openstack/puppet-tripleo
Code Issues Proposed changes

Configure libvirt SASL SCRAM-SHA1 when TLS is enabled

Browse Source 
Change-Id: Ic9335829fe39eaf4e76385f651a77b293793571a
Related-bug: 1732479
This commit is contained in:
Oliver Walsh
2017-11-16 01:24:55 +00:00
parent 6de807951f
commit c999f5152c
4 changed files with 121 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
manifests/profile/base/nova/libvirt.pp
View File

@@ -25,11 +25,16 @@
# #
# [*libvirtd_config*] # [*libvirtd_config*]
# (Optional) Overrides for libvirtd config options # (Optional) Overrides for libvirtd config options
# Default to {} # Defaults to {}
#
# [*tls_password*]
# (Optional) SASL Password for libvirtd TLS connections
# Defaults to '' (disabled)
# #
class tripleo::profile::base::nova::libvirt ( class tripleo::profile::base::nova::libvirt (
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$libvirtd_config = {}, $libvirtd_config = {},
$tls_password = '',
) { ) {
include ::tripleo::profile::base::nova::compute_libvirt_shared include ::tripleo::profile::base::nova::compute_libvirt_shared
@@ -67,5 +72,57 @@ class tripleo::profile::base::nova::libvirt (
} }
include ::nova::compute::libvirt::qemu include ::nova::compute::libvirt::qemu
$libvirt_sasl_conf = "
mech_list: scram-sha-1
sasldb_path: /etc/libvirt/passwd.db
"
package { 'cyrus-sasl-scram':
ensure => present
}
->file { '/etc/sasl2/libvirt.conf':
content => $libvirt_sasl_conf,
mode => '0644',
owner => 'root',
group => 'root',
require => Package['libvirt'],
notify => Service['libvirt'],
}
if !empty($tls_password) {
$libvirt_sasl_command = "echo \"\${TLS_PASSWORD}\" | saslpasswd2 -p -a libvirt -u overcloud migration"
$libvirt_auth_ensure = present
$libvirt_auth_conf = "
[credentials-overcloud]
authname=migration@overcloud
password=${tls_password}
[auth-libvirt-default]
credentials=overcloud
"
}
else {
$libvirt_sasl_command = 'saslpasswd2 -d -a libvirt -u overcloud migration'
$libvirt_auth_ensure = absent
$libvirt_auth_conf = ''
}
exec{ 'set libvirt sasl credentials':
environment => ["TLS_PASSWORD=${tls_password}"],
command => $libvirt_sasl_command,
path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
require => File['/etc/sasl2/libvirt.conf'],
tag => ['libvirt_tls_password']
}
file { '/etc/libvirt/auth.conf':
ensure => $libvirt_auth_ensure,
content => $libvirt_auth_conf,
mode => '0600',
owner => 'root',
group => 'root',
notify => Service['libvirt']
}
} }
} }

1
manifests/profile/base/nova/migration/client.pp
View File

@@ -61,6 +61,7 @@ class tripleo::profile::base::nova::migration::client (
transport => 'tls', transport => 'tls',
configure_libvirt => $libvirt_enabled, configure_libvirt => $libvirt_enabled,
configure_nova => $nova_compute_enabled, configure_nova => $nova_compute_enabled,
auth => 'sasl'
} }
} else { } else {
# Reuse the cold-migration SSH tunnel when TLS is not enabled # Reuse the cold-migration SSH tunnel when TLS is not enabled

