Merge "Support for Ocata-Pike live-migration over ssh"
This commit is contained in:
commit
d5a23606ee
78
manifests/profile/base/nova/migration/proxy.pp
Normal file
78
manifests/profile/base/nova/migration/proxy.pp
Normal file
@ -0,0 +1,78 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::profile::base::nova::migration::proxy
|
||||
#
|
||||
# Nova migration proxy profile for tripleo.
|
||||
# Used to proxy connections from baremetal sshd to dockerized sshd on a
|
||||
# different port during rolling upgrades.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step of the deployment
|
||||
# Defaults to hiera('step')
|
||||
#
|
||||
# [*ssh_private_key*]
|
||||
# (Optional) SSH private_key for migration SSH tunnel.
|
||||
# Defaults to ''
|
||||
#
|
||||
# [*target_host*]
|
||||
# (Optional) SSH hostname to proxy.
|
||||
# Defaults to hiera('fqdn_internal_api', '127.0.0.1')
|
||||
#
|
||||
# [*target_port*]
|
||||
# (Optional) SSH port to proxy.
|
||||
# Defaults to 22
|
||||
|
||||
class tripleo::profile::base::nova::migration::proxy (
|
||||
$step = Integer(hiera('step')),
|
||||
$ssh_private_key = '',
|
||||
$target_host = hiera('fqdn_internal_api', '127.0.0.1'),
|
||||
$target_port = 22
|
||||
) {
|
||||
|
||||
include ::tripleo::profile::base::nova::migration
|
||||
|
||||
if $step >= 4 {
|
||||
if !empty($ssh_private_key) {
|
||||
class { '::tripleo::profile::base::nova::migration::target':
|
||||
step => $step,
|
||||
wrapper_command => "/bin/ssh \
|
||||
-p ${target_port} \
|
||||
-i /etc/nova/migration/proxy_identity \
|
||||
-o BatchMode=yes \
|
||||
-o UserKnownHostsFile=/dev/null \
|
||||
nova_migration@${target_host} \
|
||||
\$SSH_ORIGINAL_COMMAND"
|
||||
}
|
||||
|
||||
$migration_identity = $ssh_private_key
|
||||
$migration_identity_ensure = 'present'
|
||||
}
|
||||
else {
|
||||
$migration_identity = ''
|
||||
$migration_identity_ensure = 'absent'
|
||||
}
|
||||
|
||||
file { '/etc/nova/migration/proxy_identity':
|
||||
ensure => $migration_identity_ensure,
|
||||
content => $migration_identity,
|
||||
mode => '0600',
|
||||
owner => 'nova_migration',
|
||||
group => 'nova_migration',
|
||||
require => Package['openstack-nova-migration']
