Configure libvirt SASL SCRAM-SHA1 when TLS is enabled
Change-Id: Ic9335829fe39eaf4e76385f651a77b293793571a Related-bug: 1732479
parent
6de807951f
commit
c999f5152c
|
@ -25,11 +25,16 @@
|
|||
#
|
||||
# [*libvirtd_config*]
|
||||
# (Optional) Overrides for libvirtd config options
|
||||
# Default to {}
|
||||
# Defaults to {}
|
||||
#
|
||||
# [*tls_password*]
|
||||
# (Optional) SASL Password for libvirtd TLS connections
|
||||
# Defaults to '' (disabled)
|
||||
#
|
||||
class tripleo::profile::base::nova::libvirt (
|
||||
$step = Integer(hiera('step')),
|
||||
$libvirtd_config = {},
|
||||
$tls_password = '',
|
||||
) {
|
||||
include ::tripleo::profile::base::nova::compute_libvirt_shared
|
||||
|
||||
|
@ -67,5 +72,57 @@ class tripleo::profile::base::nova::libvirt (
|
|||
}
|
||||
|
||||
include ::nova::compute::libvirt::qemu
|
||||
|
||||
$libvirt_sasl_conf = "
|
||||
mech_list: scram-sha-1
|
||||
sasldb_path: /etc/libvirt/passwd.db
|
||||
"
|
||||
|
||||
package { 'cyrus-sasl-scram':
|
||||
ensure => present
|
||||
}
|
||||
->file { '/etc/sasl2/libvirt.conf':
|
||||
content => $libvirt_sasl_conf,
|
||||
mode => '0644',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
require => Package['libvirt'],
|
||||
notify => Service['libvirt'],
|
||||
}
|
||||
|
||||
if !empty($tls_password) {
|
||||
$libvirt_sasl_command = "echo \"\${TLS_PASSWORD}\" | saslpasswd2 -p -a libvirt -u overcloud migration"
|
||||
$libvirt_auth_ensure = present
|
||||
$libvirt_auth_conf = "
|
||||
[credentials-overcloud]
|
||||
authname=migration@overcloud
|
||||
password=${tls_password}
|
||||
|
||||
[auth-libvirt-default]
|
||||
credentials=overcloud
|
||||
"
|
||||
}
|
||||
else {
|
||||
$libvirt_sasl_command = 'saslpasswd2 -d -a libvirt -u overcloud migration'
|
||||
$libvirt_auth_ensure = absent
|
||||
$libvirt_auth_conf = ''
|
||||
}
|
||||
|
||||
exec{ 'set libvirt sasl credentials':
|
||||
environment => ["TLS_PASSWORD=${tls_password}"],
|
||||
command => $libvirt_sasl_command,
|
||||
path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
|
||||
require => File['/etc/sasl2/libvirt.conf'],
|
||||
tag => ['libvirt_tls_password']
|
||||
}
|
||||
|
||||
file { '/etc/libvirt/auth.conf':
|
||||
ensure => $libvirt_auth_ensure,
|
||||
content => $libvirt_auth_conf,
|
||||
mode => '0600',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
notify => Service['libvirt']
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
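Review bot: The `file { '/etc/libvirt/auth.conf': ... }` resource at the end of the hunk embeds `password=${tls_password}` in its `content` but does not set `show_diff => false`, so whenever that content changes the agent prints and reports the diff, password included; add `show_diff => false,` beside `mode => '0600',`. The `exec { 'set libvirt sasl credentials': ... }` has no `unless`, `onlyif` or `refreshonly`, so `saslpasswd2` runs and is reported as a change on every agent run; if re-applying on each run is intended (the `libvirt_tls_password` tag hints the deployment may rely on that), a comment such as `# Re-run on every apply so a rotated tls_password takes effect` would make it explicit, otherwise `subscribe => File['/etc/libvirt/auth.conf'], refreshonly => true` would likely limit it to password changes. `Package['libvirt']` and `Service['libvirt']` are referenced here but declared outside this hunk, presumably by the nova libvirt classes; I cannot confirm that from this view. The class opening is in the earlier hunk, so the body shown here is not the whole class.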
@ -61,6 +61,7 @@ class tripleo::profile::base::nova::migration::client (
|
|||
transport => 'tls',
|
||||
configure_libvirt => $libvirt_enabled,
|
||||
configure_nova => $nova_compute_enabled,
|
||||
auth => 'sasl'
|
||||
}
|
||||
} else {
|
||||
# Reuse the cold-migration SSH tunnel when TLS is not enabled
|
||||
|
|
|
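Review bot: `auth => 'sasl'` is passed to `nova::migration::libvirt` unconditionally in the TLS branch, while the libvirt profile in this same commit deletes the SASL user and removes `/etc/libvirt/auth.conf` when `tls_password` is empty, which is its documented default; if that parameter presumably sets libvirtd's TLS auth to SASL, TLS migrations on a deployment with no password would fail authentication. That is fail-closed rather than insecure, but it deserves a comment above `auth => 'sasl'` stating that `tls_password` must be set for TLS migration to work, or a guard that only enables SASL auth when a password is configured. The enclosing `if` of this branch starts outside the hunk, so I cannot see whether such a guard already exists.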
@ -36,6 +36,7 @@ eos
|
|||
is_expected.to_not contain_file('/etclibvirt/qemu/networks/autostart/default.xml')
|
||||
is_expected.to_not contain_file('/etclibvirt/qemu/networks/default.xml')
|
||||
is_expected.to_not contain_exec('libvirt-default-net-destroy')
|
||||
is_expected.to_not contain_exec('set libvirt sasl credentials')
|
||||
}
|
||||
end
|
||||
|
||||
|
@ -76,6 +77,12 @@ eos
|
|||
"unix_sock_ro_perms" => {"value" => '"0777"'},
|
||||
"unix_sock_rw_perms" => {"value" => '"0770"'}
|
||||
})
|
||||
is_expected.to contain_package('cyrus-sasl-scram')
|
||||
is_expected.to contain_file('/etc/sasl2/libvirt.conf')
|
||||
is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('absent')
|
||||
is_expected.to contain_exec('set libvirt sasl credentials').with_command(
|
||||
'saslpasswd2 -d -a libvirt -u overcloud migration'
|
||||
)
|
||||
}
|
||||
end
|
||||
|
||||
|
@ -114,6 +121,58 @@ eos
|
|||
"unix_sock_ro_perms" => {"value" => '"0777"'},
|
||||
"unix_sock_rw_perms" => {"value" => '"0770"'}
|
||||
})
|
||||
is_expected.to contain_package('cyrus-sasl-scram')
|
||||
is_expected.to contain_file('/etc/sasl2/libvirt.conf')
|
||||
is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('absent')
|
||||
is_expected.to contain_exec('set libvirt sasl credentials').with_command(
|
||||
'saslpasswd2 -d -a libvirt -u overcloud migration'
|
||||
)
|
||||
}
|
||||
end
|
||||
|
||||
context 'with step 4 and tls_password' do
|
||||
let(:pre_condition) do
|
||||
<<-eos
|
||||
class { '::tripleo::profile::base::nova':
|
||||
step => #{params[:step]},
|
||||
oslomsg_rpc_hosts => [ '127.0.0.1' ],
|
||||
}
|
||||
class { '::tripleo::profile::base::nova::migration':
|
||||
step => #{params[:step]}
|
||||
}
|
||||
class { '::tripleo::profile::base::nova::migration::client':
|
||||
step => #{params[:step]}
|
||||
}
|
||||
class { '::tripleo::profile::base::nova::compute_libvirt_shared':
|
||||
step => #{params[:step]}
|
||||
}
|
||||
eos
|
||||
end
|
||||
|
||||
let(:params) { { :step => 4, :tls_password => 'foo'} }
|
||||
|
||||
it {
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::libvirt')
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::compute_libvirt_shared')
|
||||
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||
is_expected.to contain_class('nova::compute::libvirt::services')
|
||||
is_expected.to contain_class('nova::compute::libvirt::qemu')
|
||||
is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
|
||||
is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
|
||||
is_expected.to contain_exec('libvirt-default-net-destroy')
|
||||
is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
|
||||
"unix_sock_group" => {"value" => '"libvirt"'},
|
||||
"auth_unix_ro" => {"value" => '"none"'},
|
||||
"auth_unix_rw" => {"value" => '"none"'},
|
||||
"unix_sock_ro_perms" => {"value" => '"0777"'},
|
||||
"unix_sock_rw_perms" => {"value" => '"0770"'}
|
||||
})
|
||||
is_expected.to contain_package('cyrus-sasl-scram')
|
||||
is_expected.to contain_file('/etc/sasl2/libvirt.conf')
|
||||
is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('present')
|
||||
is_expected.to contain_exec('set libvirt sasl credentials').with_command(
|
||||
"echo \"\${TLS_PASSWORD}\" | saslpasswd2 -p -a libvirt -u overcloud migration"
|
||||
)
|
||||
}
|
||||
end
|
||||
end
|
||||
|
|
|
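Review bot: The new `with step 4 and tls_password` context asserts `contain_file('/etc/libvirt/auth.conf').with_ensure('present')` but not the attributes that protect the password in that file; adding `.with_mode('0600').with_owner('root')` would pin the permission the manifest sets, and `contain_exec('set libvirt sasl credentials').with_environment(['TLS_PASSWORD=foo'])` would pin that the password reaches `saslpasswd2` via the environment rather than the command line. None of the three contexts checks `contain_file('/etc/sasl2/libvirt.conf').with_content(/mech_list: scram-sha-1/)`, so a regression to a weaker mechanism in that file would go unnoticed. The surrounding `describe` block begins outside the hunk.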
@ -101,6 +101,7 @@ eos
|
|||
:transport => 'tls',
|
||||
:configure_libvirt => params[:libvirt_enabled],
|
||||
:configure_nova => params[:nova_compute_enabled],
|
||||
:auth => 'sasl'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||
:content => '# Migration over SSH disabled by TripleO',
|
||||
|
@ -163,7 +164,8 @@ eos
|
|||
is_expected.to contain_class('nova::migration::libvirt').with(
|
||||
:transport => 'tls',
|
||||
:configure_libvirt => params[:libvirt_enabled],
|
||||
:configure_nova => params[:nova_compute_enabled]
|
||||
:configure_nova => params[:nova_compute_enabled],
|
||||
:auth => 'sasl'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||
:content => 'foo',
|
||||
|
|