59
spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
View File

@@ -36,6 +36,7 @@ eos
is_expected.to_not contain_file('/etclibvirt/qemu/networks/autostart/default.xml') is_expected.to_not contain_file('/etclibvirt/qemu/networks/autostart/default.xml')
is_expected.to_not contain_file('/etclibvirt/qemu/networks/default.xml') is_expected.to_not contain_file('/etclibvirt/qemu/networks/default.xml')
is_expected.to_not contain_exec('libvirt-default-net-destroy') is_expected.to_not contain_exec('libvirt-default-net-destroy')
is_expected.to_not contain_exec('set libvirt sasl credentials')
} }
end end
@@ -76,6 +77,12 @@ eos
"unix_sock_ro_perms" => {"value" => '"0777"'}, "unix_sock_ro_perms" => {"value" => '"0777"'},
"unix_sock_rw_perms" => {"value" => '"0770"'} "unix_sock_rw_perms" => {"value" => '"0770"'}
}) })
is_expected.to contain_package('cyrus-sasl-scram')
is_expected.to contain_file('/etc/sasl2/libvirt.conf')
is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('absent')
is_expected.to contain_exec('set libvirt sasl credentials').with_command(
'saslpasswd2 -d -a libvirt -u overcloud migration'
)
} }
end end
@@ -114,6 +121,58 @@ eos
"unix_sock_ro_perms" => {"value" => '"0777"'}, "unix_sock_ro_perms" => {"value" => '"0777"'},
"unix_sock_rw_perms" => {"value" => '"0770"'} "unix_sock_rw_perms" => {"value" => '"0770"'}
}) })
is_expected.to contain_package('cyrus-sasl-scram')
is_expected.to contain_file('/etc/sasl2/libvirt.conf')
is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('absent')
is_expected.to contain_exec('set libvirt sasl credentials').with_command(
'saslpasswd2 -d -a libvirt -u overcloud migration'
)
}
end
context 'with step 4 and tls_password' do
let(:pre_condition) do
<<-eos
class { '::tripleo::profile::base::nova':
step => #{params[:step]},
oslomsg_rpc_hosts => [ '127.0.0.1' ],
}
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::tripleo::profile::base::nova::migration::client':
step => #{params[:step]}
}
class { '::tripleo::profile::base::nova::compute_libvirt_shared':
step => #{params[:step]}
}
eos
end
let(:params) { { :step => 4, :tls_password => 'foo'} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::libvirt')
is_expected.to contain_class('tripleo::profile::base::nova::compute_libvirt_shared')
is_expected.to contain_class('tripleo::profile::base::nova')
is_expected.to contain_class('nova::compute::libvirt::services')
is_expected.to contain_class('nova::compute::libvirt::qemu')
is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
is_expected.to contain_exec('libvirt-default-net-destroy')
is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
"unix_sock_group" => {"value" => '"libvirt"'},
"auth_unix_ro" => {"value" => '"none"'},
"auth_unix_rw" => {"value" => '"none"'},
"unix_sock_ro_perms" => {"value" => '"0777"'},
"unix_sock_rw_perms" => {"value" => '"0770"'}
})
is_expected.to contain_package('cyrus-sasl-scram')
is_expected.to contain_file('/etc/sasl2/libvirt.conf')
is_expected.to contain_file('/etc/libvirt/auth.conf').with_ensure('present')
is_expected.to contain_exec('set libvirt sasl credentials').with_command(
"echo \"\${TLS_PASSWORD}\" | saslpasswd2 -p -a libvirt -u overcloud migration"
)
} }
end end
end end

4
spec/classes/tripleo_profile_base_nova_migration_client_spec.rb
View File

@@ -101,6 +101,7 @@ eos
:transport => 'tls', :transport => 'tls',
:configure_libvirt => params[:libvirt_enabled], :configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled], :configure_nova => params[:nova_compute_enabled],
:auth => 'sasl'
) )
is_expected.to contain_file('/etc/nova/migration/identity').with( is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => '# Migration over SSH disabled by TripleO', :content => '# Migration over SSH disabled by TripleO',
@@ -163,7 +164,8 @@ eos
is_expected.to contain_class('nova::migration::libvirt').with( is_expected.to contain_class('nova::migration::libvirt').with(
:transport => 'tls', :transport => 'tls',
:configure_libvirt => params[:libvirt_enabled], :configure_libvirt => params[:libvirt_enabled],
:configure_nova => params[:nova_compute_enabled] :configure_nova => params[:nova_compute_enabled],
:auth => 'sasl'
) )
is_expected.to contain_file('/etc/nova/migration/identity').with( is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => 'foo', :content => 'foo',