvirt_enabled,
configure_nova => $nova_compute_enabled,
client_user => 'nova_migration',
client_extraparams => {'keyfile' => '/etc/nova/migration/identity'},
client_port => $ssh_port
}
}
if !empty($ssh_private_key) {
# Nova SSH tunnel setup (cold-migration)
$migration_identity = $ssh_private_key
}
else {
$migration_identity = '# Migration over SSH disabled by TripleO'
}
file { '/etc/nova/migration/identity':
content => $migration_identity,
mode => '0600',
owner => 'nova',
group => 'nova',
require => Package['openstack-nova-migration']
}
file_line { 'nova_ssh_port':
ensure => present,
path => '/var/lib/nova/.ssh/config',
after => '^Host \*$',
line => " Port ${ssh_port}",
}
}
}

View File

@ -0,0 +1,120 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::nova::migration::target
#
# Nova migration target profile for tripleo
#
# === Parameters
#
# [*step*]
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
# [*ssh_authorized_keys*]
# (Optional) List of SSH public keys authorized for migration.
# If no keys are provided then migration over ssh will be disabled.
# Defaults to []
#
# [*ssh_localaddrs*]
# (Optional) Restrict ssh migration to clients connecting via this list of
# IPs.
# Defaults to [] (no restriction)
#
# [*services_enabled*]
# (Optional) List of services enabled on the current role.
# If the nova_migration_target service is not enabled then migration over
# ssh will be disabled.
# Defaults to hiera('service_names', [])
class tripleo::profile::base::nova::migration::target (
$step = Integer(hiera('step')),
$ssh_authorized_keys = [],
$ssh_localaddrs = [],
$services_enabled = hiera('service_names', []),
) {
include ::tripleo::profile::base::nova::migration
validate_array($ssh_localaddrs)
$ssh_localaddrs.each |$x| { validate_ip_address($x) }
$ssh_localaddrs_real = unique($ssh_localaddrs)
validate_array($ssh_authorized_keys)
$ssh_authorized_keys_real = join($ssh_authorized_keys, '\n')
if $step >= 4 {
if !empty($ssh_authorized_keys_real) {
if ('nova_migration_target' in $services_enabled) {
if !empty($ssh_localaddrs_real) {
$allow_type = sprintf('LocalAddress %s User', join($ssh_localaddrs_real,','))
$deny_type = 'LocalAddress'
$deny_name = sprintf('!%s', join($ssh_localaddrs_real,',!'))
ssh::server::match_block { 'nova_migration deny':
name => $deny_name,
type => $deny_type,
order => 2,
options => {
'DenyUsers' => 'nova_migration'
},
notify => Service['sshd']
}
}
else {
$allow_type = 'User'
}
$allow_name = 'nova_migration'
ssh::server::match_block { 'nova_migration allow':
name => $allow_name,
type => $allow_type,
order => 1,
options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
},
notify => Service['sshd']
}
$migration_authorized_keys = $ssh_authorized_keys_real
$migration_user_shell = '/bin/bash'
}
else {
# Remove the keys and prevent login when migration over SSH is not enabled
$migration_authorized_keys = '# Migration over SSH disabled by TripleO'
$migration_user_shell = '/sbin/nologin'
}
}
else {
# Remove the keys and prevent login when migration over SSH is not enabled
$migration_authorized_keys = '# Migration over SSH disabled by TripleO'
$migration_user_shell = '/sbin/nologin'
}
file { '/etc/nova/migration/authorized_keys':
content => $migration_authorized_keys,
mode => '0640',
owner => 'root',
group => 'nova_migration',
require => Package['openstack-nova-migration']
}
user {'nova_migration':
shell => $migration_user_shell,
require => Package['openstack-nova-migration']
}
}
}

View File

@ -41,6 +41,12 @@ describe 'tripleo::profile::base::nova::compute::libvirt' do
class { '::tripleo::profile::base::nova::compute':
step => #{params[:step]},
}
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::tripleo::profile::base::nova::migration::client':
step => #{params[:step]}
}
eos
end

