Configure libvirt SASL SCRAM-SHA1 when TLS is enabled

Change-Id: Ic9335829fe39eaf4e76385f651a77b293793571a Related-bug: 1732479
2017-11-16 01:24:55 +00:00 · 2017-11-16 01:24:55 +00:00 · c999f5152c
parent 6de807951f
commit c999f5152c
4 changed files with 121 additions and 2 deletions
--- a/manifests/profile/base/nova/libvirt.pp
+++ b/manifests/profile/base/nova/libvirt.pp
@ -25,11 +25,16 @@
 #
 # [*libvirtd_config*]
 #   (Optional) Overrides for libvirtd config options
-#   Default to {}
+#   Defaults to {}
+#
+# [*tls_password*]
+#   (Optional) SASL Password for libvirtd TLS connections
+#   Defaults to '' (disabled)
 #
 class tripleo::profile::base::nova::libvirt (
  $step = Integer(hiera('step')),
  $libvirtd_config = {},
+  $tls_password    = '',
 ) {
  include ::tripleo::profile::base::nova::compute_libvirt_shared

@ -67,5 +72,57 @@ class tripleo::profile::base::nova::libvirt (
    }

    include ::nova::compute::libvirt::qemu
+
+    $libvirt_sasl_conf = "
+mech_list: scram-sha-1
+sasldb_path: /etc/libvirt/passwd.db
+"
+
+    package { 'cyrus-sasl-scram':
+      ensure => present
+    }
+    ->file { '/etc/sasl2/libvirt.conf':
+      content => $libvirt_sasl_conf,
+      mode    => '0644',
+      owner   => 'root',
+      group   => 'root',
+      require => Package['libvirt'],
+      notify  => Service['libvirt'],
+    }
+
+    if !empty($tls_password) {
+      $libvirt_sasl_command = "echo \"\${TLS_PASSWORD}\" | saslpasswd2 -p -a libvirt -u overcloud migration"
+      $libvirt_auth_ensure = present
+      $libvirt_auth_conf = "
+[credentials-overcloud]
+authname=migration@overcloud
+password=${tls_password}
+
+[auth-libvirt-default]
+credentials=overcloud
+"
+    }
+    else {
+      $libvirt_sasl_command = 'saslpasswd2 -d -a libvirt -u overcloud migration'
+      $libvirt_auth_ensure = absent
+      $libvirt_auth_conf = ''
+    }
+
+    exec{ 'set libvirt sasl credentials':
+      environment => ["TLS_PASSWORD=${tls_password}"],
+      command     => $libvirt_sasl_command,
+      path        => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
+      require     => File['/etc/sasl2/libvirt.conf'],
+      tag         => ['libvirt_tls_password']
+    }
+
+    file { '/etc/libvirt/auth.conf':
+      ensure  => $libvirt_auth_ensure,
+      content => $libvirt_auth_conf,
+      mode    => '0600',
+      owner   => 'root',
+      group   => 'root',
+      notify  => Service['libvirt']
+    }
  }
 }
--- a/manifests/profile/base/nova/migration/client.pp
+++ b/manifests/profile/base/nova/migration/client.pp
@ -61,6 +61,7 @@ class tripleo::profile::base::nova::migration::client (
        transport         => 'tls',
        configure_libvirt => $libvirt_enabled,
        configure_nova    => $nova_compute_enabled,
+        auth              => 'sasl'
      }
    } else {
      # Reuse the cold-migration SSH tunnel when TLS is not enabled
--- a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
@ -36,6 +36,7 @@ eos
        is_expected.to_not contain_file('/etclibvirt/qemu/networks/autostart/default.xml')
        is_expected.to_not contain_file('/etclibvirt/qemu/networks/default.xml')
        is_expected.to_not contain_exec('libvirt-default-net-destroy')
+        is_expected.to_not contain_exec('set libvirt sasl credentials')
      }
    end

