Merge "Support for Ocata-Pike live-migration over ssh"

This commit is contained in:
Jenkins 2017-09-08 06:28:37 +00:00 committed by Gerrit Code Review
commit d5a23606ee
6 changed files with 296 additions and 6 deletions

View File

@ -0,0 +1,78 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::nova::migration::proxy
#
# Nova migration proxy profile for tripleo.
# Used to proxy connections from baremetal sshd to dockerized sshd on a
# different port during rolling upgrades.
#
# === Parameters
#
# [*step*]
# (Optional) The current step of the deployment
# Defaults to hiera('step')
#
# [*ssh_private_key*]
# (Optional) SSH private_key for migration SSH tunnel.
# Defaults to ''
#
# [*target_host*]
# (Optional) SSH hostname to proxy.
# Defaults to hiera('fqdn_internal_api', '127.0.0.1')
#
# [*target_port*]
# (Optional) SSH port to proxy.
# Defaults to 22
class tripleo::profile::base::nova::migration::proxy (
$step = Integer(hiera('step')),
$ssh_private_key = '',
$target_host = hiera('fqdn_internal_api', '127.0.0.1'),
$target_port = 22
) {
include ::tripleo::profile::base::nova::migration
if $step >= 4 {
if !empty($ssh_private_key) {
class { '::tripleo::profile::base::nova::migration::target':
step => $step,
wrapper_command => "/bin/ssh \
-p ${target_port} \
-i /etc/nova/migration/proxy_identity \
-o BatchMode=yes \
-o UserKnownHostsFile=/dev/null \
nova_migration@${target_host} \
\$SSH_ORIGINAL_COMMAND"
}
$migration_identity = $ssh_private_key
$migration_identity_ensure = 'present'
}
else {
$migration_identity = ''
$migration_identity_ensure = 'absent'
}
file { '/etc/nova/migration/proxy_identity':
ensure => $migration_identity_ensure,
content => $migration_identity,
mode => '0600',
owner => 'nova_migration',
group => 'nova_migration',
require => Package['openstack-nova-migration']
}
}
}

View File

@ -37,12 +37,17 @@
# If the nova_migration_target service is not enabled then migration over
# ssh will be disabled.
# Defaults to hiera('service_names', [])
#
# [*wrapper_command*]
# (Internal) Used to override the wrapper command when proxying
# Defaults to /bin/nova-migration-wrapper
class tripleo::profile::base::nova::migration::target (
$step = Integer(hiera('step')),
$ssh_authorized_keys = [],
$ssh_localaddrs = [],
$services_enabled = hiera('service_names', []),
$wrapper_command = '/bin/nova-migration-wrapper',
) {
include ::tripleo::profile::base::nova::migration
@ -81,7 +86,7 @@ class tripleo::profile::base::nova::migration::target (
type => $allow_type,
order => 1,
options => {
'ForceCommand' => '/bin/nova-migration-wrapper',
'ForceCommand' => $wrapper_command,
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',

View File

@ -31,11 +31,16 @@
# Hash of SSHD options to set. See the puppet-ssh module documentation for
# details.
# Defaults to {}
#
# [*port*]
# SSH port or list of ports to bind to
# Defaults to [22]
class tripleo::profile::base::sshd (
$bannertext = hiera('BannerText', undef),
$motd = hiera('MOTD', undef),
$options = {}
$options = {},
$port = [22],
) {
if $bannertext and $bannertext != '' {
@ -67,10 +72,18 @@ class tripleo::profile::base::sshd (
$sshd_options_motd = {}
}
if $options['Port'] {
$sshd_options_port = {'Port' => unique(concat(any2array($options['Port']), $port))}
}
else {
$sshd_options_port = {'Port' => unique(any2array($port))}
}
$sshd_options = merge(
$options,
$sshd_options_banner,
$sshd_options_motd
$sshd_options_motd,
$sshd_options_port
)
# NB (owalsh) in puppet-ssh hiera takes precedence over the class param