View File

@ -40,6 +40,12 @@ describe 'tripleo::profile::base::nova::compute' do
step => #{params[:step]},
oslomsg_rpc_hosts => [ '127.0.0.1' ],
}
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::tripleo::profile::base::nova::migration::client':
step => #{params[:step]}
}
eos
end

View File

@ -39,6 +39,12 @@ describe 'tripleo::profile::base::nova::libvirt' do
step => #{params[:step]},
oslomsg_rpc_hosts => [ '127.0.0.1' ],
}
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::tripleo::profile::base::nova::migration::client':
step => #{params[:step]}
}
eos
end

View File

@ -0,0 +1,188 @@
#
# Copyright (C) 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
require 'spec_helper'
describe 'tripleo::profile::base::nova::migration::client' do
shared_examples_for 'tripleo::profile::base::nova::migration::client' do
context 'with step 4' do
let(:pre_condition) {
<<-eos
include ::nova::compute::libvirt::services
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
eos
}
let(:params) { {
:step => 4,
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'ssh',
:configure_libvirt => false,
:configure_nova => false
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
}
end
context 'with step 4 with libvirt' do
let(:pre_condition) {
<<-eos
include ::nova::compute::libvirt::services
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
eos
}
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:nova_compute_enabled => true,
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'ssh',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
}
end
context 'with step 4 with libvirt TLS' do
let(:pre_condition) {
<<-eos
include ::nova::compute::libvirt::services
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
eos
}
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:nova_compute_enabled => true,
:libvirt_tls => true,
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'tls',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled],
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
}
end
context 'with step 4 with libvirt and migration ssh key' do
let(:pre_condition) {
<<-eos
include ::nova::compute::libvirt::services
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
eos
}
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:nova_compute_enabled => true,
:ssh_private_key => 'foo'
} }
it {
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'ssh',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => 'foo',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
}
end
context 'with step 4 with libvirt TLS and migration ssh key' do
let(:pre_condition) {
<<-eos
include ::nova::compute::libvirt::services
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
eos
}
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:nova_compute_enabled => true,
:libvirt_tls => true,
:ssh_private_key => 'foo'
} }
it {
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'tls',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => 'foo',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
}
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({ :hostname => 'node.example.com' })
end
it_behaves_like 'tripleo::profile::base::nova::migration::client'
end
end
end

View File

@ -0,0 +1,40 @@
#
# Copyright (C) 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
require 'spec_helper'
describe 'tripleo::profile::base::nova::migration' do
shared_examples_for 'tripleo::profile::base::nova::migration' do
context 'with step 3' do
let(:params) { {
:step => 3,
} }
it {
is_expected.to contain_package('openstack-nova-migration')
}
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
it_behaves_like 'tripleo::profile::base::nova::migration'
end
end
end