@ -76,6 +77,12 @@ eos
          "unix_sock_ro_perms" => {"value" => '"0777"'},
          "unix_sock_rw_perms" => {"value" => '"0770"'}
        })
+        is_expected.to contain_package('cyrus-sasl-scram')
+        is_expected.to contain_file('/etc/sasl2/libvirt.conf')
+        is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('absent')
+        is_expected.to contain_exec('set libvirt sasl credentials').with_command(
+          'saslpasswd2 -d -a libvirt -u overcloud migration'
+        )
      }
    end

@ -114,6 +121,58 @@ eos
          "unix_sock_ro_perms" => {"value" => '"0777"'},
          "unix_sock_rw_perms" => {"value" => '"0770"'}
        })
+        is_expected.to contain_package('cyrus-sasl-scram')
+        is_expected.to contain_file('/etc/sasl2/libvirt.conf')
+        is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('absent')
+        is_expected.to contain_exec('set libvirt sasl credentials').with_command(
+          'saslpasswd2 -d -a libvirt -u overcloud migration'
+        )
+      }
+    end
+
+    context 'with step 4 and tls_password' do
+      let(:pre_condition) do
+        <<-eos
+        class { '::tripleo::profile::base::nova':
+          step => #{params[:step]},
+          oslomsg_rpc_hosts => [ '127.0.0.1' ],
+        }
+        class { '::tripleo::profile::base::nova::migration':
+          step => #{params[:step]}
+        }
+        class { '::tripleo::profile::base::nova::migration::client':
+          step => #{params[:step]}
+        }
+        class { '::tripleo::profile::base::nova::compute_libvirt_shared':
+          step => #{params[:step]}
+        }
+eos
+      end
+
+      let(:params) { { :step => 4, :tls_password => 'foo'} }
+
+      it {
+        is_expected.to contain_class('tripleo::profile::base::nova::libvirt')
+        is_expected.to contain_class('tripleo::profile::base::nova::compute_libvirt_shared')
+        is_expected.to contain_class('tripleo::profile::base::nova')
+        is_expected.to contain_class('nova::compute::libvirt::services')
+        is_expected.to contain_class('nova::compute::libvirt::qemu')
+        is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
+        is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
+        is_expected.to contain_exec('libvirt-default-net-destroy')
+        is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+          "unix_sock_group"    => {"value" => '"libvirt"'},
+          "auth_unix_ro"       => {"value" => '"none"'},
+          "auth_unix_rw"       => {"value" => '"none"'},
+          "unix_sock_ro_perms" => {"value" => '"0777"'},
+          "unix_sock_rw_perms" => {"value" => '"0770"'}
+        })
+        is_expected.to contain_package('cyrus-sasl-scram')
+        is_expected.to contain_file('/etc/sasl2/libvirt.conf')
+        is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('present')
+        is_expected.to contain_exec('set libvirt sasl credentials').with_command(
+          "echo \"\${TLS_PASSWORD}\" | saslpasswd2 -p -a libvirt -u overcloud migration"
+        )
      }
    end
  end
--- a/spec/classes/tripleo_profile_base_nova_migration_client_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_migration_client_spec.rb
@ -101,6 +101,7 @@ eos
          :transport         => 'tls',
          :configure_libvirt => params[:libvirt_enabled],
          :configure_nova    => params[:nova_compute_enabled],
+          :auth              => 'sasl'
        )
        is_expected.to contain_file('/etc/nova/migration/identity').with(
          :content => '# Migration over SSH disabled by TripleO',
@ -163,7 +164,8 @@ eos
        is_expected.to contain_class('nova::migration::libvirt').with(
          :transport         => 'tls',
          :configure_libvirt => params[:libvirt_enabled],
-          :configure_nova    => params[:nova_compute_enabled]
+          :configure_nova    => params[:nova_compute_enabled],
+          :auth              => 'sasl'
        )
        is_expected.to contain_file('/etc/nova/migration/identity').with(
          :content => 'foo',