|
||||
}
|
||||
}
|
||||
}
|
@ -37,12 +37,17 @@
|
||||
# If the nova_migration_target service is not enabled then migration over
|
||||
# ssh will be disabled.
|
||||
# Defaults to hiera('service_names', [])
|
||||
#
|
||||
# [*wrapper_command*]
|
||||
# (Internal) Used to override the wrapper command when proxying
|
||||
# Defaults to /bin/nova-migration-wrapper
|
||||
|
||||
class tripleo::profile::base::nova::migration::target (
|
||||
$step = Integer(hiera('step')),
|
||||
$ssh_authorized_keys = [],
|
||||
$ssh_localaddrs = [],
|
||||
$services_enabled = hiera('service_names', []),
|
||||
$wrapper_command = '/bin/nova-migration-wrapper',
|
||||
) {
|
||||
|
||||
include ::tripleo::profile::base::nova::migration
|
||||
@ -81,7 +86,7 @@ class tripleo::profile::base::nova::migration::target (
|
||||
type => $allow_type,
|
||||
order => 1,
|
||||
options => {
|
||||
'ForceCommand' => '/bin/nova-migration-wrapper',
|
||||
'ForceCommand' => $wrapper_command,
|
||||
'PasswordAuthentication' => 'no',
|
||||
'AllowTcpForwarding' => 'no',
|
||||
'X11Forwarding' => 'no',
|
||||
|
@ -31,11 +31,16 @@
|
||||
# Hash of SSHD options to set. See the puppet-ssh module documentation for
|
||||
# details.
|
||||
# Defaults to {}
|
||||
#
|
||||
# [*port*]
|
||||
# SSH port or list of ports to bind to
|
||||
# Defaults to [22]
|
||||
|
||||
class tripleo::profile::base::sshd (
|
||||
$bannertext = hiera('BannerText', undef),
|
||||
$motd = hiera('MOTD', undef),
|
||||
$options = {}
|
||||
$options = {},
|
||||
$port = [22],
|
||||
) {
|
||||
|
||||
if $bannertext and $bannertext != '' {
|
||||
@ -67,10 +72,18 @@ class tripleo::profile::base::sshd (
|
||||
$sshd_options_motd = {}
|
||||
}
|
||||
|
||||
if $options['Port'] {
|
||||
$sshd_options_port = {'Port' => unique(concat(any2array($options['Port']), $port))}
|
||||
}
|
||||
else {
|
||||
$sshd_options_port = {'Port' => unique(any2array($port))}
|
||||
}
|
||||
|
||||
$sshd_options = merge(
|
||||
$options,
|
||||
$sshd_options_banner,
|
||||
$sshd_options_motd
|
||||
$sshd_options_motd,
|
||||
$sshd_options_port
|
||||
)
|
||||
|
||||
# NB (owalsh) in puppet-ssh hiera takes precedence over the class param
|
||||
|
103
spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb
Normal file
103
spec/classes/tripleo_profile_base_nova_migration_proxy_spec.rb
Normal file
@ -0,0 +1,103 @@
|
||||
#
|
||||
# Copyright (C) 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::profile::base::nova::migration::proxy' do
|
||||
shared_examples_for 'tripleo::profile::base::nova::migration::proxy' do
|
||||
|
||||
context 'with step 4 with defaults (disabled)' do
|
||||
let(:pre_condition) {
|
||||
<<-eos
|
||||
class { '::tripleo::profile::base::nova::migration':
|
||||
step => #{params[:step]}
|
||||
}
|
||||
eos
|
||||
}
|
||||
let(:params) { {
|
||||
:step => 4,
|
||||
} }
|
||||
|
||||
it {
|
||||
is_expected.to_not contain_class('tripleo::profile::base::nova::migration::target')
|
||||
is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(:ensure => 'absent')
|
||||
}
|
||||
end
|
||||
|
||||
context 'with step 4 with ssh_private_key' do
|
||||
let(:pre_condition) {
|
||||
<<-eos
|
||||
class { '::tripleo::profile::base::nova::migration':
|
||||
step => #{params[:step]}
|
||||
}
|
||||
eos
|
||||
}
|
||||
let(:params) { {
|
||||
:step => 4,
|
||||
:ssh_private_key => 'foo',
|
||||
} }
|
||||
|
||||
it {
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::migration::target').with(
|
||||
:wrapper_command => '/bin/ssh -p 22 -i /etc/nova/migration/proxy_identity -o BatchMode=yes -o UserKnownHostsFile=/dev/null nova_migration@127.0.0.1 $SSH_ORIGINAL_COMMAND'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(
|
||||
:content => 'foo',
|
||||
:mode => '0600',
|
||||
:owner => 'nova_migration',
|
||||
:group => 'nova_migration',
|
||||
)
|
||||
}
|
||||
end
|
||||
|
||||
context 'with step 4 with host and port' do
|
||||
let(:pre_condition) {
|
||||
<<-eos
|
||||
class { '::tripleo::profile::base::nova::migration':
|
||||
step => #{params[:step]}
|
||||
}
|
||||
eos
|
||||
}
|
||||
let(:params) { {
|
||||
:step => 4,
|
||||
:ssh_private_key => 'foo',
|
||||
:target_host => 'node.example.com',
|
||||
:target_port => 1000
|
||||
} }
|
||||
|
||||
it {
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::migration::target').with(
|
||||
:wrapper_command => '/bin/ssh -p 1000 -i /etc/nova/migration/proxy_identity -o BatchMode=yes -o UserKnownHostsFile=/dev/null nova_migration@node.example.com $SSH_ORIGINAL_COMMAND'
|
||||
)
|
||||
is_expected.to contain_file('/etc/nova/migration/proxy_identity').with(
|
||||
:content => 'foo',
|
||||
:mode => '0600',
|
||||
:owner => 'nova_migration',
|
||||
:group => 'nova_migration',
|
||||
)
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({ :hostname => 'node.example.com' })
|
||||
end
|
||||
it_behaves_like 'tripleo::profile::base::nova::migration::proxy'
|
||||
end
|
||||
end
|
||||
end
|