View File

@ -0,0 +1,283 @@
#
# Copyright (C) 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
require 'spec_helper'
describe 'tripleo::profile::base::nova::migration::target' do
shared_examples_for 'tripleo::profile::base::nova::migration::target' do
context 'with step 4 without authorized_keys' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eos
}
let(:params) { {
:step => 4,
:services_enabled => ['docker', 'nova_migration_target']
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/sbin/nologin'
)
}
end
context 'with step 4 without nova_migration_target service enabled' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eos
}
let(:params) { {
:step => 4,
:ssh_authorized_keys => ['bar', 'baz'],
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/sbin/nologin'
)
}
end
context 'with step 4 with invalid ssh_authorized_keys' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eos
}
let(:params) { {
:step => 4,
:ssh_authorized_keys => 'ssh-rsa bar',
} }
it { is_expected.to_not compile }
end
context 'with step 4 with nova_migration_target services enabled' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eos
}
let(:params) { {
:step => 4,
:ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
:services_enabled => ['docker', 'nova_migration_target']
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
:type => 'User',
:name => 'nova_migration',
:options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
}
)
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar\nssh-rsa baz',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
context 'with step 4 with ssh_localaddrs' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eos
}
let(:params) { {
:step => 4,
:ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
:services_enabled => ['docker', 'nova_migration_target'],
:ssh_localaddrs => ['127.0.0.1', '127.0.0.2']
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
:type => 'LocalAddress 127.0.0.1,127.0.0.2 User',
:name => 'nova_migration',
:options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
}
)
is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
:type => 'LocalAddress',
:name => '!127.0.0.1,!127.0.0.2',
:options => {
'DenyUsers' => 'nova_migration'
}
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar\nssh-rsa baz',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
context 'with step 4 with duplicate ssh_localaddrs' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eos
}
let(:params) { {
:step => 4,
:ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
:services_enabled => ['docker', 'nova_migration_target'],
:ssh_localaddrs => ['127.0.0.1', '127.0.0.1']
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
:type => 'LocalAddress 127.0.0.1 User',
:name => 'nova_migration',
:options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
}
)
is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
:type => 'LocalAddress',
:name => '!127.0.0.1',
:options => {
'DenyUsers' => 'nova_migration'
}
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar\nssh-rsa baz',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
context 'with step 4 with invalid ssh_localaddrs' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eos
}
let(:params) { {
:step => 4,
:ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
:services_enabled => ['docker', 'nova_migration_target'],
:ssh_localaddrs => ['127.0.0.1', '']
} }
it { is_expected.to_not compile }
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({ :hostname => 'node.example.com' })
end
it_behaves_like 'tripleo::profile::base::nova::migration::target'
end
end
end