View File

@ -0,0 +1,103 @@
#
# Copyright (C) 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
require 'spec_helper'
describe 'tripleo::profile::base::nova::migration::proxy' do
shared_examples_for 'tripleo::profile::base::nova::migration::proxy' do
context 'with step 4 with defaults (disabled)' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
eos
}
let(:params) { {
:step => 4,
} }
it {
is_expected.to_not contain_class('tripleo::profile::base::nova::migration::target')
is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(:ensure => 'absent')
}
end
context 'with step 4 with ssh_private_key' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
eos
}
let(:params) { {
:step => 4,
:ssh_private_key => 'foo',
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration::target').with(
:wrapper_command => '/bin/ssh -p 22 -i /etc/nova/migration/proxy_identity -o BatchMode=yes -o UserKnownHostsFile=/dev/null nova_migration@127.0.0.1 $SSH_ORIGINAL_COMMAND'
)
is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(
:content => 'foo',
:mode => '0600',
:owner => 'nova_migration',
:group => 'nova_migration',
)
}
end
context 'with step 4 with host and port' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
eos
}
let(:params) { {
:step => 4,
:ssh_private_key => 'foo',
:target_host => 'node.example.com',
:target_port => 1000
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration::target').with(
:wrapper_command => '/bin/ssh -p 1000 -i /etc/nova/migration/proxy_identity -o BatchMode=yes -o UserKnownHostsFile=/dev/null nova_migration@node.example.com $SSH_ORIGINAL_COMMAND'
)
is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(
:content => 'foo',
:mode => '0600',
:owner => 'nova_migration',
:group => 'nova_migration',
)
}
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({ :hostname => 'node.example.com' })
end
it_behaves_like 'tripleo::profile::base::nova::migration::proxy'
end
end
end

View File

@ -269,6 +269,51 @@ eos
it { is_expected.to_not compile }
end
context 'with step 4 with wrapper_command' do
let(:pre_condition) {
<<-eos
class { '::tripleo::profile::base::nova::migration':
step => #{params[:step]}
}
class { '::ssh::server':
storeconfigs_enabled => false,
options => {}
}
eos
}
let(:params) { {
:step => 4,
:ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
:services_enabled => ['docker', 'nova_migration_target'],
:wrapper_command => '/bin/true'
} }
it {
is_expected.to contain_class('tripleo::profile::base::nova::migration')
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
:type => 'User',
:name => 'nova_migration',
:options => {
'ForceCommand' => '/bin/true',
'PasswordAuthentication' => 'no',
'AllowTcpForwarding' => 'no',
'X11Forwarding' => 'no',
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
}
)
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar\nssh-rsa baz',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
end

View File

@ -26,7 +26,9 @@ describe 'tripleo::profile::base::sshd' do
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {}
'options' => {
'Port' => [22]
}
})
is_expected.to_not contain_file('/etc/issue')
is_expected.to_not contain_file('/etc/issue.net')
@ -39,7 +41,9 @@ describe 'tripleo::profile::base::sshd' do
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {}
'options' => {
'Port' => [22]
}
})
is_expected.to_not contain_file('/etc/issue')
is_expected.to_not contain_file('/etc/issue.net')
@ -47,13 +51,50 @@ describe 'tripleo::profile::base::sshd' do
end
end
context 'with port configured' do
let(:params) {{ :port => 123 }}
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
'Port' => [123]
}
})
end
end
context 'with port configured and port option' do
let(:params) {{ :port => 123, :options => {'Port' => 456} }}
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
'Port' => [456, 123]
}
})
end
end
context 'with port configured and same port option' do
let(:params) {{ :port => 123, :options => {'Port' => 123} }}
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
'Port' => [123]
}
})
end
end
context 'with issue and issue.net configured' do
let(:params) {{ :bannertext => 'foo' }}
it do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
'Banner' => '/etc/issue.net'
'Banner' => '/etc/issue.net',
'Port' => [22]
}
})
is_expected.to contain_file('/etc/issue').with({
@ -78,6 +119,7 @@ describe 'tripleo::profile::base::sshd' do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
'Port' => [22],
'PrintMotd' => 'yes'
}
})
@ -98,6 +140,7 @@ describe 'tripleo::profile::base::sshd' do
is_expected.to contain_class('ssh::server').with({
'storeconfigs_enabled' => false,
'options' => {
'Port' => [22],
'X11Forwarding' => 'no'
}
})
@ -117,6 +160,7 @@ describe 'tripleo::profile::base::sshd' do
'storeconfigs_enabled' => false,
'options' => {
'Banner' => '/etc/issue.net',
'Port' => [22],
'PrintMotd' => 'yes'
}
})
@ -146,6 +190,7 @@ describe 'tripleo::profile::base::sshd' do
:bannertext => 'foo',
:motd => 'foo',
:options => {
'Port' => [22],
'PrintMotd' => 'no', # this should be overridden
'X11Forwarding' => 'no'
}
@ -155,6 +200,7 @@ describe 'tripleo::profile::base::sshd' do
'storeconfigs_enabled' => false,
'options' => {
'Banner' => '/etc/issue.net',
'Port' => [22],
'PrintMotd' => 'yes',
'X11Forwarding' => 'no'
}