@ -269,6 +269,51 @@ eos
|
||||
it { is_expected.to_not compile }
|
||||
end
|
||||
|
||||
context 'with step 4 with wrapper_command' do
|
||||
let(:pre_condition) {
|
||||
<<-eos
|
||||
class { '::tripleo::profile::base::nova::migration':
|
||||
step => #{params[:step]}
|
||||
}
|
||||
class { '::ssh::server':
|
||||
storeconfigs_enabled => false,
|
||||
options => {}
|
||||
}
|
||||
eos
|
||||
}
|
||||
let(:params) { {
|
||||
:step => 4,
|
||||
:ssh_authorized_keys => ['ssh-rsa bar', 'ssh-rsa baz'],
|
||||
:services_enabled => ['docker', 'nova_migration_target'],
|
||||
:wrapper_command => '/bin/true'
|
||||
} }
|
||||
|
||||
it {
|
||||
is_expected.to contain_class('tripleo::profile::base::nova::migration')
|
||||
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
|
||||
:type => 'User',
|
||||
:name => 'nova_migration',
|
||||
:options => {
|
||||
'ForceCommand' => '/bin/true',
|
||||
'PasswordAuthentication' => 'no',
|
||||
'AllowTcpForwarding' => 'no',
|
||||
'X11Forwarding' => 'no',
|
||||
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
|
||||
}
|
||||
)
|
||||
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
||||
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||
:content => 'ssh-rsa bar\nssh-rsa baz',
|
||||
:mode => '0640',
|
||||
:owner => 'root',
|
||||
:group => 'nova_migration',
|
||||
)
|
||||
is_expected.to contain_user('nova_migration').with(
|
||||
:shell => '/bin/bash'
|
||||
)
|
||||
}
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
||||
|
@ -26,7 +26,9 @@ describe 'tripleo::profile::base::sshd' do
|
||||
it do
|
||||
is_expected.to contain_class('ssh::server').with({
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {}
|
||||
'options' => {
|
||||
'Port' => [22]
|
||||
}
|
||||
})
|
||||
is_expected.to_not contain_file('/etc/issue')
|
||||
is_expected.to_not contain_file('/etc/issue.net')
|
||||
@ -39,7 +41,9 @@ describe 'tripleo::profile::base::sshd' do
|
||||
it do
|
||||
is_expected.to contain_class('ssh::server').with({
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {}
|
||||
'options' => {
|
||||
'Port' => [22]
|
||||
}
|
||||
})
|
||||
is_expected.to_not contain_file('/etc/issue')
|
||||
is_expected.to_not contain_file('/etc/issue.net')
|
||||
@ -47,13 +51,50 @@ describe 'tripleo::profile::base::sshd' do
|
||||
end
|
||||
end
|
||||
|
||||
context 'with port configured' do
|
||||
let(:params) {{ :port => 123 }}
|
||||
it do
|
||||
is_expected.to contain_class('ssh::server').with({
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {
|
||||
'Port' => [123]
|
||||
}
|
||||
})
|
||||
end
|
||||
end
|
||||
|
||||
context 'with port configured and port option' do
|
||||
let(:params) {{ :port => 123, :options => {'Port' => 456} }}
|
||||
it do
|
||||
is_expected.to contain_class('ssh::server').with({
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {
|
||||
'Port' => [456, 123]
|
||||
}
|
||||
})
|
||||
end
|
||||
end
|
||||
|
||||
context 'with port configured and same port option' do
|
||||
let(:params) {{ :port => 123, :options => {'Port' => 123} }}
|
||||
it do
|
||||
is_expected.to contain_class('ssh::server').with({
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {
|
||||
'Port' => [123]
|
||||
}
|
||||
})
|
||||
end
|
||||
end
|
||||
|
||||
context 'with issue and issue.net configured' do
|
||||
let(:params) {{ :bannertext => 'foo' }}
|
||||
it do
|
||||
is_expected.to contain_class('ssh::server').with({
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {
|
||||
'Banner' => '/etc/issue.net'
|
||||
'Banner' => '/etc/issue.net',
|
||||
'Port' => [22]
|
||||
}
|
||||
})
|
||||
is_expected.to contain_file('/etc/issue').with({
|
||||
@ -78,6 +119,7 @@ describe 'tripleo::profile::base::sshd' do
|
||||
is_expected.to contain_class('ssh::server').with({
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {
|
||||
'Port' => [22],
|
||||
'PrintMotd' => 'yes'
|
||||
}
|
||||
})
|
||||
@ -98,6 +140,7 @@ describe 'tripleo::profile::base::sshd' do
|
||||
is_expected.to contain_class('ssh::server').with({
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {
|
||||
'Port' => [22],
|
||||
'X11Forwarding' => 'no'
|
||||
}
|
||||
})
|
||||
@ -117,6 +160,7 @@ describe 'tripleo::profile::base::sshd' do
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {
|
||||
'Banner' => '/etc/issue.net',
|
||||
'Port' => [22],
|
||||
'PrintMotd' => 'yes'
|
||||
}
|
||||
})
|
||||
@ -146,6 +190,7 @@ describe 'tripleo::profile::base::sshd' do
|
||||
:bannertext => 'foo',
|
||||
:motd => 'foo',
|
||||
:options => {
|
||||
'Port' => [22],
|
||||
'PrintMotd' => 'no', # this should be overridden
|
||||
'X11Forwarding' => 'no'
|
||||
}
|
||||
@ -155,6 +200,7 @@ describe 'tripleo::profile::base::sshd' do
|
||||
'storeconfigs_enabled' => false,
|
||||
'options' => {
|
||||
'Banner' => '/etc/issue.net',
|
||||
'Port' => [22],
|
||||
'PrintMotd' => 'yes',
|
||||
'X11Forwarding' => 'no'
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user