View File

@ -100,429 +100,6 @@ describe 'tripleo::profile::base::nova' do
}
end
context 'with step 4 with libvirt' do
let(:pre_condition) {
'include ::nova::compute::libvirt::services'
}
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:manage_migration => true,
:nova_compute_enabled => true,
:bootstrap_node => 'node.example.com',
:oslomsg_rpc_hosts => [ 'localhost' ],
:oslomsg_rpc_password => 'foo',
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova').with(
:default_transport_url => /.+/,
:notification_transport_url => /.+/,
:nova_public_key => nil,
:nova_private_key => nil,
)
is_expected.to contain_class('nova::config')
is_expected.to contain_class('nova::placement')
is_expected.to contain_class('nova::cache')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'ssh',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/sbin/nologin'
)
}
end
context 'with step 4 with libvirt TLS' do
let(:pre_condition) {
'include ::nova::compute::libvirt::services'
}
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:manage_migration => true,
:nova_compute_enabled => true,
:bootstrap_node => 'node.example.com',
:oslomsg_rpc_hosts => [ 'localhost' ],
:oslomsg_rpc_password => 'foo',
:libvirt_tls => true,
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova').with(
:default_transport_url => /.+/,
:notification_transport_url => /.+/,
:nova_public_key => nil,
:nova_private_key => nil,
)
is_expected.to contain_class('nova::config')
is_expected.to contain_class('nova::placement')
is_expected.to contain_class('nova::cache')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'tls',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled],
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/sbin/nologin'
)
}
end
context 'with step 4 with libvirt and migration ssh key' do
let(:pre_condition) do
<<-eof
include ::nova::compute::libvirt::services
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eof
end
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:manage_migration => true,
:nova_compute_enabled => true,
:bootstrap_node => 'node.example.com',
:oslomsg_rpc_hosts => [ 'localhost' ],
:oslomsg_rpc_password => 'foo',
:migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova').with(
:default_transport_url => /.+/,
:notification_transport_url => /.+/,
:nova_public_key => nil,
:nova_private_key => nil,
)
is_expected.to contain_class('nova::config')
is_expected.to contain_class('nova::placement')
is_expected.to contain_class('nova::cache')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'ssh',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
:type => 'User',
:name => 'nova_migration',
:options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
}
)
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => 'foo',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
context 'with step 4 with libvirt and migration ssh key and migration_ssh_localaddrs' do
let(:pre_condition) do
<<-eof
include ::nova::compute::libvirt::services
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eof
end
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:manage_migration => true,
:nova_compute_enabled => true,
:bootstrap_node => 'node.example.com',
:oslomsg_rpc_hosts => [ 'localhost' ],
:oslomsg_rpc_password => 'foo',
:migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
:migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.2']
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova').with(
:default_transport_url => /.+/,
:notification_transport_url => /.+/,
:nova_public_key => nil,
:nova_private_key => nil,
)
is_expected.to contain_class('nova::config')
is_expected.to contain_class('nova::placement')
is_expected.to contain_class('nova::cache')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'ssh',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
:type => 'LocalAddress 127.0.0.1,127.0.0.2 User',
:name => 'nova_migration',
:options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
}
)
is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
:type => 'LocalAddress',
:name => '!127.0.0.1,!127.0.0.2',
:options => {
'DenyUsers' => 'nova_migration'
}
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => 'foo',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
context 'with step 4 with libvirt and migration ssh key and invalid migration_ssh_localaddrs' do
let(:pre_condition) do
<<-eof
include ::nova::compute::libvirt::services
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eof
end
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:manage_migration => true,
:nova_compute_enabled => true,
:bootstrap_node => 'node.example.com',
:oslomsg_rpc_hosts => [ 'localhost' ],
:oslomsg_rpc_password => 'foo',
:migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
:migration_ssh_localaddrs => ['127.0.0.1', '']
} }
it { is_expected.to_not compile }
end
context 'with step 4 with libvirt and migration ssh key and duplicate migration_ssh_localaddrs' do
let(:pre_condition) do
<<-eof
include ::nova::compute::libvirt::services
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eof
end
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:manage_migration => true,
:nova_compute_enabled => true,
:bootstrap_node => 'node.example.com',
:oslomsg_rpc_hosts => [ 'localhost' ],
:oslomsg_rpc_password => 'foo',
:migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
:migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.1']
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova').with(
:default_transport_url => /.+/,
:notification_transport_url => /.+/,
:nova_public_key => nil,
:nova_private_key => nil,
)
is_expected.to contain_class('nova::config')
is_expected.to contain_class('nova::placement')
is_expected.to contain_class('nova::cache')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'ssh',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
:type => 'LocalAddress 127.0.0.1 User',
:name => 'nova_migration',
:options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
}
)
is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
:type => 'LocalAddress',
:name => '!127.0.0.1',
:options => {
'DenyUsers' => 'nova_migration'
}
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => 'foo',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
context 'with step 4 with libvirt TLS and migration ssh key' do
let(:pre_condition) do
<<-eof
include ::nova::compute::libvirt::services
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eof
end
let(:params) { {
:step => 4,
:libvirt_enabled => true,
:manage_migration => true,
:nova_compute_enabled => true,
:bootstrap_node => 'node.example.com',
:oslomsg_rpc_hosts => [ 'localhost' ],
:oslomsg_rpc_password => 'foo',
:libvirt_tls => true,
:migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'}
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova').with(
:default_transport_url => /.+/,
:notification_transport_url => /.+/,
:nova_public_key => nil,
:nova_private_key => nil,
)
is_expected.to contain_class('nova::config')
is_expected.to contain_class('nova::placement')
is_expected.to contain_class('nova::cache')
is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'tls',
:configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
:type => 'User',
:name => 'nova_migration',
:options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
}
)
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => 'foo',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
end

View File

@ -48,6 +48,5 @@ memcached_node_ips:
# octavia related items
octavia::rabbit_password: 'password'
horizon::secret_key: 'secrete'
service_names: ['sshd']
#Neutron related
neutron::rabbit_password: 'password'